1VFS_FULL_AUDIT(8) System Administration tools VFS_FULL_AUDIT(8)
2
3
4
6 vfs_full_audit - record Samba VFS operations in the system log
7
9 vfs objects = full_audit
10
12 This VFS module is part of the samba(7) suite.
13
14 The vfs_full_audit VFS module records selected client operations to the
15 system log using syslog(3).
16
17 vfs_full_audit is able to record the complete set of Samba VFS
18 operations:
19 chdir
20 chflags
21 chmod
22 chown
23 close
24 closedir
25 connect
26 copy_chunk_send
27 copy_chunk_recv
28 disconnect
29 disk_free
30 fchmod
31 fchown
32 fget_nt_acl
33 fgetxattr
34 flistxattr
35 fremovexattr
36 fset_nt_acl
37 fsetxattr
38 fstat
39 fsync
40 ftruncate
41 get_compression
42 get_nt_acl
43 get_quota
44 get_shadow_copy_data
45 getlock
46 getwd
47 getxattr
48 kernel_flock
49 link
50 linux_setlease
51 listxattr
52 lock
53 lseek
54 lstat
55 mkdir
56 mknod
57 open
58 opendir
59 pread
60 pwrite
61 read
62 readdir
63 readlink
64 realpath
65 removexattr
66 rename
67 rewinddir
68 rmdir
69 seekdir
70 sendfile
71 set_compression
72 set_nt_acl
73 set_quota
74 setxattr
75 snap_check_path
76 snap_create
77 snap_delete
78 stat
79 statvfs
80 symlink
81 sys_acl_delete_def_file
82 sys_acl_get_fd
83 sys_acl_get_file
84 sys_acl_set_fd
85 sys_acl_set_file
86 telldir
87 unlink
88 utime
89 write
90
91 In addition to these operations, vfs_full_audit recognizes the special
92 operation names "all" and "none ", which refer to all the VFS
93 operations and none of the VFS operations respectively.
94
95 vfs_full_audit records operations in fixed format consisting of fields
96 separated by '|' characters. The format is:
97
98 smbd_audit: PREFIX|OPERATION|RESULT|FILE
99
100
101 The record fields are:
102
103 · PREFIX - the result of the full_audit:prefix string after
104 variable substitutions
105
106 · OPERATION - the name of the VFS operation
107
108 · RESULT - whether the operation succeeded or failed
109
110 · FILE - the name of the file or directory the operation was
111 performed on
112
113
114 This module is stackable.
115
117 full_audit:prefix = STRING
118 Prepend audit messages with STRING. STRING is processed for
119 standard substitution variables listed in smb.conf(5). The default
120 prefix is "%u|%I".
121
122 full_audit:success = LIST
123 LIST is a list of VFS operations that should be recorded if they
124 succeed. Operations are specified using the names listed above.
125 Operations can be unset by prefixing the names with "!". The
126 default is none operations.
127
128 full_audit:failure = LIST
129 LIST is a list of VFS operations that should be recorded if they
130 failed. Operations are specified using the names listed above.
131 Operations can be unset by prefixing the names with "!". The
132 default is none operations.
133
134 full_audit:facility = FACILITY
135 Log messages to the named syslog(3) facility.
136
137 full_audit:priority = PRIORITY
138 Log messages with the named syslog(3) priority.
139
140 full_audit:syslog = true/false
141 Log messages to syslog (default) or as a debug level 1 message.
142
143 full_audit:log_secdesc = true/false
144 Log an sddl form of the security descriptor coming in when a client
145 sets an acl. Defaults to false.
146
148 Log file and directory open operations on the [records] share using the
149 LOCAL7 facility and ALERT priority, including the username and IP
150 address. Logging excludes the open VFS function on failures:
151
152 [records]
153 path = /data/records
154 vfs objects = full_audit
155 full_audit:prefix = %u|%I
156 full_audit:success = open opendir
157 full_audit:failure = all !open
158 full_audit:facility = LOCAL7
159 full_audit:priority = ALERT
160
162 This man page is part of version 4.9.8 of the Samba suite.
163
165 The original Samba software and related utilities were created by
166 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
167 Source project similar to the way the Linux kernel is developed.
168
169
170
171Samba 4.9.8 05/14/2019 VFS_FULL_AUDIT(8)