VFS_FULL_AUDIT(8)         System Administration tools        VFS_FULL_AUDIT(8)

NAME

       vfs_full_audit - record Samba VFS operations in the system log

SYNOPSIS

       vfs objects = full_audit

DESCRIPTION

       This VFS module is part of the samba(7) suite.

       The vfs_full_audit VFS module records selected client operations to the
       system log using syslog(3).

       vfs_full_audit is able to record the complete set of Samba VFS
       operations:
           aio_force
           audit_file
           brl_lock_windows
           brl_unlock_windows
           chdir
           chflags
           chmod
           close
           closedir
           connect
           connectpath
           create_dfs_pathat
           create_file
           disconnect
           disk_free
           durable_cookie
           durable_disconnect
           durable_reconnect
           fallocate
           fchmod
           fchown
           fdopendir
           fget_compression
           fget_dos_attributes
           fget_nt_acl_at
           fgetxattr
           file_id_create
           flistxattr
           fremovexattr
           fs_capabilities
           fsctl
           fset_dos_attributes
           fset_nt_acl
           fsetxattr
           fs_file_id
           fstat
           fsync
           fsync_recv
           fsync_send
           ftruncate
           get_alloc_size
           get_dfs_referrals
           get_dos_attributes
           get_dos_attributes_recv
           get_dos_attributes_send
           getlock
           get_nt_acl
           get_quota
           get_real_filename
           get_shadow_copy_data
           getwd
           getxattr
           getxattrat_recv
           getxattrat_send
           is_offline
           filesystem_sharemode
           lchown
           linkat
           linux_setlease
           listxattr
           lock
           lseek
           lstat
           mkdirat
           mknodat
           ntimes
           offload_read_recv
           offload_read_send
           offload_write_recv
           offload_write_send
           open
           pread
           pread_recv
           pread_send
           pwrite
           pwrite_recv
           pwrite_send
           read
           readdir
           readdir_attr
           readlinkat
           realpath
           recvfile
           removexattr
           renameat
           rewinddir
           seekdir
           sendfile
           set_compression
           set_dos_attributes
           set_offline
           set_quota
           setxattr
           snap_check_path
           snap_create
           snap_delete
           stat
           statvfs
           streaminfo
           strict_lock_check
           symlinkat
           sys_acl_blob_get_fd
           sys_acl_blob_get_file
           sys_acl_get_fd
           sys_acl_get_file
           sys_acl_set_fd
           telldir
           translate_name
           unlinkat
           write

       In addition to these operations, vfs_full_audit recognizes the special
       operation names "all" and "none", which refer to all the VFS
       operations and none of the VFS operations respectively.

       If an unknown operation name is used (for example, if an operation name
       is misspelled), the module will fail to load and clients will be
       refused connections to a share using this module.

       vfs_full_audit records operations in a fixed format consisting of
       fields separated by '|' characters. The format is:

                     smbd_audit: PREFIX|OPERATION|RESULT|FILE

       The record fields are:

              •   PREFIX - the result of the full_audit:prefix string after
                  variable substitutions

              •   OPERATION - the name of the VFS operation

              •   RESULT - whether the operation succeeded or failed

              •   FILE - the name of the file or directory the operation was
                  performed on

       This module is stackable.

OPTIONS

       full_audit:prefix = STRING
           Prepend audit messages with STRING. STRING is processed for
           standard substitution variables listed in smb.conf(5). The default
           prefix is "%u|%I".

       full_audit:success = LIST
           LIST is a list of VFS operations that should be recorded if they
           succeed. Operations are specified using the names listed above.
           Operations can be unset by prefixing the names with "!". The
           default is no operations.

       full_audit:failure = LIST
           LIST is a list of VFS operations that should be recorded if they
           fail. Operations are specified using the names listed above.
           Operations can be unset by prefixing the names with "!". The
           default is no operations.

       full_audit:facility = FACILITY
           Log messages to the named syslog(3) facility.

       full_audit:priority = PRIORITY
           Log messages with the named syslog(3) priority.

       full_audit:syslog = true/false
           Log messages to syslog (default) or as a debug level 1 message.

       full_audit:log_secdesc = true/false
           Log an SDDL form of the security descriptor coming in when a client
           sets an ACL. Defaults to false.

EXAMPLES

       Log file and directory open operations on the [records] share using the
       LOCAL7 facility and ALERT priority, including the username and IP
       address. Logging excludes the open VFS function on failures:

           [records]
           path = /data/records
           vfs objects = full_audit
           full_audit:prefix = %u|%I
           full_audit:success = open opendir
           full_audit:failure = all !open
           full_audit:facility = LOCAL7
           full_audit:priority = ALERT
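
       A consumer of these records has to allow for the '|' inside the
       "%u|%I" prefix and for '|' characters in file names. The following
       parser and failure counter is an added example, not part of the Samba
       distribution; the sample lines are constructed, and the RESULT strings
       "ok" and "fail (...)" and the names parse_record and failures_by_prefix
       are assumptions of this example.

```python
from collections import Counter

# Constructed sample syslog lines; the prefix is "%u|%I" (user|client IP).
SAMPLE_LOG = """\
Jan 26 10:00:01 fs1 smbd_audit: alice|192.0.2.10|open|ok|/data/records/q1.xlsx
Jan 26 10:00:02 fs1 smbd_audit: bob|192.0.2.44|unlinkat|fail (Permission denied)|/data/records/q1.xlsx
Jan 26 10:00:03 fs1 smbd_audit: bob|192.0.2.44|renameat|fail (Permission denied)|/data/records/a|b.txt
Jan 26 10:00:04 fs1 smbd_audit: bob|192.0.2.44|mkdirat|fail (Permission denied)|/data/records/tmp
Jan 26 10:00:05 fs1 sshd[811]: unrelated line
"""

MARKER = "smbd_audit: "


def parse_record(line, prefix_fields=2):
    """Split one audit line into (prefix, operation, result, file).

    prefix_fields is the number of '|'-separated fields produced by
    full_audit:prefix (2 for "%u|%I"). FILE is taken as the remainder of the
    line, so a '|' inside a file name does not shift the other fields.
    Returns None for lines that are not complete audit records.
    """
    pos = line.find(MARKER)
    if pos < 0:
        return None
    parts = line[pos + len(MARKER):].rstrip("\n").split("|", prefix_fields + 2)
    if len(parts) != prefix_fields + 3:
        return None  # truncated record or a different prefix layout
    prefix = tuple(parts[:prefix_fields])
    operation, result, path = parts[prefix_fields:]
    return prefix, operation, result, path


def failures_by_prefix(log_text, threshold=3, prefix_fields=2):
    """Return {prefix: count} for prefixes with >= threshold failed operations."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line, prefix_fields)
        # Assumption: RESULT is "ok" on success; anything else is a failure.
        if rec and rec[2] != "ok":
            counts[rec[0]] += 1
    return {p: n for p, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for who, n in failures_by_prefix(SAMPLE_LOG).items():
        print("|".join(who), "failed operations:", n)
```

       If full_audit:prefix is changed, pass the matching prefix_fields
       value; a mismatch misassigns the OPERATION and RESULT fields.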

VERSION

       This man page is part of version 4.17.5 of the Samba suite.

AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 4.17.5                      01/26/2023                 VFS_FULL_AUDIT(8)