VFS_FULL_AUDIT(8) System Administration tools VFS_FULL_AUDIT(8)

vfs_full_audit - record Samba VFS operations in the system log

    vfs objects = full_audit

This VFS module is part of the samba(7) suite.

The vfs_full_audit VFS module records selected client operations to the
system log using syslog(3).

vfs_full_audit is able to record the complete set of Samba VFS
operations:
    aio_force
    audit_file
    brl_lock_windows
    brl_unlock_windows
    chdir
    chflags
    chmod
    close
    closedir
    connect
    connectpath
    create_dfs_pathat
    create_file
    disconnect
    disk_free
    durable_cookie
    durable_disconnect
    durable_reconnect
    fallocate
    fchmod
    fchown
    fdopendir
    fget_compression
    fget_dos_attributes
    fget_nt_acl_at
    fgetxattr
    file_id_create
    flistxattr
    fremovexattr
    fs_capabilities
    fsctl
    fset_dos_attributes
    fset_nt_acl
    fsetxattr
    fs_file_id
    fstat
    fsync
    fsync_recv
    fsync_send
    ftruncate
    get_alloc_size
    get_dfs_referrals
    get_dos_attributes
    get_dos_attributes_recv
    get_dos_attributes_send
    getlock
    get_nt_acl
    get_quota
    get_real_filename
    get_shadow_copy_data
    getwd
    getxattr
    getxattrat_recv
    getxattrat_send
    is_offline
    filesystem_sharemode
    lchown
    linkat
    linux_setlease
    listxattr
    lock
    lseek
    lstat
    mkdirat
    mknodat
    ntimes
    offload_read_recv
    offload_read_send
    offload_write_recv
    offload_write_send
    open
    pread
    pread_recv
    pread_send
    pwrite
    pwrite_recv
    pwrite_send
    read
    readdir
    readdir_attr
    readlinkat
    realpath
    recvfile
    removexattr
    renameat
    rewinddir
    seekdir
    sendfile
    set_compression
    set_dos_attributes
    set_offline
    set_quota
    setxattr
    snap_check_path
    snap_create
    snap_delete
    stat
    statvfs
    streaminfo
    strict_lock_check
    symlinkat
    sys_acl_blob_get_fd
    sys_acl_blob_get_file
    sys_acl_get_fd
    sys_acl_get_file
    sys_acl_set_fd
    telldir
    translate_name
    unlinkat
    write

In addition to these operations, vfs_full_audit recognizes the special
operation names "all" and "none", which refer to all the VFS
operations and none of the VFS operations respectively.

If an unknown operation name is used (for example, an operation name is
misspelled), the module will fail to load and clients will be refused
connections to a share using this module.

vfs_full_audit records operations in a fixed format consisting of fields
separated by '|' characters. The format is:

    smbd_audit: PREFIX|OPERATION|RESULT|FILE

The record fields are:

    • PREFIX - the result of the full_audit:prefix string after
      variable substitutions

    • OPERATION - the name of the VFS operation

    • RESULT - whether the operation succeeded or failed

    • FILE - the name of the file or directory the operation was
      performed on
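
A parser for this record format, as an added example that is not part of the Samba man page. The default prefix "%u|%I" itself contains the '|' separator and FILE may contain one too, so the code splits only the leading fields. It assumes RESULT is logged as "ok" or "fail (<reason>)"; the sample log lines are constructed and the names parse_line and failures_by_prefix are hypothetical.

```python
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample lines (not real logs). Assumes the default prefix "%u|%I"
# and that RESULT is written as "ok" or "fail (<reason>)".
SAMPLE_LOG = """\
Jan 26 10:00:01 fs1 smbd_audit: alice|192.0.2.10|mkdirat|ok|reports/2023
Jan 26 10:00:02 fs1 smbd_audit: bob|192.0.2.44|unlinkat|fail (Permission denied)|hr/payroll.csv
Jan 26 10:00:03 fs1 smbd_audit: bob|192.0.2.44|unlinkat|fail (Permission denied)|hr/old|draft.txt
Jan 26 10:00:04 fs1 smbd_audit: bob|192.0.2.44|mkdirat|fail (Permission denied)|hr/new
Jan 26 10:00:05 fs1 sshd[811]: unrelated line
"""

class AuditRecord(NamedTuple):
    prefix: tuple      # expanded full_audit:prefix, e.g. (user, client address)
    operation: str     # VFS operation name
    ok: bool           # True when RESULT is "ok"
    result: str        # raw RESULT field
    file: str          # FILE field, may itself contain '|'

def parse_line(line: str, prefix_fields: int = 2) -> Optional[AuditRecord]:
    """Parse one syslog line; prefix_fields is the number of '|'-separated
    fields that full_audit:prefix expands to (2 for the default "%u|%I")."""
    _, tag, body = line.partition("smbd_audit: ")
    if not tag:
        return None  # not a vfs_full_audit record
    # Split only the leading fields so a '|' inside FILE is preserved.
    parts = body.rstrip("\n").split("|", prefix_fields + 2)
    if len(parts) < prefix_fields + 3:
        return None  # truncated or malformed record
    prefix = tuple(parts[:prefix_fields])
    operation, result, file = parts[prefix_fields:]
    return AuditRecord(prefix, operation, result == "ok", result, file)

def failures_by_prefix(log_text: str, threshold: int = 3) -> dict:
    """Return prefixes (user, address) with at least `threshold` failed operations."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and not rec.ok:
            counts[rec.prefix] += 1
    return {p: n for p, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(failures_by_prefix(SAMPLE_LOG))
```

If full_audit:prefix is changed, pass the matching prefix_fields value; a prefix whose expansion can contain a variable number of '|' characters cannot be parsed unambiguously.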

This module is stackable.

full_audit:prefix = STRING
    Prepend audit messages with STRING. STRING is processed for
    standard substitution variables listed in smb.conf(5). The default
    prefix is "%u|%I".

full_audit:success = LIST
    LIST is a list of VFS operations that should be recorded if they
    succeed. Operations are specified using the names listed above.
    Operations can be unset by prefixing the names with "!". The
    default is "none" (no operations).

full_audit:failure = LIST
    LIST is a list of VFS operations that should be recorded if they
    fail. Operations are specified using the names listed above.
    Operations can be unset by prefixing the names with "!". The
    default is "none" (no operations).

full_audit:facility = FACILITY
    Log messages to the named syslog(3) facility.

full_audit:priority = PRIORITY
    Log messages with the named syslog(3) priority.

full_audit:syslog = true/false
    Log messages to syslog (default) or as a debug level 1 message.

full_audit:log_secdesc = true/false
    Log an SDDL form of the security descriptor coming in when a client
    sets an ACL. Defaults to false.

Log file and directory open operations on the [records] share using the
LOCAL7 facility and ALERT priority, including the username and IP
address. Logging excludes the open VFS function on failures:

    [records]
    path = /data/records
    vfs objects = full_audit
    full_audit:prefix = %u|%I
    # Operation names must appear in the list above; opendir is not in it, fdopendir is.
    full_audit:success = open fdopendir
    full_audit:failure = all !open
    full_audit:facility = LOCAL7
    full_audit:priority = ALERT

This man page is part of version 4.17.5 of the Samba suite.

The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.

Samba 4.17.5 01/26/2023 VFS_FULL_AUDIT(8)