VFS_FULL_AUDIT(8)                                            VFS_FULL_AUDIT(8)

NAME

       vfs_full_audit - record Samba VFS operations in the system log

SYNOPSIS

       vfs objects = full_audit

DESCRIPTION

       This VFS module is part of the samba(7) suite.

       The vfs_full_audit VFS module records selected client operations to the
       system log using syslog(3).

       vfs_full_audit is able to record the complete set of Samba VFS
       operations:

          aio_cancel
          aio_error
          aio_fsync
          aio_read
          aio_return
          aio_suspend
          aio_write
          chdir
          chflags
          chmod
          chmod_acl
          chown
          close
          closedir
          connect
          disconnect
          disk_free
          fchmod
          fchmod_acl
          fchown
          fget_nt_acl
          fgetxattr
          flistxattr
          fremovexattr
          fset_nt_acl
          fsetxattr
          fstat
          fsync
          ftruncate
          get_nt_acl
          get_quota
          get_shadow_copy_data
          getlock
          getwd
          getxattr
          kernel_flock
          lgetxattr
          link
          linux_setlease
          listxattr
          llistxattr
          lock
          lremovexattr
          lseek
          lsetxattr
          lstat
          mkdir
          mknod
          open
          opendir
          pread
          pwrite
          read
          readdir
          readlink
          realpath
          removexattr
          rename
          rewinddir
          rmdir
          seekdir
          sendfile
          set_nt_acl
          set_quota
          setxattr
          stat
          statvfs
          symlink
          sys_acl_add_perm
          sys_acl_clear_perms
          sys_acl_create_entry
          sys_acl_delete_def_file
          sys_acl_free_acl
          sys_acl_free_qualifier
          sys_acl_free_text
          sys_acl_get_entry
          sys_acl_get_fd
          sys_acl_get_file
          sys_acl_get_perm
          sys_acl_get_permset
          sys_acl_get_qualifier
          sys_acl_get_tag_type
          sys_acl_init
          sys_acl_set_fd
          sys_acl_set_file
          sys_acl_set_permset
          sys_acl_set_qualifier
          sys_acl_set_tag_type
          sys_acl_to_text
          sys_acl_valid
          telldir
          unlink
          utime
          write

       In addition to these operations, vfs_full_audit recognizes the special
       operation names "all" and "none", which refer to all the VFS operations
       and none of the VFS operations respectively.

       vfs_full_audit records operations in a fixed format consisting of
       fields separated by '|' characters. The format is:

                 smbd_audit: PREFIX|OPERATION|RESULT|FILE

       The record fields are:

       ·  PREFIX - the result of the full_audit:prefix string after variable
          substitutions

       ·  OPERATION - the name of the VFS operation

       ·  RESULT - whether the operation succeeded or failed

       ·  FILE - the name of the file or directory the operation was performed
          on

       This module is stackable.

OPTIONS

       full_audit:prefix = STRING
          Prepend audit messages with STRING. STRING is processed for standard
          substitution variables listed in smb.conf(5). The default prefix is
          "%u|%I".

       full_audit:success = LIST
          LIST is a list of VFS operations that should be recorded if they
          succeed. Operations are specified using the names listed above.

       full_audit:failure = LIST
          LIST is a list of VFS operations that should be recorded if they
          fail. Operations are specified using the names listed above.

       full_audit:facility = FACILITY
          Log messages to the named syslog(3) facility.

       full_audit:priority = PRIORITY
          Log messages with the named syslog(3) priority.

EXAMPLES

       Log file and directory open operations on the [records] share using the
       LOCAL7 facility and ALERT priority, including the username and IP
       address:

          [records]
             path = /data/records
             vfs objects = full_audit
             full_audit:prefix = %u|%I
             full_audit:success = open opendir
             full_audit:failure = all
             full_audit:facility = LOCAL7
             full_audit:priority = ALERT
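
       A parser for the records that the [records] configuration above
       produces, as an added example (not part of the Samba man page or of
       Samba's code). The sample log lines are constructed, and the RESULT
       values "ok" and "fail (reason)" as well as the optional "[pid]" after
       the tag are assumptions about the module's output that this page does
       not spell out.

```python
import re
from collections import Counter

# Constructed sample syslog lines. With full_audit:prefix = %u|%I the PREFIX
# itself expands to two '|'-separated values: user name and client address.
SAMPLE_LOG = """\
Mar  3 10:15:01 fs1 smbd_audit: alice|192.0.2.10|open|ok|reports/q1.xls
Mar  3 10:15:02 fs1 smbd_audit: bob|192.0.2.44|open|fail (Permission denied)|hr/pay.xls
Mar  3 10:15:03 fs1 smbd_audit[4312]: bob|192.0.2.44|opendir|fail (Permission denied)|hr
Mar  3 10:15:04 fs1 smbd_audit: bob|192.0.2.44|unlink|fail (No such file or directory)|tmp/a|b.txt
Mar  3 10:15:05 fs1 sshd[811]: unrelated line
"""

# The page gives the tag as "smbd_audit: "; a "[pid]" that syslog may insert
# is tolerated as well (assumption).
TAG = re.compile(r"smbd_audit(?:\[\d+\])?: ")
PREFIX_FIELDS = 2  # number of '|'-separated values the configured prefix yields


def parse_record(line, prefix_fields=PREFIX_FIELDS):
    """Return a dict for one smbd_audit record, or None for any other line."""
    match = TAG.search(line)
    if match is None:
        return None
    # Split only as often as the fixed fields require: FILE comes last and
    # may itself contain '|', so it is kept as one unsplit remainder.
    parts = line[match.end():].rstrip("\n").split("|", prefix_fields + 2)
    if len(parts) != prefix_fields + 3:
        return None  # truncated record or a different prefix layout
    op, result, path = parts[prefix_fields:]
    # Assumption: RESULT is "ok" on success and "fail (<reason>)" otherwise.
    return {"prefix": parts[:prefix_fields], "operation": op,
            "ok": result == "ok", "result": result, "file": path}


def failures_by_client(log_text, threshold=2):
    """Map each prefix with at least `threshold` failed operations to its count."""
    counts = Counter()
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is not None and not record["ok"]:
            counts[tuple(record["prefix"])] += 1
    return {who: n for who, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for who, n in failures_by_client(SAMPLE_LOG).items():
        print("|".join(who), n, "failed operations")
```

       Set PREFIX_FIELDS to match the configured full_audit:prefix; a prefix
       value that itself contains '|' would shift the fields.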

VERSION

       This man page is correct for version 3.0.25 of the Samba suite.

AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

                                                            VFS_FULL_AUDIT(8)