'\" t .\" Title: vfs_full_audit .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets vsnapshot .\" Date: 04/08/2024 .\" Manual: System Administration tools .\" Source: Samba 4.19.6-Debian .\" Language: English .\" .TH "VFS_FULL_AUDIT" "8" "04/08/2024" "Samba 4\&.19\&.6\-Debian" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" vfs_full_audit \- record Samba VFS operations in the system log .SH "SYNOPSIS" .HP \w'\ 'u vfs objects = full_audit .SH "DESCRIPTION" .PP This VFS module is part of the \fBsamba\fR(7) suite\&. .PP The vfs_full_audit VFS module records selected client operations to the system log using \fBsyslog\fR(3)\&. .PP vfs_full_audit is able to record the complete set of Samba VFS operations: .RS 4 aio_force .RE .RS 4 audit_file .RE .RS 4 brl_lock_windows .RE .RS 4 brl_unlock_windows .RE .RS 4 chdir .RE .RS 4 close .RE .RS 4 closedir .RE .RS 4 connect .RE .RS 4 connectpath .RE .RS 4 create_dfs_pathat .RE .RS 4 create_file .RE .RS 4 disconnect .RE .RS 4 disk_free .RE .RS 4 durable_cookie .RE .RS 4 durable_disconnect .RE .RS 4 durable_reconnect .RE .RS 4 fallocate .RE .RS 4 fchflags .RE .RS 4 fchmod .RE .RS 4 fchown .RE .RS 4 fcntl .RE .RS 4 fdopendir .RE .RS 4 fget_compression .RE .RS 4 fget_dos_attributes .RE .RS 4 fget_nt_acl .RE .RS 4 fgetxattr .RE .RS 4 file_id_create .RE .RS 4 filesystem_sharemode .RE .RS 4 flistxattr .RE .RS 4 fntimes .RE .RS 4 freaddir_attr .RE .RS 4 fremovexattr .RE .RS 4 fs_capabilities .RE .RS 4 fsctl .RE .RS 4 fset_dos_attributes .RE .RS 4 fset_nt_acl .RE .RS 4 fsetxattr .RE .RS 4 fs_file_id .RE .RS 4 fstat .RE .RS 4 fstatat .RE .RS 4 fstreaminfo .RE .RS 4 fsync_recv .RE .RS 4 fsync_send .RE .RS 4 ftruncate .RE .RS 4 get_alloc_size .RE .RS 4 get_dfs_referrals .RE .RS 4 get_dos_attributes_recv .RE .RS 4 get_dos_attributes_send .RE .RS 4 getlock .RE .RS 4 get_quota .RE .RS 4 get_real_filename .RE .RS 4 get_real_filename_at .RE .RS 4 get_shadow_copy_data .RE .RS 4 getwd .RE .RS 4 getxattrat_recv .RE .RS 4 getxattrat_send .RE .RS 4 is_offline .RE .RS 4 lchown .RE .RS 4 linkat .RE .RS 4 linux_setlease .RE .RS 4 lock .RE .RS 4 lseek .RE .RS 4 lstat .RE .RS 4 mkdirat .RE .RS 4 mknodat .RE .RS 4 ntimes .RE .RS 4 offload_read_recv .RE .RS 4 offload_read_send .RE .RS 4 offload_write_recv .RE .RS 4 offload_write_send .RE .RS 4 open .RE .RS 4 openat .RE .RS 4 parent_pathname .RE .RS 4 pread .RE .RS 4 pread_recv .RE .RS 4 pread_send .RE .RS 4 pwrite .RE .RS 4 pwrite_recv .RE .RS 4 pwrite_send .RE .RS 4 read .RE .RS 4 read_dfs_pathat .RE .RS 4 readdir .RE .RS 4 readlinkat .RE .RS 4 realpath .RE .RS 4 recvfile .RE .RS 4 removexattr .RE .RS 4 renameat .RE .RS 4 rewinddir .RE .RS 4 sendfile .RE .RS 4 set_compression .RE .RS 4 set_offline .RE .RS 4 set_quota .RE .RS 4 snap_check_path .RE .RS 4 snap_create .RE .RS 4 snap_delete .RE .RS 4 stat .RE .RS 4 statvfs .RE .RS 4 strict_lock_check .RE .RS 4 symlinkat .RE .RS 4 sys_acl_blob_get_fd .RE .RS 4 sys_acl_delete_def_fd .RE .RS 4 sys_acl_get_fd .RE .RS 4 sys_acl_set_fd .RE .RS 4 translate_name .RE .RS 4 unlinkat .RE .RS 4 write .RE .PP In addition to these operations, vfs_full_audit recognizes the special operation names "all" and "none ", which refer to all the VFS operations and none of the VFS operations respectively\&. .PP If an unknown operation name is used (for example an operation name is miss\-spelled), the module will fail to load and clients will be refused connections to a share using this module\&. .PP vfs_full_audit records operations in fixed format consisting of fields separated by \*(Aq|\*(Aq characters\&. The format is: .sp .if n \{\ .RS 4 .\} .nf smbd_audit: PREFIX|OPERATION|RESULT|FILE .fi .if n \{\ .RE .\} .PP The record fields are: .RS .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} PREFIX \- the result of the full_audit:prefix string after variable substitutions .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} OPERATION \- the name of the VFS operation .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} RESULT \- whether the operation succeeded or failed .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} FILE \- the name of the file or directory the operation was performed on .RE .sp .RE .PP This module is stackable\&. .SH "OPTIONS" .PP full_audit:prefix = STRING .RS 4 Prepend audit messages with STRING\&. STRING is processed for standard substitution variables listed in \fBsmb.conf\fR(5)\&. The default prefix is "%u|%I"\&. .RE .PP full_audit:success = LIST .RS 4 LIST is a list of VFS operations that should be recorded if they succeed\&. Operations are specified using the names listed above\&. Operations can be unset by prefixing the names with "!"\&. The default is none operations\&. .RE .PP full_audit:failure = LIST .RS 4 LIST is a list of VFS operations that should be recorded if they failed\&. Operations are specified using the names listed above\&. Operations can be unset by prefixing the names with "!"\&. The default is none operations\&. .RE .PP full_audit:facility = FACILITY .RS 4 Log messages to the named \fBsyslog\fR(3) facility\&. .RE .PP full_audit:priority = PRIORITY .RS 4 Log messages with the named \fBsyslog\fR(3) priority\&. .RE .PP full_audit:syslog = true/false .RS 4 Log messages to syslog (default) or as a debug level 1 message\&. .RE .PP full_audit:log_secdesc = true/false .RS 4 Log an sddl form of the security descriptor coming in when a client sets an acl\&. Defaults to false\&. .RE .SH "EXAMPLES" .PP Log file and directory open operations on the [records] share using the LOCAL7 facility and ALERT priority, including the username and IP address\&. Logging excludes the open VFS function on failures: .sp .if n \{\ .RS 4 .\} .nf \fI[records]\fR \m[blue]\fBpath = /data/records\fR\m[] \m[blue]\fBvfs objects = full_audit\fR\m[] \m[blue]\fBfull_audit:prefix = %u|%I\fR\m[] \m[blue]\fBfull_audit:success = open opendir\fR\m[] \m[blue]\fBfull_audit:failure = all !open\fR\m[] \m[blue]\fBfull_audit:facility = LOCAL7\fR\m[] \m[blue]\fBfull_audit:priority = ALERT\fR\m[] .fi .if n \{\ .RE .\} .SH "VERSION" .PP This man page is part of version 4\&.19\&.6\-Debian of the Samba suite\&. .SH "AUTHOR" .PP The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.