'\" t .\" Title: vfs_full_audit .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.76.1 .\" Date: 02/24/2015 .\" Manual: System Administration tools .\" Source: Samba 4.0 .\" Language: English .\" .TH "VFS_FULL_AUDIT" "8" "02/24/2015" "Samba 4\&.0" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" vfs_full_audit \- record Samba VFS operations in the system log .SH "SYNOPSIS" .HP \w'\ 'u vfs objects = full_audit .SH "DESCRIPTION" .PP This VFS module is part of the \fBsamba\fR(7) suite\&. .PP The vfs_full_audit VFS module records selected client operations to the system log using \fBsyslog\fR(3)\&. .PP vfs_full_audit is able to record the complete set of Samba VFS operations: .RS 4 chdir .RE .RS 4 chflags .RE .RS 4 chmod .RE .RS 4 chmod_acl .RE .RS 4 chown .RE .RS 4 close .RE .RS 4 closedir .RE .RS 4 connect .RE .RS 4 copy_chunk_send .RE .RS 4 copy_chunk_recv .RE .RS 4 disconnect .RE .RS 4 disk_free .RE .RS 4 fchmod .RE .RS 4 fchmod_acl .RE .RS 4 fchown .RE .RS 4 fget_nt_acl .RE .RS 4 fgetxattr .RE .RS 4 flistxattr .RE .RS 4 fremovexattr .RE .RS 4 fset_nt_acl .RE .RS 4 fsetxattr .RE .RS 4 fstat .RE .RS 4 fsync .RE .RS 4 ftruncate .RE .RS 4 get_nt_acl .RE .RS 4 get_quota .RE .RS 4 get_shadow_copy_data .RE .RS 4 getlock .RE .RS 4 getwd .RE .RS 4 getxattr .RE .RS 4 kernel_flock .RE .RS 4 link .RE .RS 4 linux_setlease .RE .RS 4 listxattr .RE .RS 4 lock .RE .RS 4 lseek .RE .RS 4 lstat .RE .RS 4 mkdir .RE .RS 4 mknod .RE .RS 4 open .RE .RS 4 opendir .RE .RS 4 pread .RE .RS 4 pwrite .RE .RS 4 read .RE .RS 4 readdir .RE .RS 4 readlink .RE .RS 4 realpath .RE .RS 4 removexattr .RE .RS 4 rename .RE .RS 4 rewinddir .RE .RS 4 rmdir .RE .RS 4 seekdir .RE .RS 4 sendfile .RE .RS 4 set_nt_acl .RE .RS 4 set_quota .RE .RS 4 setxattr .RE .RS 4 stat .RE .RS 4 statvfs .RE .RS 4 symlink .RE .RS 4 sys_acl_delete_def_file .RE .RS 4 sys_acl_get_fd .RE .RS 4 sys_acl_get_file .RE .RS 4 sys_acl_set_fd .RE .RS 4 sys_acl_set_file .RE .RS 4 telldir .RE .RS 4 unlink .RE .RS 4 utime .RE .RS 4 write .RE .PP In addition to these operations, vfs_full_audit recognizes the special operation names "all" and "none ", which refer to all the VFS operations and none of the VFS operations respectively\&. .PP vfs_full_audit records operations in fixed format consisting of fields separated by \*(Aq|\*(Aq characters\&. The format is: .sp .if n \{\ .RS 4 .\} .nf smbd_audit: PREFIX|OPERATION|RESULT|FILE .fi .if n \{\ .RE .\} .PP The record fields are: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} PREFIX \- the result of the full_audit:prefix string after variable substitutions .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} OPERATION \- the name of the VFS operation .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} RESULT \- whether the operation succeeded or failed .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} FILE \- the name of the file or directory the operation was performed on .RE .sp .RE .PP This module is stackable\&. .SH "OPTIONS" .PP vfs_full_audit:prefix = STRING .RS 4 Prepend audit messages with STRING\&. STRING is processed for standard substitution variables listed in \fBsmb.conf\fR(5)\&. The default prefix is "%u|%I"\&. .RE .PP full_audit:success = LIST .RS 4 LIST is a list of VFS operations that should be recorded if they succeed\&. Operations are specified using the names listed above\&. Operations can be unset by prefixing the names with "!"\&. The default is all operations\&. .RE .PP full_audit:failure = LIST .RS 4 LIST is a list of VFS operations that should be recorded if they failed\&. Operations are specified using the names listed above\&. Operations can be unset by prefixing the names with "!"\&. The default is all operations\&. .RE .PP full_audit:facility = FACILITY .RS 4 Log messages to the named \fBsyslog\fR(3) facility\&. .RE .PP full_audit:priority = PRIORITY .RS 4 Log messages with the named \fBsyslog\fR(3) priority\&. .RE .SH "EXAMPLES" .PP Log file and directory open operations on the [records] share using the LOCAL7 facility and ALERT priority, including the username and IP address\&. Logging excludes the open VFS function on failures: .sp .if n \{\ .RS 4 .\} .nf \fI[records]\fR \m[blue]\fBpath = /data/records\fR\m[] \m[blue]\fBvfs objects = full_audit\fR\m[] \m[blue]\fBfull_audit:prefix = %u|%I\fR\m[] \m[blue]\fBfull_audit:success = open opendir\fR\m[] \m[blue]\fBfull_audit:failure = all !open\fR\m[] \m[blue]\fBfull_audit:facility = LOCAL7\fR\m[] \m[blue]\fBfull_audit:priority = ALERT\fR\m[] .fi .if n \{\ .RE .\} .SH "VERSION" .PP This man page is correct for version 3\&.0\&.25 of the Samba suite\&. .SH "AUTHOR" .PP The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.