1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>vfs_full_audit</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="vfs_full_audit.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfs_full_audit — record Samba VFS operations in the system log</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">vfs objects = full_audit</code></p></div></div><div class="refsect1" lang="en"><a name="id291819"></a><h2>DESCRIPTION</h2><p>This VFS module is part of the 2 <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <code class="literal">vfs_full_audit</code> VFS module records selected 3 client operations to the system log using 4 <a href="syslog.3.html"><span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span></a>.</p><p><code class="literal">vfs_full_audit</code> is able to record the 5 complete set of Samba VFS operations:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>aio_cancel</td></tr><tr><td>aio_error</td></tr><tr><td>aio_fsync</td></tr><tr><td>aio_read</td></tr><tr><td>aio_return</td></tr><tr><td>aio_suspend</td></tr><tr><td>aio_write</td></tr><tr><td>chdir</td></tr><tr><td>chflags</td></tr><tr><td>chmod</td></tr><tr><td>chmod_acl</td></tr><tr><td>chown</td></tr><tr><td>close</td></tr><tr><td>closedir</td></tr><tr><td>connect</td></tr><tr><td>disconnect</td></tr><tr><td>disk_free</td></tr><tr><td>fchmod</td></tr><tr><td>fchmod_acl</td></tr><tr><td>fchown</td></tr><tr><td>fget_nt_acl</td></tr><tr><td>fgetxattr</td></tr><tr><td>flistxattr</td></tr><tr><td>fremovexattr</td></tr><tr><td>fset_nt_acl</td></tr><tr><td>fsetxattr</td></tr><tr><td>fstat</td></tr><tr><td>fsync</td></tr><tr><td>ftruncate</td></tr><tr><td>get_nt_acl</td></tr><tr><td>get_quota</td></tr><tr><td>get_shadow_copy_data</td></tr><tr><td>getlock</td></tr><tr><td>getwd</td></tr><tr><td>getxattr</td></tr><tr><td>kernel_flock</td></tr><tr><td>lgetxattr</td></tr><tr><td>link</td></tr><tr><td>linux_setlease</td></tr><tr><td>listxattr</td></tr><tr><td>llistxattr</td></tr><tr><td>lock</td></tr><tr><td>lremovexattr</td></tr><tr><td>lseek</td></tr><tr><td>lsetxattr</td></tr><tr><td>lstat</td></tr><tr><td>mkdir</td></tr><tr><td>mknod</td></tr><tr><td>open</td></tr><tr><td>opendir</td></tr><tr><td>pread</td></tr><tr><td>pwrite</td></tr><tr><td>read</td></tr><tr><td>readdir</td></tr><tr><td>readlink</td></tr><tr><td>realpath</td></tr><tr><td>removexattr</td></tr><tr><td>rename</td></tr><tr><td>rewinddir</td></tr><tr><td>rmdir</td></tr><tr><td>seekdir</td></tr><tr><td>sendfile</td></tr><tr><td>set_nt_acl</td></tr><tr><td>set_quota</td></tr><tr><td>setxattr</td></tr><tr><td>stat</td></tr><tr><td>statvfs</td></tr><tr><td>symlink</td></tr><tr><td>sys_acl_add_perm</td></tr><tr><td>sys_acl_clear_perms</td></tr><tr><td>sys_acl_create_entry</td></tr><tr><td>sys_acl_delete_def_file</td></tr><tr><td>sys_acl_free_acl</td></tr><tr><td>sys_acl_free_qualifier</td></tr><tr><td>sys_acl_free_text</td></tr><tr><td>sys_acl_get_entry</td></tr><tr><td>sys_acl_get_fd</td></tr><tr><td>sys_acl_get_file</td></tr><tr><td>sys_acl_get_perm</td></tr><tr><td>sys_acl_get_permset</td></tr><tr><td>sys_acl_get_qualifier</td></tr><tr><td>sys_acl_get_tag_type</td></tr><tr><td>sys_acl_init</td></tr><tr><td>sys_acl_set_fd</td></tr><tr><td>sys_acl_set_file</td></tr><tr><td>sys_acl_set_permset</td></tr><tr><td>sys_acl_set_qualifier</td></tr><tr><td>sys_acl_set_tag_type</td></tr><tr><td>sys_acl_to_text</td></tr><tr><td>sys_acl_valid</td></tr><tr><td>telldir</td></tr><tr><td>unlink</td></tr><tr><td>utime</td></tr><tr><td>write</td></tr></table><p>In addition to these operations, 6 <code class="literal">vfs_full_audit</code> recognizes the special operation 7 names "all" and "none ", which refer to all 8 the VFS operations and none of the VFS operations respectively. 9 </p><p><code class="literal">vfs_full_audit</code> records operations in fixed 10 format consisting of fields separated by '|' characters. The 11 format is: </p><pre class="programlisting"> 12 smbd_audit: PREFIX|OPERATION|RESULT|FILE 13 </pre><p>The record fields are:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">PREFIX</code> - the result of the full_audit:prefix string after variable substitutions</p></li><li><p><code class="literal">OPERATION</code> - the name of the VFS operation</p></li><li><p><code class="literal">RESULT</code> - whether the operation succeeded or failed</p></li><li><p><code class="literal">FILE</code> - the name of the file or directory the operation was performed on</p></li></ul></div><p>This module is stackable.</p></div><div class="refsect1" lang="en"><a name="id300478"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">vfs_full_audit:prefix = STRING</span></dt><dd><p>Prepend audit messages with STRING. STRING is 14 processed for standard substitution variables listed in 15 <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>. The default 16 prefix is "%u|%I". </p></dd><dt><span class="term">vfs_full_audit:success = LIST</span></dt><dd><p>LIST is a list of VFS operations that should be 17 recorded if they succeed. Operations are specified using 18 the names listed above. 19 </p></dd><dt><span class="term">vfs_full_audit:failure = LIST</span></dt><dd><p>LIST is a list of VFS operations that should be 20 recorded if they failed. Operations are specified using 21 the names listed above. 22 </p></dd><dt><span class="term">full_audit:facility = FACILITY</span></dt><dd><p>Log messages to the named 23 <a href="syslog.3.html"><span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span></a> facility. 24 25 </p></dd><dt><span class="term">full_audit:priority = PRIORITY</span></dt><dd><p>Log messages with the named 26 <a href="syslog.3.html"><span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span></a> priority. 27 </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id300582"></a><h2>EXAMPLES</h2><p>Log file and directory open operations on the [records] 28 share using the LOCAL7 facility and ALERT priority, including 29 the username and IP address:</p><pre class="programlisting"> 30 <em class="parameter"><code>[records]</code></em> 31 <a class="indexterm" name="id300603"></a>path = /data/records 32 <a class="indexterm" name="id300610"></a>vfs objects = full_audit 33 <a class="indexterm" name="id300617"></a>full_audit:prefix = %u|%I 34 <a class="indexterm" name="id300624"></a>full_audit:success = open opendir 35 <a class="indexterm" name="id300631"></a>full_audit:failure = all 36 <a class="indexterm" name="id300638"></a>full_audit:facility = LOCAL7 37 <a class="indexterm" name="id300646"></a>full_audit:priority = ALERT 38</pre></div><div class="refsect1" lang="en"><a name="id300655"></a><h2>VERSION</h2><p>This man page is correct for version 3.0.25 of the Samba suite. 39 </p></div><div class="refsect1" lang="en"><a name="id300666"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities 40 were created by Andrew Tridgell. Samba is now developed 41 by the Samba Team as an Open Source project similar 42 to the way the Linux kernel is developed.</p></div></div></body></html> 43