Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
VFS_FULL_AUDIT(8)	  System Administration	tools	     VFS_FULL_AUDIT(8)

NAME
       vfs_full_audit -	record Samba VFS operations in the system log

SYNOPSIS

       vfs objects = full_audit

DESCRIPTION
       This VFS	module is part of the samba(7) suite.

       The vfs_full_audit VFS module records selected client operations	to the
       system log using	syslog(3).

       vfs_full_audit is able to record	the complete set of Samba VFS
       operations:
	   aio_force
	   audit_file
	   brl_lock_windows
	   brl_unlock_windows
	   chdir
	   close
	   closedir
	   connect
	   connectpath
	   create_dfs_pathat
	   create_file
	   disconnect
	   disk_free
	   durable_cookie
	   durable_disconnect
	   durable_reconnect
	   fallocate
	   fchflags
	   fchmod
	   fchown
	   fcntl
	   fdopendir
	   fget_compression
	   fget_dos_attributes
	   fget_nt_acl
	   fgetxattr
	   file_id_create
	   filesystem_sharemode
	   flistxattr
	   fntimes
	   freaddir_attr
	   fremovexattr
	   fs_capabilities
	   fsctl
	   fset_dos_attributes
	   fset_nt_acl
	   fsetxattr
	   fs_file_id
	   fstat
	   fstatat
	   fstreaminfo
	   fsync_recv
	   fsync_send
	   ftruncate
	   get_alloc_size
	   get_dfs_referrals
	   get_dos_attributes_recv
	   get_dos_attributes_send
	   getlock
	   get_quota
	   get_real_filename
	   get_real_filename_at
	   get_shadow_copy_data
	   getwd
	   getxattrat_recv
	   getxattrat_send
	   is_offline
	   lchown
	   linkat
	   linux_setlease
	   lock
	   lseek
	   lstat
	   mkdirat
	   mknodat
	   ntimes
	   offload_read_recv
	   offload_read_send
	   offload_write_recv
	   offload_write_send
	   open
	   openat
	   parent_pathname
	   pread
	   pread_recv
	   pread_send
	   pwrite
	   pwrite_recv
	   pwrite_send
	   read
	   read_dfs_pathat
	   readdir
	   readlinkat
	   realpath
	   recvfile
	   removexattr
	   renameat
	   rewinddir
	   sendfile
	   set_compression
	   set_offline
	   set_quota
	   snap_check_path
	   snap_create
	   snap_delete
	   stat
	   statvfs
	   strict_lock_check
	   symlinkat
	   sys_acl_blob_get_fd
	   sys_acl_delete_def_fd
	   sys_acl_get_fd
	   sys_acl_set_fd
	   translate_name
	   unlinkat
	   write

       In addition to these operations,	vfs_full_audit recognizes the special
       operation names "all" and "none ", which	refer to all the VFS
       operations and none of the VFS operations respectively.

       If an unknown operation name is used (for example an operation name is
       miss-spelled), the module will fail to load and clients will be refused
       connections to a	share using this module.

       vfs_full_audit records operations in fixed format consisting of fields
       separated by '|'	characters. The	format is:

		     smbd_audit: PREFIX|OPERATION|RESULT|FILE

       The record fields are:

	      	  PREFIX - the result of the full_audit:prefix string after
		  variable substitutions

	      	  OPERATION - the name of the VFS operation

	      	  RESULT - whether the operation succeeded or failed

	      	  FILE - the name of the file or directory the operation was
		  performed on

       This module is stackable.

OPTIONS
       full_audit:prefix = STRING
	   Prepend audit messages with STRING. STRING is processed for
	   standard substitution variables listed in smb.conf(5). The default
	   prefix is "%u|%I".

       full_audit:success = LIST
	   LIST	is a list of VFS operations that should	be recorded if they
	   succeed. Operations are specified using the names listed above.
	   Operations can be unset by prefixing	the names with "!". The
	   default is none operations.

       full_audit:failure = LIST
	   LIST	is a list of VFS operations that should	be recorded if they
	   failed. Operations are specified using the names listed above.
	   Operations can be unset by prefixing	the names with "!". The
	   default is none operations.

       full_audit:facility = FACILITY
	   Log messages	to the named syslog(3) facility.

       full_audit:priority = PRIORITY
	   Log messages	with the named syslog(3) priority.

       full_audit:syslog = true/false
	   Log messages	to syslog (default) or as a debug level	1 message.

       full_audit:log_secdesc =	true/false
	   Log an sddl form of the security descriptor coming in when a	client
	   sets	an acl.	Defaults to false.

EXAMPLES
       Log file	and directory open operations on the [records] share using the
       LOCAL7 facility and ALERT priority, including the username and IP
       address.	Logging	excludes the open VFS function on failures:

		   [records]
		path = /data/records
		vfs objects = full_audit
		full_audit:prefix = %u|%I
		full_audit:success = open opendir
		full_audit:failure = all !open
		full_audit:facility = LOCAL7
		full_audit:priority = ALERT

VERSION
       This man	page is	part of	version	4.20.7 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell.	Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 4.20.7			  04/14/2025		     VFS_FULL_AUDIT(8)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=vfs_full_audit&sektion=8&manpath=FreeBSD+Ports+14.3.quarterly>

home | help