summaryrefslogtreecommitdiffstats
path: root/docs-xml/manpages/vfs_full_audit.8.xml
diff options
context:
space:
mode:
Diffstat (limited to 'docs-xml/manpages/vfs_full_audit.8.xml')
-rw-r--r--docs-xml/manpages/vfs_full_audit.8.xml308
1 files changed, 308 insertions, 0 deletions
diff --git a/docs-xml/manpages/vfs_full_audit.8.xml b/docs-xml/manpages/vfs_full_audit.8.xml
new file mode 100644
index 0000000..dcd71fa
--- /dev/null
+++ b/docs-xml/manpages/vfs_full_audit.8.xml
@@ -0,0 +1,308 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="vfs_full_audit.8">
+
+<refmeta>
+ <refentrytitle>vfs_full_audit</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">&doc.version;</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>vfs_full_audit</refname>
+ <refpurpose>record Samba VFS operations in the system log</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>vfs objects = full_audit</command>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This VFS module is part of the
+ <citerefentry><refentrytitle>samba</refentrytitle>
+ <manvolnum>7</manvolnum></citerefentry> suite.</para>
+
+ <para>The <command>vfs_full_audit</command> VFS module records selected
+ client operations to the system log using
+ <citerefentry><refentrytitle>syslog</refentrytitle>
+ <manvolnum>3</manvolnum></citerefentry>.</para>
+
+ <para><command>vfs_full_audit</command> is able to record the
+ complete set of Samba VFS operations:</para>
+
+ <simplelist>
+ <member>aio_force</member>
+ <member>audit_file</member>
+ <member>brl_lock_windows</member>
+ <member>brl_unlock_windows</member>
+ <member>chdir</member>
+ <member>chflags</member>
+ <member>chmod</member>
+ <member>close</member>
+ <member>closedir</member>
+ <member>connect</member>
+ <member>connectpath</member>
+ <member>create_dfs_pathat</member>
+ <member>create_file</member>
+ <member>disconnect</member>
+ <member>disk_free</member>
+ <member>durable_cookie</member>
+ <member>durable_disconnect</member>
+ <member>durable_reconnect</member>
+ <member>fallocate</member>
+ <member>fchmod</member>
+ <member>fchown</member>
+ <member>fdopendir</member>
+ <member>fget_compression</member>
+ <member>fget_dos_attributes</member>
+ <member>fget_nt_acl_at</member>
+ <member>fgetxattr</member>
+ <member>file_id_create</member>
+ <member>flistxattr</member>
+ <member>fremovexattr</member>
+ <member>fs_capabilities</member>
+ <member>fsctl</member>
+ <member>fset_dos_attributes</member>
+ <member>fset_nt_acl</member>
+ <member>fsetxattr</member>
+ <member>fs_file_id</member>
+ <member>fstat</member>
+ <member>fsync</member>
+ <member>fsync_recv</member>
+ <member>fsync_send</member>
+ <member>ftruncate</member>
+ <member>get_alloc_size</member>
+ <member>get_dfs_referrals</member>
+ <member>get_dos_attributes</member>
+ <member>get_dos_attributes_recv</member>
+ <member>get_dos_attributes_send</member>
+ <member>getlock</member>
+ <member>get_nt_acl</member>
+ <member>get_quota</member>
+ <member>get_real_filename</member>
+ <member>get_shadow_copy_data</member>
+ <member>getwd</member>
+ <member>getxattr</member>
+ <member>getxattrat_recv</member>
+ <member>getxattrat_send</member>
+ <member>is_offline</member>
+ <member>filesystem_sharemode</member>
+ <member>lchown</member>
+ <member>linkat</member>
+ <member>linux_setlease</member>
+ <member>listxattr</member>
+ <member>lock</member>
+ <member>lseek</member>
+ <member>lstat</member>
+ <member>mkdirat</member>
+ <member>mknodat</member>
+ <member>ntimes</member>
+ <member>offload_read_recv</member>
+ <member>offload_read_send</member>
+ <member>offload_write_recv</member>
+ <member>offload_write_send</member>
+ <member>open</member>
+ <member>pread</member>
+ <member>pread_recv</member>
+ <member>pread_send</member>
+ <member>pwrite</member>
+ <member>pwrite_recv</member>
+ <member>pwrite_send</member>
+ <member>read</member>
+ <member>readdir</member>
+ <member>readdir_attr</member>
+ <member>readlinkat</member>
+ <member>realpath</member>
+ <member>recvfile</member>
+ <member>removexattr</member>
+ <member>renameat</member>
+ <member>rewinddir</member>
+ <member>seekdir</member>
+ <member>sendfile</member>
+ <member>set_compression</member>
+ <member>set_dos_attributes</member>
+ <member>set_offline</member>
+ <member>set_quota</member>
+ <member>setxattr</member>
+ <member>snap_check_path</member>
+ <member>snap_create</member>
+ <member>snap_delete</member>
+ <member>stat</member>
+ <member>statvfs</member>
+ <member>streaminfo</member>
+ <member>strict_lock_check</member>
+ <member>symlinkat</member>
+ <member>sys_acl_blob_get_fd</member>
+ <member>sys_acl_blob_get_file</member>
+ <member>sys_acl_get_fd</member>
+ <member>sys_acl_get_file</member>
+ <member>sys_acl_set_fd</member>
+ <member>telldir</member>
+ <member>translate_name</member>
+ <member>unlinkat</member>
+ <member>write</member>
+ </simplelist>
+
+ <para>In addition to these operations,
+ <command>vfs_full_audit</command> recognizes the special operation
+ names &quot;all&quot; and &quot;none &quot;, which refer to all
+ the VFS operations and none of the VFS operations respectively.
+ </para>
+
+ <para>If an unknown operation name is used (for example an operation name
+ is miss-spelled), the module will fail to load and clients will
+ be refused connections to a share using this module.
+ </para>
+
+ <para><command>vfs_full_audit</command> records operations in fixed
+ format consisting of fields separated by '|' characters. The
+ format is: </para>
+ <programlisting>
+ smbd_audit: PREFIX|OPERATION|RESULT|FILE
+ </programlisting>
+
+ <para>The record fields are:</para>
+
+ <itemizedlist>
+ <listitem><para><command>PREFIX</command> - the result of the full_audit:prefix string after variable substitutions</para></listitem>
+ <listitem><para><command>OPERATION</command> - the name of the VFS operation</para></listitem>
+ <listitem><para><command>RESULT</command> - whether the operation succeeded or failed</para></listitem>
+ <listitem><para><command>FILE</command> - the name of the file or directory the operation was performed on</para></listitem>
+
+ </itemizedlist>
+
+ <para>This module is stackable.</para>
+
+</refsect1>
+
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term>full_audit:prefix = STRING</term>
+ <listitem>
+ <para>Prepend audit messages with STRING. STRING is
+ processed for standard substitution variables listed in
+ <citerefentry><refentrytitle>smb.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry>. The default
+ prefix is &quot;%u|%I&quot;. </para>
+
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>full_audit:success = LIST</term>
+ <listitem>
+ <para>LIST is a list of VFS operations that should be
+ recorded if they succeed. Operations are specified using
+ the names listed above. Operations can be unset by prefixing
+ the names with "!". The default is none operations.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>full_audit:failure = LIST</term>
+ <listitem>
+ <para>LIST is a list of VFS operations that should be
+ recorded if they failed. Operations are specified using
+ the names listed above. Operations can be unset by prefixing
+ the names with "!". The default is none operations.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>full_audit:facility = FACILITY</term>
+ <listitem>
+ <para>Log messages to the named
+ <citerefentry><refentrytitle>syslog</refentrytitle>
+ <manvolnum>3</manvolnum></citerefentry> facility.
+
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>full_audit:priority = PRIORITY</term>
+ <listitem>
+ <para>Log messages with the named
+ <citerefentry><refentrytitle>syslog</refentrytitle>
+ <manvolnum>3</manvolnum></citerefentry> priority.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>full_audit:syslog = true/false</term>
+ <listitem>
+ <para>Log messages to syslog (default) or as a debug level 1
+ message.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>full_audit:log_secdesc = true/false</term>
+ <listitem>
+ <para>Log an sddl form of the security descriptor coming in
+ when a client sets an acl. Defaults to false.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>EXAMPLES</title>
+
+ <para>Log file and directory open operations on the [records]
+ share using the LOCAL7 facility and ALERT priority, including
+ the username and IP address. Logging excludes the open VFS function
+ on failures:</para>
+
+<programlisting>
+ <smbconfsection name="[records]"/>
+ <smbconfoption name="path">/data/records</smbconfoption>
+ <smbconfoption name="vfs objects">full_audit</smbconfoption>
+ <smbconfoption name="full_audit:prefix">%u|%I</smbconfoption>
+ <smbconfoption name="full_audit:success">open opendir</smbconfoption>
+ <smbconfoption name="full_audit:failure">all !open</smbconfoption>
+ <smbconfoption name="full_audit:facility">LOCAL7</smbconfoption>
+ <smbconfoption name="full_audit:priority">ALERT</smbconfoption>
+</programlisting>
+
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+ <para>This man page is part of version &doc.version; of the Samba suite.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+</refsect1>
+
+</refentry>
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-22 20:28:01 +0000