vfs_audit log does not show full path names

Carl Byington carl at five-ten-sg.com
Mon Jul 30 15:55:37 UTC 2018


samba 4.7.1 on centos 7

vfs_audit log used to show the full path name. I am not sure when that
changed, but now open only logs the last component (like basename).
Rename still logs both old and new full pathnames. Is there some config
entry that needs to be set to get the full pathnames logged?


[global]
    full_audit:priority = notice
    full_audit:facility = local1
    full_audit:success = open rename
    full_audit:failure = connect
    full_audit:prefix = %u|%I|%S

[sname]
    path = /home/usr
    vfs objects = full_audit


Actual results:
ryan|$IP|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx
ryan|$IP|sname|open|ok|r|c.xlsx

Expected results:
ryan|$IP|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx
ryan|$IP|sname|open|ok|r|a/b/c.xlsx


With the current code, we don't know which one of the possibly many
c.xlsx files was read.

Looking at vfs_full_audit.c, smb_full_audit_open() and
smb_full_audit_rename() are very similar, using smb_fname_str_do_log()
to format the file name string for logging. Apparently the difference is
at a higher level. Can we assume that the filename should be prefixed
with the current directory, or might the current directory have been
changed by the time the audit log is called?
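
Added example, not part of the original post and not Samba code: a triage script that labels each open record by whether its file name can be tied to one full path, using the full paths that rename records still log. It assumes records are already stripped of the syslog header and use the post's %u|%I|%S prefix; the sample lines and the names parse and classify_opens are constructed for illustration.

```python
import posixpath
from collections import defaultdict

# Constructed sample records in the format shown in the post
# (prefix %u|%I|%S, then operation|result|arguments); 192.0.2.10 is a
# documentation address standing in for $IP.
SAMPLE = [
    "ryan|192.0.2.10|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx",
    "ryan|192.0.2.10|sname|rename|ok|x/y/c.tmp|x/y/c.xlsx",
    "ryan|192.0.2.10|sname|open|ok|r|c.xlsx",
    "ryan|192.0.2.10|sname|open|ok|r|a/b/d.xlsx",
    "ryan|192.0.2.10|sname|open|ok|w|e.txt",
]

def parse(line):
    """Split one record; assumes no '|' inside user, address or share."""
    user, addr, share, op, result, *args = line.rstrip("\n").split("|")
    return {"user": user, "addr": addr, "share": share,
            "op": op, "result": result, "args": args}

def classify_opens(lines):
    """Label each open record by how well its file name can be resolved."""
    records = [parse(l) for l in lines]
    known = defaultdict(set)  # (share, basename) -> full paths seen in renames
    for r in records:
        if r["op"] == "rename" and len(r["args"]) == 2:
            for path in r["args"]:
                known[(r["share"], posixpath.basename(path))].add(path)
    out = []
    for r in records:
        if r["op"] != "open" or len(r["args"]) < 2:
            continue
        name = "|".join(r["args"][1:])  # args[0] is the r/w mode
        if "/" in name:
            out.append((name, "full", [name]))
            continue
        # A bare name may also be a real file in the share root, so
        # "unknown" and "unique" are hints for the analyst, not proof.
        candidates = sorted(known[(r["share"], name)])
        status = {0: "unknown", 1: "unique"}.get(len(candidates), "ambiguous")
        out.append((name, status, candidates))
    return out

if __name__ == "__main__":
    for name, status, candidates in classify_opens(SAMPLE):
        print(f"{name:12} {status:10} {candidates}")
```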

