[Samba] Full audit - logged unrequested events
Alan Evangelista
alan.vitor at gmail.com
Tue Feb 16 09:58:36 UTC 2021
I want to track filesystem operations done in a Linux directory which is
shared with a Windows Server box via Samba. I have enabled auditing with
the following settings in /etc/samba/smb.conf:
[shareddir]
(...)
vfs objects = full_audit
# audit settings
full_audit:success = chmod open mkdir rmdir rename create_file fchmod fchown linkat unlinkat
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = none
full_audit:facility = local5
full_audit:priority = notice
recycle:repository = /home/recycle/
recycle:keeptree = yes
recycle:versions = yes
I also created an rsyslog rule to output the logged events to a log file, and
that works fine.
However, several events which I have not defined in full_audit:success and
full_audit:failure are logged. Example:
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|connect|ok|sasdata
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|realpath|ok|/sasdata
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|realpath|ok|/sasdata
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|stat|ok|/sasdata
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|statvfs|ok|
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|stat|ok|/sasdata
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|fs_capabilities|ok|
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|chdir|ok|chdir|/sasdata
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|stat|ok|/sasdata
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|file_id_create|ok|804:603decc:0
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|getwd|ok|/sasdata
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|file_id_create|ok|804:603decc:0
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|stat|ok|/sasdata
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|realpath|ok|.
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|connectpath|ok|.
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|file_id_create|ok|804:603decc:0
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|file_id_create|ok|804:603decc:0
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|stat|ok|/sasdata
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|sys_acl_get_file|ok|.
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|sys_acl_get_file|ok|.
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|get_nt_acl|ok|/sasdata
Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|connectpath|ok|.
Is that expected? Am I missing some configuration?
Thanks in advance!
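
An added example, not part of the original post: a parser for smbd_audit lines that use the post's prefix (%u|%I|%m|%S), which separates operations named in full_audit:success from everything else that reached the log. It assumes the four prefix fields contain no "|"; the exampleuser/192.0.2.10 line and the sshd line are constructed sample input.

```python
import re
from collections import Counter

# Operations named in full_audit:success in the post's smb.conf.
CONFIGURED = frozenset(
    "chmod open mkdir rmdir rename create_file fchmod fchown linkat unlinkat".split())

# syslog header as shown in the post; an optional [pid] after the tag is tolerated.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssmbd_audit(?:\[\d+\])?:\s*(?P<body>.*)$")

def parse(line):
    """Return one audit event as a dict, or None if the line does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m["body"].split("|")
    if len(parts) < 6:          # 4 prefix fields (%u|%I|%m|%S) + op + result
        return None
    user, ip, machine, share, op, result = parts[:6]
    # Arguments may themselves contain "|" (see the chdir line), so keep them raw.
    return {"ts": m["ts"], "host": m["host"], "user": user, "ip": ip,
            "machine": machine, "share": share, "op": op, "result": result,
            "args": "|".join(parts[6:])}

def triage(lines, configured=CONFIGURED):
    """Split events into configured ones and a count of operations outside the list."""
    wanted, unexpected, unparsed = [], Counter(), 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed += 1
        elif ev["op"] in configured:
            wanted.append(ev)
        else:
            unexpected[ev["op"]] += 1
    return wanted, unexpected, unparsed

P = "Feb 16 04:40:49 AXLAB01 smbd_audit: aevangelista|172.28.11.12|172.28.11.12|sasdata|"
SAMPLE = [P + "connect|ok|sasdata", P + "stat|ok|/sasdata", P + "statvfs|ok|",
          P + "chdir|ok|chdir|/sasdata", P + "stat|ok|/sasdata",
          # Constructed line (not from the post): an operation that is in the list.
          "Feb 16 04:41:02 AXLAB01 smbd_audit: exampleuser|192.0.2.10|192.0.2.10|sasdata|mkdir|ok|reports",
          "Feb 16 04:41:03 AXLAB01 sshd[1]: constructed non-audit line"]

if __name__ == "__main__":
    wanted, unexpected, unparsed = triage(SAMPLE)
    for ev in wanted:
        print(ev["ts"], ev["user"], ev["ip"], ev["op"], ev["args"])
    print("outside full_audit:success:", dict(unexpected), "unparsed:", unparsed)
```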