[Samba] Full audit - permission changes
Alan Evangelista
alan.vitor at gmail.com
Tue Feb 16 10:08:30 UTC 2021
I want to track permission changes done in a Windows shared drive that is
mapped to a directory in a physical disk managed by Linux. This mapping is
done via Samba. I have enabled auditing with the following settings in
/etc/samba/smb.conf:
[shareddir]
(...)
vfs objects = full_audit
# audit settings
full_audit:success = chmod open mkdir rmdir rename create_file fchmod
fchown linkat unlinkat
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = none
full_audit:facility = local5
full_audit:priority = notice
recycle:repository = /home/recycle/
recycle:keeptree = yes
recycle:versions = yes
When I change permissions on files on the Windows network disk, I expected
to see chmod or fchmod events in the log, but I see none. I only see
permissions retrieval events such as get_nt_acl (even though I have not
requested them in smb.conf), but no fset_nt_acl or the chmod/fchmod events
I requested in the first place. Should I add additional events to the
full_audit:success list or is that behavior expected?
Thanks in advance!
More information about the samba
mailing list