[Samba] full_audit uncertainties
o1e9.cherkasov at yandex.com
Fri Jul 30 13:06:25 UTC 2021
On 28.06.2021 14:54, mj via samba wrote:
> We have full_audit configured like this, for testing:
>> # full_audit:success = mkdirat renameat unlinkat open connect
>> full_audit:success = none
>> # full_audit:failure = mkdirat renameat unlinkat connect
>> full_audit:failure = none
>> full_audit:prefix = IP=%I | USER=%u | MACHINE=%m | VOLUME=%S
>> full_audit:facility = local7
>> full_audit:priority = NOTICE
> We set both success and failure temporarily to NONE, since our
> (original, commented out) full_audit config was causing way to much
> So we set everything to NONE expecting that nothing would be logged, and
> we could slowly enable specific items again, and monitor.
> However, much to our surprise with the above full_audit NONE config,
> full_audit is still generating *a lot* of logging, like this:
The same is over here after upgrading to 4.12.15 and eventually to
4.13.8. It seems full_audit:success and full_audit:failure accept only
NONE. Any other then NONE fallback to ALL.
vfs_full_audit is unusable in 4.12 and 4.13 and fallback to 4.11.
More information about the samba