[Samba] vfs_full_audit only files modification
Jeremy Allison
jra at samba.org
Fri Oct 8 17:25:00 UTC 2021
On Fri, Oct 08, 2021 at 02:59:18PM +0200, Janusz Bliźniak via samba wrote:
>>in a way that can translate into code.
>>
>I would like to know which user has opened a file in order to read or
>edit it.
>I know that the directory where the file is located must be opened,
>and that is clear to me
>but I would like to exclude this information from the log because
>there is a lot of it, which makes the log unreadable.
>Below are logs where I opened from Windows 10
>/mnt/test/Folder1/Folder1_1/file.ods on the share "/mnt/test/"
>I logged only operations: open, opendir
>I thought "open" would only appear on files and "opendir" on
>directories, but it's different.
>
>Instead of the above, I would like to get something like this
>
>Oct 8 12:45:23 srv-test smbd_audit:
>...|open|ok|r|/mnt/test/Folder1/Folder1_1/file.ods
>Oct 8 12:45:23 srv-test smbd_audit:
>...|open|ok|w|/mnt/test/Folder1/Folder1_1/file.ods
>Oct 8 12:45:23 srv-test smbd_audit:
>...|open|ok|w|/mnt/test/Folder1/Folder1_1/.~lock.file.ods#
I don't think out of the box autit is going to
do that for you. You could do a simple code change
to smb_full_audit_openat() to only log opens if
O_DIRECTORY is not set in the flags parameter.
More information about the samba
mailing list