[Samba] How should audit logging work?
Jeremy Allison
jra at samba.org
Tue Oct 12 17:43:43 UTC 2021
On Tue, Oct 12, 2021 at 06:38:36PM +0100, Nick Howitt via samba wrote:
>
>So far I see I may want some or all of:
>open
>rename
>unlink
>get_alloc_size #not sure
>file_id_create
>realpath #not sure
>connectpath #not sure
>
>Also what I probably don't want is:
>!sys_acl_get_file
>!get_nt_acl
>!listxattr
>!readdir
>!telldir
>!kernel_flock
>!close
>!get_dos_attributes
>!getxattr
>!chdir
>!strict_lock_check
>!getwd
>
>But there are others like "stat" and so on.

You don't want stat or fstat. We use that in
a lot of places as a test for existence.

>Does anyone have any documentation on what all these operations are?

Mostly POSIX operations (i.e. man 2 openat).

>Also does anyone have any suggestions for a good set of operations to
>monitor?

As for "who did what", you probably want modification
operations, not read operations (unless you need to
know who accessed a file also).