Linux cli command vfs_full_audit

➡ A Linux man page (short for manual page) is a form of software documentation found on Linux and Unix-like operating systems. This man-page explains the command vfs_full_audit and provides detailed information about the command vfs_full_audit, system calls, library functions, and other aspects of the system, including usage, options, and examples of _. You can access this man page by typing man followed by the vfs_full_audit.

  3 minute read  

NAME 🖥️ vfs_full_audit 🖥️

record Samba VFS operations in the system log

SYNOPSIS

vfs objects = full_audit

DESCRIPTION

This VFS module is part of the samba(7) suite.

The vfs_full_audit VFS module records selected client operations to the system log using syslog(3).

vfs_full_audit is able to record the complete set of Samba VFS operations:

aio_force

audit_file

brl_lock_windows

brl_unlock_windows

chdir

close

closedir

connect

connectpath

create_dfs_pathat

create_file

disconnect

disk_free

durable_cookie

durable_disconnect

durable_reconnect

fallocate

fchflags

fchmod

fchown

fcntl

fdopendir

fget_compression

fget_dos_attributes

fget_nt_acl

fgetxattr

file_id_create

filesystem_sharemode

flistxattr

fntimes

freaddir_attr

fremovexattr

fs_capabilities

fsctl

fset_dos_attributes

fset_nt_acl

fsetxattr

fs_file_id

fstat

fstatat

fstreaminfo

fsync_recv

fsync_send

ftruncate

get_alloc_size

get_dfs_referrals

get_dos_attributes_recv

get_dos_attributes_send

getlock

get_quota

get_real_filename

get_real_filename_at

get_shadow_copy_data

getwd

getxattrat_recv

getxattrat_send

is_offline

lchown

linkat

linux_setlease

lock

lseek

lstat

mkdirat

mknodat

ntimes

offload_read_recv

offload_read_send

offload_write_recv

offload_write_send

open

openat

parent_pathname

pread

pread_recv

pread_send

pwrite

pwrite_recv

pwrite_send

read

read_dfs_pathat

readdir

readlinkat

realpath

recvfile

removexattr

renameat

rewinddir

sendfile

set_compression

set_offline

set_quota

snap_check_path

snap_create

snap_delete

stat

statvfs

strict_lock_check

symlinkat

sys_acl_blob_get_fd

sys_acl_delete_def_fd

sys_acl_get_fd

sys_acl_set_fd

translate_name

unlinkat

write

In addition to these operations, vfs_full_audit recognizes the special operation names “all” and “none “, which refer to all the VFS operations and none of the VFS operations respectively.

If an unknown operation name is used (for example an operation name is miss-spelled), the module will fail to load and clients will be refused connections to a share using this module.

vfs_full_audit records operations in fixed format consisting of fields separated by | characters. The format is:

  smbd_audit: PREFIX|OPERATION|RESULT|FILE

The record fields are:

·

PREFIX - the result of the full_audit:prefix string after variable substitutions

·

OPERATION - the name of the VFS operation

·

RESULT - whether the operation succeeded or failed

·

FILE - the name of the file or directory the operation was performed on

This module is stackable.

OPTIONS

full_audit:prefix = STRING

Prepend audit messages with STRING. STRING is processed for standard substitution variables listed in smb.conf(5). The default prefix is “%u|%I”.

full_audit:success = LIST

LIST is a list of VFS operations that should be recorded if they succeed. Operations are specified using the names listed above. Operations can be unset by prefixing the names with “!”. The default is none operations.

full_audit:failure = LIST

LIST is a list of VFS operations that should be recorded if they failed. Operations are specified using the names listed above. Operations can be unset by prefixing the names with “!”. The default is none operations.

full_audit:facility = FACILITY

Log messages to the named syslog(3) facility.

full_audit:priority = PRIORITY

Log messages with the named syslog(3) priority.

full_audit:syslog = true/false

Log messages to syslog (default) or as a debug level 1 message.

full_audit:log_secdesc = true/false

Log an sddl form of the security descriptor coming in when a client sets an acl. Defaults to false.

EXAMPLES

Log file and directory open operations on the [records] share using the LOCAL7 facility and ALERT priority, including the username and IP address. Logging excludes the open VFS function on failures:

    [records]
	path = /data/records
	vfs objects = full_audit
	full_audit:prefix = %u|%I
	full_audit:success = open opendir
	full_audit:failure = all !open
	full_audit:facility = LOCAL7
	full_audit:priority = ALERT

VERSION

This man page is part of version 4.20.1-Debian of the Samba suite.

AUTHOR

The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░

  █║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌

              ██╗ ██╗ ██████╗  ██████╗ ██╗  ██╗███████╗██████╗
             ████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
             ╚██╔═██╔╝██║  ██║██║   ██║ ╚███╔╝ █████╗  ██║  ██║
             ████████╗██║  ██║██║   ██║ ██╔██╗ ██╔══╝  ██║  ██║
             ╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
              ╚═╝ ╚═╝ ╚═════╝  ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═════╝

               █║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░