[Samba] File deletion auditing

Dante Colo

May 28, 2014, 8:40:01 AM
Hello everyone


I'm testing the module vfs_full_audit on Samba 4.0.17 under FreeBSD 10. I couldn't figure out how to audit file deletions, only directories. Is this possible? This is my share setup.


[share1]
vfs objects = aio_pthread,zfsacl
aio read size = 32768
aio write size = 32768
full_audit:success = write mkdir rmdir pwrite rename
full_audit:failure = write mkdir rmdir pwrite rename
full_audit:facility = LOCAL0
full_audit:priority = NOTICE
path=/samba-rb/test_share
writable = yes
browsable = yes

inherit owner = yes



David Disseldorp

May 28, 2014, 8:50:02 AM
Hi Dante,

On Wed, 28 May 2014 09:30:48 -0300 (BRT), Dante Colo wrote:

> I'm testing the module vfs_full_audit on Samba 4.0.17 under FreeBSD 10. I couldn't figure out how to audit file deletions, only directories. Is this possible? This is my share setup.
>
>
> [share1]
> vfs objects = aio_pthread,zfsacl

The full audit VFS module needs to be enabled for the share, e.g.
vfs objects = full_audit aio_pthread zfsacl

Cheers, David

Dante Colo

May 28, 2014, 9:20:01 AM
Hi David.


I'm sorry, I accidentally deleted the word "full_audit" before copying and pasting into the email here. I can audit directory deletion, file write and file rename, but not file deletion.



[share1]
vfs objects = aio_pthread,zfsacl,full_audit
aio read size = 32768
aio write size = 32768
full_audit:success = write mkdir rmdir pwrite rename
full_audit:failure = write mkdir rmdir pwrite rename
full_audit:facility = LOCAL0
full_audit:priority = NOTICE
path=/samba-rb/test_share
writable = yes
browsable = yes
inherit owner = yes

David Disseldorp

May 28, 2014, 9:40:03 AM
On Wed, 28 May 2014 10:06:43 -0300 (BRT), Dante Colo wrote:

> Hi David.
>
>
> I'm sorry, I accidentally deleted the word "full_audit" before copying and pasting into the email here. I can audit directory deletion, file write and file rename, but not file deletion.

File deletion is handled by the "unlink" audit path. E.g.:
full_audit:success = write mkdir rmdir pwrite rename unlink
full_audit:failure = write mkdir rmdir pwrite rename unlink

One note, be careful when combining the full audit module with others,
as opaque modules will not pass through the event for auditing.
full_audit should therefore be listed first in the VFS module list.
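
Added example, not part of the original thread: a small Python check of smb.conf share sections for the three points raised in the replies (full_audit loaded, listed first, "unlink" present in the success and failure lists). The function names and the sample text are constructed for illustration; it assumes each share is judged by its own section only, and that a missing full_audit:success or full_audit:failure line means the module default of logging all operations.

```python
import configparser

# Constructed sample: share1 as posted in the thread, share2 following the replies.
SAMPLE_CONF = """
[share1]
vfs objects = aio_pthread,zfsacl,full_audit
full_audit:success = write mkdir rmdir pwrite rename
full_audit:failure = write mkdir rmdir pwrite rename
path=/samba-rb/test_share

[share2]
vfs objects = full_audit aio_pthread zfsacl
full_audit:success = write mkdir rmdir pwrite rename unlink
full_audit:failure = write mkdir rmdir pwrite rename unlink
path=/samba-rb/test_share2
"""

def split_list(value):
    # smb.conf lists may be separated by commas and/or whitespace.
    return value.replace(",", " ").split()

def audit_findings(conf_text, required_ops=("unlink",)):
    """Return {share: [finding, ...]} for shares whose audit setup is incomplete."""
    # "=" is the only delimiter so that keys like "full_audit:success" stay whole;
    # interpolation is off because smb.conf values may contain % macros.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(conf_text)
    report = {}
    for share in cp.sections():
        if share.lower() == "global":
            continue  # assumption: only per-share sections are checked
        opts, findings = cp[share], []
        modules = split_list(opts.get("vfs objects", ""))
        if "full_audit" not in modules:
            findings.append("full_audit not in vfs objects")
        elif modules[0] != "full_audit":
            findings.append("full_audit is not first in vfs objects")
        for key in ("full_audit:success", "full_audit:failure"):
            ops = split_list(opts.get(key, ""))
            if key not in opts or "all" in ops:
                continue  # assumed default: all operations are logged
            findings += [f"{key} lacks {op}" for op in required_ops if op not in ops]
        if findings:
            report[share] = findings
    return report

if __name__ == "__main__":
    for share, findings in audit_findings(SAMPLE_CONF).items():
        print(share, findings)
```
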