[Linux-aus] Samba auditing
Russell Coker
russell at coker.com.au
Mon Jan 20 17:25:44 AEDT 2025
vfs objects = full_audit
full_audit:prefix = %u|%I|%S
full_audit:success = renameat rename unlinkat create_dfs_pathat create_file unlink write pwrite
full_audit:failure = renameat rename unlinkat create_dfs_pathat create_file unlink write pwrite
full_audit:facility = local5
full_audit:priority = notice
I've set up Samba auditing with the above as the main config with the below as
the documentation I used.
https://access.redhat.com/solutions/7011345
https://tinyurl.com/27eeo32s
I'm getting hundreds of thousands of audit entries like the following:
2025-01-16T14:45:27.232887+11:00 $SERVER smbd_audit: $USER|$IP|$SHARENAME|create_file|ok|0x100081|file|open|$DIRNAME
It gives this about create_file on directories. Why does it do that?
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
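
One way to triage the volume described above, as an added example that is not part of the original post or of Samba: it parses create_file records written with the %u|%I|%S prefix and keeps only opens that request write or delete access. The field layout is inferred from the sample line in the post, the bit names are the standard Windows file access rights, and the log lines, user, address and paths are constructed.

```python
import re

# Standard Windows access-right bits that imply modification of the object.
WRITE_BITS = {
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000010: "FILE_WRITE_EA",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x10000000: "GENERIC_ALL",
    0x40000000: "GENERIC_WRITE",
}
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) smbd_audit: (?P<body>.*)$")

def parse_create_file(line):
    """Parse user|ip|share|create_file|result|mask|kind|disposition|path (assumed layout)."""
    m = LINE.match(line.strip())
    if not m:
        return None
    parts = m.group("body").split("|", 8)   # the path may itself contain '|'
    if len(parts) != 9 or parts[3] != "create_file":
        return None
    user, ip, share, _op, result, mask, kind, disp, path = parts
    try:
        mask = int(mask, 16)
    except ValueError:
        return None
    wanted = [name for bit, name in WRITE_BITS.items() if mask & bit]
    # Assumption: any disposition other than the "open" in the sample may create or truncate.
    return {"ts": m.group("ts"), "user": user, "ip": ip, "share": share,
            "result": result, "mask": mask, "kind": kind, "path": path,
            "write_rights": wanted, "modifying": bool(wanted) or disp != "open"}

def modifying_opens(lines):
    """Keep only create_file records that ask for write or delete access."""
    return [r for r in map(parse_create_file, lines) if r and r["modifying"]]

# Constructed sample lines; 0x100081 = SYNCHRONIZE | FILE_READ_ATTRIBUTES | FILE_READ_DATA.
SAMPLE = [
    "2025-01-16T14:45:27.232887+11:00 srv smbd_audit: alice|192.0.2.10|data|create_file|ok|0x100081|file|open|projects",
    "2025-01-16T14:45:29.101220+11:00 srv smbd_audit: alice|192.0.2.10|data|create_file|ok|0x120116|file|open|projects/report.odt",
    "2025-01-16T14:45:30.500000+11:00 srv smbd_audit: alice|192.0.2.10|data|unlinkat|ok|projects/old.txt",
]

if __name__ == "__main__":
    for r in modifying_opens(SAMPLE):
        print(r["ts"], r["user"], r["path"], ",".join(r["write_rights"]))
```

The read-only open with mask 0x100081 is dropped and only the record requesting write rights is kept.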