[Linux-aus] Samba auditing
Russell Coker
russell at coker.com.au
Mon Jan 20 18:02:50 AEDT 2025
On Monday, 20 January 2025 17:25:44 AEDT Russell Coker wrote:
> vfs objects = full_audit
> full_audit:prefix = %u|%I|%S
> full_audit:success = renameat rename unlinkat create_dfs_pathat create_file unlink write pwrite
> full_audit:failure = renameat rename unlinkat create_dfs_pathat create_file unlink write pwrite
> full_audit:facility = local5
> full_audit:priority = notice
The above audit lines were from one of my later attempts, where I added
"unlink" not realising that "unlinkat" covers it and "unlink" is invalid.
Below is what I'm using now:
full_audit:success = renameat unlinkat create_dfs_pathat create_file write pwrite mkdirat linkat
full_audit:failure = renameat unlinkat create_dfs_pathat create_file write pwrite mkdirat linkat
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
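
Added example, not part of the original post: a small parser for the syslog lines that the configuration above produces, summarising successful deletes/renames per user, client and share, and collecting failed operations. It assumes the "smbd_audit: PREFIX|OPERATION|RESULT|FILE" layout from the vfs_full_audit manual page with the "%u|%I|%S" prefix; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original post). Layout assumed
# from the vfs_full_audit manual page: "smbd_audit: PREFIX|OPERATION|RESULT|FILE",
# where PREFIX is "%u|%I|%S" expanded to user, client IP and share name.
SAMPLE_LOG = """\
Jan 20 18:00:01 fs1 smbd_audit: alice|192.0.2.10|docs|mkdirat|ok|reports
Jan 20 18:00:02 fs1 smbd_audit: alice|192.0.2.10|docs|pwrite|ok|reports/q4.odt
Jan 20 18:00:05 fs1 smbd_audit: bob|192.0.2.23|docs|unlinkat|fail (Permission denied)|reports/q4.odt
Jan 20 18:00:07 fs1 smbd_audit: bob|192.0.2.23|scratch|renameat|ok|a.txt|b|c.txt
Jan 20 18:00:09 fs1 smbd_audit: bob|192.0.2.23|scratch|unlinkat|ok|b|c.txt
Jan 20 18:00:10 fs1 smbd[1234]: unrelated daemon message
"""

AUDIT_RE = re.compile(r"smbd_audit(?:\[\d+\])?: (.*)$")
FIELDS = ("user", "client_ip", "share", "op", "result", "args")
DESTRUCTIVE = {"unlinkat", "renameat"}  # assumption: ops this report counts


def parse_line(line):
    """Return a dict for one full_audit line, or None for anything else."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    # Split only the fixed leading fields. A file name may itself contain
    # "|", so whatever follows RESULT is kept as one raw string in "args"
    # (for renameat it holds "old|new" and cannot be split reliably).
    parts = m.group(1).split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ok"] = rec["result"] == "ok"  # failures read "fail (reason)"
    return rec


def summarise(lines):
    """Count successful destructive ops per (user, ip, share); list failures."""
    destructive, failures = Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        if not rec["ok"]:
            failures.append(rec)
        elif rec["op"] in DESTRUCTIVE:
            destructive[(rec["user"], rec["client_ip"], rec["share"])] += 1
    return destructive, failures


if __name__ == "__main__":
    counts, failed = summarise(SAMPLE_LOG.splitlines())
    print(counts.most_common(), [(f["user"], f["op"], f["result"]) for f in failed])
```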