[Linux-aus] Samba auditing
Adam Nielsen
a.nielsen at shikadi.net
Mon Jan 20 19:31:45 AEDT 2025
> I'm getting hundreds of thousands of audit entries like the following:
>
> 2025-01-16T14:45:27.232887+11:00 $SERVER smbd_audit: $USER|$IP|$SHARENAME|
> create_file|ok|0x100081|file|open|$DIRNAME
>
> It gives this about create_file on directories. Why does it do that?
It's been a while, but I think the "create file" call is a universal
one that lets you create new and open existing files. So I'm guessing
every time a user goes into a folder, the folder needs to be opened
(with create_file) in order to get a directory listing. You're seeing
one of those entries each time a user navigates to a different folder.
A quick Google shows there is a list of possible options in the
vfs_full_audit manpage, so it looks like removing create_file and
adding more specific options that suit your needs is probably the way
to go.
Cheers,
Adam.
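
Added example, not part of the original post: a small tally of smbd_audit entries per operation, to see which operations dominate the log before trimming the vfs_full_audit operation list. The sample lines are constructed, and the field layout (user|ip|share|operation|result|args, with the create_file disposition as the third argument) is assumed from the entry quoted above.

```python
import re
from collections import Counter

# Constructed sample lines (host, users, paths, masks invented) in the layout
# of the entry quoted in the thread: user|ip|share|operation|result|args...
SAMPLE_LOG = """\
2025-01-16T14:45:27.232887+11:00 fs1 smbd_audit: alice|192.0.2.10|projects|create_file|ok|0x100081|file|open|reports
2025-01-16T14:45:28.101002+11:00 fs1 smbd_audit: alice|192.0.2.10|projects|create_file|ok|0x100081|file|open|reports/2024
2025-01-16T14:45:29.300000+11:00 fs1 smbd_audit: alice|192.0.2.10|projects|create_file|ok|0x120196|file|create|reports/new.txt
2025-01-16T14:45:30.554100+11:00 fs1 smbd_audit: bob|192.0.2.11|projects|create_file|ok|0x100081|file|open|drafts
2025-01-16T14:45:31.000417+11:00 fs1 smbd_audit: bob|192.0.2.11|projects|unlinkat|ok|drafts/old.txt
2025-01-16T14:45:32.000000+11:00 fs1 sshd[811]: unrelated line
2025-01-16T14:45:33.700000+11:00 fs1 smbd_audit: alice|192.0.2.10|projects|create_file|fail (Permission denied)|0x100081|file|open|private
"""

AUDIT_RE = re.compile(r"smbd_audit: (.*)$")

def parse_line(line):
    """Return a dict for an smbd_audit line, or None for anything else."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = m.group(1).split("|")
    if len(fields) < 5:
        return None
    user, ip, share, op, result = fields[:5]
    return {"user": user, "ip": ip, "share": share, "op": op,
            "ok": result == "ok", "args": fields[5:]}

def tally(lines):
    """Count entries per operation; create_file is split by its disposition
    (assumed to be the third argument, as in the quoted entry)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = rec["op"]
        if key == "create_file" and len(rec["args"]) >= 3:
            key += "/" + rec["args"][2]
        counts[key] += 1
    return counts

def noisy(counts, share=0.5):
    """Keys that account for at least `share` of all audit entries."""
    total = sum(counts.values())
    return [k for k, n in counts.most_common() if total and n / total >= share]

if __name__ == "__main__":
    counts = tally(SAMPLE_LOG.splitlines())
    for key, n in counts.most_common():
        print(f"{n:6d}  {key}")
    print("dominant:", noisy(counts))
```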