Samba - Audit
by rollopack from LinuxQuestions.org on (#5NH6K)
Hi, in recent versions samba has changed the list of operations that can be monitored with fs_full_audit.
I adapted the smb.com file from:
full_audit: success = mkdir rmdir pwrite rename unlink
to:
full_audit: success = mkdirat unlinkat renameat setxattr
From the updated list of operations I did not find which one to use to monitor the creation of new files, I fell back on setxattr which is also called when creating the file, but it is also used for other operations.
Do you know a better solution?
I adapted the smb.com file from:
full_audit: success = mkdir rmdir pwrite rename unlink
to:
full_audit: success = mkdirat unlinkat renameat setxattr
From the updated list of operations I did not find which one to use to monitor the creation of new files, I fell back on setxattr which is also called when creating the file, but it is also used for other operations.
Do you know a better solution?