Samba auditing issue

Hello all,
We would like to audit Samba file access on our Solaris 10 using the vfs module full_audit (http://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html)
smbd -D : Version 3.6.8
ls /usr/lib/samba/vfs :
[...]
full_audit.so
[...]
Conf is pretty simple:
In smb.conf, add these lines to [global]:
[global]
# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice
Then, add vfs objects = full_audit to each share
[public]
comment = Public Stuff
path = /home/samba/public
public = yes
vfs object = full_audit
In syslog.conf, add local5.notice /var/adm/log.audit
Then restart samba with
svcadm disable samba wins
svcadm enable samba wins
Then restart syslog with
svcadm restart svc:/system/system-log:default
or
svcadm refresh svc:/system/system-log
But the log.audit file is not created. I created it, but after reloading Samba and syslog (and even rebooting) it is still empty...
I tried to use the full_audit module in Ubuntu (which uses rsyslog) and it works well...
Any suggestions?
Thx for your help :-)
Answers
- No answer? Has anybody succeeded in using the full_audit module on Solaris 10?
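A check for the syslog.conf step described in the question, as an added example that is not part of the original thread. It assumes the Solaris syslog.conf(4) rules that selector and action are separated by TAB characters and that syslogd does not create a missing log file; the helper name `check_audit_route` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes syslog.conf(4) on Solaris:
# selector and action must be separated by TABs, and syslogd does not
# create a log file that is missing.

# check_audit_route CONF SELECTOR   (hypothetical helper name)
# Prints ok | missing-entry | not-tab-separated | no-logfile.
# Returns 0 only for ok.
check_audit_route() {
    conf=$1; selector=$2
    tab=$(printf '\t')
    # First non-comment line that starts with the selector.
    line=$(awk -v s="$selector" \
        '!/^[ \t]*#/ && index($0, s) == 1 { print; exit }' "$conf")
    if [ -z "$line" ]; then echo missing-entry; return 1; fi
    # Whatever follows the selector must begin with a TAB.
    rest=${line#"$selector"}
    case $rest in
        "$tab"*) ;;
        *) echo not-tab-separated; return 2 ;;
    esac
    # Action field: the text after the leading TABs.
    target=$(printf '%s\n' "$rest" | sed "s/^${tab}*//")
    if [ ! -f "$target" ]; then echo no-logfile; return 3; fi
    echo ok
}

# Constructed sample input: the entry as typed with a space, then with a TAB.
demo=$(mktemp)
printf 'local5.notice /var/adm/log.audit\n' > "$demo"
printf 'space-separated entry: %s\n' "$(check_audit_route "$demo" local5.notice)"
printf 'local5.notice\t/var/adm/log.audit\n' > "$demo"
printf 'tab-separated entry:   %s\n' "$(check_audit_route "$demo" local5.notice)"
rm -f "$demo"
```

Run it against the real /etc/syslog.conf with the selector used for `full_audit:facility` and `full_audit:priority`; anything other than `ok` means syslogd has no usable destination for the audit records.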