Hello all,
We would like to audit Samba file access on our Solaris 10 host using the VFS module full_audit (http://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html)
smbd -D : Version 3.6.8
ls /usr/lib/samba/vfs :
[...]
full_audit.so
[...]
The configuration is pretty simple:
In smb.conf, add these lines to [global]:
[global]
# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice
Then, add vfs objects = full_audit to each share
[public]
comment = Public Stuff
path = /home/samba/public
public = yes
vfs object = full_audit
In syslog.conf, add local5.notice /var/adm/log.audit
Then restart samba with
svcadm disable samba wins
svcadm enable samba wins
Then restart syslog with
svcadm restart svc:/system/system-log:default
or
svcadm refresh svc:/system/system-log
But the log.audit file is not created. I created it myself, but after reloading Samba and syslog (and even rebooting) it is still empty...
I tried to use the full_audit module on Ubuntu (which uses rsyslog) and it works well...
Any suggestions?
Thx for your help :-)
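
A check for the syslog route described above, as an added example that is not part of the original post. It assumes a POSIX shell (ksh or /usr/xpg4/bin/sh on Solaris 10) and the classic Solaris syslogd behaviour: selector and action separated by TAB characters, and a log file that already exists when syslogd rereads its configuration. The function name check_audit_route is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: classic Solaris syslogd rules apply, i.e. selector and action
# are separated by TAB characters and the target log file must already exist.

# check_audit_route CONF SELECTOR
# Return codes: 0 usable, 1 no entry, 2 separator is not a TAB, 3 log file missing.
# Only handles an entry whose line starts with SELECTOR (no ';'-combined selectors).
check_audit_route() {
    conf=$1
    selector=$2
    tab=$(printf '\t')
    line=
    # IFS= and -r keep each line's whitespace intact so TABs can be told from spaces.
    while IFS= read -r l; do
        case $l in
            "$selector"*) line=$l; break ;;
        esac
    done < "$conf"

    if [ -z "$line" ]; then
        echo "no line starting with '$selector' in $conf"
        return 1
    fi

    rest=${line#"$selector"}
    case $rest in
        "$tab"*) ;;
        *) echo "'$selector' is not followed by a TAB"; return 2 ;;
    esac

    # Drop the separating TABs; what remains is the action (here a file path).
    action=$(printf '%s' "$rest" | tr -d '\t')
    if [ ! -f "$action" ]; then
        echo "log file $action does not exist"
        return 3
    fi
    echo "route OK: $selector -> $action"
    return 0
}

# Constructed sample: the entry as quoted in the post, separated by a single space.
sample=$(mktemp)
printf 'local5.notice /var/adm/log.audit\n' > "$sample"
check_audit_route "$sample" local5.notice || echo "check failed with code $?"
rm -f "$sample"
```

Once the check passes and syslogd has been refreshed, `logger -p local5.notice test` exercises the same route independently of Samba.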