Samba auditing issue

2648698

Hello all,

We would like to audit samba file access on our Solaris 10 using vfs module full_audit ( http://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html)

smbd -D : Version 3.6.8

ls /usr/lib/samba/vfs :

[...]

full_audit.so

[...]

Conf is pretty simple :

In smb.conf, add these lines to [global] :

[global]

# Audit settings

full_audit:prefix = %u|%I|%S

full_audit:failure = connect

full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod

fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath

full_audit:facility = local5

full_audit:priority = notice

Then, add vfs objects = full_audit to each share

[public]

comment = Public Stuff

path = /home/samba/public

public = yes

vfs object = full_audit

In syslog.conf, add local5.notice     /var/adm/log.audit

Then restart samba with

svcadm disable samba wins

svcadm enable samba wins

Then restart syslog with

svcadm restart svc:/system/system-log:default

or

svcadm refresh svc:/system/system-log

But log.audit file is not created. I created it but after have reloaded samba and syslog (and even rebooted)  he is still empty...

I tried to use full_audit module in Ubuntu (which use rsyslog) and it works well ...

Any suggestions ?

Thx for your help :-)

2648698

No answer ? Does anybody have succeed to use full_audit module in Solaris 10 ?