I’m setting up full auditing under TrueNAS-12.0-U6.1 on a SMB share and finding that I’m not able to enable multiple VFS modules without the share becoming inaccessible.
Currently what is working under share aux parameters,
vfs objects = zfsacl full_audit
full_audit:prefix = %u | %I | %m | %S
full_audit:failure = connect
full_audit:success = connect
full_audit:facility = LOCAL7
full_audit:priority = NOTICE
and this works,
vfs objects = zfsacl full_audit
full_audit:prefix = %u | %I | %m | %S
full_audit:failure = connect
full_audit:success = all
full_audit:facility = LOCAL7
full_audit:priority = NOTICE
However, auditsuccess = all is to much logging and only want the following for success below. Essentially looking to monitor Create files /write data Create folders /append data.
full_audit:success = create_file write renameat mkdirat unlinkat
This however doesn’t work and will cause the SMB share to become unavailable after restarting SMB service. I’m referencing Samba full audit settings from here so the above should be valid to use.
vfs_full_audit (samba.org)
Currently what is working under share aux parameters,
vfs objects = zfsacl full_audit
full_audit:prefix = %u | %I | %m | %S
full_audit:failure = connect
full_audit:success = connect
full_audit:facility = LOCAL7
full_audit:priority = NOTICE
and this works,
vfs objects = zfsacl full_audit
full_audit:prefix = %u | %I | %m | %S
full_audit:failure = connect
full_audit:success = all
full_audit:facility = LOCAL7
full_audit:priority = NOTICE
However, auditsuccess = all is to much logging and only want the following for success below. Essentially looking to monitor Create files /write data Create folders /append data.
full_audit:success = create_file write renameat mkdirat unlinkat
This however doesn’t work and will cause the SMB share to become unavailable after restarting SMB service. I’m referencing Samba full audit settings from here so the above should be valid to use.
vfs_full_audit (samba.org)