-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
samba 4.7.1 on centos 7
vfs_audit log used to show the full path name. I am not sure when that
changed, but now open only logs the last component (like basename).
Rename still logs both old and new full pathnames. Is there some config
entry that needs to be set to get the full pathnames logged?
[global]
full_audit:priority = notice
full_audit:facility = local1
full_audit:success = open rename
full_audit:failure = connect
full_audit:prefix = %u|%I|%S
[sname]
path = /home/usr
vfs objects = full_audit
Actual results:
ryan|$IP|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx
ryan|$IP|sname|open|ok|r|c.xlsx
Expected results:
ryan|$IP|sname|rename|ok|a/b/c.tmp|a/b/c.xlsx
ryan|$IP|sname|open|ok|r|a/b/c.xlsx
Looking at vfs_full_audit.c, smb_full_audit_open() and
smb_full_audit_rename() are very similar, using smb_fname_str_do_log()
to format the file name string for logging. Apparently the difference is
at a higher level. Can we assume that the filename should be prefixed
with the current directory, or might the current directory have been
changed by the time the audit log is called?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEAREKAAYFAltY+ycACgkQL6j7milTFsES7QCfXNYxMfF7Pszr67RlgWiSGOZL
k7EAn3Fr3BhLjilp5k0GsRb9KCRbQWqZ
=4uyy
-----END PGP SIGNATURE-----
