I have installed audit 2.8.5 on a CentOS 7 system and set up the following rule in
/etc/audit/rules.d/audit.rules:
-w /data
/data is shared via Samba to a Windows Server 2016 system. If I write to
/data on the CentOS 7 system, I get the open syscall event in the auditd
log. If I write to the same directory from the Windows Server 2016 system, I see the
file in the /data directory on the CentOS 7 system, but the event is not
logged by audit. Is that the expected behavior?
Thanks in advance.