Audit watches on NFS mounts

Steve Grubb sgrubb at redhat.com
Thu Oct 20 15:37:33 UTC 2016


On Thursday, October 20, 2016 2:42:07 PM EDT Vaughn, Chad M wrote:
> I noticed a weird behavior. I NFS mount /usr/local on my Red Hat machines.
> 
> If I put a watch for a directory in that NFS mount:
> 
> -w /usr/local/mywatchdir/ -p rwxa -F exit!=-ENODATA -F success!=1 -k watch
> 
> On Red Hat 6.4, I don't see audit events when trying to remove or change
> files in that dir. On Red Hat 6.8, I do see the audit events when trying to
> remove or change files in that dir.
> 
> Any ideas of possible features added to auditd between those releases?  I
> would like to be able to speak to it for security audits.

Auditd is just the collector. The events are generated by the kernel. So, it 
would be a kernel change that may have allowed that. I don't know what was 
changed or which version did it. I do know that in the past it was not 
possible to audit NFS or FUSE based file systems.

-Steve
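
Since event generation for these watches depends on the kernel, one practical check before a security audit is to list which watch rules sit on NFS or FUSE mounts and verify those on each kernel in use. The following is an added example, not part of the original message or of the audit project's code; the mount table, host names and the `/mnt/sshfs` rule are constructed sample input, and the function names are hypothetical.

```python
import os
import shlex

# Constructed sample inputs: /proc/mounts-style text and audit.rules-style text.
SAMPLE_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime 0 0
filer.example.com:/export/local /usr/local nfs rw,vers=3 0 0
backup@host.example.com:/ /mnt/sshfs fuse.sshfs rw,nosuid,nodev 0 0
"""
SAMPLE_RULES = """\
-w /etc/passwd -p wa -k identity
-w /usr/local/mywatchdir/ -p rwxa -F exit!=-ENODATA -F success!=1 -k watch
-a always,exit -F dir=/mnt/sshfs -F perm=wa -k remote
"""

def parse_mounts(text):
    """Return [(mountpoint, fstype)] from /proc/mounts-style lines."""
    rows = (line.split() for line in text.splitlines())
    return [(os.path.normpath(f[1]), f[2]) for f in rows if len(f) >= 3]

def watched_paths(rules_text):
    """Yield (line_no, path) for -w watches and -F path=/dir= fields."""
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        args = shlex.split(line)
        for flag, value in zip(args, args[1:]):
            if flag == "-w":
                yield line_no, value
            elif flag == "-F" and value.startswith(("path=", "dir=")):
                yield line_no, value.split("=", 1)[1]

def fstype_for(path, mounts):
    """File system type of the longest mountpoint containing path."""
    path, best = os.path.normpath(path), ("", None)
    for mp, fstype in mounts:
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and len(mp) >= len(best[0]):  # later stacked mount wins
            best = (mp, fstype)
    return best[1]

def flag_remote_watches(rules_text, mounts_text):
    """Return [(line_no, path, fstype)] for watches on NFS or FUSE mounts."""
    mounts = parse_mounts(mounts_text)
    typed = ((n, p, fstype_for(p, mounts)) for n, p in watched_paths(rules_text))
    return [t for t in typed if t[2] and t[2].startswith(("nfs", "fuse"))]

if __name__ == "__main__":
    for hit in flag_remote_watches(SAMPLE_RULES, SAMPLE_MOUNTS):
        print("rule line %d: %s is on %s" % hit)
```

On a live system the two inputs would be the contents of the audit rules file and of `/proc/mounts`.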



