auditing automounted filesystems (NFS)

Richard Guy Briggs rgb at redhat.com
Sat Apr 7 11:56:05 UTC 2018


On 2018-04-07 04:04, Frank Thommen wrote:
> Hello,
> 
> we have started auditing on our systems (file open, close, write etc.). This
> is no problem on local and on statically mounted NFS systems (-a exit,always
> -F dir=/a/b/c ...).  However for automounted filesystems auditd only reports
> on system calls on those filesystems which are mounted when auditd starts.
> 
> Is there a way to make auditd aware of newly mounted NFS filesystems, so
> that we can audit them, too?

Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
commands?  I'm not certain they do exactly what you want, but may help.

Warning that remote filesystems can't be expected to audit changes made
to that filesystem by other systems that have mounted that remote
filesystem unless those rules are running on that remote system.

> frank

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
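
An added example, not part of the thread or of the audit project's code: it takes the question's report that rules only see filesystems mounted when auditd starts and lists the NFS mounts under a watched directory that appeared after a saved baseline of /proc/mounts. The baseline file, the function names and the sample mount lines are assumptions constructed for illustration; what to do about a reported mount (the auditctl options suggested in the reply, or a rule reload) is left to the operator.

```shell
#!/bin/sh
# Added example: list NFS mounts under a watched directory that appeared
# after a baseline snapshot of /proc/mounts (taken when rules were loaded).

# nfs_mounts_under DIR: read /proc/mounts-format lines on stdin and print
# the nfs/nfs4 mount points at or below DIR, sorted and de-duplicated.
nfs_mounts_under() {
    awk -v dir="${1%/}" '
        $3 == "nfs" || $3 == "nfs4" {
            # Match DIR itself or a path below it, so /data does not match /database
            if ($2 == dir || index($2, dir "/") == 1) print $2
        }' | sort -u
}

# new_nfs_mounts DIR BASELINE_FILE CURRENT_FILE: mount points only in CURRENT_FILE.
new_nfs_mounts() {
    b=$(mktemp) c=$(mktemp)
    nfs_mounts_under "$1" < "$2" > "$b"
    nfs_mounts_under "$1" < "$3" > "$c"
    comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# Constructed sample: mounts at the time the audit rules were loaded.
sample_baseline() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
auto.data /data autofs rw,relatime,fd=6,indirect 0 0
filer1:/export/projA /data/projA nfs4 rw,relatime,vers=4.1 0 0
EOF
}

# Constructed sample: mounts now, after the automounter attached more exports.
sample_current() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
auto.data /data autofs rw,relatime,fd=6,indirect 0 0
filer1:/export/projA /data/projA nfs4 rw,relatime,vers=4.1 0 0
filer1:/export/projB /data/projB nfs4 rw,relatime,vers=4.1 0 0
filer2:/export/home /database/home nfs rw,relatime,vers=3 0 0
EOF
}

# Demo on the constructed samples; on a real host CURRENT_FILE is /proc/mounts.
tmp=$(mktemp -d)
sample_baseline > "$tmp/base"
sample_current > "$tmp/now"
new_nfs_mounts /data "$tmp/base" "$tmp/now"   # prints /data/projB
rm -rf "$tmp"
```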



