auditing automounted filesystems (NFS)
Frank Thommen
f.thommen at dkfz-heidelberg.de
Sat Apr 7 16:38:07 UTC 2018
On 07/04/18 13:56, Richard Guy Briggs wrote:
> On 2018-04-07 04:04, Frank Thommen wrote:
>> Hello,
>>
>> we have started auditing on our systems (file open, close, write etc.). This
>> is no problem on local and on statically mounted NFS systems (-a exit,always
>> -F dir=/a/b/c ...). However for automounted filesystems auditd only reports
>> on system calls on those filesystems which are mounted when auditd starts.
>>
>> Is there a way to make auditd aware of newly mounted NFS filesystems, so
>> that we can audit them, too?
>
> Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
> commands? I'm not certain they do exactly what you want, but may help.
Thanks a lot. I don't understand what "trim" means in this context.
Reading the explanation in the manpage ("Trim the subtrees after a mount
command") I'd expect this to happen after an UNmount, not a mount...?
However -q looks promising. I'll give it a try.
> Warning that remote filesystems can't be expected to audit changes made
> to that filesystem by other systems that have mounted that remote
> filesystem unless those rules are running on that remote system.
All rules are running on the NFS clients, not the NFS servers.
frank
>
>> frank
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
--
Frank Thommen | HD-HuB / DKFZ Heidelberg
| f.thommen at dkfz-heidelberg.de
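As an added example that is not part of the thread, the following script applies the `-q mount-point,subtree` idea to the autofs case from the question: with a rule `-a exit,always -F dir=/a/b` on the automount parent, it reads /proc/mounts-style lines, finds the NFS mounts that appeared under /a/b after auditd started, and prints the `auditctl -q /a/b,/a/b/c` commands that extend the existing watch to them. The paths and mount lines are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed setup: an audit rule
#   -a exit,always -F dir=/a/b
# on the automount parent /a/b, with autofs mounting NFS exports below it
# after auditd has started. Paths and mount lines are placeholders.

# Read /proc/mounts-style lines on stdin and print, for every NFS mount
# located under $1, the auditctl -q command that extends the watch on $1
# to that mount. Nothing is executed here; pipe the output into sh to apply.
nfs_equiv_cmds() {
    watched=$1
    while read -r _dev mnt fstype _rest; do
        case "$fstype" in
            nfs|nfs4) ;;
            *) continue ;;
        esac
        # /proc/mounts escapes spaces in paths as \040; decode before matching.
        mnt=$(printf '%b' "$mnt")
        case "$mnt" in
            "$watched"/*) printf 'auditctl -q %s,%s\n' "$watched" "$mnt" ;;
        esac
    done
}

# Constructed sample of /proc/mounts: two NFS automounts under /a/b, one NFS
# mount elsewhere and one local filesystem under /a/b, which must be skipped.
sample_mounts() {
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
nfssrv:/export/c /a/b/c nfs4 rw,relatime,vers=4.2 0 0
nfssrv:/export/d /a/b/d nfs rw,relatime,vers=3 0 0
nfssrv:/export/other /mnt/other nfs4 rw,relatime 0 0
/dev/sdb1 /a/b/local ext4 rw,relatime 0 0
EOF
}

# Dry run against the sample; on a live NFS client use:
#   nfs_equiv_cmds /a/b < /proc/mounts | sh
sample_mounts | nfs_equiv_cmds /a/b
```

Run it again whenever autofs brings up a new export; after autofs expires a mount, `auditctl -t` drops the tags for subtrees that are no longer mounted.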