auditing automounted filesystems (NFS)

Richard Guy Briggs rgb at redhat.com
Sun Apr 8 01:08:56 UTC 2018


On 2018-04-07 18:38, Frank Thommen wrote:
> On 07/04/18 13:56, Richard Guy Briggs wrote:
> > On 2018-04-07 04:04, Frank Thommen wrote:
> > > Hello,
> > > 
> > > we have started auditing on our systems (file open, close, write etc.). This
> > > is no problem on local and on statically mounted NFS systems (-a exit,always
> > > -F dir=/a/b/c ...).  However for automounted filesystems auditd only reports
> > > on system calls on those filesystems which are mounted when auditd starts.
> > > 
> > > Is there a way to make auditd aware of newly mounted NFS filesystems, so
> > > that we can audit them, too?
> > 
> > Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
> > commands?  I'm not certain they do exactly what you want, but may help.
> 
> Thanks a lot.  I don't understand what "trim" means in this context. Reading
> the explanation in the manpage ("Trim the subtrees after a mount command")
> I'd expect this to happen after an UNmount, not a mount...?
> 
> However -q looks promising.  I'll give it a try.
> 
> > Warning that remote filesystems can't be expected to audit changes made
> > to that filesystem by other systems that have mounted that remote
> > filesystem unless those rules are running on that remote system.
> 
> All rules are running on the NFS clients, not the NFS servers.

Are *all* the clients running the rules? Since it is the host executing
the action that is the only one that can audit the action.

> frank
> 
> > > frank
> > 
> > - RGB

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
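One way to handle the situation Frank describes on the NFS client side, as an added example that is not from the thread or from the audit project: a small poller that watches /proc/self/mountinfo for NFS filesystems appearing under the automount root after the rules were loaded, and loads a dir= rule (the same shape as the rule in the thread) for each new mount point. The automount root /a/b, the syscall list, the key name and the polling interval are assumptions; auditctl is only called in --run mode, which needs root.

```shell
#!/bin/sh
# Added example, not the thread's or the audit project's code.
AUTOFS_ROOT="${AUTOFS_ROOT:-/a/b}"     # assumed automount parent directory
AUDIT_KEY="${AUDIT_KEY:-nfs-autofs}"   # assumed key, for ausearch -k
INTERVAL="${INTERVAL:-5}"              # assumed polling interval in seconds

# Print the mount points of NFS mounts below the given root, reading
# mountinfo text from stdin. Field 5 is the mount point; the filesystem
# type is the first field after the " - " separator (optional fields
# before it vary in number, so search for the separator per line).
nfs_mounts_under() {
    awk -v root="$1" '{
        fstype = ""
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
        if ((fstype == "nfs" || fstype == "nfs4") && index($5, root "/") == 1)
            print $5
    }'
}

# Build the auditctl arguments for one mount point: same rule shape as in
# the thread, with a key so the resulting events can be searched.
rule_for() {
    printf '%s\n' "-a exit,always -F dir=$1 -S open,openat,close,write -k $AUDIT_KEY"
}

# Poll mountinfo and load a rule once per newly seen NFS mount point.
# Mounts that autofs later expires are left to auditctl -t (trim).
watch_loop() {
    seen=""
    while :; do
        for mp in $(nfs_mounts_under "$AUTOFS_ROOT" < /proc/self/mountinfo); do
            case " $seen " in *" $mp "*) continue ;; esac
            # shellcheck disable=SC2046  # word splitting is intended here
            auditctl $(rule_for "$mp") && seen="$seen $mp"
        done
        sleep "$INTERVAL"
    done
}

if [ "${1:-}" = "--run" ]; then
    watch_loop
fi
```

Run it as root with `--run` after auditd has loaded its static rules; rules added this way are not persisted across reboots, so the static rules file still has to carry the rules for mounts that exist at boot.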
