Identifying writes to NFS
Matthew Booth
mbooth at redhat.com
Thu May 31 09:34:44 UTC 2007
On Wed, 2007-05-30 at 13:56 -0400, Alexander Viro wrote:
> On Wed, May 30, 2007 at 05:35:28PM +0100, Matthew Booth wrote:
> > I'd like to be able to reliably recognise a PATH record which refers to
> > an NFS mount. It seems that dev=00:xx would be related to the answer.
> > However, each mount seems to have its own value of xx, and other mounts
> > not backed by a block device, eg /proc and /dev, also have dev=00:xx.
> >
> > The answer can't be related to a single system, as the solution has to
> > be rolled out across a large estate with a variety of nfs mounts on
> > particular servers.
> >
> > Any ideas? Thanks,
>
> man statfs, look at f_type field there.
Looking at this again, this field doesn't appear to be in the audit
data. Am I missing it? It's not possible to invoke statfs to determine
this information as the system receiving the data is remote.
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20070531/284a6601/attachment.sig>
More information about the Linux-audit
mailing list