auditing automounted filesystems (NFS)

Frank Thommen f.thommen at dkfz-heidelberg.de
Sun Apr 8 18:33:02 UTC 2018


On 08/04/18 03:08, Richard Guy Briggs wrote:
> On 2018-04-07 18:38, Frank Thommen wrote:
>> On 07/04/18 13:56, Richard Guy Briggs wrote:
>>> On 2018-04-07 04:04, Frank Thommen wrote:
>>>> Hello,
>>>>
>>>> we have started auditing on our systems (file open, close, write etc.). This
>>>> is no problem on local and on statically mounted NFS systems (-a exit,always
>>>> -F dir=/a/b/c ...).  However for automounted filesystems auditd only reports
>>>> on system calls on those filesystems which are mounted when auditd starts.
>>>>
>>>> Is there a way to make auditd aware of newly mounted NFS filesystems, so
>>>> that we can audit them, too?
>>>
>>> Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
>>> commands?  I'm not certain they do exactly what you want, but may help.
>>
>> Thanks a lot.  I don't understand what "trim" means in this context. Reading
>> the explanation in the manpage ("Trim the subtrees after a mount command")
>> I'd expect this to happen after an UNmount, not a mount...?
>>
>> However -q looks promising.  I'll give it a try.
>>
>>> Warning that remote filesystems can't be expected to audit changes made
>>> to that filesystem by other systems that have mounted that remote
>>> filesystem unless those rules are running on that remote system.
>>
>> All rules are running on the NFS clients, not the NFS servers.
> 
> Are *all* the clients running the rules? Since it is the host executing
> the action that is the only one that can audit the action.

yes, all clients are running the rules

frank
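An added shell example (not from the thread or from the audit project): because the thread reports that "-F dir=" rules only cover filesystems that were mounted when the rules were loaded, this script re-derives the thread's "-a exit,always -F dir=..." rule for every NFS mount that has no rule yet, so it can be run after autofs brings a new mount up. It assumes a /proc/mounts-style mount table on stdin, the current rules in "auditctl -l" format in a file, and a constructed audit key name "nfs_auto"; it prints the commands rather than running them.

```shell
#!/bin/sh
# Added example, not code from the thread. Re-derive the thread's
# "-a exit,always -F dir=..." rule for NFS mounts that appeared after the
# rules were loaded (e.g. via autofs) and are not yet covered.
# Assumptions: mount table in /proc/mounts format on stdin, existing rules
# in "auditctl -l" format in a file, audit key "nfs_auto" (all constructed).

# Directories already covered by a "-F dir=" rule, one per line.
watched_dirs() {
    sed -n 's/.*-F dir=\([^ ]*\).*/\1/p' "$1"
}

# Print one auditctl command per NFS/NFS4 mount on stdin that has no rule yet.
# $1 = file with current rules ("auditctl -l" output), $2 = audit key.
missing_nfs_rules() {
    rules="$1"; key="${2:-nfs_auto}"
    while read -r _dev mnt fstype _rest; do
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        # /proc/mounts escapes spaces as \040; restore them before comparing.
        mnt=$(printf '%b' "$mnt")
        if watched_dirs "$rules" | grep -qxF -- "$mnt"; then
            continue   # already audited, nothing to add
        fi
        printf "auditctl -a exit,always -F dir='%s' -k %s\n" "$mnt" "$key"
    done
}

# Constructed sample data standing in for /proc/mounts and "auditctl -l".
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
nfssrv:/export/home /home/alice nfs4 rw,vers=4.1 0 0
nfssrv:/export/proj /proj/lab\040one nfs rw 0 0
nfssrv:/export/data /data nfs rw 0 0'
SAMPLE_RULES='-a always,exit -F dir=/data -k nfs_auto
-a always,exit -F dir=/var/log -k logs'

# Real usage (from cron or an autofs wrapper, assumed):
#   auditctl -l > rules.txt; missing_nfs_rules rules.txt nfs_auto < /proc/mounts | sh
demo() {
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    printf '%s\n' "$SAMPLE_MOUNTS" | missing_nfs_rules "$tmp" nfs_auto
    rm -f "$tmp"
}
```

With the sample data, demo prints rules for /home/alice and "/proj/lab one" only; /data is skipped because a rule for it already exists.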
