auditing automounted filesystems (NFS)

Frank Thommen f.thommen at dkfz-heidelberg.de
Mon Apr 9 17:45:44 UTC 2018


On 04/07/2018 06:38 PM, Frank Thommen wrote:
> On 07/04/18 13:56, Richard Guy Briggs wrote:
>> On 2018-04-07 04:04, Frank Thommen wrote:
>>> Hello,
>>>
>>> we have started auditing on our systems (file open, close, write
>>> etc.). This is no problem on local and on statically mounted NFS
>>> systems (-a exit,always -F dir=/a/b/c ...).  However for automounted
>>> filesystems auditd only reports on system calls on those filesystems
>>> which are mounted when auditd starts.
>>>
>>> Is there a way to make auditd aware of newly mounted NFS filesystems, so
>>> that we can audit them, too?
>>
>> Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
>> commands?  I'm not certain they do exactly what you want, but may help.
> 
> Thanks a lot.  I don't understand what "trim" means in this context. 
> Reading the explanation in the manpage ("Trim the subtrees after a mount 
> command") I'd expect this to happen after an UNmount, not a mount...?
> 
> However -q looks promising.  I'll give it a try.

Unfortunately this didn't work.  Either our config is wrong or I 
misunderstand what "-q" does:

Example: /mnt/test is automounted (/etc/auto.mnt: test -vers=3 fs:/export/test)

In /etc/audit/audit.rules we have

-------------------
[...]
-a always,exit -F dir=/mnt -F arch=b64 -S write -S open -S close -S rename -S mkdir -S chmod -S chown -S rmdir -S unlink -S unlinkat -S renameat -S fchmod -S fchown -S symlink -S symlinkat -S readlink -S link -S readlinkat -S linkat -S fchmodat -S fchownat -k fs-XXXX
-q /mnt,/mnt/test
-------------------

when I unmount /mnt/test, restart auditd and then do e.g. a `cat /mnt/test/myfile`, then I get the following entries in the audit log:

-------------------
type=SYSCALL msg=audit(1523295277.512:3124883): arch=c000003e syscall=89 success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000 a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124883): item=0 name="/mnt" inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.512:3124884): arch=c000003e syscall=89 success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000 a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124884): item=0 name="/mnt/test" inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124885): arch=c000003e syscall=89 success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000 a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124885): item=0 name="/mnt" inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124886): arch=c000003e syscall=89 success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000 a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124886): item=0 name="/mnt/test" inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
-------------------

Access to the file itself is not logged.  When I restart auditd while 
/mnt/test /is/ mounted, then a `cat /mnt/test/myfile` results in

-------------------
type=SYSCALL msg=audit(1523295467.808:3125055): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa9c424c a1=0 a2=1fffffffffff0000 a3=7ffffa9c2560 items=1 ppid=22404 pid=4794 auid=22189 uid=22189 gid=1110 euid=22189 suid=22189 fsuid=22189 egid=1110 sgid=1110 fsgid=1110 tty=pts7 ses=662075 comm="cat" exe="/usr/bin/cat" key="fs-XXXX"
type=PATH msg=audit(1523295467.808:3125055): item=0 name="/mnt/test/myfile" inode=13 dev=00:80 mode=0100764 ouid=6836 ogid=2515 rdev=00:00 nametype=NORMAL
-------------------

in the logfile.  That's the entries I'd like to see even when /mnt/test 
is unmounted when auditd is started.

Can that be done at all?

Cheers
frank
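A way to check a dir-watch's coverage from the log itself, added here as an example that is not code from the thread or from the audit project. It joins each SYSCALL record with its PATH records by serial number, decodes the syscall number for arch=c000003e (x86_64) with a small table of the calls named in the rule above, and reports only events that prove the watch reached into the mounted filesystem: a successful call by a process other than the mount helpers on a path strictly below the mountpoint. Run over the two logs quoted above it shows that, in the "unmounted at start" case, everything recorded is readlink() (syscall 89 on x86_64) by mount and mount.nfs on the mountpoint directory, so the rule reaches /mnt/test as a directory but not the filesystem mounted onto it afterwards. The sample records are constructed (abridged copies of the ones in the post), and the mountpoint and helper-process names are assumptions for the example.

```python
"""Check, from auditd log text, whether a -F dir= watch recorded file
access *inside* an (auto)mounted filesystem or only the mount helpers
touching the mountpoint.  Added example, not code from the thread; the
sample records below are constructed, abridged from those quoted above."""
import re

# x86_64 (arch=c000003e) syscall numbers for the calls named in the rule.
X86_64_SYSCALLS = {
    1: "write", 2: "open", 3: "close", 82: "rename", 83: "mkdir",
    84: "rmdir", 86: "link", 87: "unlink", 88: "symlink", 89: "readlink",
    90: "chmod", 91: "fchmod", 92: "chown", 93: "fchown", 165: "mount",
    257: "openat", 260: "fchownat", 263: "unlinkat", 264: "renameat",
    265: "linkat", 266: "symlinkat", 267: "readlinkat", 268: "fchmodat",
}

# Processes that touch the mountpoint while setting the mount up (assumed
# list).  Their records only prove the watch sees the mountpoint directory.
MOUNT_HELPERS = {"mount", "mount.nfs", "mount.nfs4", "automount"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'audit\(\d+\.\d+:(\d+)\)')


def parse_record(line):
    """One audit record -> dict of key=value fields, quotes stripped."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(rec.get("msg", ""))
    if m:
        rec["serial"] = int(m.group(1))
    return rec


def group_events(log_text):
    """Join the SYSCALL record and its PATH records (same serial) into
    one event: {'comm', 'syscall', 'success', 'paths'}, in serial order."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line.strip())
        if "serial" not in rec:
            continue                      # blank line or unrelated record
        ev = events.setdefault(rec["serial"], {"paths": []})
        if rec.get("type") == "SYSCALL":
            num = int(rec["syscall"])
            name = (X86_64_SYSCALLS.get(num, str(num))
                    if rec.get("arch") == "c000003e" else str(num))
            ev.update(comm=rec.get("comm", ""), syscall=name,
                      success=rec.get("success") == "yes")
        elif rec.get("type") == "PATH":
            ev["paths"].append(rec.get("name", ""))
    return [events[s] for s in sorted(events)]


def below(path, mountpoint):
    """True only for paths strictly inside the mounted filesystem, never
    for the mountpoint directory itself."""
    return path.startswith(mountpoint.rstrip("/") + "/")


def covered_accesses(log_text, mountpoint):
    """Events proving the watch reached into the mounted filesystem: a
    successful call by a non-mount process on a path below the mountpoint.
    An empty result after exercising the mount means it is not covered."""
    hits = []
    for ev in group_events(log_text):
        if ev.get("comm", "") in MOUNT_HELPERS or not ev.get("success"):
            continue
        if any(below(p, mountpoint) for p in ev["paths"]):
            hits.append((ev["comm"], ev["syscall"], ev["paths"]))
    return hits


# Constructed sample 1: /mnt/test was unmounted when the rules were loaded.
# Only readlink() (syscall 89 on x86_64) by the mount helpers on the
# mountpoint is recorded; the later cat of /mnt/test/myfile never appears.
UNMOUNTED_AT_RULE_LOAD = """\
type=SYSCALL msg=audit(1523295277.512:3124883): arch=c000003e syscall=89 success=no exit=-22 items=1 pid=11761 auid=4294967295 uid=0 tty=(none) comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124883): item=0 name="/mnt" inode=57521 dev=00:74 mode=040755 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124886): arch=c000003e syscall=89 success=no exit=-22 items=1 pid=11769 auid=4294967295 uid=0 tty=(none) comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124886): item=0 name="/mnt/test" inode=1049245405 dev=00:74 mode=040555 nametype=NORMAL
"""

# Constructed sample 2: /mnt/test was mounted when the rules were loaded.
MOUNTED_AT_RULE_LOAD = """\
type=SYSCALL msg=audit(1523295467.808:3125055): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=4794 auid=22189 uid=22189 tty=pts7 comm="cat" exe="/usr/bin/cat" key="fs-XXXX"
type=PATH msg=audit(1523295467.808:3125055): item=0 name="/mnt/test/myfile" inode=13 dev=00:80 mode=0100764 nametype=NORMAL
"""

if __name__ == "__main__":
    for label, log in (("unmounted at rule load", UNMOUNTED_AT_RULE_LOAD),
                       ("mounted at rule load", MOUNTED_AT_RULE_LOAD)):
        for ev in group_events(log):
            print(label, ev["comm"], ev["syscall"], ev["success"], ev["paths"])
        print(label, "-> covered:", covered_accesses(log, "/mnt/test"))
```

To use it on a live box, exercise a file under the automount (as in the `cat` above), then feed the matching lines from the audit log to covered_accesses(); an empty result means the rule never saw the mounted filesystem, which is the case to fix before relying on the key in any alert.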




More information about the Linux-audit mailing list