auditing automounted filesystems (NFS)

Frank Thommen f.thommen at dkfz-heidelberg.de
Thu Apr 19 13:21:19 UTC 2018


Hi,

On 04/09/2018 07:45 PM, Frank Thommen wrote:
> On 04/07/2018 06:38 PM, Frank Thommen wrote:
>> On 07/04/18 13:56, Richard Guy Briggs wrote:
>>> On 2018-04-07 04:04, Frank Thommen wrote:
>>>> Hello,
>>>>
>>>> we have started auditing on our systems (file open, close, write 
>>>> etc.). This
>>>> is no problem on local and on statically mounted NFS systems (-a 
>>>> exit,always
>>>> -F dir=/a/b/c ...).  However for automounted filesystems auditd only 
>>>> reports
>>>> on system calls on those filesystems which are mounted when auditd 
>>>> starts.
>>>>
>>>> Is there a way to make auditd aware of newly mounted NFS 
>>>> filesystems, so
>>>> that we can audit them, too?
>>>
>>> Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
>>> commands?  I'm not certain they do exactly what you want, but may help.
>>
>> Thanks a lot.  I don't understand what "trim" means in this context. 
>> Reading the explanation in the manpage ("Trim the subtrees after a 
>> mount command") I'd expect this to happen after an UNmount, not a 
>> mount...?
>>
>> However -q looks promising.  I'll give it a try.
> 
> Unfortunately this didn't work.  Either our config is wrong or I 
> misunderstand what "-q" does:
> 
> Example: /mnt/test is automounted (/etc/auto.mnt: test -vers=3 
> fs:/export/test)
> 
> In /etc/audit/audit.rules we have
> 
> -------------------
> [...]
> -a always,exit -F dir=/mnt -F arch=b64 -S write -S open -S close -S 
> rename -S mkdir -S chmod -S chown -S rmdir -S unlink -S unlinkat -S 
> renameat -S fchmod -S fchown -S symlink -S symlinkat -S readlink -S link 
> -S readlinkat -S linkat -S fchmodat -S fchownat -k fs-XXXX
> -q /mnt,/mnt/test
> -------------------
> 
> when I unmount /mnt/test, restart auditd and then do e.g. a `cat 
> /mnt/test/myfile`, then I get the following entries in the audit log:
> 
> -------------------
> type=SYSCALL msg=audit(1523295277.512:3124883): arch=c000003e syscall=89 
> success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000 
> a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0 
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
> comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
> type=PATH msg=audit(1523295277.512:3124883): item=0 name="/mnt" 
> inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> type=SYSCALL msg=audit(1523295277.512:3124884): arch=c000003e syscall=89 
> success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000 
> a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0 
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
> comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
> type=PATH msg=audit(1523295277.512:3124884): item=0 name="/mnt/test" 
> inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00 
> nametype=NORMAL
> type=SYSCALL msg=audit(1523295277.516:3124885): arch=c000003e syscall=89 
> success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000 
> a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0 
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
> comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
> type=PATH msg=audit(1523295277.516:3124885): item=0 name="/mnt" 
> inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> type=SYSCALL msg=audit(1523295277.516:3124886): arch=c000003e syscall=89 
> success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000 
> a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0 
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
> comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
> type=PATH msg=audit(1523295277.516:3124886): item=0 name="/mnt/test" 
> inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00 
> nametype=NORMAL
> -------------------
> 
> Access to the file itself is not logged.  When I restart auditd while 
> /mnt/test /is/ mounted, then a `cat /mnt/test/myfile` results in
> 
> -------------------
> type=SYSCALL msg=audit(1523295467.808:3125055): arch=c000003e syscall=2 
> success=yes exit=3 a0=7ffffa9c424c a1=0 a2=1fffffffffff0000 
> a3=7ffffa9c2560 items=1 ppid=22404 pid=4794 auid=22189 uid=22189 
> gid=1110 euid=22189 suid=22189 fsuid=22189 egid=1110 sgid=1110 
> fsgid=1110 tty=pts7 ses=662075 comm="cat" exe="/usr/bin/cat" key="fs-XXXX"
> type=PATH msg=audit(1523295467.808:3125055): item=0 
> name="/mnt/test/myfile" inode=13 dev=00:80 mode=0100764 ouid=6836 
> ogid=2515 rdev=00:00 nametype=NORMAL
> -------------------
> 
> in the logfile.  That's the entries I'd like to see even when /mnt/test 
> is unmounted when auditd is started.
> 
> Can that be done at all?

Since there were no more suggestions from the list, must I assume that 
it is not possible to configure auditd to recursively check filesystems 
which have been mounted /after/ auditd has been started?

Is there any workaround which combines autofs and auditd?

Cheers
frank


> 
> Cheers
> frank
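The two log excerpts quoted above show the symptom well: with /mnt/test unmounted at auditd start, only the readlink() calls made by mount/mount.nfs on the watched directory are logged (on arch=c000003e, x86_64, syscall 89 is readlink and exit=-22 is EINVAL), and the later open() of /mnt/test/myfile (syscall 2) never appears. The following script is an added example for checking that kind of coverage gap; it is not code from the thread or from the audit project. It joins SYSCALL and PATH records by their msg serial and reports which paths under a watched tree actually produced a successful audited event for a given key. The sample input is copied from the records quoted above; the syscall-number table covers only the two numbers those records contain.

```python
import re
from collections import defaultdict

# Sample input copied from the thread above. First excerpt: /mnt/test was
# unmounted when auditd started; second excerpt: it was already mounted.
LOG_UNMOUNTED_AT_START = """\
type=SYSCALL msg=audit(1523295277.512:3124883): arch=c000003e syscall=89 success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000 a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124883): item=0 name="/mnt" inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.512:3124884): arch=c000003e syscall=89 success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000 a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124884): item=0 name="/mnt/test" inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

LOG_MOUNTED_AT_START = """\
type=SYSCALL msg=audit(1523295467.808:3125055): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa9c424c a1=0 a2=1fffffffffff0000 a3=7ffffa9c2560 items=1 ppid=22404 pid=4794 auid=22189 uid=22189 gid=1110 euid=22189 suid=22189 fsuid=22189 egid=1110 sgid=1110 fsgid=1110 tty=pts7 ses=662075 comm="cat" exe="/usr/bin/cat" key="fs-XXXX"
type=PATH msg=audit(1523295467.808:3125055): item=0 name="/mnt/test/myfile" inode=13 dev=00:80 mode=0100764 ouid=6836 ogid=2515 rdev=00:00 nametype=NORMAL
"""

# Record header: type, timestamp and serial; the serial ties SYSCALL and PATH
# records of one event together.
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# x86_64 (arch=c000003e) numbers for the two syscalls present in the excerpts.
SYSCALL_NAMES_X86_64 = {"2": "open", "89": "readlink"}


def parse_records(text):
    """Yield (type, serial, fields) for every well-formed audit record."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        yield m.group("type"), m.group("serial"), fields


def group_events(text):
    """Join SYSCALL and PATH records that share a serial into one event."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for rtype, serial, fields in parse_records(text):
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH":
            events[serial]["paths"].append(fields["name"])
    return dict(events)


def summarize(text):
    """Return (comm, syscall name, succeeded, paths, key) per event, by serial."""
    rows = []
    for serial, ev in sorted(group_events(text).items(), key=lambda kv: int(kv[0])):
        sc = ev["syscall"]
        if sc is None:  # PATH record without its SYSCALL record; skip
            continue
        name = SYSCALL_NAMES_X86_64.get(sc["syscall"], sc["syscall"])
        rows.append((sc["comm"], name, sc["success"] == "yes", tuple(ev["paths"]), sc.get("key")))
    return rows


def audited_file_accesses(text, key, prefix):
    """Paths under `prefix` that appear in a successful event tagged `key`.

    An empty result for a tree you expect the rule to watch means the
    accesses there are not being recorded, which is exactly the gap seen
    for a share automounted after auditd started.
    """
    root = prefix.rstrip("/")
    hits = set()
    for comm, name, ok, paths, k in summarize(text):
        if k != key or not ok:
            continue
        hits.update(p for p in paths if p == root or p.startswith(root + "/"))
    return hits


if __name__ == "__main__":
    for label, log in (("unmounted at start", LOG_UNMOUNTED_AT_START),
                       ("mounted at start", LOG_MOUNTED_AT_START)):
        print(label)
        for row in summarize(log):
            print("  ", row)
        print("  audited under /mnt/test:", audited_file_accesses(log, "fs-XXXX", "/mnt/test"))
```

Run against a real /var/log/audit/audit.log (after filtering on the rule's key with ausearch or grep) the same function makes a quick coverage test: touch a file on the automounted share, then confirm the path shows up as a successful event; if only the mount helper's readlink() calls on the directory appear, the watch is not following the new mount.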
