Hi,
On 04/09/2018 07:45 PM, Frank Thommen wrote:
> On 04/07/2018 06:38 PM, Frank Thommen wrote:
>> On 07/04/18 13:56, Richard Guy Briggs wrote:
>>> On 2018-04-07 04:04, Frank Thommen wrote:
>>>> Hello,
>>>>
>>>> we have started auditing on our systems (file open, close, write etc.).
>>>> This is no problem on local and on statically mounted NFS systems
>>>> (-a exit,always -F dir=/a/b/c ...).  However, for automounted filesystems
>>>> auditd only reports on system calls on those filesystems which are
>>>> mounted when auditd starts.
>>>>
>>>> Is there a way to make auditd aware of newly mounted NFS filesystems,
>>>> so that we can audit them, too?
>>>
>>> Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
>>> commands?  I'm not certain they do exactly what you want, but may help.
>>
>> Thanks a lot.  I don't understand what "trim" means in this context.
>> Reading the explanation in the manpage ("Trim the subtrees after a
>> mount command") I'd expect this to happen after an UNmount, not a
>> mount...?
>>
>> However -q looks promising.  I'll give it a try.
>
> Unfortunately this didn't work.  Either our config is wrong or I
> misunderstand what "-q" does:
>
> Example: /mnt/test is automounted (/etc/auto.mnt: test -vers=3
> fs:/export/test)
>
> In /etc/audit/audit.rules we have
>
> -------------------
> [...]
> -a always,exit -F dir=/mnt -F arch=b64 -S write -S open -S close -S rename -S mkdir -S chmod -S chown -S rmdir -S unlink -S unlinkat -S renameat -S fchmod -S fchown -S symlink -S symlinkat -S readlink -S link -S readlinkat -S linkat -S fchmodat -S fchownat -k fs-XXXX
> -q /mnt,/mnt/test
> -------------------
>
> When I unmount /mnt/test, restart auditd and then do e.g. a
> `cat /mnt/test/myfile`, then I get the following entries in the audit log:
>
> -------------------
> type=SYSCALL msg=audit(1523295277.512:3124883): arch=c000003e syscall=89 success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000 a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
> type=PATH msg=audit(1523295277.512:3124883): item=0 name="/mnt" inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> type=SYSCALL msg=audit(1523295277.512:3124884): arch=c000003e syscall=89 success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000 a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
> type=PATH msg=audit(1523295277.512:3124884): item=0 name="/mnt/test" inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> type=SYSCALL msg=audit(1523295277.516:3124885): arch=c000003e syscall=89 success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000 a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
> type=PATH msg=audit(1523295277.516:3124885): item=0 name="/mnt" inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> type=SYSCALL msg=audit(1523295277.516:3124886): arch=c000003e syscall=89 success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000 a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
> type=PATH msg=audit(1523295277.516:3124886): item=0 name="/mnt/test" inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> -------------------
>
> Access to the file itself is not logged.  When I restart auditd while
> /mnt/test /is/ mounted, then a `cat /mnt/test/myfile` results in
>
> -------------------
> type=SYSCALL msg=audit(1523295467.808:3125055): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa9c424c a1=0 a2=1fffffffffff0000 a3=7ffffa9c2560 items=1 ppid=22404 pid=4794 auid=22189 uid=22189 gid=1110 euid=22189 suid=22189 fsuid=22189 egid=1110 sgid=1110 fsgid=1110 tty=pts7 ses=662075 comm="cat" exe="/usr/bin/cat" key="fs-XXXX"
> type=PATH msg=audit(1523295467.808:3125055): item=0 name="/mnt/test/myfile" inode=13 dev=00:80 mode=0100764 ouid=6836 ogid=2515 rdev=00:00 nametype=NORMAL
> -------------------
>
> in the logfile.  Those are the entries I'd like to see even when /mnt/test
> is unmounted when auditd is started.
>
> Can that be done at all?
Since there were no more suggestions from the list, must I assume that
it is not possible to configure auditd to recursively check filesystems
which have been mounted /after/ auditd has been started?
Is there any workaround which combines autofs and auditd?

Cheers
frank
>
> Cheers
> frank
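The records quoted in the thread make the gap visible if they are grouped by event serial and the syscall numbers are decoded: on x86_64 (arch=c000003e) syscall 89 is readlink and syscall 2 is open, so the first log contains only the readlink probes that mount and mount.nfs made on /mnt and /mnt/test (caught by the rule's -S readlink, failing with EINVAL because neither is a symlink) and no record of the cat, while the second log contains the open of /mnt/test/myfile. The script below is an added example, not code from any of the posts: it parses audit.log lines of this shape, ties SYSCALL and PATH records together via the serial in msg=audit(time:serial), and lists which paths under a watched directory were actually recorded with a successful syscall. The sample data is the thread's own log lines joined back onto single lines; the syscall table is assumed to cover only the numbers that occur in them.

```python
"""Group audit.log SYSCALL/PATH records by event serial and list recorded accesses.

Added example for this thread (not code from the original posts).  The sample
records are the thread's log lines, joined back onto single lines.  Syscall
names assume arch=c000003e (x86_64) and the table only covers what appears here.
"""
import re
from collections import defaultdict

# x86_64 syscall numbers seen in the thread: 89 = readlink, 2 = open (assumed table).
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 89: "readlink", 165: "mount"}

# key=value pairs; a value is either "double quoted" or a run of non-blank characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(<seconds.millis>:<serial>): the serial ties SYSCALL and PATH records together.
_MSG = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# Constructed from the thread: auditd restarted while /mnt/test was NOT mounted, then `cat /mnt/test/myfile`.
LOG_UNMOUNTED_AT_START = """
type=SYSCALL msg=audit(1523295277.512:3124883): arch=c000003e syscall=89 success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000 a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124883): item=0 name="/mnt" inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.512:3124884): arch=c000003e syscall=89 success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000 a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124884): item=0 name="/mnt/test" inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124885): arch=c000003e syscall=89 success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000 a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124885): item=0 name="/mnt" inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124886): arch=c000003e syscall=89 success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000 a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124886): item=0 name="/mnt/test" inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# Constructed from the thread: auditd restarted while /mnt/test WAS mounted, then the same cat.
LOG_MOUNTED_AT_START = """
type=SYSCALL msg=audit(1523295467.808:3125055): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa9c424c a1=0 a2=1fffffffffff0000 a3=7ffffa9c2560 items=1 ppid=22404 pid=4794 auid=22189 uid=22189 gid=1110 euid=22189 suid=22189 fsuid=22189 egid=1110 sgid=1110 fsgid=1110 tty=pts7 ses=662075 comm="cat" exe="/usr/bin/cat" key="fs-XXXX"
type=PATH msg=audit(1523295467.808:3125055): item=0 name="/mnt/test/myfile" inode=13 dev=00:80 mode=0100764 ouid=6836 ogid=2515 rdev=00:00 nametype=NORMAL
"""


def parse_record(line):
    """Return the fields of one audit record as a dict; quoted values are unquoted."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    m = _MSG.search(fields.get("msg", ""))
    if m:  # split msg=audit(time:serial) into its two parts
        fields["time"] = m.group(1)
        fields["serial"] = int(m.group(2))
    return fields


def group_events(lines):
    """Group records by serial: {serial: {"syscall": SYSCALL fields, "paths": [PATH fields, ...]}}."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        if "serial" not in rec:
            continue
        if rec.get("type") == "SYSCALL":
            events[rec["serial"]]["syscall"] = rec
        elif rec.get("type") == "PATH":
            events[rec["serial"]]["paths"].append(rec)
    return dict(events)


def summarise(event):
    """Decode one event: syscall name, process, outcome and the paths it touched (in item order)."""
    sc = event["syscall"] or {}
    num = int(sc.get("syscall", -1))
    paths = [p.get("name", "?") for p in sorted(event["paths"], key=lambda p: int(p.get("item", 0)))]
    return {"name": X86_64_SYSCALLS.get(num, f"syscall#{num}"), "comm": sc.get("comm"),
            "success": sc.get("success") == "yes", "exit": int(sc.get("exit", 0)),
            "paths": paths, "key": sc.get("key")}


def recorded_accesses(lines, watched_dir):
    """(serial, syscall, comm, path) for every successful syscall on a path under watched_dir."""
    prefix = watched_dir.rstrip("/") + "/"
    hits = []
    for serial, ev in sorted(group_events(lines).items()):
        s = summarise(ev)
        if not s["success"]:
            continue  # failed probes (e.g. mount's readlink EINVAL) are not file accesses
        for path in s["paths"]:
            if path == watched_dir or path.startswith(prefix):
                hits.append((serial, s["name"], s["comm"], path))
    return hits


if __name__ == "__main__":
    for label, log in (("unmounted at auditd start", LOG_UNMOUNTED_AT_START),
                       ("mounted at auditd start", LOG_MOUNTED_AT_START)):
        print(f"== /mnt/test {label}")
        for serial, ev in sorted(group_events(log.splitlines()).items()):
            print(serial, summarise(ev))
        print("recorded accesses under /mnt/test:", recorded_accesses(log.splitlines(), "/mnt/test"))
```

Run against a real audit.log the same way (`recorded_accesses(open("/var/log/audit/audit.log").read().splitlines(), "/mnt/test")`), comparing the result with the accesses you know took place; an empty list for a path you just read is the automount gap the thread describes. The parser deliberately treats `success=no` records as probes rather than accesses, which is what separates the mount helpers' readlink noise in the first log from the genuine open in the second.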