Thanks for the quick response. That makes sense.
One other thing: on Redhat 6.4, if the watch dir does not exist (i.e. automount NFS), then auditd will bomb out and not even start. On Redhat 6.8, it seems to not care and starts up anyway (better). Kernel or auditd?
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Thursday, October 20, 2016 10:38 AM
To: Vaughn, Chad M (US) <chad.m.vaughn(a)lmco.com>
Cc: linux-audit(a)redhat.com
Subject: EXTERNAL: Re: Audit watches on NFS mounts
On Thursday, October 20, 2016 2:42:07 PM EDT Vaughn, Chad M wrote:
I noticed a weird behavior. I NFS mount /usr/local on my Redhat machines.
If I put a watch for a directory in that NFS mount:
-w /usr/local/mywatchdir/ -p rwxa -F exit!=-ENODATA -F success!=1 -k watch
On Redhat 6.4, I don't see audit events when trying to remove or change files in that dir. On Redhat 6.8, I do see the audit events when trying to remove or change files in that dir.
Any ideas of possible features added to auditd between those releases?
I would like to be able to speak to it for security audits.
Auditd is just the collector. The events are generated by the kernel. So, it would be a
kernel change that may have allowed that. I don't know what was changed or which
version did it. I do know that in the past it was not possible to audit nfs or fuse based
file systems.
-Steve
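The two problems raised in this thread (watches on NFS/FUSE paths that may never produce events on older kernels, and watch directories under an automount that do not exist when auditd loads its rules) can both be caught before deploying a rule set. The script below is an added example and is not part of the thread or of the audit package: it parses audit.rules-style lines for `-w PATH` and `-F dir=/path=` targets, resolves each path to its mount via a /proc/mounts-style table (longest mountpoint prefix wins), and flags paths on nfs/fuse/autofs filesystems or paths that do not exist. The rule file and mount table embedded in it are constructed samples; on a real host you would read /etc/audit/audit.rules (or audit.rules.d/*) and /proc/mounts instead. The `exists` callback is a hypothetical parameter so the existence check can be driven offline.

```python
#!/usr/bin/env python3
"""Pre-flight check for audit watch rules (added example, not from the thread).

Flags -w / -F dir= / -F path= targets that sit on filesystem types the thread
reports as historically unauditable (nfs, fuse), on autofs (path may be absent
until automounted), or that do not exist at all (the thread reports auditd on
RHEL 6.4 failing to start when a watched dir is missing).
"""
import os
import shlex
from typing import Callable, Dict, List, Tuple

# Filesystem types worth a warning and why. nfs/fuse follow Steve's remark that
# these were not auditable on older kernels; autofs because the watched path
# may not exist yet when auditd loads the rules.
SUSPECT_FSTYPES = {
    "nfs": "NFS mount: watch events may not be generated on older kernels",
    "nfs4": "NFS mount: watch events may not be generated on older kernels",
    "fuse": "FUSE mount: watch events may not be generated on older kernels",
    "fuseblk": "FUSE mount: watch events may not be generated on older kernels",
    "autofs": "autofs mount: path may be absent until it is automounted",
}
MISSING = "path does not exist (thread reports auditd refusing to start on RHEL 6.4)"

# Constructed sample rule file (the NFS watch line is the one from the thread).
SAMPLE_RULES = """\
# constructed sample of /etc/audit/audit.rules
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /usr/local/mywatchdir/ -p rwxa -F exit!=-ENODATA -F success!=1 -k watch
-a always,exit -F arch=b64 -F dir=/home/shared -F perm=wa -k fuse_home
-w /var/log/audit -p wa -k auditlog
"""

# Constructed sample of /proc/mounts.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/mapper/vg-root / ext4 rw,relatime 0 0
fileserver:/export/usr_local /usr/local nfs rw,vers=3 0 0
/etc/auto.home /home autofs rw,fd=7 0 0
sshfs#user@host:/data /home/shared fuse.sshfs rw 0 0
"""


def parse_mounts(text: str) -> List[Tuple[str, str]]:
    """Parse /proc/mounts-style lines into (mountpoint, fstype) pairs."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        # /proc/mounts octal-escapes spaces in paths as \040
        mounts.append((parts[1].replace("\\040", " "), parts[2]))
    return mounts


def parse_watch_paths(rules_text: str) -> List[Tuple[str, str]]:
    """Return (path, key) for every -w PATH and every -F dir=/path= field."""
    found = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        paths, key = [], ""
        for i, tok in enumerate(argv):
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            if tok == "-w" and nxt:
                paths.append(nxt)
            elif tok == "-F" and (nxt.startswith("dir=") or nxt.startswith("path=")):
                paths.append(nxt.split("=", 1)[1])
            elif tok == "-k" and nxt:
                key = nxt
        for p in paths:
            found.append((p.rstrip("/") or "/", key))  # normalise trailing slash
    return found


def fstype_for(path: str, mounts: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Longest-prefix match of path against mountpoints; later entries win ties
    because a later mount on the same mountpoint overlays the earlier one."""
    best = None
    for mp, fstype in mounts:
        mp_norm = mp.rstrip("/") or "/"
        if mp_norm == "/" or path == mp_norm or path.startswith(mp_norm + "/"):
            if best is None or len(mp_norm) >= len(best[0]):
                best = (mp_norm, fstype)
    return best or ("/", "unknown")


def check_rules(rules_text: str, mounts_text: str,
                exists: Callable[[str], bool] = os.path.exists) -> List[Dict]:
    """Return one finding per watched path that is on a suspect fs or missing."""
    mounts = parse_mounts(mounts_text)
    findings = []
    for path, key in parse_watch_paths(rules_text):
        mp, fstype = fstype_for(path, mounts)
        reasons = []
        base = fstype.split(".", 1)[0]  # "fuse.sshfs" -> "fuse"
        if base in SUSPECT_FSTYPES:
            reasons.append(SUSPECT_FSTYPES[base])
        if not exists(path):
            reasons.append(MISSING)
        if reasons:
            findings.append({"path": path, "key": key, "mount": mp,
                             "fstype": fstype, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_rules(SAMPLE_RULES, SAMPLE_MOUNTS):
        print(f"{f['path']} (key={f['key']}, {f['fstype']} on {f['mount']}):")
        for r in f["reasons"]:
            print("   -", r)
```

Running it against the samples flags /usr/local/mywatchdir (NFS, and missing unless the export is mounted on the machine running the check) and /home/shared (FUSE), while the ext4 watches pass. To turn it into a real pre-flight step, feed it the live rule files and `/proc/mounts` and run it on the host where auditd will load the rules, so the existence check reflects what auditd will see at boot.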