On 04/07/2018 06:38 PM, Frank Thommen wrote:
On 07/04/18 13:56, Richard Guy Briggs wrote:
> On 2018-04-07 04:04, Frank Thommen wrote:
>> Hello,
>>
>> we have started auditing on our systems (file open, close, write etc.).
>> This is no problem on local and on statically mounted NFS systems
>> (-a exit,always -F dir=/a/b/c ...). However for automounted filesystems
>> auditd only reports on system calls on those filesystems which are
>> mounted when auditd starts.
>>
>> Is there a way to make auditd aware of newly mounted NFS filesystems, so
>> that we can audit them, too?
>
> Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
> commands? I'm not certain they do exactly what you want, but may help.
Thanks a lot. I don't understand what "trim" means in this context.
Reading the explanation in the manpage ("Trim the subtrees after a mount
command") I'd expect this to happen after an UNmount, not a mount...?
However -q looks promising. I'll give it a try.
Unfortunately this didn't work. Either our config is wrong or I
misunderstand what "-q" does:
Example: /mnt/test is automounted (/etc/auto.mnt: test -vers=3 fs:/export/test)
In /etc/audit/audit.rules we have
-------------------
[...]
-a always,exit -F dir=/mnt -F arch=b64 -S write -S open -S close -S
rename -S mkdir -S chmod -S chown -S rmdir -S unlink -S unlinkat -S
renameat -S fchmod -S fchown -S symlink -S symlinkat -S readlink -S link
-S readlinkat -S linkat -S fchmodat -S fchownat -k fs-XXXX
-q /mnt,/mnt/test
-------------------
When I unmount /mnt/test, restart auditd and then do e.g. a `cat /mnt/test/myfile`,
I get the following entries in the audit log:
-------------------
type=SYSCALL msg=audit(1523295277.512:3124883): arch=c000003e syscall=89
success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000
a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124883): item=0 name="/mnt"
inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.512:3124884): arch=c000003e syscall=89
success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000
a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124884): item=0 name="/mnt/test"
inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124885): arch=c000003e syscall=89
success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000
a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124885): item=0 name="/mnt"
inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124886): arch=c000003e syscall=89
success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000
a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124886): item=0 name="/mnt/test"
inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
-------------------
Access to the file itself is not logged. When I restart auditd while
/mnt/test /is/ mounted, then a `cat /mnt/test/myfile` results in
-------------------
type=SYSCALL msg=audit(1523295467.808:3125055): arch=c000003e syscall=2
success=yes exit=3 a0=7ffffa9c424c a1=0 a2=1fffffffffff0000
a3=7ffffa9c2560 items=1 ppid=22404 pid=4794 auid=22189 uid=22189
gid=1110 euid=22189 suid=22189 fsuid=22189 egid=1110 sgid=1110
fsgid=1110 tty=pts7 ses=662075 comm="cat" exe="/usr/bin/cat"
key="fs-XXXX"
type=PATH msg=audit(1523295467.808:3125055): item=0
name="/mnt/test/myfile" inode=13 dev=00:80 mode=0100764 ouid=6836
ogid=2515 rdev=00:00 nametype=NORMAL
-------------------
in the logfile. Those are the entries I'd like to see even when /mnt/test
is unmounted when auditd is started.
Can that be done at all?
Cheers
frank
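Added example, not code from the thread or from the audit project: a small Python parser that joins SYSCALL and PATH records by their audit serial and lists the successful syscalls on paths below a watched directory, so you can check from the log itself which accesses under /mnt/test were actually recorded. SAMPLE_LOG holds trimmed copies of the records quoted above (a constructed sample); the syscall-number map assumes the x86_64 table, which is what arch=c000003e denotes.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copies of records from the thread, one event from
# each excerpt (mount's failed readlink on /mnt/test, cat's open of the file).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1523295277.512:3124884): arch=c000003e syscall=89 success=no exit=-22 items=1 pid=11761 auid=4294967295 uid=0 comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124884): item=0 name="/mnt/test" inode=1049245405 dev=00:74 mode=040555 nametype=NORMAL
type=SYSCALL msg=audit(1523295467.808:3125055): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=4794 auid=22189 uid=22189 comm="cat" exe="/usr/bin/cat" key="fs-XXXX"
type=PATH msg=audit(1523295467.808:3125055): item=0 name="/mnt/test/myfile" inode=13 dev=00:80 mode=0100764 nametype=NORMAL
"""

# x86_64 (arch=c000003e) syscall numbers that appear in the thread's logs.
SYSCALL_NAMES = {2: "open", 89: "readlink"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

def parse_record(line):
    """One key=value audit line -> dict; quoted values are unquoted."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["serial"] = int(SERIAL_RE.search(line).group(1))
    return fields

def group_events(log_text):
    """Join SYSCALL and PATH records that share an audit serial."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events[rec["serial"]]
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "PATH":
            ev["paths"].append(rec["name"])
    return dict(events)

def file_accesses(log_text, watched_dir):
    """(comm, syscall name, path) for successful syscalls on paths strictly
    below watched_dir: the entries Frank wants to see for /mnt/test."""
    prefix = watched_dir.rstrip("/") + "/"
    hits = []
    for ev in group_events(log_text).values():
        sc = ev["syscall"]
        if sc is None or sc.get("success") != "yes":
            continue
        name = SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"])
        hits.extend((sc["comm"], name, p) for p in ev["paths"] if p.startswith(prefix))
    return hits
```

Run against a full /var/log/audit/audit.log it reports which of the watched paths produced records; the mount helper's failed readlink events (success=no, path /mnt/test itself) are deliberately excluded, since they are not file accesses.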