On 08/04/18 03:08, Richard Guy Briggs wrote:
> On 2018-04-07 18:38, Frank Thommen wrote:
>> On 07/04/18 13:56, Richard Guy Briggs wrote:
>>> On 2018-04-07 04:04, Frank Thommen wrote:
>>>> Hello,
>>>>
>>>> we have started auditing on our systems (file open, close, write etc.). This
>>>> is no problem on local and on statically mounted NFS systems (-a exit,always
>>>> -F dir=/a/b/c ...). However for automounted filesystems auditd only reports
>>>> on system calls on those filesystems which are mounted when auditd starts.
>>>>
>>>> Is there a way to make auditd aware of newly mounted NFS filesystems, so
>>>> that we can audit them, too?
>>>
>>> Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
>>> commands? I'm not certain they do exactly what you want, but may help.
>>
>> Thanks a lot. I don't understand what "trim" means in this context. Reading
>> the explanation in the manpage ("Trim the subtrees after a mount command")
>> I'd expect this to happen after an UNmount, not a mount...?
>>
>> However -q looks promising. I'll give it a try.
>>
>>> Warning that remote filesystems can't be expected to audit changes made
>>> to that filesystem by other systems that have mounted that remote
>>> filesystem unless those rules are running on that remote system.
>>
>> All rules are running on the NFS clients, not the NFS servers.
>
> Are *all* the clients running the rules? Since it is the host executing
> the action that is the only one that can audit the action.

yes, all clients are running the rules
frank