On 2018-04-07 18:38, Frank Thommen wrote:
On 07/04/18 13:56, Richard Guy Briggs wrote:
> On 2018-04-07 04:04, Frank Thommen wrote:
> > Hello,
> >
> > we have started auditing on our systems (file open, close, write etc.). This
> > is no problem on local and on statically mounted NFS systems (-a exit,always
> > -F dir=/a/b/c ...). However for automounted filesystems auditd only reports
> > on system calls on those filesystems which are mounted when auditd starts.
> >
> > Is there a way to make auditd aware of newly mounted NFS filesystems, so
> > that we can audit them, too?
>
> Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
> commands? I'm not certain they do exactly what you want, but may help.

Thanks a lot. I don't understand what "trim" means in this context. Reading
the explanation in the manpage ("Trim the subtrees after a mount command")
I'd expect this to happen after an UNmount, not a mount...?
However -q looks promising. I'll give it a try.

> Warning that remote filesystems can't be expected to audit changes made
> to that filesystem by other systems that have mounted that remote
> filesystem unless those rules are running on that remote system.

All rules are running on the NFS clients, not the NFS servers.

Are *all* the clients running the rules? Since it is the host executing
the action that is the only one that can audit the action.

frank
> > frank
>
> - RGB
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635