Discussion:
auditd not logging file operations thru NFS
Miroslav Lachman
2024-08-03 13:52:25 UTC
I have auditd running on two machines with a configuration to monitor
all changes in files on the filesystem. If I write to the file from the
localhost (on machine A), everything works and the record appears in the
logfile. However, if a directory is exported via NFS, mounted on another
machine (machine B), and I write to the file on machine B, then no
record appears in the audit log on machine A.
Is there a way to configure auditd to log these events too?

/etc/security/audit_user is empty
/etc/security/audit_event is default
/etc/security/audit_class is default

# cat /etc/security/audit_control
#
# $FreeBSD: releng/10.3/contrib/openbsm/etc/audit_control 293161 2016-01-04 16:32:21Z brueffer $
#
dir:/var/audit
dist:off
flags:lo,aa,ad,fw,fm,fc,fd
minfree:5
naflags:lo,aa,ad,fw,fm,fc,fd
policy:cnt,argv
filesz:50M
expire-after:600s

Kind regards
Miroslav Lachman


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Alan Somers
2024-08-03 15:06:28 UTC
Nope. That's a known limitation of auditd. It works at a higher
level than NFS. If you want to audit operations over NFS, currently
you must run auditd on the NFS client. There was actually a GSoC
project that tried to fix this a few years ago, but it ran into too
many problems and was ultimately unsuccessful.
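Because the audit subsystem sits above the NFS server code, a write served by nfsd leaves no record in the server's trail, so the trail for an export is silently incomplete. An added example, not code from the thread or from OpenBSM: a Python check that reconciles a praudit -l trail against file mtimes under the export and lists files that changed without any audited write. The trail lines and mtimes are constructed samples, and the praudit -l token layout they follow is an assumption.

```python
"""Reconcile a praudit -l trail with file mtimes under an NFS export to list
changes that reached the server through nfsd without an audit record."""
import re
from datetime import datetime

# Constructed sample records in praudit(1) -l layout. Assumption about that
# layout: header,len,version,event,modifier,date, + N msec,...,path,<file>,...
# local.txt was written on machine A itself; nfs.txt only from machine B.
SAMPLE_TRAIL = """\
header,174,11,open(2) - write,0,Sat Aug  3 13:52:25 2024, + 10 msec,path,/export/data/local.txt,attribute,100644,root,wheel,return,success,3,trailer,174
header,170,11,open(2) - read,0,Sat Aug  3 13:53:02 2024, + 4 msec,path,/export/data/nfs.txt,attribute,100644,root,wheel,return,success,4,trailer,170
header,160,11,execve(2),0,Sat Aug  3 13:50:00 2024, + 3 msec,path,/usr/bin/vi,return,success,0,trailer,160
"""

# Constructed mtimes, as stat(1) on machine A would report them.
OBSERVED_MTIMES = {
    "/export/data/local.txt": datetime(2024, 8, 3, 13, 52, 25),
    "/export/data/nfs.txt": datetime(2024, 8, 3, 14, 5, 0),
}

HEADER = re.compile(r"^header,\d+,\d+,(?P<event>.+?),\d+,"
                    r"(?P<date>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}),")
PATH = re.compile(r",path,([^,]+)")
# Event names that fall in the fw/fm/fc/fd classes selected in audit_control.
MODIFYING = re.compile(r"write|creat|unlink|rename|truncat|chmod|chown|utime|link", re.I)


def last_audited_change(trail_text):
    """Map each path to the newest modifying event the trail holds for it."""
    latest = {}
    for line in trail_text.splitlines():
        head, path = HEADER.search(line), PATH.search(line)
        if not head or not path or not MODIFYING.search(head["event"]):
            continue
        when = datetime.strptime(head["date"], "%a %b %d %H:%M:%S %Y")
        latest[path[1]] = max(latest.get(path[1], when), when)
    return latest


def unaudited_changes(trail_text, observed_mtimes, export):
    """Paths under `export` whose mtime is newer than any audited change."""
    audited = last_audited_change(trail_text)
    return sorted(p for p, mtime in observed_mtimes.items()
                  if p.startswith(export) and mtime > audited.get(p, datetime.min))


if __name__ == "__main__":
    for p in unaudited_changes(SAMPLE_TRAIL, OBSERVED_MTIMES, "/export/data"):
        print("modified without an audit record:", p)
```

On a real server the trail text would come from `praudit -l` over the files in /var/audit and the mtimes from a walk of the exported directory; a hit on a path only ever touched from an NFS client is exactly the gap the thread describes.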
Alan Somers
2024-08-03 20:34:20 UTC
Post by Miroslav Lachman
Thank you very much for the explanation.
I wouldn't have thought that auditd doesn't support it. From my point of
view, it's a pretty fundamental bug. If I'm deploying a system for
auditing access and changes, I would expect it to really record all
accesses to files, but this way all it takes is "some daemon" (NFS) and
changes to files can take place without there being an audit trail.
Of course, I don't understand these system issues at all and have no
idea how difficult it is to fix this deficiency, but I would be happy if
the fix could be sponsored by the FreeBSD Foundation.
And I would also like to see it mentioned in the manual and handbook.
Nowhere did I find mention that the inability to log events through NFS
is a long known problem.
In this case, fortunately I have access to both machines - the NFS
server and the NFS client, so I can take audit logs from the client as
well, but in some other cases I am managing an NFS server for foreign
clients where I am not able to set up auditd on the client side.
Kind regards
Miroslav Lachman
Yep yep yep. It's definitely surprising. Too bad it isn't easier to fix.