Date: Sat, 3 Aug 2024 21:37:46 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Alan Somers <asomers@freebsd.org>
Cc: freebsd-hackers@freebsd.org
Subject: Re: auditd not logging file operations thru NFS
Message-ID: <98abd3b2-5d57-439b-aafb-9a497a08e712@quip.cz>
In-Reply-To: <CAOtMX2iYfLQiXgqJNsB%2B3Am1FOkaip2Oduojv89E23PTv65E0Q@mail.gmail.com>
References: <b9baa170-557b-4bb8-ba0e-6be45a3966d4@quip.cz> <CAOtMX2iYfLQiXgqJNsB%2B3Am1FOkaip2Oduojv89E23PTv65E0Q@mail.gmail.com>
On 03/08/2024 17:06, Alan Somers wrote:
> On Sat, Aug 3, 2024 at 7:52 AM Miroslav Lachman <000.fbsd@quip.cz> wrote:
>>
>> I have auditd running on two machines with a configuration to monitor
>> all changes in files on the filesystem. If I write to the file from the
>> localhost (on machine A), everything works and the record appears in the
>> logfile. However, if a directory is exported via NFS, mounted on another
>> machine (machine B), and I write to the file on machine B, then no
>> record appears in the audit log on machine A.
>> Is there a way to configure auditd to log these events too?
>>
>> /etc/security/audit_user is empty
>> /etc/security/audit_event is default
>> /etc/security/audit_class is default
>>
>> # cat /etc/security/audit_control
>> #
>> # $FreeBSD: releng/10.3/contrib/openbsm/etc/audit_control 293161 2016-01-04 16:32:21Z brueffer $
>> #
>> dir:/var/audit
>> dist:off
>> flags:lo,aa,ad,fw,fm,fc,fd
>> minfree:5
>> naflags:lo,aa,ad,fw,fm,fc,fd
>> policy:cnt,argv
>> filesz:50M
>> expire-after:600s
>>
>> Kind regards
>> Miroslav Lachman
>
> Nope. That's a known limitation of auditd. It works at a higher
> level than nfs. If you want to audit operations over NFS, currently
> you must run auditd on the NFS client. There was actually a GSoC
> project that tried to fix this a few years ago, but it ran into too
> many problems and was ultimately unsuccessful.

Thank you very much for the explanation. I wouldn't have thought that
auditd doesn't support it. From my point of view, it's a pretty
fundamental bug. If I'm deploying a system for auditing access and
changes, I would expect it to be able to record really all accesses to
files, but this way all it takes is "some daemon" (NFS) and changes to
files can take place without there being an audit trail. Of course, I
don't understand these system issues at all and have no idea how
difficult it is to fix this deficiency, but I would be happy if the fix
could be sponsored by the FreeBSD Foundation.

And I would also like to see it mentioned in the manual and handbook.
Nowhere did I find mention that the inability to log events through NFS
is a long known problem.

In this case, fortunately, I have access to both machines - the NFS
server and the NFS client, so I can take audit logs from the client as
well, but in some other cases I am managing an NFS server for foreign
clients where I am not able to set up auditd on the client side.

Kind regards
Miroslav Lachman
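Since, per the reply above, the NFS server's auditd never sees writes made by NFS clients, the file-operation classes have to be enabled on every client too. The following is an added checker, not code from the thread or from OpenBSM: it parses audit_control(5) style files and reports which of the file classes used in the quoted config (fw, fm, fc, fd) are not audited for success, following the +/-/^ prefix rules of audit_control(5); the CLIENT_CONF sample is constructed.

```python
import re

# File-operation classes from the audit_control quoted in the thread.
FILE_CLASSES = {"fw", "fm", "fc", "fd"}

# The server config from the thread, and a constructed client config that
# only audits logins and administrative events.
SERVER_CONF = """\
# $FreeBSD: releng/10.3/contrib/openbsm/etc/audit_control 293161 2016-01-04 16:32:21Z brueffer $
dir:/var/audit
dist:off
flags:lo,aa,ad,fw,fm,fc,fd
minfree:5
naflags:lo,aa,ad,fw,fm,fc,fd
policy:cnt,argv
filesz:50M
expire-after:600s
"""
CLIENT_CONF = "dir:/var/audit\nflags:lo,aa,ad,^fw\nnaflags:lo\n"  # constructed

def parse_audit_control(text):
    """Parse 'key:value' lines, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf

def audited_classes(flags):
    """Classes audited for successful events. Per audit_control(5): no prefix
    or '+' audits success, '-' audits failure only, '^' / '^+' remove the
    class (or its success half); 'all' stands for every class."""
    success = set()
    for item in filter(None, (s.strip() for s in flags.split(","))):
        m = re.fullmatch(r"(\^?[+-]?)(\w+)", item)
        if not m:
            raise ValueError(f"bad class spec: {item!r}")
        prefix, cls = m.groups()
        names = FILE_CLASSES if cls == "all" else {cls}
        if prefix in ("", "+"):
            success |= names
        elif prefix in ("^", "^+"):
            success -= names
        # '-' and '^-' only affect failure auditing, not tracked here
    return success

def missing_file_auditing(text):
    """Return the file-operation classes not audited for success, sorted."""
    conf = parse_audit_control(text)
    return sorted(FILE_CLASSES - audited_classes(conf.get("flags", "")))
```

Run it against each host's /etc/security/audit_control; an empty result on the server says nothing about NFS clients, which must be checked separately.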