Date: Sat, 3 Aug 2024 14:34:20 -0600
From: Alan Somers <asomers@freebsd.org>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-hackers@freebsd.org
Subject: Re: auditd not logging file operations thru NFS
Message-ID: <CAOtMX2i5VUCMJs9%2BVP_2R_tnt6iVZxKG-RYBqfDnuFegXi1z_g@mail.gmail.com>
In-Reply-To: <98abd3b2-5d57-439b-aafb-9a497a08e712@quip.cz>
References: <b9baa170-557b-4bb8-ba0e-6be45a3966d4@quip.cz> <CAOtMX2iYfLQiXgqJNsB%2B3Am1FOkaip2Oduojv89E23PTv65E0Q@mail.gmail.com> <98abd3b2-5d57-439b-aafb-9a497a08e712@quip.cz>
On Sat, Aug 3, 2024 at 1:37 PM Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
> On 03/08/2024 17:06, Alan Somers wrote:
> > On Sat, Aug 3, 2024 at 7:52 AM Miroslav Lachman <000.fbsd@quip.cz> wrote:
> >>
> >> I have auditd running on two machines with a configuration to monitor
> >> all changes in files on the filesystem. If I write to the file from the
> >> localhost (on machine A), everything works and the record appears in the
> >> logfile. However, if a directory is exported via NFS, mounted on another
> >> machine (machine B), and I write to the file on the machine B, then no
> >> record appears in the audit log on machine A.
> >> Is there a way to configure auditd to log these events too?
> >>
> >> /etc/security/audit_user is empty
> >> /etc/security/audit_event is default
> >> /etc/security/audit_class is default
> >>
> >> # cat /etc/security/audit_control
> >> #
> >> # $FreeBSD: releng/10.3/contrib/openbsm/etc/audit_control 293161 2016-01-04 16:32:21Z brueffer $
> >> #
> >> dir:/var/audit
> >> dist:off
> >> flags:lo,aa,ad,fw,fm,fc,fd
> >> minfree:5
> >> naflags:lo,aa,ad,fw,fm,fc,fd
> >> policy:cnt,argv
> >> filesz:50M
> >> expire-after:600s
> >>
> >> Kind regards
> >> Miroslav Lachman
> >
> > Nope. That's a known limitation of auditd. It works at a higher
> > level than nfs. If you want to audit operations over NFS, currently
> > you must run auditd on the NFS client. There was actually a GSoC
> > project that tried to fix this a few years ago, but it ran into too
> > many problems and was ultimately unsuccessful.
>
> Thank you very much for the explanation.
> I wouldn't have thought that auditd doesn't support it. From my point of
> view, it's a pretty fundamental bug. If I'm deploying a system for
> auditing access and changes, I would expect it to be able to record
> really all accesses to files, but this way all it takes is "some daemon"
> (NFS) and changes to files can take place without there being an audit
> trail.
> Of course, I don't understand these system issues at all and have no
> idea how difficult it is to fix this deficiency, but I would be happy if
> the fix could be sponsored by the FreeBSD Foundation.
> And I would also like to see it mentioned in the manual and handbook.
> Nowhere did I find mention that the inability to log events through NFS
> is a long known problem.
>
> In this case, fortunately I have access to both machines - the NFS
> server and the NFS client, so I can take audit logs from the client as
> well, but in some other cases I am managing an NFS server for foreign
> clients where I am not able to set up auditd on the client side.
>
> Kind regards
> Miroslav Lachman

Yep yep yep. It's definitely surprising. Too bad it isn't easier to fix.
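The practical consequence of the answer above is that the audit trail for a file written over NFS exists only if the NFS client itself runs auditd with the file classes selected, so coverage has to be checked per host rather than on the server alone. The following script is an added example, not code from the thread or from OpenBSM: it parses the audit_control format quoted above (key:value lines, # comments, class lists with the +/-/^ prefixes that audit_control(5) accepts), checks that the flags and naflags lines select the file classes fw, fm, fc and fd, and reports NFS clients whose writes would leave no trail anywhere. The host table and the two audit_control texts are constructed sample input; the role names "nfs-server" and "nfs-client" are an assumption of this example.

```python
"""Per-host check of audit_control file-class coverage.

Constructed example for the thread above; not part of OpenBSM or FreeBSD.
The server's auditd sees only local writes, so every NFS client that may
write to an export needs its own auditd with the file classes selected.
"""

# Audit classes that cover file writes, attribute changes, creation and deletion.
FILE_CLASSES = {"fw", "fm", "fc", "fd"}


def parse_audit_control(text):
    """Parse audit_control into a dict of key -> value.

    Lines are 'key:value'; anything after '#' is a comment.  A key that
    appears twice keeps its last value.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_classes(flag_spec):
    """Expand 'lo,+aa,-fw,^fm' into the set of class names.

    The success/failure/disable prefixes (+, -, ^, ^+, ^-) are dropped; this
    check only asks whether a class is mentioned at all.
    """
    classes = set()
    for item in flag_spec.split(","):
        name = item.strip().lstrip("+-^")
        if name:
            classes.add(name)
    return classes


def missing_file_classes(conf):
    """File classes absent from 'flags' (attributable events) and from
    'naflags' (non-attributable events), as sorted lists."""
    flags = audit_classes(conf.get("flags", ""))
    naflags = audit_classes(conf.get("naflags", ""))
    return {
        "flags": sorted(FILE_CLASSES - flags),
        "naflags": sorted(FILE_CLASSES - naflags),
    }


def coverage_report(hosts):
    """hosts: hostname -> {"role": "nfs-server" | "nfs-client",
                           "audit_control": text}.
    Returns one finding per host whose file writes would go unrecorded."""
    findings = []
    for name, info in sorted(hosts.items()):
        gaps = missing_file_classes(parse_audit_control(info["audit_control"]))
        missing = sorted(set(gaps["flags"]) | set(gaps["naflags"]))
        if not missing:
            continue
        if info["role"] == "nfs-client":
            # The server cannot audit these writes on the client's behalf.
            findings.append(
                f"{name}: NFS client missing file classes {','.join(missing)}; "
                "its writes to exported shares leave no audit trail on either side"
            )
        else:
            findings.append(
                f"{name}: local file auditing misses classes {','.join(missing)}"
            )
    return findings


# Constructed sample inputs (hypothetical hosts, not the thread author's).
AUDIT_CONTROL_FULL = """\
# constructed sample: same flags as the configuration quoted in the thread
dir:/var/audit
dist:off
flags:lo,aa,ad,fw,fm,fc,fd
minfree:5
naflags:lo,aa,ad,fw,fm,fc,fd
policy:cnt,argv
filesz:50M
expire-after:600s
"""

AUDIT_CONTROL_LOGIN_ONLY = """\
# constructed sample: only login/authentication classes selected
dir:/var/audit
flags:lo,aa
naflags:lo,aa
policy:cnt
filesz:50M
"""

SAMPLE_HOSTS = {
    "machine-a": {"role": "nfs-server", "audit_control": AUDIT_CONTROL_FULL},
    "machine-b": {"role": "nfs-client", "audit_control": AUDIT_CONTROL_LOGIN_ONLY},
    "machine-c": {"role": "nfs-client", "audit_control": AUDIT_CONTROL_FULL},
}

if __name__ == "__main__":
    for finding in coverage_report(SAMPLE_HOSTS):
        print(finding)
```

Run against the constructed hosts, only machine-b is reported: machine-a is configured like the server in the thread and audits its own local writes, machine-c is a client that audits its writes itself, and machine-b is a client whose writes to the export are recorded nowhere. For clients you do not administer, as in the "foreign clients" case above, the same check tells you which writes your server-side trail will never contain.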