Date: Sat, 3 Aug 2024 15:52:25 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-hackers@FreeBSD.org
Subject: auditd not logging file operations thru NFS
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

I have auditd running on two machines with a configuration to monitor all changes in files on the filesystem. If I write to the file from the localhost (on machine A), everything works and the record appears in the logfile.
However, if a directory is exported via NFS, mounted on another machine (machine B), and I write to the file on machine B, then no record appears in the audit log on machine A.

Is there a way to configure auditd to log these events too?

/etc/security/audit_user is empty
/etc/security/audit_event is default
/etc/security/audit_class is default

# cat /etc/security/audit_control
#
# $FreeBSD: releng/10.3/contrib/openbsm/etc/audit_control 293161 2016-01-04 16:32:21Z brueffer $
#
dir:/var/audit
dist:off
flags:lo,aa,ad,fw,fm,fc,fd
minfree:5
naflags:lo,aa,ad,fw,fm,fc,fd
policy:cnt,argv
filesz:50M
expire-after:600s

Kind regards
Miroslav Lachman