Re: auditd not logging file operations thru NFS
Date: Sat, 03 Aug 2024 15:06:28 UTC
On Sat, Aug 3, 2024 at 7:52 AM Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
> I have auditd running on two machines with a configuration to monitor
> all changes in files on the filesystem. If I write to the file from the
> localhost (on machine A), everything works and the record appears in the
> logfile. However, if a directory is exported via NFS, mounted on another
> machine (machine B), and I write to the file on the machine B, then no
> record appears in the audit log on machine A.
> Is there a way to configure auditd to log these events too?
>
> /etc/security/audit_user is empty
> /etc/security/audit_event is default
> /etc/security/audit_class is default
>
> # cat /etc/security/audit_control
> #
> # $FreeBSD: releng/10.3/contrib/openbsm/etc/audit_control 293161
> 2016-01-04 16:32:21Z brueffer $
> #
> dir:/var/audit
> dist:off
> flags:lo,aa,ad,fw,fm,fc,fd
> minfree:5
> naflags:lo,aa,ad,fw,fm,fc,fd
> policy:cnt,argv
> filesz:50M
> expire-after:600s
>
> Kind regards
> Miroslav Lachman

Nope. That's a known limitation of auditd. It works at a higher level than nfs. If you want to audit operations over NFS, currently you must run auditd on the NFS client. There was actually a GSoC project that tried to fix this a few years ago, but it ran into too many problems and was ultimately unsuccessful.
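
An added example, not part of the original thread: a check that lists the NFS-exported directories on a server whose `flags:` line enables file-change classes, since per the reply above those classes will not record writes arriving from NFS clients. The `exports` content is constructed sample input, and the function names are hypothetical.

```python
# Added example (not from the thread): find exports the audit flags miss.
FILE_CLASSES = {"fw", "fm", "fc", "fd"}  # file-change classes in the posted flags

# Lines taken from the audit_control posted in the thread.
AUDIT_CONTROL = "flags:lo,aa,ad,fw,fm,fc,fd\nnaflags:lo,aa,ad,fw,fm,fc,fd\npolicy:cnt,argv\n"

# Constructed sample /etc/exports (FreeBSD exports(5) syntax); not from the thread.
EXPORTS = """\
# constructed sample
V4: /export
/export/home /export/projects -maproot=root \\
    -network 192.0.2.0/24
/var/spool/shared -ro 192.0.2.15
"""

def audit_flags(text):
    """Class names enabled on the flags: line of audit_control."""
    for line in text.splitlines():
        if line.strip().startswith("flags:"):
            items = (i.strip() for i in line.split(":", 1)[1].split(","))
            # Drop +/- (success-only/failure-only); skip ^ entries, which disable.
            return {i.lstrip("+-") for i in items if i and not i.startswith("^")}
    return set()

def exported_dirs(text):
    """Directories named at the start of each exports(5) line."""
    dirs = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("V4:"):
            continue  # comment, blank line, or NFSv4 root declaration
        for field in line.split():
            if not field.startswith("/"):
                break  # first option or host ends the directory list
            dirs.append(field)
    return dirs

def coverage_gaps(audit_control, exports):
    """(directory, classes) pairs where NFS client changes go unrecorded."""
    classes = sorted(audit_flags(audit_control) & FILE_CLASSES)
    return [(d, classes) for d in exported_dirs(exports)] if classes else []

if __name__ == "__main__":
    for path, classes in coverage_gaps(AUDIT_CONTROL, EXPORTS):
        print(f"{path}: {','.join(classes)} will not cover NFS client writes")
```

Each directory it reports needs auditd running on the NFS clients that mount it if those changes must be recorded.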