Re: auditd not logging file operations thru NFS

From: Alan Somers <asomers_at_freebsd.org>
Date: Sat, 03 Aug 2024 15:06:28 UTC
On Sat, Aug 3, 2024 at 7:52 AM Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
> I have auditd running on two machines with a configuration to monitor
> all changes in files on the filesystem. If I write to the file from the
> localhost (on machine A), everything works and the record appears in the
> logfile. However, if a directory is exported via NFS, mounted on another
> machine (machine B), and I write to the file on the machine B, then no
> record appears in the audit log on machine A.
> Is there a way to configure auditd to log these events too?
>
> /etc/security/audit_user is empty
> /etc/security/audit_event is default
> /etc/security/audit_class is default
>
> # cat /etc/security/audit_control
> #
> # $FreeBSD: releng/10.3/contrib/openbsm/etc/audit_control 293161 2016-01-04 16:32:21Z brueffer $
> #
> dir:/var/audit
> dist:off
> flags:lo,aa,ad,fw,fm,fc,fd
> minfree:5
> naflags:lo,aa,ad,fw,fm,fc,fd
> policy:cnt,argv
> filesz:50M
> expire-after:600s
>
> Kind regards
> Miroslav Lachman

Nope.  That's a known limitation of auditd.  It works at a higher
level than nfs.  If you want to audit operations over NFS, currently
you must run auditd on the NFS client.  There was actually a GSoC
project that tried to fix this a few years ago, but it ran into too
many problems and was ultimately unsuccessful.
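Since the reply says the file operations have to be audited on the NFS client, a practitioner will want to verify that the client's audit_control actually selects the file classes (fw, fm, fc, fd) for both attributable (flags) and non-attributable (naflags) events. The following check is an added example, not code from the thread, FreeBSD or OpenBSM; it assumes the key:value layout of audit_control shown in the question and uses a constructed copy of that file as sample input.

```shell
#!/bin/sh
# Constructed sample matching the audit_control quoted in the question (header omitted).
SAMPLE_AUDIT_CONTROL='dir:/var/audit
dist:off
flags:lo,aa,ad,fw,fm,fc,fd
minfree:5
naflags:lo,aa,ad,fw,fm,fc,fd
policy:cnt,argv
filesz:50M
expire-after:600s'

# Print the value for key $1 in the audit_control text given as $2; comment lines are skipped.
audit_control_value() {
    printf '%s\n' "$2" | grep -v '^#' | sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Print (space-separated) which of the file classes fw fm fc fd are NOT selected by the
# class list under key $1 in audit_control text $2. Simplifying assumption: "all", "+all",
# "-all", "X", "+X" and "-X" count as selecting class X (success-only or failure-only still
# audits it); a "^" prefix is treated as not selecting. Empty output means all are selected.
missing_file_classes() {
    list=$(audit_control_value "$1" "$2")
    missing=""
    for class in fw fm fc fd; do
        selected=no
        oldifs=$IFS; IFS=','
        for entry in $list; do
            case "$entry" in
                all|+all|-all|"$class"|+"$class"|-"$class") selected=yes ;;
            esac
        done
        IFS=$oldifs
        [ "$selected" = yes ] || missing="$missing$class "
    done
    printf '%s' "${missing% }"
}

# Report for one audit_control text whether flags and naflags cover the file classes.
report_file_audit() {
    for key in flags naflags; do
        m=$(missing_file_classes "$key" "$1")
        if [ -z "$m" ]; then
            echo "$key: all file classes selected"
        else
            echo "$key: missing $m"
        fi
    done
}
report_file_audit "$SAMPLE_AUDIT_CONTROL"
```

On a real client, pass `"$(cat /etc/security/audit_control)"` to report_file_audit instead of the sample; a missing class means writes arriving from that host will not appear in the audit trail at all.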