Re: auditd not logging file operations thru NFS

From: Miroslav Lachman <000.fbsd_at_quip.cz>
Date: Sat, 03 Aug 2024 19:37:46 UTC
On 03/08/2024 17:06, Alan Somers wrote:
> On Sat, Aug 3, 2024 at 7:52 AM Miroslav Lachman <000.fbsd@quip.cz> wrote:
>>
>> I have auditd running on two machines with a configuration to monitor
>> all changes in files on the filesystem. If I write to the file from the
>> localhost (on machine A), everything works and the record appears in the
>> logfile. However, if a directory is exported via NFS, mounted on another
>> machine (machine B), and I write to the file on the machine B, then no
>> record appears in the audit log on machine A.
>> Is there a way to configure auditd to log these events too?
>>
>> /etc/security/audit_user is empty
>> /etc/security/audit_event is default
>> /etc/security/audit_class is default
>>
>> # cat /etc/security/audit_control
>> #
>> # $FreeBSD: releng/10.3/contrib/openbsm/etc/audit_control 293161 2016-01-04 16:32:21Z brueffer $
>> #
>> dir:/var/audit
>> dist:off
>> flags:lo,aa,ad,fw,fm,fc,fd
>> minfree:5
>> naflags:lo,aa,ad,fw,fm,fc,fd
>> policy:cnt,argv
>> filesz:50M
>> expire-after:600s
>>
>> Kind regards
>> Miroslav Lachman
> 
> Nope.  That's a known limitation of auditd.  It works at a higher
> level than nfs.  If you want to audit operations over NFS, currently
> you must run auditd on the NFS client.  There was actually a GSoC
> project that tried to fix this a few years ago, but it ran into too
> many problems and was ultimately unsuccessful.

Thank you very much for the explanation.
I wouldn't have thought that auditd doesn't support it. From my point of 
view, it's a pretty fundamental bug. If I'm deploying a system for 
auditing access and changes, I would expect it to be able to record 
really all accesses to files, but this way all it takes is "some daemon" 
(NFS) and changes to files can take place without there being an audit 
trail.
Of course, I don't understand these system issues at all and have no 
idea how difficult it is to fix this deficiency, but I would be happy if 
the fix could be sponsored by the FreeBSD Foundation.
And I would also like to see it mentioned in the manual and handbook. 
Nowhere did I find mention that the inability to log events through NFS 
is a long known problem.

In this case, fortunately I have access to both machines - the NFS 
server and the NFS client, so I can take audit logs from the client as 
well, but in some other cases I am managing an NFS server for foreign 
clients where I am not able to set up auditd on the client side.

Kind regards
Miroslav Lachman
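Since the server-side auditd never sees the NFS client's writes, the client has to carry the audit configuration itself. The following is an added example, not part of the thread: a POSIX sh check that parses an audit_control(5) file and reports which required classes its flags: line does not select, using the configuration quoted above as constructed sample input. The function names are mine.

```shell
#!/bin/sh
# missing_audit_classes FILE CLASSES
#   FILE    an audit_control(5) file
#   CLASSES comma-separated audit classes that must be selected (e.g. fw,fm,fc,fd)
# Prints the classes that the file's flags: line does not select.
# Prefixes follow audit_control(5): "+cls" (success only) and "-cls" (failure
# only) still select the class; "^cls" removes it again; "all" selects every
# class. Tokens are applied left to right, so a later "^cls" wins over "all".
# Partial exclusions ("^+cls", "^-cls") leave the class half-selected and are
# therefore treated as covered.
missing_audit_classes() {
    file=$1 required=$2
    # The last flags: line wins if the file has more than one.
    selected=$(grep '^flags:' "$file" | tail -n 1 | cut -d: -f2)
    missing=""
    for cls in $(printf '%s' "$required" | tr ',' ' '); do
        covered=0
        for tok in $(printf '%s' "$selected" | tr ',' ' '); do
            case $tok in
                "^$cls")                  covered=0 ;;
                "$cls"|"+$cls"|"-$cls"|all) covered=1 ;;
            esac
        done
        if [ "$covered" -eq 0 ]; then
            missing="$missing $cls"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Demo: the audit_control contents quoted in the thread, written to a
# temporary file so the script runs stand-alone (constructed sample input).
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
dir:/var/audit
dist:off
flags:lo,aa,ad,fw,fm,fc,fd
minfree:5
naflags:lo,aa,ad,fw,fm,fc,fd
policy:cnt,argv
filesz:50M
expire-after:600s
EOF
    missing_audit_classes "$tmp" fw,fm,fc,fd   # empty line: all four selected
    rm -f "$tmp"
}

demo
```

Run it against /etc/security/audit_control on the NFS client; a non-empty result means file-operation events from that client are not being selected anywhere.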