Re: auditd not logging file operations thru NFS
- In reply to: Miroslav Lachman : "Re: auditd not logging file operations thru NFS"
Date: Sat, 03 Aug 2024 20:34:20 UTC
On Sat, Aug 3, 2024 at 1:37 PM Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
> On 03/08/2024 17:06, Alan Somers wrote:
> > On Sat, Aug 3, 2024 at 7:52 AM Miroslav Lachman <000.fbsd@quip.cz> wrote:
> >>
> >> I have auditd running on two machines with a configuration to monitor
> >> all changes in files on the filesystem. If I write to the file from the
> >> localhost (on machine A), everything works and the record appears in the
> >> logfile. However, if a directory is exported via NFS, mounted on another
> >> machine (machine B), and I write to the file on the machine B, then no
> >> record appears in the audit log on machine A.
> >> Is there a way to configure auditd to log these events too?
> >>
> >> /etc/security/audit_user is empty
> >> /etc/security/audit_event is default
> >> /etc/security/audit_class is default
> >>
> >> # cat /etc/security/audit_control
> >> #
> >> # $FreeBSD: releng/10.3/contrib/openbsm/etc/audit_control 293161 2016-01-04 16:32:21Z brueffer $
> >> #
> >> dir:/var/audit
> >> dist:off
> >> flags:lo,aa,ad,fw,fm,fc,fd
> >> minfree:5
> >> naflags:lo,aa,ad,fw,fm,fc,fd
> >> policy:cnt,argv
> >> filesz:50M
> >> expire-after:600s
> >>
> >> Kind regards
> >> Miroslav Lachman
> >
> > Nope. That's a known limitation of auditd. It works at a higher
> > level than nfs. If you want to audit operations over NFS, currently
> > you must run auditd on the NFS client. There was actually a GSoC
> > project that tried to fix this a few years ago, but it ran into too
> > many problems and was ultimately unsuccessful.
>
> Thank you very much for the explanation.
> I wouldn't have thought that auditd doesn't support it. From my point of
> view, it's a pretty fundamental bug. If I'm deploying a system for
> auditing access and changes, I would expect it to be able to record
> really all accesses to files, but this way all it takes is "some daemon"
> (NFS) and changes to files can take place without there being an audit
> trail.
> Of course, I don't understand these system issues at all and have no
> idea how difficult it is to fix this deficiency, but I would be happy if
> the fix could be sponsored by the FreeBSD Foundation.
> And I would also like to see it mentioned in the manual and handbook.
> Nowhere did I find mention that the inability to log events through NFS
> is a long known problem.
>
> In this case, fortunately I have access to both machines - the NFS
> server and the NFS client, so I can take audit logs from the client as
> well, but in some other cases I am managing an NFS server for foreign
> clients where I am not able to set up auditd on the client side.
>
> Kind regards
> Miroslav Lachman

Yep yep yep. It's definitely surprising. Too bad it isn't easier to fix.
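Added example, not part of the thread above and not FreeBSD project code: if the workaround is to run auditd on the NFS client with the same file classes the server uses (fw, fm, fc, fd: file write, attribute modify, create, delete), the practical check is to confirm that the client's trail really records the writes under the mount point. The script below reads praudit(1)-style text on stdin and prints every successful write-type record whose path lies under a given directory. The sample trail is constructed and simplified (field counts in the subject token are not exact), and the suggested pipeline `auditreduce -c fw,fm,fc,fd /var/audit/current | praudit | writes_under /mnt/data` is assumed, not executed here. The prefix you pass is the client's mount point (e.g. /mnt/data), not the server's export path, since the client only ever sees its own namespace. As the thread notes, this only helps where you control the client; for foreign clients the server-side trail stays silent.

```shell
#!/bin/sh
# Added example (not from the thread): on the NFS *client*, where the audit
# record is actually generated, list successful write-type file operations
# under a given directory from a praudit(1) text dump.  Assumed FreeBSD pipeline:
#   auditreduce -c fw,fm,fc,fd /var/audit/current | praudit | writes_under /mnt/data
# The trail below is a constructed, simplified praudit-style sample.

SAMPLE_TRAIL='header,154,11,open(2) - read,0,Sat Aug  3 20:30:01 2024, + 10 msec
path,/export/data/readme.txt
subject,mirek,mirek,mirek,mirek,mirek,1001,1001,12345,192.0.2.10
return,success,3
trailer,154
header,160,11,open(2) - write,creat,trunc,0,Sat Aug  3 20:30:02 2024, + 12 msec
path,/export/data/notes.txt
subject,mirek,mirek,mirek,mirek,mirek,1001,1001,12345,192.0.2.10
return,success,4
trailer,160
header,148,11,unlink(2),0,Sat Aug  3 20:30:03 2024, + 15 msec
path,/export/data/old.log
subject,mirek,mirek,mirek,mirek,mirek,1001,1001,12345,192.0.2.10
return,success,0
trailer,148
header,150,11,open(2) - write,0,Sat Aug  3 20:30:04 2024, + 20 msec
path,/home/mirek/scratch.txt
subject,mirek,mirek,mirek,mirek,mirek,1001,1001,12345,192.0.2.10
return,success,5
trailer,150
header,160,11,open(2) - write,creat,trunc,0,Sat Aug  3 20:30:05 2024, + 22 msec
path,/export/data/denied.txt
subject,mirek,mirek,mirek,mirek,mirek,1001,1001,12345,192.0.2.10
return,failure : Permission denied,-1
trailer,160'

# writes_under DIR: read praudit text on stdin and print the path of every
# record that (a) is a write-type event (open for write/creat, write, unlink,
# rename, mkdir, rmdir, truncate), (b) returned success, and (c) touched a
# path under DIR.  One path per line.  The last path token of a record wins
# (rename(2) emits two, destination last).  A trailing "/" is forced onto DIR
# so /export/data does not also match /export/database.
writes_under() {
    case $1 in
        */) prefix=$1 ;;
        *)  prefix=$1/ ;;
    esac
    awk -v prefix="$prefix" '
        /^header,/        { ev = $0; ok = 0; p = "" }
        /^path,/          { p = substr($0, 6) }
        /^return,success/ { ok = 1 }
        /^trailer,/ {
            if (ok && index(p, prefix) == 1 &&
                ev ~ /open\(2\) - (write|read,write)|creat|write\(2\)|unlink\(2\)|rename\(2\)|mkdir\(2\)|rmdir\(2\)|truncate\(2\)/)
                print p
        }'
}

# count_writes_under DIR: same selection, prints the number of matching records.
count_writes_under() {
    writes_under "$1" | awk 'END { print NR }'
}

# Demo on the constructed sample: expect notes.txt and old.log, but not the
# read-only open, the write outside the directory, or the failed open.
printf '%s\n' "$SAMPLE_TRAIL" | writes_under /export/data
```

A count of zero on the client after a known write means the client's audit_control flags or the auditd service itself are not set up, not that NFS swallowed the record; a non-zero count on the client with nothing on the server is exactly the limitation the thread describes.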