On 2018-04-07 18:38, Frank Thommen wrote:
> On 07/04/18 13:56, Richard Guy Briggs wrote:
> > On 2018-04-07 04:04, Frank Thommen wrote:
> > > Hello,
> > >
> > > we have started auditing on our systems (file open, close, write etc.).
> > > This is no problem on local and on statically mounted NFS systems
> > > (-a exit,always -F dir=/a/b/c ...). However for automounted filesystems
> > > auditd only reports on system calls on those filesystems which are
> > > mounted when auditd starts.
> > >
> > > Is there a way to make auditd aware of newly mounted NFS filesystems, so
> > > that we can audit them, too?
> >
> > Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
> > commands? I'm not certain they do exactly what you want, but may help.
>
> Thanks a lot. I don't understand what "trim" means in this context. Reading
> the explanation in the manpage ("Trim the subtrees after a mount command")
> I'd expect this to happen after an UNmount, not a mount...?
>
> However -q looks promising. I'll give it a try.
>
> > Warning that remote filesystems can't be expected to audit changes made
> > to that filesystem by other systems that have mounted that remote
> > filesystem unless those rules are running on that remote system.
>
> All rules are running on the NFS clients, not the NFS servers.

Are *all* the clients running the rules? Since it is the host executing
the action that is the only one that can audit the action.

> frank
>
> > > frank
> >
> > - RGB

- RGB

--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit