8

I have multiple servers mounting an NFS share called /opt/WHATEVER from Server X.

Server X has auditd enabled with the rule: `sudo /sbin/auditctl -w /opt/WHATEVER -p rwxa`

When events occur on Server X in that folder, it works great. However, when any other machine accesses or changes anything, nothing is reported. Server X and the others have the same path, i.e. /opt/WHATEVER.

How can you enable auditd to track events from NFS?

Scott Pack
Takadonet

1 Answer

4

Much like recursion, in order to understand auditd you must first understand auditd. Auditd is the front-end to a kernel module that intercepts/monitors system calls and reports on them. That is to say, the -w option doesn't continuously perform an ls, md5sum, or similar on the target, it instructs the kernel module to report on attempts to perform file access calls, such as open() or creat(), on the target. Translating this information back to your question, this means that auditd can't detect changes being made by remote hosts in this way. Those system calls are occurring on the remote system.

To do the kind of monitoring you want, you'll need to configure auditd on the remote hosts to monitor the NFS mount locally. What you should do then is log all the hosts running auditd to a central log host, using something like audisp-remote. Then the logs can be more easily searched and correlated.

Scott Pack
    Would certain syscalls on a file served by NFS not also be called on the server? For instance, if I `chown` a file on an NFS client, does that mean `chown` must also be called on the server by the NFS daemon? – Dev Jan 17 '17 at 21:36
  • @Dev You would think so, but as far as I can tell, NFS bypasses the logging. – Wayne Conrad Aug 08 '17 at 16:23
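The search-and-correlate step the answer ends on, as an added example that is not part of the answer or of auditd itself: on a central log host, records forwarded by audisp-remote carry a `node=` field naming the sending host, and a SYSCALL record is joined to its PATH records by the `(node, serial)` pair in `msg=audit(time:serial)`. The hosts (`client1`, `client2`, `serverx`), uids, inodes and file names in the sample records are constructed; the watch key `nfs_watch` is an assumed `-k` value on the clients' `-w /opt/WHATEVER` rules.

```python
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers that appear in the constructed records below.
SYSCALL_NAMES = {2: "open", 82: "rename", 87: "unlink", 90: "chmod", 92: "chown", 257: "openat"}

# Constructed sample: what a central host receives from audisp-remote forwarders
# (node= is the sending host). Host names, uids, inodes and paths are invented.
SAMPLE_LOG = """\
node=client1 type=SYSCALL msg=audit(1484689000.123:4501): arch=c000003e syscall=92 success=yes exit=0 a0=3 a1=3e8 a2=3e8 a3=0 items=1 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="chown" exe="/usr/bin/chown" key="nfs_watch"
node=client1 type=PATH msg=audit(1484689000.123:4501): item=0 name="/opt/WHATEVER/app.conf" inode=7781 dev=00:2c mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
node=serverx type=SYSCALL msg=audit(1484689010.456:88): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd a2=0 a3=0 items=1 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="cat" exe="/usr/bin/cat" key="nfs_watch"
node=serverx type=PATH msg=audit(1484689010.456:88): item=0 name="/opt/WHATEVER/app.conf" inode=7781 dev=08:02 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
node=client2 type=SYSCALL msg=audit(1484689020.789:9): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=10 pid=11 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts0 ses=1 comm="less" exe="/usr/bin/less" key="home_watch"
node=client2 type=PATH msg=audit(1484689020.789:9): item=0 name="/home/alice/notes.txt" inode=42 dev=08:01 mode=0100644 ouid=1002 ogid=1002 rdev=00:00 nametype=NORMAL
"""

# key=value pairs; a value is either "quoted" or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Event identity inside msg=audit(<epoch>.<ms>:<serial>): the serial is per host,
# so it must be paired with node= to stay unique on the central log host.
MSG_RE = re.compile(r'audit\(\d+\.\d+:(\d+)\)')

def parse_record(line):
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(line)}
    fields["_event"] = (fields.get("node", "localhost"), MSG_RE.search(line).group(1))
    return fields

def correlate(log_text):
    """Join each SYSCALL record with the PATH records sharing its (node, serial)."""
    events = defaultdict(lambda: {"paths": []})
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        if rec["type"] == "SYSCALL":
            events[rec["_event"]].update(
                node=rec["_event"][0], auid=rec["auid"], uid=rec["uid"], comm=rec["comm"],
                exe=rec["exe"], success=rec["success"], key=rec.get("key", ""),
                syscall=SYSCALL_NAMES.get(int(rec["syscall"]), rec["syscall"]))
        elif rec["type"] == "PATH":
            events[rec["_event"]]["paths"].append(rec["name"])
    return list(events.values())

def events_under(log_text, prefix):
    """Events from any host whose PATH records fall under prefix (the NFS share)."""
    return [e for e in correlate(log_text) if any(p.startswith(prefix) for p in e["paths"])]
```

Run against real forwarded logs, `events_under(open("/var/log/audit/audit.log").read(), "/opt/WHATEVER")` lists which host, login user (`auid`) and program touched the share, which is exactly what the server-side watch alone cannot tell you for NFS clients.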