Discussion:
auditing automounted filesystems (NFS)
Frank Thommen
2018-04-07 02:04:00 UTC
Permalink
Hello,

we have started auditing on our systems (file open, close, write etc.).
This is no problem on local and on statically mounted NFS systems (-a
exit,always -F dir=/a/b/c ...). However for automounted filesystems
auditd only reports on system calls on those filesystems which are
mounted when auditd starts.

Is there a way to make auditd aware of newly mounted NFS filesystems, so
that we can audit them, too?

Cheers
frank
Richard Guy Briggs
2018-04-07 11:56:05 UTC
Permalink
Post by Frank Thommen
Hello,
we have started auditing on our systems (file open, close, write etc.). This
is no problem on local and on statically mounted NFS systems (-a exit,always
-F dir=/a/b/c ...). However for automounted filesystems auditd only reports
on system calls on those filesystems which are mounted when auditd starts.
Is there a way to make auditd aware of newly mounted NFS filesystems, so
that we can audit them, too?
Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
commands? I'm not certain they do exactly what you want, but may help.

Warning that remote filesystems can't be expected to audit changes made
to that filesystem by other systems that have mounted that remote
filesystem unless those rules are running on that remote system.
Post by Frank Thommen
frank
- RGB

--
Richard Guy Briggs <***@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Frank Thommen
2018-04-07 16:38:07 UTC
Permalink
Post by Richard Guy Briggs
Post by Frank Thommen
Hello,
we have started auditing on our systems (file open, close, write etc.). This
is no problem on local and on statically mounted NFS systems (-a exit,always
-F dir=/a/b/c ...). However for automounted filesystems auditd only reports
on system calls on those filesystems which are mounted when auditd starts.
Is there a way to make auditd aware of newly mounted NFS filesystems, so
that we can audit them, too?
Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
commands? I'm not certain they do exactly what you want, but may help.
Thanks a lot. I don't understand what "trim" means in this context.
Reading the explanation in the manpage ("Trim the subtrees after a mount
command") I'd expect this to happen after an UNmount, not a mount...?

However -q looks promising. I'll give it a try.
Post by Richard Guy Briggs
Warning that remote filesystems can't be expected to audit changes made
to that filesystem by other systems that have mounted that remote
filesystem unless those rules are running on that remote system.
All rules are running on the NFS clients, not the NFS servers.

frank
Post by Richard Guy Briggs
Post by Frank Thommen
frank
- RGB
--
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Frank Thommen | HD-HuB / DKFZ Heidelberg
| ***@dkfz-heidelberg.de
Richard Guy Briggs
2018-04-08 01:08:56 UTC
Permalink
Post by Richard Guy Briggs
Post by Frank Thommen
Hello,
we have started auditing on our systems (file open, close, write etc.). This
is no problem on local and on statically mounted NFS systems (-a exit,always
-F dir=/a/b/c ...). However for automounted filesystems auditd only reports
on system calls on those filesystems which are mounted when auditd starts.
Is there a way to make auditd aware of newly mounted NFS filesystems, so
that we can audit them, too?
Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
commands? I'm not certain they do exactly what you want, but may help.
Thanks a lot. I don't understand what "trim" means in this context. Reading
the explanation in the manpage ("Trim the subtrees after a mount command")
I'd expect this to happen after an UNmount, not a mount...?
However -q looks promising. I'll give it a try.
Post by Richard Guy Briggs
Warning that remote filesystems can't be expected to audit changes made
to that filesystem by other systems that have mounted that remote
filesystem unless those rules are running on that remote system.
All rules are running on the NFS clients, not the NFS servers.
Are *all* the clients running the rules? Since it is the host executing
the action that is the only one that can audit the action.
frank
Post by Richard Guy Briggs
Post by Frank Thommen
frank
- RGB
- RGB

--
Richard Guy Briggs <***@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Frank Thommen
2018-04-08 18:33:02 UTC
Permalink
Post by Richard Guy Briggs
Post by Richard Guy Briggs
Post by Frank Thommen
Hello,
we have started auditing on our systems (file open, close, write etc.). This
is no problem on local and on statically mounted NFS systems (-a exit,always
-F dir=/a/b/c ...). However for automounted filesystems auditd only reports
on system calls on those filesystems which are mounted when auditd starts.
Is there a way to make auditd aware of newly mounted NFS filesystems, so
that we can audit them, too?
Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
commands? I'm not certain they do exactly what you want, but may help.
Thanks a lot. I don't understand what "trim" means in this context. Reading
the explanation in the manpage ("Trim the subtrees after a mount command")
I'd expect this to happen after an UNmount, not a mount...?
However -q looks promising. I'll give it a try.
Post by Richard Guy Briggs
Warning that remote filesystems can't be expected to audit changes made
to that filesystem by other systems that have mounted that remote
filesystem unless those rules are running on that remote system.
All rules are running on the NFS clients, not the NFS servers.
Are *all* the clients running the rules? Since it is the host executing
the action that is the only one that can audit the action.
yes, all clients are running the rules

frank
Frank Thommen
2018-04-09 17:45:44 UTC
Permalink
Post by Richard Guy Briggs
Post by Frank Thommen
Hello,
we have started auditing on our systems (file open, close, write etc.). This
is no problem on local and on statically mounted NFS systems (-a exit,always
-F dir=/a/b/c ...).  However for automounted filesystems auditd only
reports
on system calls on those filesystems which are mounted when auditd starts.
Is there a way to make auditd aware of newly mounted NFS filesystems, so
that we can audit them, too?
Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
commands?  I'm not certain they do exactly what you want, but may help.
Thanks a lot.  I don't understand what "trim" means in this context.
Reading the explanation in the manpage ("Trim the subtrees after a mount
command") I'd expect this to happen after an UNmount, not a mount...?
However -q looks promising.  I'll give it a try.
Unfortunately this didn't work. Either our config is wrong or I
misunderstand what "-q" does:

Example: /mnt/test is automounted (/etc/auto.mnt: test -vers=3
fs:/export/test)

In /etc/audit/audit.rules we have

-------------------
[...]
-a always,exit -F dir=/mnt -F arch=b64 -S write -S open -S close -S
rename -S mkdir -S chmod -S chown -S rmdir -S unlink -S unlinkat -S
renameat -S fchmod -S fchown -S symlink -S symlinkat -S readlink -S link
-S readlinkat -S linkat -S fchmodat -S fchownat -k fs-XXXX
-q /mnt,/mnt/test
-------------------

when I unmount /mnt/test, restart auditd and then do e.g. a `cat
/mnt/test/myfile`, then I get the following entries in the audit log:

-------------------
type=SYSCALL msg=audit(1523295277.512:3124883): arch=c000003e syscall=89
success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000
a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124883): item=0 name="/mnt"
inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.512:3124884): arch=c000003e syscall=89
success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000
a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124884): item=0 name="/mnt/test"
inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124885): arch=c000003e syscall=89
success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000
a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124885): item=0 name="/mnt"
inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124886): arch=c000003e syscall=89
success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000
a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124886): item=0 name="/mnt/test"
inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
-------------------

Access to the file itself is not logged. When I restart auditd while
/mnt/test /is/ mounted, then a `cat /mnt/test/myfile` results in

-------------------
type=SYSCALL msg=audit(1523295467.808:3125055): arch=c000003e syscall=2
success=yes exit=3 a0=7ffffa9c424c a1=0 a2=1fffffffffff0000
a3=7ffffa9c2560 items=1 ppid=22404 pid=4794 auid=22189 uid=22189
gid=1110 euid=22189 suid=22189 fsuid=22189 egid=1110 sgid=1110
fsgid=1110 tty=pts7 ses=662075 comm="cat" exe="/usr/bin/cat" key="fs-XXXX"
type=PATH msg=audit(1523295467.808:3125055): item=0
name="/mnt/test/myfile" inode=13 dev=00:80 mode=0100764 ouid=6836
ogid=2515 rdev=00:00 nametype=NORMAL
-------------------

in the logfile. That's the entries I'd like to see even when /mnt/test
is unmounted when auditd is started.

Can that be done at all?

Cheers
frank
Frank Thommen
2018-04-19 13:21:19 UTC
Permalink
Hi,
Post by Richard Guy Briggs
Post by Frank Thommen
Hello,
we have started auditing on our systems (file open, close, write etc.). This
is no problem on local and on statically mounted NFS systems (-a exit,always
-F dir=/a/b/c ...).  However for automounted filesystems auditd only
reports
on system calls on those filesystems which are mounted when auditd starts.
Is there a way to make auditd aware of newly mounted NFS
filesystems, so
that we can audit them, too?
Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
commands?  I'm not certain they do exactly what you want, but may help.
Thanks a lot.  I don't understand what "trim" means in this context.
Reading the explanation in the manpage ("Trim the subtrees after a
mount command") I'd expect this to happen after an UNmount, not a
mount...?
However -q looks promising.  I'll give it a try.
Unfortunately this didn't work.  Either our config is wrong or I
Example: /mnt/test is automounted (/etc/auto.mnt: test -vers=3
fs:/export/test)
In /etc/audit/audit.rules we have
-------------------
[...]
-a always,exit -F dir=/mnt -F arch=b64 -S write -S open -S close -S
rename -S mkdir -S chmod -S chown -S rmdir -S unlink -S unlinkat -S
renameat -S fchmod -S fchown -S symlink -S symlinkat -S readlink -S link
-S readlinkat -S linkat -S fchmodat -S fchownat -k fs-XXXX
-q /mnt,/mnt/test
-------------------
when I unmount /mnt/test, restart auditd and then do e.g. a `cat
-------------------
type=SYSCALL msg=audit(1523295277.512:3124883): arch=c000003e syscall=89
success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000
a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124883): item=0 name="/mnt"
inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.512:3124884): arch=c000003e syscall=89
success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000
a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124884): item=0 name="/mnt/test"
inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124885): arch=c000003e syscall=89
success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000
a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124885): item=0 name="/mnt"
inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124886): arch=c000003e syscall=89
success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000
a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124886): item=0 name="/mnt/test"
inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
-------------------
Access to the file itself is not logged.  When I restart auditd while
/mnt/test /is/ mounted, then a `cat /mnt/test/myfile` results in
-------------------
type=SYSCALL msg=audit(1523295467.808:3125055): arch=c000003e syscall=2
success=yes exit=3 a0=7ffffa9c424c a1=0 a2=1fffffffffff0000
a3=7ffffa9c2560 items=1 ppid=22404 pid=4794 auid=22189 uid=22189
gid=1110 euid=22189 suid=22189 fsuid=22189 egid=1110 sgid=1110
fsgid=1110 tty=pts7 ses=662075 comm="cat" exe="/usr/bin/cat" key="fs-XXXX"
type=PATH msg=audit(1523295467.808:3125055): item=0
name="/mnt/test/myfile" inode=13 dev=00:80 mode=0100764 ouid=6836
ogid=2515 rdev=00:00 nametype=NORMAL
-------------------
in the logfile.  That's the entries I'd like to see even when /mnt/test
is unmounted when auditd is started.
Can that be done at all?
Since there were no more suggestions from the list, must I assume, that
it is not possible to configure auditd to recursively check filesystems,
which have been mounted /after/ auditd has been started?

Is there any workaround, which combines autofs and auditd?

Cheers
frank
Cheers
frank
Steve Grubb
2018-04-19 13:40:29 UTC
Permalink
Post by Frank Thommen
Hi,
Post by Frank Thommen
Post by Frank Thommen
Post by Richard Guy Briggs
Post by Frank Thommen
Hello,
we have started auditing on our systems (file open, close, write etc.). This
is no problem on local and on statically mounted NFS systems (-a exit,always
-F dir=/a/b/c ...). However for automounted filesystems auditd only
reports
on system calls on those filesystems which are mounted when auditd starts.
Is there a way to make auditd aware of newly mounted NFS
filesystems, so
that we can audit them, too?
Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
commands? I'm not certain they do exactly what you want, but may help.
Thanks a lot. I don't understand what "trim" means in this context.
Reading the explanation in the manpage ("Trim the subtrees after a
mount command") I'd expect this to happen after an UNmount, not a
mount...?
However -q looks promising. I'll give it a try.
Unfortunately this didn't work. Either our config is wrong or I
Example: /mnt/test is automounted (/etc/auto.mnt: test -vers=3
fs:/export/test)
In /etc/audit/audit.rules we have
-------------------
[...]
-a always,exit -F dir=/mnt -F arch=b64 -S write -S open -S close -S
rename -S mkdir -S chmod -S chown -S rmdir -S unlink -S unlinkat -S
renameat -S fchmod -S fchown -S symlink -S symlinkat -S readlink -S link
-S readlinkat -S linkat -S fchmodat -S fchownat -k fs-XXXX
-q /mnt,/mnt/test
-------------------
when I unmount /mnt/test, restart auditd and then do e.g. a `cat
-------------------
type=SYSCALL msg=audit(1523295277.512:3124883): arch=c000003e syscall=89
success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000
a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124883): item=0 name="/mnt"
inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=SYSCALL msg=audit(1523295277.512:3124884): arch=c000003e syscall=89
success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000
a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124884): item=0 name="/mnt/test"
inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124885): arch=c000003e syscall=89
success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000
a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124885): item=0 name="/mnt"
inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124886): arch=c000003e syscall=89
success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000
a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124886): item=0 name="/mnt/test"
inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
-------------------
Access to the file itself is not logged. When I restart auditd while
/mnt/test /is/ mounted, then a `cat /mnt/test/myfile` results in
-------------------
type=SYSCALL msg=audit(1523295467.808:3125055): arch=c000003e syscall=2
success=yes exit=3 a0=7ffffa9c424c a1=0 a2=1fffffffffff0000
a3=7ffffa9c2560 items=1 ppid=22404 pid=4794 auid=22189 uid=22189
gid=1110 euid=22189 suid=22189 fsuid=22189 egid=1110 sgid=1110
fsgid=1110 tty=pts7 ses=662075 comm="cat" exe="/usr/bin/cat"
key="fs-XXXX"
type=PATH msg=audit(1523295467.808:3125055): item=0
name="/mnt/test/myfile" inode=13 dev=00:80 mode=0100764 ouid=6836
ogid=2515 rdev=00:00 nametype=NORMAL
-------------------
in the logfile. That's the entries I'd like to see even when /mnt/test
is unmounted when auditd is started.
Can that be done at all?
Since there were no more suggestions from the list, must I assume, that
it is not possible to configure auditd to recursively check filesystems,
which have been mounted /after/ auditd has been started?
auditd does not check anything. It records what the kernel sends it. The
kernel can be configured at any time by running the auditctl command. It
could be possible that auditctl -R /etc/audit/audit.d/nfs.rules be applied.
You would have to work out some way to make that happen. I don't know if
autofs has hooks where you can ask it to run a script after mounting.
Post by Frank Thommen
Is there any workaround, which combines autofs and auditd?
I have never investigated it. Maybe someone else has and can chime in.

-Steve

Loading...