From mboxrd@z Thu Jan  1 00:00:00 1970
From: Matthew Booth <mbooth@redhat.com>
Subject: Re: Identifying writes to NFS
Date: Thu, 31 May 2007 10:34:44 +0100
Message-ID: <1180604084.8044.2.camel@localhost.localdomain>
References: <1180542928.5055.16.camel@localhost.localdomain>
	<20070530175634.GK27042@devserv.devel.redhat.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0999968762=="
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <20070530175634.GK27042@devserv.devel.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Alexander Viro <aviro@redhat.com>
Cc: linux-audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com


--===============0999968762==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="=-C0sAfDdPN1w+sgYvvM8E"


--=-C0sAfDdPN1w+sgYvvM8E
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Wed, 2007-05-30 at 13:56 -0400, Alexander Viro wrote:
> On Wed, May 30, 2007 at 05:35:28PM +0100, Matthew Booth wrote:
> > I'd like to be able to reliably recognise a PATH record which refers to
> > an NFS mount. It seems that dev=3D00:xx would be related to the answer.
> > However, each mount seems to have its own value of xx, and other mounts
> > not backed by a block device, eg /proc and /dev, also have dev=3D00:xx.=
=20
> >=20
> > The answer can't be related to a single system, as the solution has to
> > be rolled out across a large estate with a variety of nfs mounts on
> > particular servers.
> >=20
> > Any ideas? Thanks,
>=20
> man statfs, look at f_type field there.

Looking at this again, this field doesn't appear to be in the audit
data. Am I missing it? It's not possible to invoke statfs to determine
this information as the system receiving the data is remote.

Matt
--=20
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

--=-C0sAfDdPN1w+sgYvvM8E
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBGXpa0NEHqGdM8NJARAq25AJ9IL2aKLY/1KCDX5+ZtjQhdZdDlSwCaA69w
RbzCe3Hq4UnkUcrKCJUe+gU=
=nNos
-----END PGP SIGNATURE-----

--=-C0sAfDdPN1w+sgYvvM8E--


--===============0999968762==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============0999968762==--