From: Steve Grubb
Subject: Re: Audit watches on NFS mounts
Date: Thu, 20 Oct 2016 11:37:33 -0400
Message-ID: <14342226.LmfWeh2Ifs@x2>
To: "Vaughn, Chad M"
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On Thursday, October 20, 2016 2:42:07 PM EDT Vaughn, Chad M wrote:
> I noticed a weird behavior. I NFS mount /usr/local on my Redhat machines.
>
> If I put a watch for a directory in that NFS mount:
>
> -w /usr/local/mywatchdir/ -p rwxa -F exit!=-ENODATA -F success!=1 -k watch
>
> On Redhat 6.4, I don't see audit events when trying to remove or change
> files in that dir. On Redhat 6.8, I do see the audit events when trying to
> remove or change files in that dir.
>
> Any ideas of possible features added to auditd between those releases? I
> would like to be able to speak to it for security audits.

Auditd is just the collector. The events are generated by the kernel. So, it
would be a kernel change that may have allowed that. I don't know what was
changed or which version did it. I do know that in the past it was not possible
to audit NFS or FUSE based file systems.

-Steve
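
Added example, not part of the original thread or of the audit project's code: a check that lists which `-w` watches sit on NFS or FUSE mounts, so their event coverage can be verified on each kernel in use. The rule and mount samples are constructed (the `filer:/export/local` source is hypothetical); on a real host, feed it the audit rules file and `/proc/mounts`.

```python
import shlex

# File system families the reply names as historically not auditable.
NETWORK_FS_PREFIXES = ("nfs", "fuse")

# Constructed samples: auditctl rule syntax and /proc/mounts format.
SAMPLE_RULES = """# constructed sample rules
-w /usr/local/mywatchdir/ -p rwxa -F exit!=-ENODATA -F success!=1 -k watch
-w /etc/passwd -p wa -k identity
"""
SAMPLE_MOUNTS = """/dev/sda1 / ext4 rw 0 0
filer:/export/local /usr/local nfs rw,vers=3 0 0
"""

def parse_watches(rules_text):
    """Return the path of every '-w <path>' watch rule."""
    paths = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        paths += [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "-w"]
    return paths

def parse_mounts(mounts_text):
    """Parse /proc/mounts lines into (mountpoint, fstype) pairs."""
    mounts = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            # /proc/mounts escapes spaces in mount points as \040
            mounts.append((fields[1].replace("\\040", " "), fields[2]))
    return mounts

def fstype_for(path, mounts):
    """Longest-prefix match of path against mount points; later mounts win ties."""
    best_len, best_type = -1, None
    norm = path.rstrip("/") or "/"
    for mnt, fstype in mounts:
        m = mnt.rstrip("/") or "/"
        if (m == "/" or norm == m or norm.startswith(m + "/")) and len(m) >= best_len:
            best_len, best_type = len(m), fstype
    return best_type

def watches_on_network_fs(rules_text, mounts_text):
    """Return (watch path, fstype) for watches that live on NFS or FUSE mounts."""
    mounts = parse_mounts(mounts_text)
    hits = [(p, fstype_for(p, mounts)) for p in parse_watches(rules_text)]
    return [(p, t) for p, t in hits if t and t.startswith(NETWORK_FS_PREFIXES)]

if __name__ == "__main__":
    for path, fstype in watches_on_network_fs(SAMPLE_RULES, SAMPLE_MOUNTS):
        print(f"watch {path} is on {fstype}: confirm events are generated")
```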