Identifying writes to NFS

Identifying writes to NFS

[Matthew Booth]

[-- Attachment #1.1: Type: text/plain, Size: 665 bytes --]

I'd like to be able to reliably recognise a PATH record which refers to
an NFS mount. It seems that dev=00:xx would be related to the answer.
However, each mount seems to have its own value of xx, and other mounts
not backed by a block device, eg /proc and /dev, also have dev=00:xx. 

The answer can't be related to a single system, as the solution has to
be rolled out across a large estate with a variety of nfs mounts on
particular servers.

Any ideas? Thanks,

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Identifying writes to NFS

[Alexander Viro]

On Wed, May 30, 2007 at 05:35:28PM +0100, Matthew Booth wrote:
> I'd like to be able to reliably recognise a PATH record which refers to
> an NFS mount. It seems that dev=00:xx would be related to the answer.
> However, each mount seems to have its own value of xx, and other mounts
> not backed by a block device, eg /proc and /dev, also have dev=00:xx. 
> 
> The answer can't be related to a single system, as the solution has to
> be rolled out across a large estate with a variety of nfs mounts on
> particular servers.
> 
> Any ideas? Thanks,

man statfs, look at f_type field there.

Re: Identifying writes to NFS

[Steve Grubb]

On Wednesday 30 May 2007 13:56, Alexander Viro wrote:
> > I'd like to be able to reliably recognise a PATH record which refers to
> > an NFS mount. 
> >
> > Any ideas? Thanks,
>
> man statfs, look at f_type field there.

While that does tell you the file system type, the audit rule comparitor does 
not use that field to trigger an event. Maybe that would be something useful 
to add to the comparitor?

Matthew, what kernel are you using?

-Steve

Re: Identifying writes to NFS

[Matthew Booth]

[-- Attachment #1.1: Type: text/plain, Size: 673 bytes --]

On Wed, 2007-05-30 at 14:06 -0400, Steve Grubb wrote:
> While that does tell you the file system type, the audit rule comparitor does 
> not use that field to trigger an event. Maybe that would be something useful 
> to add to the comparitor?

Actually I would be matching on this in an external system. That system
would receive *all* open() calls. It just needs to be able to
differentiate nfs from non-nfs.

> Matthew, what kernel are you using?

It's RHEL 4, x86_64.

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Identifying writes to NFS

[Steve Grubb]

On Wednesday 30 May 2007 14:11, Matthew Booth wrote:
> Actually I would be matching on this in an external system. That system
> would receive *all* open() calls. It just needs to be able to
> differentiate nfs from non-nfs.

Ok, I thought you wanted to audit by file system type and have the kernel 
distinguish it. If its external/post-processing, Al gave you the answer.

-Steve

Re: Identifying writes to NFS

[Matthew Booth]

[-- Attachment #1.1: Type: text/plain, Size: 1081 bytes --]

On Wed, 2007-05-30 at 13:56 -0400, Alexander Viro wrote:
> On Wed, May 30, 2007 at 05:35:28PM +0100, Matthew Booth wrote:
> > I'd like to be able to reliably recognise a PATH record which refers to
> > an NFS mount. It seems that dev=00:xx would be related to the answer.
> > However, each mount seems to have its own value of xx, and other mounts
> > not backed by a block device, eg /proc and /dev, also have dev=00:xx. 
> > 
> > The answer can't be related to a single system, as the solution has to
> > be rolled out across a large estate with a variety of nfs mounts on
> > particular servers.
> > 
> > Any ideas? Thanks,
> 
> man statfs, look at f_type field there.

Looking at this again, this field doesn't appear to be in the audit
data. Am I missing it? It's not possible to invoke statfs to determine
this information as the system receiving the data is remote.

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Identifying writes to NFS

[Steve Grubb]

On Thursday 31 May 2007 05:34, Matthew Booth wrote:
> > man statfs, look at f_type field there.
>
> Looking at this again, this field doesn't appear to be in the audit
> data. Am I missing it?

Correct and nope.

> It's not possible to invoke statfs to determine this information as the
> system receiving the data is remote.

Sounds like you wrote a relaying program, it would need to do the statfs 
against the path in the record and add that data before sending it.

-Steve