linux-audit.redhat.com archive mirror
* auditing automounted filesystems (NFS)
From: Frank Thommen @ 2018-04-07  2:04 UTC (permalink / raw)
  To: linux-audit

Hello,

We have started auditing on our systems (file open, close, write etc.). 
This is no problem on local and on statically mounted NFS filesystems (-a 
exit,always -F dir=/a/b/c ...).  However, for automounted filesystems 
auditd only reports on system calls on those filesystems which are 
mounted when auditd starts.

Is there a way to make auditd aware of newly mounted NFS filesystems, so 
that we can audit them, too?

Cheers
frank


* Re: auditing automounted filesystems (NFS)
From: Richard Guy Briggs @ 2018-04-07 11:56 UTC (permalink / raw)
  To: Frank Thommen; +Cc: linux-audit

On 2018-04-07 04:04, Frank Thommen wrote:
> Hello,
> 
> we have started auditing on our systems (file open, close, write etc.). This
> is no problem on local and on statically mounted NFS systems (-a exit,always
> -F dir=/a/b/c ...).  However for automounted filesystems auditd only reports
> on system calls on those filesystems which are mounted when auditd starts.
> 
> Is there a way to make auditd aware of newly mounted NFS filesystems, so
> that we can audit them, too?

Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
commands?  I'm not certain they do exactly what you want, but may help.

Warning that remote filesystems can't be expected to audit changes made
to that filesystem by other systems that have mounted that remote
filesystem unless those rules are running on that remote system.

> frank

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: auditing automounted filesystems (NFS)
From: Frank Thommen @ 2018-04-07 16:38 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit

On 07/04/18 13:56, Richard Guy Briggs wrote:
> On 2018-04-07 04:04, Frank Thommen wrote:
>> Hello,
>>
>> we have started auditing on our systems (file open, close, write etc.). This
>> is no problem on local and on statically mounted NFS systems (-a exit,always
>> -F dir=/a/b/c ...).  However for automounted filesystems auditd only reports
>> on system calls on those filesystems which are mounted when auditd starts.
>>
>> Is there a way to make auditd aware of newly mounted NFS filesystems, so
>> that we can audit them, too?
> 
> Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
> commands?  I'm not certain they do exactly what you want, but may help.

Thanks a lot.  I don't understand what "trim" means in this context. 
Reading the explanation in the manpage ("Trim the subtrees after a mount 
command") I'd expect this to happen after an UNmount, not a mount...?

However -q looks promising.  I'll give it a try.


> Warning that remote filesystems can't be expected to audit changes made
> to that filesystem by other systems that have mounted that remote
> filesystem unless those rules are running on that remote system.

All rules are running on the NFS clients, not the NFS servers.

frank

-- 
Frank Thommen          | HD-HuB / DKFZ Heidelberg
                        | f.thommen@dkfz-heidelberg.de


* Re: auditing automounted filesystems (NFS)
From: Richard Guy Briggs @ 2018-04-08  1:08 UTC (permalink / raw)
  To: Frank Thommen; +Cc: linux-audit

On 2018-04-07 18:38, Frank Thommen wrote:
> On 07/04/18 13:56, Richard Guy Briggs wrote:
> > On 2018-04-07 04:04, Frank Thommen wrote:
> > > Hello,
> > > 
> > > we have started auditing on our systems (file open, close, write etc.). This
> > > is no problem on local and on statically mounted NFS systems (-a exit,always
> > > -F dir=/a/b/c ...).  However for automounted filesystems auditd only reports
> > > on system calls on those filesystems which are mounted when auditd starts.
> > > 
> > > Is there a way to make auditd aware of newly mounted NFS filesystems, so
> > > that we can audit them, too?
> > 
> > Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
> > commands?  I'm not certain they do exactly what you want, but may help.
> 
> Thanks a lot.  I don't understand what "trim" means in this context. Reading
> the explanation in the manpage ("Trim the subtrees after a mount command")
> I'd expect this to happen after an UNmount, not a mount...?
> 
> However -q looks promising.  I'll give it a try.
> 
> > Warning that remote filesystems can't be expected to audit changes made
> > to that filesystem by other systems that have mounted that remote
> > filesystem unless those rules are running on that remote system.
> 
> All rules are running on the NFS clients, not the NFS servers.

Are *all* the clients running the rules? It is the host executing the
action that is the only one that can audit the action.

- RGB



* Re: auditing automounted filesystems (NFS)
From: Frank Thommen @ 2018-04-08 18:33 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit

On 08/04/18 03:08, Richard Guy Briggs wrote:
> On 2018-04-07 18:38, Frank Thommen wrote:
>> On 07/04/18 13:56, Richard Guy Briggs wrote:
>>> On 2018-04-07 04:04, Frank Thommen wrote:
>>>> Hello,
>>>>
>>>> we have started auditing on our systems (file open, close, write etc.). This
>>>> is no problem on local and on statically mounted NFS systems (-a exit,always
>>>> -F dir=/a/b/c ...).  However for automounted filesystems auditd only reports
>>>> on system calls on those filesystems which are mounted when auditd starts.
>>>>
>>>> Is there a way to make auditd aware of newly mounted NFS filesystems, so
>>>> that we can audit them, too?
>>>
>>> Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
>>> commands?  I'm not certain they do exactly what you want, but may help.
>>
>> Thanks a lot.  I don't understand what "trim" means in this context. Reading
>> the explanation in the manpage ("Trim the subtrees after a mount command")
>> I'd expect this to happen after an UNmount, not a mount...?
>>
>> However -q looks promising.  I'll give it a try.
>>
>>> Warning that remote filesystems can't be expected to audit changes made
>>> to that filesystem by other systems that have mounted that remote
>>> filesystem unless those rules are running on that remote system.
>>
>> All rules are running on the NFS clients, not the NFS servers.
> 
> Are *all* the clients running the rules? Since it is the host executing
> the action that is the only one that can audit the action.

Yes, all clients are running the rules.

frank


* Re: auditing automounted filesystems (NFS)
From: Frank Thommen @ 2018-04-09 17:45 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

On 04/07/2018 06:38 PM, Frank Thommen wrote:
> On 07/04/18 13:56, Richard Guy Briggs wrote:
>> On 2018-04-07 04:04, Frank Thommen wrote:
>>> Hello,
>>>
>>> we have started auditing on our systems (file open, close, write 
>>> etc.). This
>>> is no problem on local and on statically mounted NFS systems (-a 
>>> exit,always
>>> -F dir=/a/b/c ...).  However for automounted filesystems auditd only 
>>> reports
>>> on system calls on those filesystems which are mounted when auditd 
>>> starts.
>>>
>>> Is there a way to make auditd aware of newly mounted NFS filesystems, so
>>> that we can audit them, too?
>>
>> Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
>> commands?  I'm not certain they do exactly what you want, but may help.
> 
> Thanks a lot.  I don't understand what "trim" means in this context. 
> Reading the explanation in the manpage ("Trim the subtrees after a mount 
> command") I'd expect this to happen after an UNmount, not a mount...?
> 
> However -q looks promising.  I'll give it a try.

Unfortunately this didn't work.  Either our config is wrong or I 
misunderstand what "-q" does:

Example: /mnt/test is automounted (/etc/auto.mnt: test -vers=3 fs:/export/test)

In /etc/audit/audit.rules we have

-------------------
[...]
-a always,exit -F dir=/mnt -F arch=b64 -S write -S open -S close -S rename -S mkdir -S chmod -S chown -S rmdir -S unlink -S unlinkat -S renameat -S fchmod -S fchown -S symlink -S symlinkat -S readlink -S link -S readlinkat -S linkat -S fchmodat -S fchownat -k fs-XXXX
-q /mnt,/mnt/test
-------------------

when I unmount /mnt/test, restart auditd and then do e.g. a `cat 
/mnt/test/myfile`, then I get the following entries in the audit log:

-------------------
type=SYSCALL msg=audit(1523295277.512:3124883): arch=c000003e syscall=89 success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000 a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124883): item=0 name="/mnt" inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.512:3124884): arch=c000003e syscall=89 success=no exit=-22 a0=7ffeac151c70 a1=7ffeac150c20 a2=1000 a3=7ffeac1509b0 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124884): item=0 name="/mnt/test" inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124885): arch=c000003e syscall=89 success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000 a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124885): item=0 name="/mnt" inode=57521 dev=00:74 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124886): arch=c000003e syscall=89 success=no exit=-22 a0=7ffe3dc73d80 a1=7ffe3dc72d30 a2=1000 a3=7ffe3dc72ac0 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124886): item=0 name="/mnt/test" inode=1049245405 dev=00:74 mode=040555 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
-------------------

Access to the file itself is not logged.  When I restart auditd while 
/mnt/test /is/ mounted, then a `cat /mnt/test/myfile` results in

-------------------
type=SYSCALL msg=audit(1523295467.808:3125055): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa9c424c a1=0 a2=1fffffffffff0000 a3=7ffffa9c2560 items=1 ppid=22404 pid=4794 auid=22189 uid=22189 gid=1110 euid=22189 suid=22189 fsuid=22189 egid=1110 sgid=1110 fsgid=1110 tty=pts7 ses=662075 comm="cat" exe="/usr/bin/cat" key="fs-XXXX"
type=PATH msg=audit(1523295467.808:3125055): item=0 name="/mnt/test/myfile" inode=13 dev=00:80 mode=0100764 ouid=6836 ogid=2515 rdev=00:00 nametype=NORMAL
-------------------

in the logfile.  That's the entries I'd like to see even when /mnt/test 
is unmounted when auditd is started.

Can that be done at all?

Cheers
frank

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
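
[Editor's note, added to the archive: the comparison Frank draws above can be made mechanical. The script below is an added example, not code from the thread or from the audit project. It joins SYSCALL and PATH records by their serial number, names the syscall and errno, and reports which paths under a watched directory actually got recorded. The sample records are the ones quoted above, unwrapped to one line each and trimmed to the fields the script reads; the watched root /mnt and the key fs-XXXX are taken from the posted rule. The syscall-name table is hand-written for x86_64 (arch=c000003e) and only covers the two numbers that occur: 2 is open, 89 is readlink, and exit=-22 is EINVAL, so the "unmounted" capture contains nothing but mount/mount.nfs failing readlink on /mnt and /mnt/test, never cat's open of /mnt/test/myfile.]

```python
"""Join raw audit records into events and check which paths under a watched directory got recorded."""
import errno
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers seen in the thread; a hand-written partial table,
# extend it from /usr/include/asm/unistd_64.h for real use.
SYSCALL_NAMES_X86_64 = {2: "open", 89: "readlink"}

# Constructed samples: the records quoted in the thread, unwrapped to one line each and
# trimmed to the fields this example reads. Serial numbers, names and results are as posted.
LOG_UNMOUNTED = """\
type=SYSCALL msg=audit(1523295277.512:3124883): arch=c000003e syscall=89 success=no exit=-22 items=1 ppid=15487 pid=11761 auid=4294967295 uid=0 tty=(none) comm="mount" exe="/usr/bin/mount" key="fs-XXXX"
type=PATH msg=audit(1523295277.512:3124883): item=0 name="/mnt" inode=57521 dev=00:74 mode=040755 nametype=NORMAL
type=SYSCALL msg=audit(1523295277.516:3124886): arch=c000003e syscall=89 success=no exit=-22 items=1 ppid=11761 pid=11769 auid=4294967295 uid=0 tty=(none) comm="mount.nfs" exe="/sbin/mount.nfs" key="fs-XXXX"
type=PATH msg=audit(1523295277.516:3124886): item=0 name="/mnt/test" inode=1049245405 dev=00:74 mode=040555 nametype=NORMAL
"""
LOG_MOUNTED = """\
type=SYSCALL msg=audit(1523295467.808:3125055): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=22404 pid=4794 auid=22189 uid=22189 tty=pts7 comm="cat" exe="/usr/bin/cat" key="fs-XXXX"
type=PATH msg=audit(1523295467.808:3125055): item=0 name="/mnt/test/myfile" inode=13 dev=00:80 mode=0100764 nametype=NORMAL
"""

_HEAD = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """One raw record -> dict(type, ts, serial, fields...) with quotes stripped; None if not a record."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "ts": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in _KV.findall(m.group(4)):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def join_events(text):
    """Group records by serial: {serial: {"syscall": SYSCALL rec or None, "paths": [PATH recs]}}."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "SYSCALL":
            events[rec["serial"]]["syscall"] = rec
        elif rec["type"] == "PATH":
            events[rec["serial"]]["paths"].append(rec)
    return dict(events)


def describe(event):
    """Summarise one joined event, e.g. 'mount: readlink("/mnt") -> EINVAL'."""
    sc = event["syscall"]
    num = int(sc["syscall"])
    if sc.get("arch") == "c000003e":
        name = SYSCALL_NAMES_X86_64.get(num, f"syscall#{num}")
    else:
        name = f"syscall#{num}"
    args = ", ".join(f'"{p.get("name", "")}"' for p in event["paths"])
    if sc.get("success") == "yes":
        result = f"ok (exit={sc['exit']})"
    else:
        result = errno.errorcode.get(-int(sc["exit"]), sc["exit"])  # exit=-22 -> EINVAL
    return f"{sc['comm']}: {name}({args}) -> {result}"


def recorded_under(events, prefix, key=None):
    """(comm, path) for every PATH record at or below prefix, optionally only for events tagged key."""
    hits = []
    sub = prefix.rstrip("/") + "/"
    for serial in sorted(events):
        sc = events[serial]["syscall"]
        if sc is None or (key is not None and sc.get("key") != key):
            continue
        for p in events[serial]["paths"]:
            name = p.get("name", "")
            if name == prefix or name.startswith(sub):
                hits.append((sc["comm"], name))
    return hits


def path_was_recorded(events, path, key=None):
    """True if some event carries a PATH record for exactly `path`."""
    return any(name == path for _, name in recorded_under(events, path, key))
```

Run recorded_under() with key="fs-XXXX" over both captures: the first yields only ("mount", "/mnt") and ("mount.nfs", "/mnt/test"), the second yields ("cat", "/mnt/test/myfile"). path_was_recorded(events, "/mnt/test/myfile") is therefore the check to repeat on a host after any rule reload: if it stays False after a cat, the subtree is not covered.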


* Re: auditing automounted filesystems (NFS)
From: Frank Thommen @ 2018-04-19 13:21 UTC (permalink / raw)
  To: linux-audit

Hi,

On 04/09/2018 07:45 PM, Frank Thommen wrote:
> On 04/07/2018 06:38 PM, Frank Thommen wrote:
>> On 07/04/18 13:56, Richard Guy Briggs wrote:
>>> On 2018-04-07 04:04, Frank Thommen wrote:
>>>> Hello,
>>>>
>>>> we have started auditing on our systems (file open, close, write 
>>>> etc.). This
>>>> is no problem on local and on statically mounted NFS systems (-a 
>>>> exit,always
>>>> -F dir=/a/b/c ...).  However for automounted filesystems auditd only 
>>>> reports
>>>> on system calls on those filesystems which are mounted when auditd 
>>>> starts.
>>>>
>>>> Is there a way to make auditd aware of newly mounted NFS 
>>>> filesystems, so
>>>> that we can audit them, too?
>>>
>>> Have you looked at the auditctl "-t" (trim) and "-q" (equivalent)
>>> commands?  I'm not certain they do exactly what you want, but may help.
>>
>> Thanks a lot.  I don't understand what "trim" means in this context. 
>> Reading the explanation in the manpage ("Trim the subtrees after a 
>> mount command") I'd expect this to happen after an UNmount, not a 
>> mount...?
>>
>> However -q looks promising.  I'll give it a try.
> 
> Unfortunately this didn't work.  Either our config is wrong or I 
> misunderstand what "-q" does:
> 
> [...]
> 
> Can that be done at all?

Since there were no more suggestions from the list, must I assume that 
it is not possible to configure auditd to recursively check filesystems 
which have been mounted /after/ auditd has been started?

Is there any workaround which combines autofs and auditd?

Cheers
frank




* Re: auditing automounted filesystems (NFS)
From: Steve Grubb @ 2018-04-19 13:40 UTC (permalink / raw)
  To: linux-audit

On Thursday, April 19, 2018 9:21:19 AM EDT Frank Thommen wrote:
> Hi,
> 
> [...]
> 
> Since there were no more suggestions from the list, must I assume, that
> it is not possible to configure auditd to recursively check filesystems,
> which have been mounted /after/ auditd has been started?

auditd does not check anything. It records what the kernel sends it. The 
kernel can be configured at any time by running the auditctl command. It 
could be possible to apply auditctl -R /etc/audit/audit.d/nfs.rules. 
You would have to work out some way to make that happen. I don't know if 
autofs has hooks where you can ask it to run a script after mounting.


> Is there any workaround, which combines autofs and auditd?

I have never investigated it. Maybe someone else has and can chime in.

-Steve
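
[Editor's note, added to the archive: Steve's suggestion of re-running auditctl after the mount does not need an autofs hook. The kernel wakes up anyone poll()ing /proc/self/mountinfo whenever the mount table changes, so a small root-run watcher can re-apply the rules itself. The script below is an added example, not code from the thread or from the audit project. For every mount that appears under a watched root it issues auditctl -q root,mountpoint, the "make subtree equivalent" operation Richard pointed at, so the kernel tags the new mount with the trees already covering the root. Assumptions: the watched root /mnt comes from the posted rule; that the equivalence has to be applied after the mount exists, rather than from audit.rules at startup as in Frank's test, is my reading of the experiment above and should be confirmed with a cat on the host followed by a search for the SYSCALL/PATH pair; swapping the command for auditctl -R /etc/audit/audit.d/nfs.rules, as Steve describes, is a one-line change in auditctl_equiv_cmd(). The mountinfo samples are constructed.]

```python
"""Re-apply audit subtree coverage whenever a new filesystem appears under a watched directory.

poll() on /proc/self/mountinfo returns on every mount-table change; for each mount that appeared
under a root covered by an '-F dir=' rule, run 'auditctl -q root,mountpoint' so the kernel tags
the new mount with the trees that already cover root. Must run as root for auditctl to work.
"""
import re
import select
import subprocess

# Directories covered by '-a always,exit -F dir=...' rules. Assumption: /mnt, as in the thread.
WATCHED_ROOTS = ("/mnt",)

# Constructed mountinfo samples (not captured from a real host): /mnt is an autofs map; later the
# NFS export appears on /mnt/test, plus an unrelated tmpfs whose mount point contains a space.
MOUNTINFO_BEFORE = """\
22 61 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
61 0 253:0 / / rw,relatime - xfs /dev/mapper/root rw,attr2,inode64
95 61 0:41 / /mnt rw,relatime - autofs /etc/auto.mnt rw,fd=6,pgrp=812,timeout=300,minproto=5,maxproto=5,indirect
"""
MOUNTINFO_AFTER = MOUNTINFO_BEFORE + """\
120 95 0:48 / /mnt/test rw,relatime - nfs fs:/export/test rw,vers=3,hard,proto=tcp
121 61 0:49 / /media/with\\040space rw,relatime - tmpfs tmpfs rw
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    """mountinfo encodes space, tab, newline and backslash as \\040 \\011 \\012 \\134."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """{mount_id: (mount_point, fstype)} from the contents of /proc/self/mountinfo."""
    mounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")  # optional fields end at the lone '-'
        fields = left.split()                    # id parent major:minor root mount_point opts...
        mounts[int(fields[0])] = (_unescape(fields[4]), right.split()[0])
    return mounts


def new_mounts_under(before, after, roots):
    """(root, mount_point, fstype) for mounts that appeared since `before` strictly inside a root.

    Entries are compared as (id, mount point, fstype) because mount ids get reused after an unmount.
    """
    found = []
    for mid, (mp, fstype) in after.items():
        if before.get(mid) == (mp, fstype):
            continue
        for root in roots:
            if mp != root and mp.startswith(root.rstrip("/") + "/"):
                found.append((root, mp, fstype))
    return sorted(found)


def auditctl_equiv_cmd(root, mount_point):
    """'auditctl -q root,mount_point': make the freshly mounted subtree equivalent to the watched root."""
    return ["auditctl", "-q", f"{root},{mount_point}"]


def watch(roots=WATCHED_ROOTS, run=subprocess.run):
    """Block forever, re-tagging every new mount under `roots`. `run` is injectable for testing."""
    with open("/proc/self/mountinfo") as fh:
        seen = parse_mountinfo(fh.read())
        poller = select.poll()
        poller.register(fh.fileno(), select.POLLPRI | select.POLLERR)
        while True:
            poller.poll()  # returns when the mount table changes
            fh.seek(0)
            now = parse_mountinfo(fh.read())
            for root, mp, _fstype in new_mounts_under(seen, now, roots):
                run(auditctl_equiv_cmd(root, mp), check=False)
            seen = now


if __name__ == "__main__":
    watch()
```

Run it as a long-lived root service (a systemd unit is the obvious wrapper; that is an assumption, not something the thread discusses). One caveat worth knowing before relying on it: the access that triggers the automount proceeds as soon as the mount completes, so that very first open can still land before the watcher has issued auditctl. Everything after that is covered, and a cat of the file afterwards should produce the SYSCALL/PATH pair Frank shows for the mounted case.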


Thread overview: 8+ messages
2018-04-07  2:04 auditing automounted filesystems (NFS) Frank Thommen
2018-04-07 11:56 ` Richard Guy Briggs
2018-04-07 16:38   ` Frank Thommen
2018-04-08  1:08     ` Richard Guy Briggs
2018-04-08 18:33       ` Frank Thommen
2018-04-09 17:45     ` Frank Thommen
2018-04-19 13:21       ` Frank Thommen
2018-04-19 13:40         ` Steve Grubb
