* auditing nfs
@ 2008-02-26 21:54 Bob Kryger
2008-03-03 21:09 ` Steve Grubb
From: Bob Kryger @ 2008-02-26 21:54 UTC (permalink / raw)
To: linux-audit
So, I'm looking to audit file access (via syscalls
create,open,unlink,etc. because I want every file in the filesystem and
do not want to have to specify an audit rule for each dir/file) that are
accessed via nfs from the nfs server. It seems, I assume because nfs is
in the kernel, that I am not getting any audit messages for those nfs
files access.
Is my assumption correct?
Any suggestions for auditing from the nfs server side?
BTW: not a list subscriber, please reply directly.
Thanks
Bob
--
Bob Kryger Office: 212-813-8677
Systems/Network Administrator Cell: 917-913-6670
SAC Capital, Synapse Group email: bobk@sac.com
540 Madison Ave AIM: sacbobk
New York, NY 10022
* Re: auditing nfs
From: Steve Grubb @ 2008-03-03 21:09 UTC (permalink / raw)
To: linux-audit; +Cc: Bob Kryger
On Tuesday 26 February 2008 16:54:13 Bob Kryger wrote:
> So, I'm looking to audit file access (via syscalls
> create,open,unlink,etc. because I want every file in the filesystem and
> do not want to have to specify an audit rule for each dir/file) that are
> accessed via nfs from the nfs server. It seems, I assume because nfs is
> in the kernel, that I am not getting any audit messages for those nfs
> files access.
>
> Is my assumption correct?
I think in terms of syscall auditing you should be able to see all the
syscalls. But at some point, it should get the path name and add that to the
record. That might be the part where we are missing a hook. Are you getting
syscall opens, but no files?
> Any suggestions for auditing from the nfs server side?
You should be able to place watches there or use syscall auditing. Not sure
what you will get, though, for the user accessing the file.
-Steve
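
The question raised in the reply above ("Are you getting syscall opens, but no files?") can be checked against the audit log by grouping records on their event serial number and listing SYSCALL events that have no PATH record. The following is an added example, not code from the thread or from the audit project; the log lines are constructed samples in auditd's record format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's log format (not taken from the thread).
# On x86_64 (arch=c000003e), syscall 2 is open and syscall 87 is unlink.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1204580000.101:501): arch=c000003e syscall=2 success=yes exit=3 pid=2101 uid=500 comm="cat" exe="/bin/cat" key="export"
type=CWD msg=audit(1204580000.101:501): cwd="/export/home"
type=PATH msg=audit(1204580000.101:501): item=0 name="/export/home/a.txt" inode=1201 dev=08:01
type=SYSCALL msg=audit(1204580003.250:502): arch=c000003e syscall=2 success=yes exit=4 pid=2102 uid=500 comm="editor" exe="/usr/bin/editor" key="export"
type=SYSCALL msg=audit(1204580007.007:503): arch=c000003e syscall=87 success=yes exit=0 pid=2103 uid=0 comm="rm" exe="/bin/rm" key="export"
type=PATH msg=audit(1204580007.007:503): item=0 name="/export/home/" inode=1100 dev=08:01
type=PATH msg=audit(1204580007.007:503): item=1 name="/export/home/b.txt" inode=1202 dev=08:01
'''

EVENT_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_events(log_text):
    """Group records by audit serial number; records of one event share it."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "SYSCALL":
            events[int(serial)]["syscall"] = fields
        elif rtype == "PATH":
            events[int(serial)]["paths"].append(fields.get("name", ""))
    return dict(events)

def syscalls_without_paths(log_text):
    """Return serials of SYSCALL events that have no PATH record attached."""
    return sorted(s for s, e in group_events(log_text).items()
                  if e["syscall"] is not None and not e["paths"])

if __name__ == "__main__":
    for serial, ev in sorted(group_events(SAMPLE_LOG).items()):
        sc = ev["syscall"] or {}
        print(serial, sc.get("syscall"), sc.get("comm"), ev["paths"] or "NO PATH")
    print("events missing PATH:", syscalls_without_paths(SAMPLE_LOG))
```
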