* Audit watches on NFS mounts
From: Vaughn, Chad M @ 2016-10-20 14:42 UTC (permalink / raw)
  To: Steve Grubb, linux-audit

I noticed a weird behavior. I NFS mount /usr/local on my Redhat machines.

If I put a watch for a directory in that NFS mount:

-w /usr/local/mywatchdir/ -p rwxa -F exit!=-ENODATA -F success!=1 -k watch


On Redhat 6.4, I don't see audit events when trying to remove or change files in that dir.
On Redhat 6.8, I do see the audit events when trying to remove or change files in that dir.

Any ideas of possible features added to auditd between those releases?  I would like to be able to speak to it for security audits.


* Re: Audit watches on NFS mounts
From: Steve Grubb @ 2016-10-20 15:37 UTC (permalink / raw)
  To: Vaughn, Chad M; +Cc: linux-audit

On Thursday, October 20, 2016 2:42:07 PM EDT Vaughn, Chad M wrote:
> I noticed a weird behavior. I NFS mount /usr/local on my Redhat machines.
> 
> If I put a watch for a directory in that NFS mount:
> 
> -w /usr/local/mywatchdir/ -p rwxa -F exit!=-ENODATA -F success!=1 -k watch
> 
> On Redhat 6.4, I don't see audit events when trying to remove or change
> files in that dir. On Redhat 6.8, I do see the audit events when trying to
> remove or change files in that dir.
> 
> Any ideas of possible features added to auditd between those releases?  I
> would like to be able to speak to it for security audits.

Auditd is just the collector. The events are generated by the kernel. So, it 
would be a kernel change that may have allowed that. I don't know what was 
changed or which version did it. I do know that in the past it was not 
possible to audit NFS or FUSE based file systems.

-Steve


* RE: EXTERNAL: Re: Audit watches on NFS mounts
From: Vaughn, Chad M @ 2016-10-20 16:10 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Thanks for the quick response. That makes sense.

One other thing, on Redhat 6.4 if the watch dir does not exist, i.e. automount NFS, then auditd will bomb out and not even start.

On Redhat 6.8, it seems to not care and start up anyway (better).  Kernel or Auditd?



* Re: EXTERNAL: Re: Audit watches on NFS mounts
From: Steve Grubb @ 2016-10-20 16:22 UTC (permalink / raw)
  To: Vaughn, Chad M; +Cc: linux-audit

On Thursday, October 20, 2016 4:10:43 PM EDT Vaughn, Chad M wrote:
> Thanks for the quick response. That makes sense.
> 
> One other thing, on Redhat 6.4 if the watch dir does not exist, i.e. automount
> NFS, then auditd will bomb out and not even start.

I have my doubts on this. What I would expect to happen is that the rules 
being loaded by auditctl will get an error from the kernel and that is 
displayed. If you do not have a rule to ignore errors then it will stop the 
rule loading. Auditd itself should be up and running. The init script starts 
auditd and then, after it's running, loads rules by auditctl.


> On Redhat 6.8, it seems to not care and start up anyway (better).  Kernel or
> Auditd?

That was also a kernel change. Auditd is pretty much like a specialized 
syslog.

-Steve


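As an added example (not code from the thread, from auditd or from Red Hat), the following Python pre-flight check reads watch (-w) rules and a /proc/mounts snapshot and reports, before auditctl ever runs, which watch paths are missing (e.g. not yet automounted, the failure Steve describes stopping rule loading) and which sit on NFS or FUSE filesystems. The rules, mount table and set of existing paths embedded below are constructed sample data; the note about -c and -i refers to auditctl's own options for continuing past or ignoring rule-load errors.

```python
import shlex
# Filesystem types the thread says could not historically be audited.
UNAUDITABLE_FS = {"nfs", "nfs4", "fuse", "fuseblk"}
# Constructed sample input: the thread's rule plus two more watches, and a
# /proc/mounts snapshot in which /usr/local is served over NFS.
RULES = """-w /usr/local/mywatchdir/ -p rwxa -F exit!=-ENODATA -F success!=1 -k watch
-w /etc/passwd -p wa -k identity
-w /mnt/auto/project -p wa -k project
"""
MOUNTS = """rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw 0 0
fileserver:/export/local /usr/local nfs rw,vers=3 0 0
"""
# Paths that exist in the sample; /mnt/auto/project is not yet automounted.
EXISTING_PATHS = {"/usr/local/mywatchdir", "/etc/passwd"}

def parse_mounts(mounts_text):
    """Return [(mountpoint, fstype)], most specific mount first."""
    entries = [(f[1], f[2]) for f in map(str.split, mounts_text.splitlines())
               if len(f) >= 3]
    # Later lines shadow earlier ones at the same mountpoint; longest path wins.
    return sorted(reversed(entries), key=lambda e: len(e[0]), reverse=True)

def fs_type_for(path, mounts):
    """Filesystem type backing path, or 'unknown' if no mount covers it."""
    for mountpoint, fstype in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            return fstype
    return "unknown"

def watch_paths(rules_text):
    """Paths of all -w rules; comments and blank lines are skipped."""
    argvs = (shlex.split(line, comments=True) for line in rules_text.splitlines())
    return [argv[argv.index("-w") + 1] for argv in argvs if "-w" in argv]

def check_watches(rules_text, mounts_text, exists):
    """Map each watch path to 'ok', 'missing' or 'unauditable:<fstype>'."""
    mounts = parse_mounts(mounts_text)
    report = {}
    for path in watch_paths(rules_text):
        norm = path.rstrip("/") or "/"
        if not exists(norm):
            report[path] = "missing"  # auditctl stops here unless -c or -i is set
        else:
            fstype = fs_type_for(norm, mounts)
            report[path] = "unauditable:" + fstype if fstype in UNAUDITABLE_FS else "ok"
    return report

def run_demo():
    # exists() is stubbed with the constructed set so the check runs offline.
    return check_watches(RULES, MOUNTS, exists=lambda p: p in EXISTING_PATHS)
```

On a real host, pass `os.path.exists` and the contents of /proc/mounts and /etc/audit/audit.rules instead of the sample data.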
