From: Steve Dickson <SteveD@RedHat.com>
To: NeilBrown <neilb@suse.de>
Cc: Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH 0/5] nfs-utils: provide audit-logging of NFSv4 access
Date: Thu, 4 Mar 2021 08:24:11 -0500
Message-ID: <e9bbf5bc-1d78-746b-1d93-8e414801dadd@RedHat.com>
In-Reply-To: <87pn0fhnxo.fsf@notabene.neil.brown.name>



On 3/3/21 5:28 PM, NeilBrown wrote:
> On Tue, Mar 02 2021, Steve Dickson wrote:
> 
>> Hey!
>>
>> A couple comments... 
>>
>> On 2/24/21 9:42 PM, NeilBrown wrote:
>>> When NFSv3 is used mountd provides logs of successful and failed mount
>>> attempts which can be used for auditing.
>>> When NFSv4 is used there are no such logs as NFSv4 does not have a
>>> distinct "mount" request.
>>>
>>> However mountd still knows about which filesystems are being accessed
>>> from which clients, and can actually provide more reliable logs than it
>>> currently does, though they must be more verbose - with periodic "is
>>> being accessed" messages replacing a single "was mounted" message.
>>>
>>> This series adds support for that logging, and adds some related
>>> improvements to make the logs as useful as possible.
>>>
>>> NeilBrown
>>>
>>> ---
>>>
>>> NeilBrown (5):
>>>       mountd: reject unknown client IP when !use_ipaddr.
>>>       mountd: Don't proactively add export info when fh info is requested.
>>>       mountd: add logging for authentication results for accesses.
>> I wonder if we should mention setting "debug=auth" enables
>> this logging in the mountd manpage 
> 
> That is already in the mountd man page :-)
Sorry I must have missed it...

> 
>>
>>>       mountd: add --cache-use-ipaddr option to force use_ipaddr
>>>       mountd: make default ttl settable by option
>> These two probably need to be put into the nfs.conf file 
>> and the nfs.conf man page since the conf_get_num()
>> and conf_get_bool() calls were added.
> 
> That's done now too.
Thank you!

> 
>>
>> Finally, I'll add this to my plate, but I'm thinking
>> the new log-auth and ttl flags probably should be
>> introduced into nfsv4.exportd.
>>
> 
> I'll add that to my patches before resubmitting.
Thank you again!

> 
>> I didn't port over the use-ipaddr flag to exportd,
>> since I thought it was only used in the v3 mount path
>> but maybe that was an oversight on my part.
> 
> use-ipaddr is not at all v3 specific.
> It was originally introduced to handle the fact that a single host could
> be in a large number of netgroups, and concatenating the names of all
> those netgroups could produce a "domain" name that is too long.
> The new option to force it on is useful for access logging, particularly
> with NFSv4.
> 
> I'll add that to my patches too.
Perfect!

steved.
> 
> Thanks,
> NeilBrown
> 
> 
>>
>> Thoughts?
>>
>> steved.
>>>
>>>
>>>  support/export/auth.c      |  4 +++
>>>  support/export/cache.c     | 32 +++++++++++------
>>>  support/export/v4root.c    |  3 +-
>>>  support/include/exportfs.h |  3 +-
>>>  support/nfs/exports.c      |  4 ++-
>>>  utils/mountd/mountd.c      | 29 +++++++++++++++-
>>>  utils/mountd/mountd.man    | 70 ++++++++++++++++++++++++++++++++++++++
>>>  7 files changed, 130 insertions(+), 15 deletions(-)
>>>
>>> --
>>> Signature
>>>



Thread overview: 9+ messages
2021-02-25  2:42 [PATCH 0/5] nfs-utils: provide audit-logging of NFSv4 access NeilBrown
2021-02-25  2:42 ` [PATCH 5/5] mountd: make default ttl settable by option NeilBrown
2021-02-25  2:42 ` [PATCH 3/5] mountd: add logging for authentication results for accesses NeilBrown
2021-02-25  2:42 ` [PATCH 2/5] mountd: Don't proactively add export info when fh info is requested NeilBrown
2021-02-25  2:42 ` [PATCH 1/5] mountd: reject unknown client IP when !use_ipaddr NeilBrown
2021-02-25  2:42 ` [PATCH 4/5] mountd: add --cache-use-ipaddr option to force use_ipaddr NeilBrown
2021-03-02 20:41 ` [PATCH 0/5] nfs-utils: provide audit-logging of NFSv4 access Steve Dickson
2021-03-03 22:28   ` NeilBrown
2021-03-04 13:24     ` Steve Dickson [this message]
