Re: [PATCH 0/5] nfs-utils: provide audit-logging of NFSv4 access

From: NeilBrown <neilb@suse.de>
To: Steve Dickson <SteveD@RedHat.com>
Cc: Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH 0/5] nfs-utils: provide audit-logging of NFSv4 access
Date: Thu, 04 Mar 2021 09:28:35 +1100	[thread overview]
Message-ID: <87pn0fhnxo.fsf@notabene.neil.brown.name> (raw)
In-Reply-To: <6ddbe801-d107-5cbd-7362-c3e84321f203@RedHat.com>

[-- Attachment #1: Type: text/plain, Size: 2733 bytes --]

On Tue, Mar 02 2021, Steve Dickson wrote:

> Hey!
>
> A couple comments... 
>
> On 2/24/21 9:42 PM, NeilBrown wrote:
>> When NFSv3 is used mountd provides logs of successful and failed mount
>> attempts which can be used for auditing.
>> When NFSv4 is used there are no such logs as NFSv4 does not have a
>> distinct "mount" request.
>> 
>> However mountd still knows about which filesysytems are being accessed
>> from which clients, and can actually provide more reliable logs than it
>> currently does, though they must be more verbose - with periodic "is
>> being accessed" message replacing a single "was mounted" message.
>> 
>> This series adds support for that logging, and adds some related
>> improvements to make the logs as useful as possible.
>> 
>> NeilBrown
>> 
>> ---
>> 
>> NeilBrown (5):
>>       mountd: reject unknown client IP when !use_ipaddr.
>>       mountd: Don't proactively add export info when fh info is requested.
>>       mountd: add logging for authentication results for accesses.
> I wonder if we should mention setting "debug=auth" enables
> this logging in the mountd manpage 

That is already in the mountd man page :-)

>
>>       mountd: add --cache-use-ipaddr option to force use_ipaddr
>>       mountd: make default ttl settable by option
> These two probably need to be put into the nfs.conf file 
> and the nfs.conf man page since the conf_get_num()
> and conf_get_bool() calls were added.

That's done now too.

>
> Finally, I'll add this to my plate, but I'm thinking
> the new log-auth and ttl flags probably should be 
> introduce into nfsv4.exported.
>

I'll add that to my patches before resubmitting.

> I didn't port over the use-ipaddr flag to exportd,
> since I though it was only used in the v3 mount path
> but may that was an oversight on my part. 

use-ipaddr it not at all v3 specific.
It was originally introduced to handle the fact that a single host could
be in a large number of netgroups, and concatenating the names of all
those netgroups could produce a "domain" name that is too long.
The new option to force it on is useful for access logging, particularly
with NFSv4.

I'll add that to my patches too.

Thanks,
NeilBrown

>
> Thoughts?
>
> steved.
>> 
>> 
>>  support/export/auth.c      |  4 +++
>>  support/export/cache.c     | 32 +++++++++++------
>>  support/export/v4root.c    |  3 +-
>>  support/include/exportfs.h |  3 +-
>>  support/nfs/exports.c      |  4 ++-
>>  utils/mountd/mountd.c      | 29 +++++++++++++++-
>>  utils/mountd/mountd.man    | 70 ++++++++++++++++++++++++++++++++++++++
>>  7 files changed, 130 insertions(+), 15 deletions(-)
>> 
>> --
>> Signature
>> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 853 bytes --]