File Access Auditing w/ Linux NFS Server

What is the accepted/best solution for auditing file access with GNU/Linux NFS server infrastructure?

I recently received a request to audit the basic file access patterns (reads and writes) for an NFS export on a RHEL 6 server. While researching the problem, I discovered that there is no apparent way to accomplish this without reliable, trusted client-side auditing. It wasn’t a priority and we didn’t have admin on all the clients, so I had to politely decline with “Sorry, we are unable to support that with the existing infrastructure”.

Linux has auditd, and at first it looked promising for this problem. I later learned more about the architecture of auditd and found that the mechanism behind its directory watch feature cannot audit reads and writes occurring over NFS, because the syscalls for those operations happen on the client side, not on the server side (the server’s kernel nfsd threads service the RPC requests without going through the syscall interface that auditd hooks). What I still don’t quite understand is why the Linux NFS server doesn’t have built-in auditing functionality. If such functionality does exist, it’s either undocumented or I’m simply unable to find it.

Samba provides a logging directive that enables file access auditing without client-side cooperation, so it seems plausible that the GNU/Linux NFS server could implement similar functionality. Disclaimer: I don’t really understand NFS architecture, so I don’t know whether this is a difficult problem. NetApp appears to support server-side NFS auditing, so it looks possible. Wouldn’t it be nice if “enterprise” GNU/Linux vendors also supported server-side auditing of file access over NFS?

Interesting New Developments…

There have been some interesting new developments lately! Here’s a brief summary.

At present I’m doing a technology review for implementing a new terminal server. Our existing terminal server is a 4-way AMD Opteron 848 system that’s about 5 years old right now. It runs CentOS 4 and has been so heavily customized over those 5 years that I’ve never wanted to go through the pain of in-place upgrading to CentOS 5. We also have a simple IBM 1U server running Windows Server 2003 for Windows purposes. It’s OK, but also about 5 years old.

The idea is to roll both of these servers into a single large physical server using some kind of virtualization. The large system would also have the resources to run other VMs as necessary: development/test boxes or whatnot.
