File Access Auditing w/ Linux NFS Server

What is the accepted/best solution for auditing file access with GNU/Linux NFS server infrastructure?

I recently received a request for auditing the basic file access patterns (read/write) for an NFS export on a RHEL 6 server. While researching the problem, I discovered that there is no apparent method to accomplish this task without reliable and trusted client side auditing. It wasn’t a priority and we didn’t have admin on all the clients so I had to politely decline with “Sorry, we are unable to support that with the existing infrastructure”.

Linux has auditd and at first it looked promising for this problem. I later learned more about the architecture of auditd and found out that the method it uses for the directory watch feature is not capable of auditing reads and writes occurring over NFS because the syscalls for those operations are happening on the client side, not the server-side. What I still don’t quite understand yet is why the Linux NFS server doesn’t have built-in auditing functionality. If such functionality does exist, it’s either undocumented or I’m simply unable to find it.

Samba provides a logging directive that enables file access auditing without client side cooperation so it seems plausible that the GNU/Linux NFS server could implement similar functionality. Disclaimer: I don’t really understand NFS architecture so I don’t know if this is a difficult problem. NetApp appears to support server-side NFS auditing so it looks possible. Wouldn’t it be nice if “enterprise” GNU/Linux vendors would also support server-side auditing of file access over NFS?


Interesting New Developments…

There have been some interesting new developments lately! Here’s a shrunken summary.

At present I’m doing a technology review for implementing a new terminal server. Our existing terminal server is a 4-way AMD Opteron 848 system that’s about 5 years old right now. It runs CentOS 4 and has been so mega-customized over those 5 years, I’ve never wanted to go through the pain of in-place upgrading to CentOS 5. We also have a simple IBM 1U server running Windows 2003 Server for windows purposes. It’s ok but also about 5 years old.

The idea is to roll both these servers into a large single physical server with some kind of virtualization. The large system would also have the resources to run other VMs, as necessary. Development/test boxes or what not.

Read More