Auditd & NFS Event Tracking

TL;DR

Yes, auditd can record NFS activity, but only on the host whose processes make the system calls. On an NFS client, a watch on the mount point records what local processes do to the share. On the NFS server, the kernel NFS server (nfsd) services remote clients from kernel threads without going through the system call path that the audit subsystem hooks, so a watch on the exported directory records only local access on the server, not what clients do. This guide sets up both sides and spells out what each side will and will not show.

Configuring Auditd for NFS Tracking

  1. Server-Side Configuration (NFS Server)
    • Check log_format in /etc/audit/auditd.conf:
      log_format = RAW

      RAW is the traditional default; newer auditd releases default to ENRICHED, which appends resolved user, group and syscall names to each record. Either works here. log_format has no NFS-specific effect; it only decides whether records are stored raw or enriched, so leave the existing value unless you have a reason to change it.

    • Create an audit rule for the exported tree. Add a line similar to this in /etc/audit/rules.d/nfsaudit.rules:
      -w /exports -p wa -k nfs_access

      This records writes and attribute changes (-p wa) to files under /exports, tagged with the key nfs_access. Be clear about what it covers: the audit subsystem hooks the system call path, and nfsd serves remote clients from kernel threads without making system calls, so this watch only records processes running on the server itself (a local shell, a backup job). Client operations on the share do not appear in the server's audit log.

    • Load the rules:
      sudo augenrules --load

      augenrules merges /etc/audit/rules.d/*.rules into /etc/audit/audit.rules and pushes the result into the kernel. On many distributions the auditd unit is marked RefuseManualStop, so sudo systemctl restart auditd is refused; use augenrules --load or sudo service auditd restart instead. Confirm the rule is active with sudo auditctl -l.
  2. Client-Side Configuration (NFS Client)
    • Treat log_format in /etc/audit/auditd.conf the same way as on the server: RAW or ENRICHED both work, and neither changes what is captured.
    • Create an audit rule for the NFS mount point. First, identify your mount point (e.g., /mnt/nfsshare). Then add a line similar to this in /etc/audit/rules.d/nfsaudit.rules:
      -w /mnt/nfsshare -p wa -k nfs_client_access

      This records writes and attribute changes made through the client's mount point by processes on the client. This is the side where NFS activity is actually visible to auditd, because the client's processes are the ones making the system calls. Add r to the permission list (-p rwa) if you also want to know what was read from the share. Load the rule after the share is mounted, not before, and confirm with a test write that events appear: a watch added while the directory is still an empty mount point may not cover the filesystem mounted over it later.

    • Load the rules (same caveat about restarting auditd as on the server):
      sudo augenrules --load
  3. Testing the Configuration
    • On the NFS server, create a file in an exported directory:
      touch /exports/testfile
    • On the client, modify the same file through the mount:
      echo "Test data" > /mnt/nfsshare/testfile
    • On the server, search by key:
      sudo ausearch -k nfs_access -i

      Expect one event for the local touch. The client's write does not show up here, because it was serviced by nfsd rather than by a process on the server.

    • On the client, search by its key:
      sudo ausearch -k nfs_client_access -i

      Expect an event for the echo, showing the shell (comm="bash"), the openat call with write/create/truncate flags, and a PATH record for /mnt/nfsshare/testfile. The -i option interprets numeric fields such as syscall and uid into names.

  4. Interpreting Audit Logs
    • Each event is a group of records sharing one msg=audit(timestamp:serial) stamp. The SYSCALL record carries the login UID (auid), effective UID (uid), pid, comm and exe of the process, the system call, its outcome (success=, exit=) and the key from the rule. The PATH record(s) carry the file name, inode, device and nametype (PARENT, NORMAL, CREATE, DELETE), which is what tells you what kind of access took place; CWD gives the directory relative paths were resolved from.
    • Use ausearch options to narrow the search, e.g. -ts today for today's events, -ua <user> for one user, or -i to show numeric fields as names. aureport -k summarises event counts per key.
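
The whole procedure in one place, as an added example that is not part of the original page: a shell script with the rule fragments for both roles, a pre-flight check that the client path really is an NFS mount, the augenrules-based load step, and a summariser that reduces ausearch --raw output to one line per event. The mount listing and audit records embedded in it are constructed samples so the unprivileged parts run offline; install_nfs_audit_rules assumes the page's own rule file name, /etc/audit/rules.d/nfsaudit.rules, and must be run as root on the target host.

```shell
#!/usr/bin/env bash
# Added example (not code from the original page): helpers for the auditd/NFS
# procedure above. The paths (/exports, /mnt/nfsshare) and keys (nfs_access,
# nfs_client_access) are the page's; SAMPLE_MOUNTS and SAMPLE_AUDIT below are
# constructed data so the non-privileged parts run offline.
set -eu

# Emit the rules.d fragment for one role ($1), path ($2) and key ($3). The
# server watch only ever sees local processes (nfsd makes no syscalls); the
# client watch adds r so reads from the share are recorded too.
nfs_audit_rules() {
    case $1 in
        server) printf '%s\n' "-w $2 -p wa -k $3" ;;
        client) printf '%s\n' "-w $2 -p rwa -k $3" ;;
        *) printf 'unknown role: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Succeed if $1 is an NFS mount in the /proc/mounts-style listing on stdin.
# Run this before loading the client rule, so the watch attaches to the
# mounted share rather than to the empty directory underneath it.
is_nfs_mount() {
    awk -v p="$1" '$2 == p && $3 ~ /^nfs/ { found = 1 } END { exit !found }'
}

# Privileged step (root, on the target host): write the fragment and load it
# with augenrules, which works even where systemctl refuses to restart auditd.
install_nfs_audit_rules() {
    nfs_audit_rules "$1" "$2" "$3" > /etc/audit/rules.d/nfsaudit.rules
    augenrules --load
}

# Reduce `ausearch --raw -k <key>` output (stdin) to one line per event:
# serial, login uid, effective uid, command, syscall number, nametype, path.
# Records of one event share the audit(ts:serial) stamp; the non-PARENT PATH
# record names the object acted on (the last one wins, e.g. CREATE on rename).
summarise_audit_raw() {
    awk '
    function field(rec, name) {
        # try " name="value"" first, then " name=value"; the leading space keeps
        # uid= from matching inside auid=, euid=, suid=.
        if (match(rec, " " name "=\"[^\"]*\""))
            return substr(rec, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
        if (match(rec, " " name "=[^ ]*"))
            return substr(rec, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        return "?"
    }
    {
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        split(substr($0, RSTART + 10, RLENGTH - 11), ts, ":"); serial = ts[2]
        if ($1 == "type=SYSCALL") {
            order[++n] = serial
            auid[serial] = field($0, "auid"); uid[serial] = field($0, "uid")
            comm[serial] = field($0, "comm"); sc[serial] = field($0, "syscall")
        } else if ($1 == "type=PATH" && field($0, "nametype") != "PARENT") {
            path[serial] = field($0, "name"); ntype[serial] = field($0, "nametype")
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            printf "%s auid=%s uid=%s comm=%s syscall=%s %s %s\n",
                   s, auid[s], uid[s], comm[s], sc[s], ntype[s], path[s]
        }
    }'
}

# Constructed /proc/mounts sample: one local filesystem and the NFS share.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
nfsserver:/exports /mnt/nfsshare nfs4 rw,relatime,vers=4.2,sec=sys,addr=192.0.2.10 0 0'

# Constructed `ausearch --raw` sample from a client: event 456 is the
# `echo "Test data" > /mnt/nfsshare/testfile` of the test step (openat with
# O_WRONLY|O_CREAT|O_TRUNC = 0x241); event 457 is a chmod on the same file.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a1e2c0 a2=241 a3=1b6 items=2 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="nfs_client_access"
type=CWD msg=audit(1700000000.123:456): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:456): item=0 name="/mnt/nfsshare/" inode=2 dev=00:2f mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1700000000.123:456): item=1 name="/mnt/nfsshare/testfile" inode=13 dev=00:2f mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1700000000.123:456): proctitle=62617368
type=SYSCALL msg=audit(1700000000.456:457): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55d0c0a1e300 a2=1a4 a3=0 items=1 ppid=1200 pid=1240 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="nfs_client_access"
type=CWD msg=audit(1700000000.456:457): cwd="/home/alice"
type=PATH msg=audit(1700000000.456:457): item=0 name="/mnt/nfsshare/testfile" inode=13 dev=00:2f mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1700000000.456:457): proctitle=63686D6F64'
```

Source the file on the client and check is_nfs_mount /mnt/nfsshare < /proc/mounts before running install_nfs_audit_rules client /mnt/nfsshare nfs_client_access as root; on the server use install_nfs_audit_rules server /exports nfs_access. Afterwards, sudo ausearch --raw -k nfs_client_access | summarise_audit_raw gives one line per event (serial, auid, uid, comm, syscall, nametype, path), which is a convenient shape for correlating the client's trail with the server's by timestamp. On the sample data the summariser yields the two lines for serials 456 and 457, both naming /mnt/nfsshare/testfile.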

Important Considerations

  • Server-Side Visibility: the server's audit log only records local processes. A server-side record of what clients do has to come from the NFS service or the network, not from auditd watches on the export.
  • Identity: with sec=sys (AUTH_SYS) mounts the server simply trusts the numeric UID the client sends, so the client's audit trail (auid, ses, tty) is the only place the login identity behind an operation is recorded. Keep or forward client logs accordingly.
  • Performance Impact: once rules are loaded the kernel does extra work on every system call, and on a client with heavy NFS traffic this is measurable. Monitor system resources after enabling the rules and keep the watched tree as narrow as the requirement allows.
  • Log Rotation: auditd rotates its own logs and does not use logrotate. Set max_log_file (MB), num_logs and max_log_file_action = ROTATE in /etc/audit/auditd.conf, and decide what space_left_action and disk_full_action should do on a host where losing audit data matters.
  • Network Time Synchronization (NTP): the timestamp in msg=audit(...) is each host's local clock. Keep client and server synchronised, or events on the two sides cannot be correlated.