Auditd & NFS Event Tracking

G5 Cyber Security

2 weeks ago

TL;DR

Yes, auditd can track events over NFS, but it requires specific configuration on both the client and server to ensure proper logging. This guide explains how to set this up.

Configuring Auditd for NFS Tracking

Server-Side Configuration (NFS Server)

Edit /etc/audit/auditd.conf. Ensure the following is present or added:
```
log_format = RAW
```
This ensures detailed information is logged, which is crucial for NFS events.
Create an audit rule to monitor NFS-related activity. Add a line similar to this in /etc/audit/rules.d/nfsaudit.rules:
```
-w /exports -p wa -k nfs_access
```
This monitors writes and attribute changes to the exported NFS directories.
Restart auditd:
```
sudo systemctl restart auditd
```

Client-Side Configuration (NFS Client)

Edit /etc/audit/auditd.conf. Ensure the following is present or added:
```
log_format = RAW
```
Create an audit rule to monitor NFS mount points. First, identify your NFS mount point (e.g., /mnt/nfsshare). Then add a line similar to this in /etc/audit/rules.d/nfsaudit.rules:
```
-w /mnt/nfsshare -p wa -k nfs_client_access
```
This monitors writes and attribute changes on the client’s mount point.
Restart auditd:
```
sudo systemctl restart auditd
```

Testing the Configuration

On the NFS server, create a file in an exported directory:
```
touch /exports/testfile
```
On the client, access and modify the same file:
```
echo "Test data" > /mnt/nfsshare/testfile
```
Check the audit logs on both the server and client using
```
sudo ausearch -k nfs_access
```
(server) and
```
sudo ausearch -k nfs_client_access
```
(client).

Interpreting Audit Logs

Audit logs will contain detailed information about the NFS events, including user ID, process ID, file path, and type of access.
Use ausearch with various options (e.g., -ts today for today’s events) to filter the logs as needed.

Important Considerations

Performance Impact: Auditd can have a performance impact, especially with high NFS activity. Monitor system resources after enabling audit logging.
Log Rotation: Configure log rotation for the audit logs to prevent them from filling up disk space. This is usually handled by logrotate.
Network Time Synchronization (NTP): Accurate time synchronization between the client and server is crucial for correlating events correctly.