NFS share audit

Hi, everyone!

I need to audit file operations (create, write, change, delete) for NFS shares (ZFS). I'm trying to configure auditd:
Code:
dir:/var/log/audit
dist:off
flags:fc,fd,fw
minfree:5
naflags:fc,fd,fw
policy:cnt,argv
filesz:512M
expire-after:30d
But after creating, modifying or deleting a file via NFS, I didn't see any audit records in the log file.
Can anybody give advice about a correct solution for my task, other than auditd? I think the log file size will be very large. Maybe I haven't found it.
 
I don't think that there is currently support for auditing NFS via auditd, although there was some work done back in 2010 to try to move this forward. As a compensating control, perhaps you could use something like security/tripwire to monitor the directories you are concerned about, or maybe look at a kqueue-based approach as suggested here.
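
The snapshot-and-compare idea behind the tripwire suggestion above, as an added example that is not part of the original thread and not tripwire's own code: it hashes every regular file under a directory on the server and reports what was created, modified or deleted since the baseline. The function names and the temporary directory standing in for the shared dataset are assumptions.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each regular file under root (relative path) to (size, sha256 hex)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets, FIFOs
            digest, size = hashlib.sha256(), 0
            try:
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                        size += len(chunk)
            except OSError:
                continue  # file vanished or became unreadable mid-scan
            state[os.path.relpath(path, root)] = (size, digest.hexdigest())
    return state


def diff(old, new):
    """Return sorted lists of created, modified and deleted relative paths."""
    return {
        "created": sorted(set(new) - set(old)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
        "deleted": sorted(set(old) - set(new)),
    }


def demo():
    """Constructed sample: a temp dir stands in for the exported dataset."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("a.txt", b"one"), ("b.txt", b"two")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)
        with open(os.path.join(root, "a.txt"), "wb") as fh:
            fh.write(b"changed")                 # write/change
        os.remove(os.path.join(root, "b.txt"))   # delete
        with open(os.path.join(root, "c.txt"), "wb") as fh:
            fh.write(b"new")                     # create
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Run it periodically on the NFS server against the exported path and store the baseline outside the share. Unlike an audit trail, it shows what changed between runs, not which client or user made the change.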
 