mbox series

[0/5] nfs-utils: provide audit-logging of NFSv4 access

Message ID 161422077024.28256.15543036625096419495.stgit@noble (mailing list archive)
Series nfs-utils: provide audit-logging of NFSv4 access

Message

NeilBrown Feb. 25, 2021, 2:42 a.m. UTC
When NFSv3 is used mountd provides logs of successful and failed mount
attempts which can be used for auditing.
When NFSv4 is used there are no such logs as NFSv4 does not have a
distinct "mount" request.

However mountd still knows about which filesystems are being accessed
from which clients, and can actually provide more reliable logs than it
currently does, though they must be more verbose - with periodic "is
being accessed" messages replacing a single "was mounted" message.

This series adds support for that logging, and adds some related
improvements to make the logs as useful as possible.

NeilBrown

---

NeilBrown (5):
      mountd: reject unknown client IP when !use_ipaddr.
      mountd: Don't proactively add export info when fh info is requested.
      mountd: add logging for authentication results for accesses.
      mountd: add --cache-use-ipaddr option to force use_ipaddr
      mountd: make default ttl settable by option


 support/export/auth.c      |  4 +++
 support/export/cache.c     | 32 +++++++++++------
 support/export/v4root.c    |  3 +-
 support/include/exportfs.h |  3 +-
 support/nfs/exports.c      |  4 ++-
 utils/mountd/mountd.c      | 29 +++++++++++++++-
 utils/mountd/mountd.man    | 70 ++++++++++++++++++++++++++++++++++++++
 7 files changed, 130 insertions(+), 15 deletions(-)

--
Signature
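The cover letter describes replacing a single "was mounted" record with periodic "is being accessed" messages. For auditing, a consumer of such logs usually wants the opposite view back: one record per (export, client) access interval, plus the denials. The following is an added example, not part of the series or of nfs-utils; the log line format, the sample lines, the export paths and the client addresses are all constructed here (the real mountd message text is not shown on this page), and the idle gap after which an access is considered ended is an assumed parameter that mirrors the cache ttl idea.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format. Addresses and paths are
# placeholders; the real mountd wording may differ.
SAMPLE_LOG = """\
2021-02-25T02:40:00 mountd: export /srv/data is being accessed by 192.0.2.10
2021-02-25T02:45:00 mountd: export /srv/data is being accessed by 192.0.2.10
2021-02-25T02:45:10 mountd: export /srv/home is being accessed by 192.0.2.11
2021-02-25T02:50:00 mountd: export /srv/data is being accessed by 192.0.2.10
2021-02-25T03:30:00 mountd: export /srv/data is being accessed by 192.0.2.10
2021-02-25T03:31:00 mountd: export /srv/secret access denied for 198.51.100.7
"""

# Matches both the periodic access message and the denial message of the
# hypothetical format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) mountd: export (?P<path>\S+) "
    r"(?P<kind>is being accessed by|access denied for) (?P<client>\S+)$"
)


def parse_line(line):
    """Return (timestamp, export path, client, denied) or None for noise."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.fromisoformat(m.group("ts"))
    denied = m.group("kind").startswith("access denied")
    return ts, m.group("path"), m.group("client"), denied


def _close(key, cur):
    path, client = key
    return {"path": path, "client": client, "start": cur["start"],
            "end": cur["end"], "count": cur["count"]}


def summarize(log_text, idle_gap=timedelta(minutes=15)):
    """Collapse periodic 'is being accessed' lines into access sessions.

    A session for (export, client) continues while consecutive messages
    arrive within idle_gap of each other; a longer silence starts a new
    session. Denials are collected separately since they are the lines an
    auditor will want to look at first. Returns (sessions, denials).
    """
    sessions = []
    open_sessions = {}
    denials = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, path, client, denied = rec
        if denied:
            denials.append({"ts": ts, "path": path, "client": client})
            continue
        key = (path, client)
        cur = open_sessions.get(key)
        if cur is not None and ts - cur["end"] <= idle_gap:
            cur["end"] = ts
            cur["count"] += 1
        else:
            if cur is not None:
                sessions.append(_close(key, cur))
            open_sessions[key] = {"start": ts, "end": ts, "count": 1}
    for key, cur in open_sessions.items():
        sessions.append(_close(key, cur))
    return sessions, denials


if __name__ == "__main__":
    found, refused = summarize(SAMPLE_LOG)
    for s in found:
        print(f"{s['path']} accessed by {s['client']} from {s['start']} "
              f"to {s['end']} ({s['count']} messages)")
    for d in refused:
        print(f"DENIED {d['path']} for {d['client']} at {d['ts']}")
```

With the sample above the three messages for /srv/data from 192.0.2.10 between 02:40 and 02:50 fold into one session, the message at 03:30 (a 40 minute gap) opens a second one, and the single denial is reported on its own. The idle gap should be set a little above the interval at which mountd actually repeats the message, otherwise every repeat becomes its own session.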

Comments

Steve Dickson March 2, 2021, 8:41 p.m. UTC | #1
Hey!

A couple comments... 

On 2/24/21 9:42 PM, NeilBrown wrote:
> When NFSv3 is used mountd provides logs of successful and failed mount
> attempts which can be used for auditing.
> When NFSv4 is used there are no such logs as NFSv4 does not have a
> distinct "mount" request.
> 
> However mountd still knows about which filesystems are being accessed
> from which clients, and can actually provide more reliable logs than it
> currently does, though they must be more verbose - with periodic "is
> being accessed" messages replacing a single "was mounted" message.
> 
> This series adds support for that logging, and adds some related
> improvements to make the logs as useful as possible.
> 
> NeilBrown
> 
> ---
> 
> NeilBrown (5):
>       mountd: reject unknown client IP when !use_ipaddr.
>       mountd: Don't proactively add export info when fh info is requested.
>       mountd: add logging for authentication results for accesses.
I wonder if we should mention that setting "debug=auth" enables
this logging in the mountd manpage.

>       mountd: add --cache-use-ipaddr option to force use_ipaddr
>       mountd: make default ttl settable by option
These two probably need to be put into the nfs.conf file 
and the nfs.conf man page since the conf_get_num()
and conf_get_bool() calls were added.

Finally, I'll add this to my plate, but I'm thinking
the new log-auth and ttl flags probably should be 
introduced into nfsv4.exported.

I didn't port over the use-ipaddr flag to exportd,
since I thought it was only used in the v3 mount path,
but maybe that was an oversight on my part. 

Thoughts?

steved.
> 
> 
>  support/export/auth.c      |  4 +++
>  support/export/cache.c     | 32 +++++++++++------
>  support/export/v4root.c    |  3 +-
>  support/include/exportfs.h |  3 +-
>  support/nfs/exports.c      |  4 ++-
>  utils/mountd/mountd.c      | 29 +++++++++++++++-
>  utils/mountd/mountd.man    | 70 ++++++++++++++++++++++++++++++++++++++
>  7 files changed, 130 insertions(+), 15 deletions(-)
> 
> --
> Signature
>
NeilBrown March 3, 2021, 10:28 p.m. UTC | #2
On Tue, Mar 02 2021, Steve Dickson wrote:

> Hey!
>
> A couple comments... 
>
> On 2/24/21 9:42 PM, NeilBrown wrote:
>> When NFSv3 is used mountd provides logs of successful and failed mount
>> attempts which can be used for auditing.
>> When NFSv4 is used there are no such logs as NFSv4 does not have a
>> distinct "mount" request.
>> 
>> However mountd still knows about which filesystems are being accessed
>> from which clients, and can actually provide more reliable logs than it
>> currently does, though they must be more verbose - with periodic "is
>> being accessed" messages replacing a single "was mounted" message.
>> 
>> This series adds support for that logging, and adds some related
>> improvements to make the logs as useful as possible.
>> 
>> NeilBrown
>> 
>> ---
>> 
>> NeilBrown (5):
>>       mountd: reject unknown client IP when !use_ipaddr.
>>       mountd: Don't proactively add export info when fh info is requested.
>>       mountd: add logging for authentication results for accesses.
> I wonder if we should mention that setting "debug=auth" enables
> this logging in the mountd manpage.

That is already in the mountd man page :-)

>
>>       mountd: add --cache-use-ipaddr option to force use_ipaddr
>>       mountd: make default ttl settable by option
> These two probably need to be put into the nfs.conf file 
> and the nfs.conf man page since the conf_get_num()
> and conf_get_bool() calls were added.

That's done now too.

>
> Finally, I'll add this to my plate, but I'm thinking
> the new log-auth and ttl flags probably should be 
> introduced into nfsv4.exported.
>

I'll add that to my patches before resubmitting.

> I didn't port over the use-ipaddr flag to exportd,
> since I thought it was only used in the v3 mount path,
> but maybe that was an oversight on my part. 

use-ipaddr is not at all v3 specific.
It was originally introduced to handle the fact that a single host could
be in a large number of netgroups, and concatenating the names of all
those netgroups could produce a "domain" name that is too long.
The new option to force it on is useful for access logging, particularly
with NFSv4.

I'll add that to my patches too.

Thanks,
NeilBrown


>
> Thoughts?
>
> steved.
>> 
>> 
>>  support/export/auth.c      |  4 +++
>>  support/export/cache.c     | 32 +++++++++++------
>>  support/export/v4root.c    |  3 +-
>>  support/include/exportfs.h |  3 +-
>>  support/nfs/exports.c      |  4 ++-
>>  utils/mountd/mountd.c      | 29 +++++++++++++++-
>>  utils/mountd/mountd.man    | 70 ++++++++++++++++++++++++++++++++++++++
>>  7 files changed, 130 insertions(+), 15 deletions(-)
>> 
>> --
>> Signature
>>
Steve Dickson March 4, 2021, 1:24 p.m. UTC | #3
On 3/3/21 5:28 PM, NeilBrown wrote:
> On Tue, Mar 02 2021, Steve Dickson wrote:
> 
>> Hey!
>>
>> A couple comments... 
>>
>> On 2/24/21 9:42 PM, NeilBrown wrote:
>>> When NFSv3 is used mountd provides logs of successful and failed mount
>>> attempts which can be used for auditing.
>>> When NFSv4 is used there are no such logs as NFSv4 does not have a
>>> distinct "mount" request.
>>>
>>> However mountd still knows about which filesystems are being accessed
>>> from which clients, and can actually provide more reliable logs than it
>>> currently does, though they must be more verbose - with periodic "is
>>> being accessed" messages replacing a single "was mounted" message.
>>>
>>> This series adds support for that logging, and adds some related
>>> improvements to make the logs as useful as possible.
>>>
>>> NeilBrown
>>>
>>> ---
>>>
>>> NeilBrown (5):
>>>       mountd: reject unknown client IP when !use_ipaddr.
>>>       mountd: Don't proactively add export info when fh info is requested.
>>>       mountd: add logging for authentication results for accesses.
>> I wonder if we should mention that setting "debug=auth" enables
>> this logging in the mountd manpage.
> 
> That is already in the mountd man page :-)
Sorry I must have missed it...

> 
>>
>>>       mountd: add --cache-use-ipaddr option to force use_ipaddr
>>>       mountd: make default ttl settable by option
>> These two probably need to be put into the nfs.conf file 
>> and the nfs.conf man page since the conf_get_num()
>> and conf_get_bool() calls were added.
> 
> That's done now too.
Thank you!

> 
>>
>> Finally, I'll add this to my plate, but I'm thinking
>> the new log-auth and ttl flags probably should be 
>> introduced into nfsv4.exported.
>>
> 
> I'll add that to my patches before resubmitting.
Thank you again!

> 
>> I didn't port over the use-ipaddr flag to exportd,
>> since I thought it was only used in the v3 mount path,
>> but maybe that was an oversight on my part. 
> 
> use-ipaddr is not at all v3 specific.
> It was originally introduced to handle the fact that a single host could
> be in a large number of netgroups, and concatenating the names of all
> those netgroups could produce a "domain" name that is too long.
> The new option to force it on is useful for access logging, particularly
> with NFSv4.
> 
> I'll add that to my patches too.
Perfect!

steved.
> 
> Thanks,
> NeilBrown
> 
> 
>>
>> Thoughts?
>>
>> steved.
>>>
>>>
>>>  support/export/auth.c      |  4 +++
>>>  support/export/cache.c     | 32 +++++++++++------
>>>  support/export/v4root.c    |  3 +-
>>>  support/include/exportfs.h |  3 +-
>>>  support/nfs/exports.c      |  4 ++-
>>>  utils/mountd/mountd.c      | 29 +++++++++++++++-
>>>  utils/mountd/mountd.man    | 70 ++++++++++++++++++++++++++++++++++++++
>>>  7 files changed, 130 insertions(+), 15 deletions(-)
>>>
>>> --
>>> Signature
>>>