Auditing in the NFS environment

The AIX® audit subsystem supports auditing of mounted file systems. On the client, a mounted file system is configured for auditing in much the same way as a local file system, and auditing operations on auditable mounted objects are similar to those on local objects, as described in Auditing overview. The auditing behavior on the client and on the server for mounted file systems is described later in this topic.

Auditing on the NFS client

All operations that the client runs on auditable objects in the mounted file systems are logged on the client. This holds provided that either no operations are performed on those objects by the NFS server or by any other NFS client, or fullpath auditing is enabled on the client.

Refer to the audit command man page for more information. If fullpath auditing is not enabled and the file is modified by the server or by other clients, subsequent auditing is unpredictable. This behavior can be rectified by restarting audit on the client. If a file system is mounted on multiple clients, it is recommended that you either audit the operations on the server to get the exact log of the events, or enable fullpath auditing on the client.
Note: The audit subsystem configuration does not support using the audit log file system as a mounted NFS file system.

Auditing on the NFS server

All of the operations carried out on the mounted file system by both the client and the server are logged on the NFS server.

Limitations on the server side

  • If any operations carried out by the NFS client are not sent to the server, either due to NFS caching or due to the inherent NFS architecture, those operations are not audited by the server.

    For example: After mounting the file system, only the first read operation performed on a file is audited by the server. Subsequent read operations are not logged on the server. This applies to the read operations on files, links, and directories.

  • The operations carried out by the client are logged on the server as nfsd, with root as the user name.

Example

A file system named File_System is mounted on the client with the command mount server:/File_system /mnt. If the file named A in the File_System file system needs to be audited on the server, then /File_system/A must be configured in the audit configuration files.

If you decide to audit the A file in the File_System file system on the client, then /mnt/A must be configured to be audited on the client.

If the A file is configured to be audited on both the server and the client, then the operations carried out by both the server and the client on the A file are audited and logged on the server, and the operations carried out by the client are also logged on the client.

Any operation carried out by the client on the A file is logged on the server as the nfsd daemon instead of the operation or command name.
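
The following is an added example, not part of the original topic: a shell filter for reviewing the server's audit trail that separates records attributed to nfsd with user root (operations that arrived from NFS clients, as described above) from operations run locally on the server. The sample records are constructed, the event names FILE_A_READ and FILE_A_WRITE are hypothetical, and the column order (event, login, status, time, command) is assumed to match the report format in use.

```shell
#!/bin/sh
# Constructed sample of a formatted audit report on the NFS server.
# Assumed column order: event, login, status, time, command.
sample_trail() {
cat <<'EOF'
event           login    status      time                     command
--------------- -------- ----------- ------------------------ ---------
FILE_A_READ     root     OK          Mon Mar 03 10:15:02 2025 nfsd
FILE_A_WRITE    root     OK          Mon Mar 03 10:15:40 2025 nfsd
FILE_A_WRITE    alice    OK          Mon Mar 03 10:17:11 2025 vi
FILE_A_READ     root     OK          Mon Mar 03 10:20:05 2025 cat
FILE_A_WRITE    root     FAIL        Mon Mar 03 10:21:30 2025 nfsd
EOF
}

# Read report lines on stdin and emit tab-separated fields:
#   origin, event, login, status, command
# origin is "nfs-client" when the record carries command nfsd and login
# root, and "local" otherwise. The time column contains spaces, so the
# command is taken from the last field rather than a fixed position.
classify_origin() {
    awk '
        $1 == "event" || /^-/ { next }   # header and separator lines
        /^[ \t]/ || NF < 5    { next }   # indented detail lines, blanks
        {
            origin = "local"
            if ($NF == "nfsd" && $2 == "root") origin = "nfs-client"
            printf "%s\t%s\t%s\t%s\t%s\n", origin, $1, $2, $3, $NF
        }
    '
}

# Count the classified records of one origin ("nfs-client" or "local").
count_origin() {
    classify_origin |
        awk -F '\t' -v o="$1" '$1 == o { n++ } END { print n + 0 }'
}

# Stand-alone run: classify the constructed sample.
sample_trail | classify_origin
```

Records classified as nfs-client carry only nfsd and root, so identifying the user and command behind them requires the audit log of the client that mounted the file system.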