Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp3583012pxb;
        Mon, 1 Mar 2021 14:05:55 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwrAg49R+lTj5eqMYVtCJIchT84Olg8fTIFho+hf5q812dSn2vPllY0Fs4nPcxkdrJwTpc4
X-Received: by 2002:a17:907:9495:: with SMTP id dm21mr17798036ejc.462.1614636354845;
        Mon, 01 Mar 2021 14:05:54 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1614636354; cv=none;
        d=google.com; s=arc-20160816;
        b=dFujaT4BXQluQG/JSTKQTNCpEZr79gFMuSvSia0S6HOHkfXT1Fdw/JtmcjQ3eymAsP
         TnEvBt/lC9VJHtkS4jO3z+GU+BjYbrxpBqrFn/7PrJFZ5fdLh8ZZWkU4X/+8z81A0FQ8
         YAfNsnhsqx9M/YV3lj+NMs1iIOZ2h+g8pyvawuV6ol33aG8fPW6dX+xtKZ9FkB2ukvqG
         hrUGO0n+Ihr422cjGJByOdTVt1tufgyVNm8WiVmmjU+8dyImeECvEcTH52aGeBhsa9oA
         IKlGT95F1z4zyGxcMTbF59an+ITkiVDL9UFZjJffyEBP1GkCR83x33Bg3bOVBqNCoG6Z
         JmRw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:message-id:references:in-reply-to
         :subject:cc:date:to:from;
        bh=EZvW7/CNmgFYgDvh0H30HaHuHcj/gFnBUikAMz2Fy3A=;
        b=1FOWQIenRCW469HEB4lPjGs7NDetD0aOGXGAFy8U8cacmCwRVXTbX70Ry5dO9e6HmE
         tgKwVSXpQsRROdXH61u2/NuhQ+9WOqK47/0OBp30Y7cNphLbX2ElkXwOmKBkfFrNJGIE
         TP9iTaszRO1vm1i9LZEayrkX8N68UTxa8M2+Gl2Sy0winrOahiczxz6ZQoglBd+NNz0/
         L8QOrBAu7QuBSSRrmG0nYqyufC4ecmsaOM+9NBXpwkN0hhwGLk+wcbgPvWNocSWUKu2t
         GrQXAvOO3WyghbC5VGEO5fmL11PdoDumVjUKn3ylp3RxC9kbPiIP+zYSsHILb0jPN1tb
         2BDA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org
Return-Path: <linux-nfs-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id n18si5370106edt.3.2021.03.01.14.05.25;
        Mon, 01 Mar 2021 14:05:54 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234192AbhCAWC3 (ORCPT <rfc822;geliangtang@gmail.com>
        + 99 others); Mon, 1 Mar 2021 17:02:29 -0500
Received: from mx2.suse.de ([195.135.220.15]:60996 "EHLO mx2.suse.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S232890AbhCAWA2 (ORCPT <rfc822;linux-nfs@vger.kernel.org>);
        Mon, 1 Mar 2021 17:00:28 -0500
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (unknown [195.135.221.27])
        by mx2.suse.de (Postfix) with ESMTP id 6FE74AB8C;
        Mon,  1 Mar 2021 21:59:42 +0000 (UTC)
From:   NeilBrown <neilb@suse.de>
To:     "J. Bruce Fields" <bfields@fieldses.org>
Date:   Tue, 02 Mar 2021 08:59:37 +1100
Cc:     Steve Dickson <SteveD@RedHat.com>,
        Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH 0/5 v2] nfs-utils: provide audit-logging of NFSv4 access
In-Reply-To: <20210301185037.GB14881@fieldses.org>
References: <161456493684.22801.323431390819102360.stgit@noble>
 <20210301185037.GB14881@fieldses.org>
Message-ID: <87a6rmilh2.fsf@notabene.neil.brown.name>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
        micalg=pgp-sha256; protocol="application/pgp-signature"
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Mon, Mar 01 2021, J. Bruce Fields wrote:

> I've gotten requests for similar functionality, and intended to
> implement it using directory notifications on /proc/fs/nfsd/clients.

Interesting idea.  That could report successful mounts and unmounts but
wouldn't report failed mount attempts or (I think) which export point is
being mounted.

If we could reliably correlate the entry in 'clients' with each auth
request, we could filter out multiple auth refresh requests for the same
client+filesystem.  The only field we could do that on would be IP
address, and that wouldn't be seamless..

Might be worth pursuing if only to report "mount" and "unmount" events
for a client identified by IP, and leave it to the admin to see any
connection between 'mount' events and 'auth' events.

Thanks,
NeilBrown


>
> But this is another way to do it that I hadn't thought of.  That's
> interesting.  I haven't thought about the relative advantages or
> disadvantages.
>
> --b.
>
> On Mon, Mar 01, 2021 at 01:17:15PM +1100, NeilBrown wrote:
>> V1 of this series didn't update the usage() message for mountd,
>> and omited the required ':' after the 'T' sort-option.  This=20
>> series fixes those two omissions.
>>=20
>> Original series comment:
>>=20
>> When NFSv3 is used mountd provides logs of successful and failed mount
>> attempts which can be used for auditing.
>> When NFSv4 is used there are no such logs as NFSv4 does not have a
>> distinct "mount" request.
>>=20
>> However mountd still knows about which filesysytems are being accessed
>> from which clients, and can actually provide more reliable logs than it
>> currently does, though they must be more verbose - with periodic "is
>> being accessed" message replacing a single "was mounted" message.
>>=20
>> This series adds support for that logging, and adds some related
>> improvements to make the logs as useful as possible.
>>=20
>> NeilBrown
>>=20
>> ---
>>=20
>> NeilBrown (5):
>>       mountd: reject unknown client IP when !use_ipaddr.
>>       mountd: Don't proactively add export info when fh info is requeste=
d.
>>       mountd: add logging for authentication results for accesses.
>>       mountd: add --cache-use-ipaddr option to force use_ipaddr
>>       mountd: make default ttl settable by option
>>=20
>>=20
>>  support/export/auth.c      |  4 +++
>>  support/export/cache.c     | 32 +++++++++++------
>>  support/export/v4root.c    |  3 +-
>>  support/include/exportfs.h |  3 +-
>>  support/nfs/exports.c      |  4 ++-
>>  utils/mountd/mountd.c      | 30 +++++++++++++++-
>>  utils/mountd/mountd.man    | 70 ++++++++++++++++++++++++++++++++++++++
>>  7 files changed, 131 insertions(+), 15 deletions(-)
>>=20
>> --
>> Signature

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJCBAEBCAAsFiEEG8Yp69OQ2HB7X0l6Oeye3VZigbkFAmA9Y8kOHG5laWxiQHN1
c2UuZGUACgkQOeye3VZigblYZQ/+LM3KD7dZbq/wmdK+cWociURX+swWE98MrdFG
XnNMulvVlALLV74j3oW7meDNe9eHzXUr+iCpKGiBp+hjRxQ7DZHVRkOcBab1dPSM
tHKzjz3AFCCr24s7/cNhj3zxkzDQzybzB/sQj7Vpp0R4v+EbsxTjOgP8fONdiXLU
+zUKv30iPJuKnetjTk/rTUIsHmbIgPeSDidrUYuUprocL2rrLi+XUL1gWvX30MOP
bQAb26oxQ/geLQo8KmlX9AFIjJxCOgIAmmDFaASizPUNxIDdqhYby0WujWhnEIKX
YfeE9wjQcH/0b2GqN5OI6A5KrVjMUpiwXj3sM61Nq1PN26MShQlnG5M8t0ossz1e
Tpxmwk4V7qh+fAbTsYZuiJHURVG6lxvb2997ENdzqTNXLNpwMTHuqW8bB/6pSgVB
8vPFs9pPfImBfnHk1fp7GpTvP/zBbLD+hdrxNvKn8j2vOsMrmP5ORlDkJJxagXuN
r7hRUuwgC0nRehhk1PVMx8nn+g9vlo2qnZmQjLgwy6qvqZuQPuj5oSjOY7p2XxMR
cNeKcSkqZlyOw5S/Qoze9n2wYFJ35K8eJErn6wVKAWMj5OJ2nEUOhSnzNlMH0MAz
2nMURlXO3k/9o7nvvFQfC86T3MqfhicXnTola6uT4JPxNg8ttJ4z1o3r3qWbSmGx
f3cmL6E=
=UJ93
-----END PGP SIGNATURE-----
--=-=-=--