Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1200117pxb; Thu, 4 Mar 2021 06:03:11 -0800 (PST) X-Google-Smtp-Source: ABdhPJy0WYgxaEll1quz5ya3dmXKORXiI74m37R2X2Bnnolp4/NlFI2z2RhixIEBZkNN//p8nEaC X-Received: by 2002:a17:907:ea3:: with SMTP id ho35mr4292027ejc.396.1614866591052; Thu, 04 Mar 2021 06:03:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614866591; cv=none; d=google.com; s=arc-20160816; b=T0fMOcL/94/ntZ12C38K7WO1sG3yR2FVNd0kqJURCw3uMJCHj+mevVktcREQRygDKV 9x9mw2kFi9XP8or+VJsdwEts1uIQbE8nRjlN0o1AammKla/104LH04pfv7ZJqGLrCv24 QJxwUHJibPX5/v/lHFl0wB91UVniDuAXFdXiAU5sCePOM91iYl0BdpaHpmOT4ziFRdHD pn6fhu74Dl9lOJDrOz+Hp3MLJhT5OCkmg/g8lrqRpN2bUJiJInq1ywKncKccGYrn4nwB yVNC5L1QD4zUQKXNxMghMBt4nC3rom+UBLShDwJOrsgOECVnIDC+n+CsCL50rhfeiod/ TkBw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:references:in-reply-to :subject:cc:date:to:from; bh=wAGELUEiTsfBDuGmc/o63vHfnuUij7F40OQEPoE0xxw=; b=VKALi19p+YsLDuzJscNlWPTXNFtkbFdt6ISIfBVJJBTE9aWOKJkoKNaVL3llC6GrkU ZrR33rLX3Wat1Mq65HRPhq5Zz41rYuBUXrsg3npamYzkzBaDrPYjXYKaUx1siyzw//Ur wdlz3pLbLPfMQrbgEG5vjAexD247pwj3d7mv833hPOry2IQieOgWQmgHOCRHl2VTcn3T f3TAsYy/3NB1n44PlxUV75ipfyrpN3g5d15PY4l2bm14FrfuMZiAis3WpK1e+y0tGfwk RNnPTJbeUIIwAsOH3FGs9N2aOMfhmBdPAYVSt60xMklQPDE8wRUfH80QjXliV45fkwvR XpTg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d2si12617947ejz.77.2021.03.04.06.02.46; Thu, 04 Mar 2021 06:03:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1390852AbhCDA37 (ORCPT + 99 others); Wed, 3 Mar 2021 19:29:59 -0500 Received: from mx2.suse.de ([195.135.220.15]:33192 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346978AbhCCWa0 (ORCPT ); Wed, 3 Mar 2021 17:30:26 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id A473CADDB; Wed, 3 Mar 2021 22:28:39 +0000 (UTC) From: NeilBrown To: Steve Dickson Date: Thu, 04 Mar 2021 09:28:35 +1100 Cc: Linux NFS Mailing list Subject: Re: [PATCH 0/5] nfs-utils: provide audit-logging of NFSv4 access In-Reply-To: <6ddbe801-d107-5cbd-7362-c3e84321f203@RedHat.com> References: <161422077024.28256.15543036625096419495.stgit@noble> <6ddbe801-d107-5cbd-7362-c3e84321f203@RedHat.com> Message-ID: <87pn0fhnxo.fsf@notabene.neil.brown.name> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Tue, Mar 02 2021, Steve Dickson wrote: > Hey! > > A couple comments...=20 > > On 2/24/21 9:42 PM, NeilBrown wrote: >> When NFSv3 is used mountd provides logs of successful and failed mount >> attempts which can be used for auditing. >> When NFSv4 is used there are no such logs as NFSv4 does not have a >> distinct "mount" request. >>=20 >> However mountd still knows about which filesysytems are being accessed >> from which clients, and can actually provide more reliable logs than it >> currently does, though they must be more verbose - with periodic "is >> being accessed" message replacing a single "was mounted" message. >>=20 >> This series adds support for that logging, and adds some related >> improvements to make the logs as useful as possible. >>=20 >> NeilBrown >>=20 >> --- >>=20 >> NeilBrown (5): >> mountd: reject unknown client IP when !use_ipaddr. >> mountd: Don't proactively add export info when fh info is requeste= d. >> mountd: add logging for authentication results for accesses. > I wonder if we should mention setting "debug=3Dauth" enables > this logging in the mountd manpage=20 That is already in the mountd man page :-) > >> mountd: add --cache-use-ipaddr option to force use_ipaddr >> mountd: make default ttl settable by option > These two probably need to be put into the nfs.conf file=20 > and the nfs.conf man page since the conf_get_num() > and conf_get_bool() calls were added. That's done now too. > > Finally, I'll add this to my plate, but I'm thinking > the new log-auth and ttl flags probably should be=20 > introduce into nfsv4.exported. > I'll add that to my patches before resubmitting. > I didn't port over the use-ipaddr flag to exportd, > since I though it was only used in the v3 mount path > but may that was an oversight on my part.=20 use-ipaddr it not at all v3 specific. It was originally introduced to handle the fact that a single host could be in a large number of netgroups, and concatenating the names of all those netgroups could produce a "domain" name that is too long. The new option to force it on is useful for access logging, particularly with NFSv4. I'll add that to my patches too. Thanks, NeilBrown > > Thoughts? > > steved. >>=20 >>=20 >> support/export/auth.c | 4 +++ >> support/export/cache.c | 32 +++++++++++------ >> support/export/v4root.c | 3 +- >> support/include/exportfs.h | 3 +- >> support/nfs/exports.c | 4 ++- >> utils/mountd/mountd.c | 29 +++++++++++++++- >> utils/mountd/mountd.man | 70 ++++++++++++++++++++++++++++++++++++++ >> 7 files changed, 130 insertions(+), 15 deletions(-) >>=20 >> -- >> Signature >>=20 --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQJCBAEBCAAsFiEEG8Yp69OQ2HB7X0l6Oeye3VZigbkFAmBADZMOHG5laWxiQHN1 c2UuZGUACgkQOeye3VZigbmktw/+Mc3JJcKpDD5QKTTwG24dQZYNK251QvPKxA5n CVA9Iev6l4ZaLp4J3ffriPswW77sSJ4vuoAAXJmTLbABeT8KetkmcpQ+xblgj5ZW gqlLKObyXwFqVFz0lxYuEIoSAqRv95W5J6vxJsHqj6cPxDZj6UfqmzmqP/kb2qn/ dsuCA2VqlDqDwa269kM5AavcSVu3hbu27NTo9MD7naklviAB3XoT3NoN2J5W/k00 Z0e4ncsjiphdl5zfynKqWGYMorA+EHJXnyQYeT+cDCly3G8kq+zxR5gwKFsEIQhy YgBpji8Nvs5mdx7WSscQGNjAkZSah7/u9VnVAiOGisgQ8yHTYULoHyPtrBtMVsvb HFCAPtsQf/LKJyRr7L0UR4x62CTssJEyjXCpc/rznlzUx6rLT2Tj4V3FZC6VPLuF /OSfP2eBNEdo1qURsF0/VJZ0cg2HJX66aprxXjq80siAtXrXepJ812mscZ65Mwa6 bvhuRxHm9PRGXv37jrVpFHZ008KXFOTFAWBy/SlxwgnMLqDVBtMfgM9AQGyrK9JZ vbItMhNkWwtKqONnvwPAstZOZDqQscsTiVHnkGtCt4j7yM5qQm9frYIPH0diaueB pV13XA6Pl5xRUUGTvdv+jT9TWSIf9oNJQvfak5Rd72yVKwNR+BpH7Vju3mzr2dJH A6KuVl8= =Qjw5 -----END PGP SIGNATURE----- --=-=-=--