From this page: http://www.opensolaris.org/os/community/zfs/docs/man_acl/

* NFSv4 ACLs provide a mechanism for hooking into system audit trail.
Currently, Solaris does not support this mechanism.

Does anyone know:
-If this is in a planned roadmap anywhere?
-Is there any way under Solaris & ZFS to trigger an audit event on a file modification for a specific subset of files/directories on the filesystem?

Thanks.
Shannon Roddy wrote:
> From this page: http://www.opensolaris.org/os/community/zfs/docs/man_acl/
>
> * NFSv4 ACLs provide a mechanism for hooking into system audit trail.
> Currently, Solaris does not support this mechanism.
>
> Does anyone know:
> -If this is in a planned roadmap anywhere?

It will be supported at some point, but isn't currently on any road map.

> -Is there any way under solaris & ZFS to trigger an audit event on a
> file modification for a specific subset of files/directories on the
> filesystem?

You could use the FEM (file event monitor) subsystem to track modifications for specific files/directories and then do the necessary calls into the audit subsystem. FEM is used in NFSv4 for delegation support. The FEM stuff isn't documented, but the code is in usr/src/uts/common/fem.c and usr/src/uts/common/fs/nfs. Specific questions about FEM are best directed at the nfs-discuss alias.

-Mark
On Mon, 2006-01-23 at 00:07, Shannon Roddy wrote:
> From this page: http://www.opensolaris.org/os/community/zfs/docs/man_acl/
>
> * NFSv4 ACLs provide a mechanism for hooking into system audit trail.
> Currently, Solaris does not support this mechanism.
>
> Does anyone know:
> -If this is in a planned roadmap anywhere?
> -Is there any way under solaris & ZFS to trigger an audit event on a
> file modification for a specific subset of files/directories on the
> filesystem?

What kind of audit event are you looking for here? Are you looking for a hook you can put your own stuff into, or are you looking for an event written to the system logs?

Solaris has (and has had since SunOS 5.3) auditing hooks in the VFS layer so that any read/write/chmod/chown/etc done on any file on any file system is audited.

There is also since Solaris 9 (IIRC) the nfslogd that might be more what you are looking for.

-- 
Darren J Moffat
On Mon, 2006-01-23 at 09:20 -0800, Darren J Moffat wrote:
> There is also since Solaris 9 (IIRC) the nfslogd that might be
> more what you are looking for.

Note: NFS logging has a significant negative impact on NFS server performance. It is great if you need detailed auditing of NFS operations. It isn't so great if you *also* need high performance -- though I can't think of a way to have this cake and eat it too. YMMV, but you should consider this effect when sizing systems.

-- richard

This message posted from opensolaris.org
Right now, my understanding is that if you enable file auditing, it enables it for *every* file, which could generate a large amount of logging (most of which is rather uninteresting). What I'd be more interested in is controlling per file or directory what audit events are generated.

For example, I'm less likely to care about stuff in /tmp than I am in /etc or /usr where I really want to know anytime any changes take place. However for /var, it's probably going to depend a bit -- some stuff I probably don't care about modifications, while others I do.

It sounds like the ACLs in ZFS (as well as NFSv4) at least have placeholders that could eventually allow for this, but is that planned as a feature at any point?
On Mon, 2006-01-23 at 14:18, Jason King wrote:
> Right now, my understanding is that if you enable file auditing, it
> enables it for *every* file, which could generate a large amount of
> logging (most of which is rather uninteresting). What I'd be more
> interested in is controlling per file or directory what audit events
> are generated.

Just now we have two classes of files. Public - root owned world readable. Everything else. The policy can be set so that we don't audit accesses to public objects.

In older Trusted Solaris releases where we modified UFS we had extended attributes that you could set on files and directories for this. We don't have that anymore.

> For example, I'm less likely to care about stuff in /tmp than I am in
> /etc or /usr where I really want to know anytime any changes take
> place. However for /var, it's probably going to depend a bit -- some
> stuff I probably don't care about modifications, while others I do.

What we have just now doesn't help you there.

-- 
Darren J Moffat
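An added example, written for this page and not code from any poster in the thread or from Solaris, that models the two mechanisms discussed: the kernel-wide "public object" exemption Darren describes (the Solaris public audit policy: read-type operations on files that are root-owned, world-readable and not world-writable are not audited unless the policy is switched on) and the per-directory policy table Jason asks for, applied as a post-filter over audit records rather than in the kernel. The Record layout, the READ_EVENTS/WRITE_EVENTS groupings and the POLICY table are assumptions chosen for the example; the AUE_* names are real Solaris event identifiers but the sample records are constructed.

```python
"""Post-filter audit records with a 'public object' exemption and per-path policy.

Added example for the zfs-discuss thread above; not Solaris code. The record
shape is a simplification of what a praudit path+attribute token pair carries.
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List

# Assumed groupings. The public-object exemption applies to read-type events only.
READ_EVENTS = {"AUE_OPEN_R", "AUE_STAT", "AUE_ACCESS", "AUE_READLINK"}
WRITE_EVENTS = {"AUE_OPEN_W", "AUE_OPEN_RW", "AUE_CHMOD", "AUE_CHOWN",
                "AUE_UNLINK", "AUE_RENAME"}


@dataclass(frozen=True)
class Record:
    event: str   # AUE_* event name from the header token
    path: str    # path token
    mode: int    # st_mode from the attribute token
    uid: int     # owner uid from the attribute token


def is_public_object(mode: int, uid: int) -> bool:
    """Solaris 'public object' test: root-owned, world-readable, not world-writable."""
    return uid == 0 and bool(mode & stat.S_IROTH) and not (mode & stat.S_IWOTH)


def is_public_path(path: str) -> bool:
    """Same test against a live file, for checking what a policy would exempt."""
    st = os.stat(path)
    return is_public_object(st.st_mode, st.st_uid)


# Hypothetical per-directory policy: longest matching prefix wins.
#   "all"    keep read- and write-type events
#   "writes" keep write-type events only
#   "none"   drop everything under the prefix
POLICY = [
    ("/", "writes"),
    ("/tmp/", "none"),
    ("/etc/", "all"),
    ("/usr/", "all"),
    ("/var/", "writes"),
    ("/var/tmp/", "none"),
]


def policy_for(path: str) -> str:
    best, choice = "", "all"
    for prefix, mode in POLICY:
        if path.startswith(prefix) and len(prefix) > len(best):
            best, choice = prefix, mode
    return choice


def keep(rec: Record, audit_public: bool = False) -> bool:
    """Decide whether a record survives. Emulates the kernel-wide public policy first."""
    if (not audit_public and rec.event in READ_EVENTS
            and is_public_object(rec.mode, rec.uid)):
        return False
    choice = policy_for(rec.path)
    if choice == "none":
        return False
    if choice == "writes":
        return rec.event in WRITE_EVENTS
    return True


def filter_records(recs: Iterable[Record], audit_public: bool = False) -> List[Record]:
    return [r for r in recs if keep(r, audit_public)]


# Constructed sample records (not real audit trail data).
SAMPLE = [
    Record("AUE_OPEN_R", "/etc/passwd", 0o100644, 0),         # read of a public object
    Record("AUE_OPEN_W", "/etc/passwd", 0o100644, 0),         # write in /etc
    Record("AUE_OPEN_R", "/etc/shadow", 0o100400, 0),         # read of a non-public file in /etc
    Record("AUE_OPEN_W", "/tmp/scratch", 0o100600, 1001),     # /tmp: dropped by policy
    Record("AUE_OPEN_R", "/var/log/syslog", 0o100644, 0),     # public read in /var
    Record("AUE_CHMOD", "/var/spool/cron/root", 0o100600, 0), # write-type in /var: kept
    Record("AUE_OPEN_W", "/var/tmp/x", 0o100600, 1001),       # /var/tmp: dropped
]

if __name__ == "__main__":
    for r in filter_records(SAMPLE):
        print(r.event, r.path)
    print("public:", [r.path for r in filter_records(SAMPLE, audit_public=True)])
```

With the public policy off, the read of /etc/passwd is exempt exactly as the kernel would exempt it, while the read of /etc/shadow (mode 0400, so not world-readable) is kept; turning audit_public on brings the /etc/passwd read back but still leaves the /var/log read out because the /var/ policy keeps writes only. The prefix rule is the part the kernel cannot do today, which is why it has to run over the trail after the fact.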