Details
-
New Feature
-
Resolution: Fixed
-
Minor
-
Lustre 2.10.0
-
9223372036854775807
Description
Hi,
As Lustre Changelogs are a centralized mechanism reporting activity on the file system, we would like to use it as a basis for an audit facility for Lustre. The aim is to be able to track all accesses to files residing on Lustre, so that they can be recorded and looked up later for auditing purposes.
Changelogs cannot be used as-is to achieve auditing, because of the following limitations we have identified so far:
(a) uid/gid information is not recorded;
(b) OPEN and GEXATTR operations are not recorded;
(c) CLOSE operations are not recorded if the file is opened in READ_ONLY mode;
(d) Changelogs only record successful operations, not attempts.
Further comments on limitations:
(a) LU-1996 (https://review.whamcloud.com/4060) added support for jobid in Changelogs. If jobid is set to procname_uid, Changelogs will contain procname.uid information. So this could be used to know which user is doing the access. But jobid can be used for another purpose than audit, so we cannot always rely on it. We should create a new changelog extension similar to changelog_ext_jobid, that would hold uid/gid information.
(b) and (c) We do understand that it would have a performance cost to record OPEN and GEXATTR operations, as it would mean generating a write in the Changelogs for a read operation. Similarly for a CLOSE when a file is opened read-only. We will have to exclude OPEN and GETXATTR from the default Changelogs mask, and potentially create a dedicated changelogs entry type for the 'close on read-only' case, excluded by default. Moreover, we will evaluate the performance cost when these operations are recorded.
(d) Having all access attempts recorded will definitely increase MDS/MDT load, so we should examine carefully the performance impact of doing this. We would warn users about how much they would suffer by recording all access attempts.
I will feed this ticket by pushing patches to address the various limitations identified here (and possibly others to come).
Sebastien.
Attachments
Issue Links
- is related to
-
LU-11050 mdd: modifying changelog_deniednext does not yield immediate result
-
- Open
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
LU-15372 add projid to changelog
-
- Open
-
-
-
- Resolved
-
-
-
- Resolved
-
- is related to
-
LU-15373 changelog improvements tracking
-
- Open
-
Activity
Hi Sebastien,
Could you have a look at LU-10738? I think one of the patches for LU-9727 might have caused it.
Quentin
Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/28314/
Subject: LU-9727 lustre: record if enable_audit is set on nodemap
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 9dffcdd2fa07520aab89edd15f627518d3f6cff2
Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/30970/
Subject: LU-9727 doc: update llog_reader man page for Changelogs
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: a13e325130d60b2bec46f67517fa46892e368337
Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/30315/
Subject: LU-9727 utils: make llog_reader decode changelog fields
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 8811869b1e88175d2ea6ead64f7c584b97db98bd
Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/28812/
Subject: LU-9727 lustre: record denied OPEN in Changelogs
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: ccb6fe4b5994c0b8e8890265acfa78e865592431
Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/28299/
Subject: LU-9727 lustre: limit OPEN and CLOSE rates in Changelogs
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: b45f8364a307d1b13ebaf5dc59da33bddde92769
Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/28251/
Subject: LU-9727 lustre: add CL_GETXATTR for Changelogs
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: c722371c18809aaa1de36e5cb61a54de947611b4
Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/28313/
Subject: LU-9727 nodemap: add audit_mode flag to nodemap
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 942a9853f7b4c6fe22729468f1802ab782087e4e
Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/27929/
Subject: LU-9727 lustre: record CLOSE if OPEN was recorded
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: afef52b9f2b5cb3af735d698883951fdd129af20
Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/28214/
Subject: LU-9727 lustre: implement CL_OPEN for Changelogs
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 21fb4d93a94ef3876051fed31c5ef0c33f484f9d
Hi Quentin,
I will try to have a look, thanks for letting me know.
Cheers.