# NFS share audit



## khuman (Jul 6, 2016)

Hi, everyone!

  I need audit file operations (create, write, change, delete) for NFS shares (ZFS). I'm trying to configure auditd:

```
dir:/var/log/audit
dist:off
flags:fc,fd,fw
minfree:5
naflags:fc,fd,fw
policy:cnt,argv
filesz:512M
expire-after:30d
```
  But after create, modify or delete file via NFS, a didn't see any audit records in log file.
Can anybody give advice about correct solution for my task, except auditd? I think the log file size will be very large.  May be I don't found it.


----------



## shepherdAZ (Jul 11, 2016)

I don't think that there is currently support for auditing NFS via auditd, although there was some work done back in 2010 to try to move this forward. As a compensating control, perhaps you could use something like security/tripwire to monitor the directories you are concerned about, or maybe look at a kqueue-based approach as suggested here.


----------

