Date:      Mon, 1 Jun 2020 23:05:46 +0530
From:      Shivank Garg <shivank@freebsd.org>
To:        freebsd-hackers@freebsd.org, soc-status@freebsd.org
Cc:        Alan Somers <asomers@freebsd.org>
Subject:   [GSoC'20 Introduction] Adding audit(4) support to NFS
Message-ID:  <CAOVCmzF7EeAJq-r3D5s-zsG_VkhPS6VMKKaYajfizX=z8e%2ByCg@mail.gmail.com>

Hi everyone,

This project aims to add audit(4) support to NFS, which will allow
auditd(8) to just run on the NFS server and audit all activities within the
NFS network.
Note that audit(4) can still be used on the NFS network but auditd(8) must
run on every NFS client.

*Mentor:* Alan Somers <asomers@FreeBSD.org>

*Project Information/Background:*
Security event auditing permits the selective and fine-grained configurable
logging of security-relevant system events for the purpose of post-mortem
analysis, intrusion detection, and run-time monitoring. It is intended to
meet the requirements of the Common Criteria (CC)/Common Access protection
profile (CAPP) evaluation.
Audit works mostly on the syscall level and NFS is implemented within the
kernel, which means the NFS RPCs don't generate any audit records on the
server. The NFS RPC requests bypass the syscall layer and go directly to
the VFS layer.
The need for this support arises in the case of insecure networks, where
running auditd(8) on each client is not an option (the audit log on such
clients can't be trusted).

*Approach:*
This project will require modification of the NFS server code to allow
an audit of each NFS RPC. This will allow auditd(8) to audit all the NFS
activities within the network. The NFS RPC code lies mostly in
nfs_nfsdserv.c and nfs_nfsdsocket.c. There would be a need to define
AUDIT_NFSRPC_ENTER and AUDIT_NFSRPC_EXIT in a similar fashion to
AUDIT_SYSCALL_ENTER and AUDIT_SYSCALL_EXIT at the NFS RPC level. For auditing
events, within each NFS RPC, one or more AUDIT_ARG_* macros (or some
modification of them) will be called.
The implementation design is still being thought through.

*Project Wiki and Source links:*
* Project Wiki Page:
https://wiki.freebsd.org/SummerOfCode2020Projects/AddAuditSupportToNFS
* Github Repo link:
https://github.com/shivankgarg98/freebsd/tree/user/shivank/nfs_audit
* Please see this diff for all changes:
https://github.com/freebsd/freebsd/compare/master...shivankgarg98:user/shivank/nfs_audit
Note: I'll be updating a weekly status report on soc-status@.

Please feel free to share your ideas and feedback on this project.

Happy Hacking! :)

Best Regards,
Shivank Garg
Undergrad at IIT Kanpur, India
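
A userland C model of the ENTER / ARG / EXIT bracketing described under "Approach", added here as an illustration; it is not code from this message, the project branch or the FreeBSD kernel. Every name in it (audit_nfsrpc_enter, audit_arg_path, rpc_dispatch, the event ids, the preselection mask, the sample paths) is hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Userland model; every name below is hypothetical, not FreeBSD kernel code. */
enum { EV_LOOKUP = 1, EV_REMOVE = 2 };            /* constructed event ids */
struct audit_rec { int event, error; char path[64]; };
struct rpc_ctx { struct audit_rec *ar, slot; };   /* per-request audit state */
static struct audit_rec trail[8];                 /* stand-in for the audit trail */
static int trail_len;

/* ENTER: open a record only when the event is preselected for auditing. */
static void audit_nfsrpc_enter(struct rpc_ctx *c, int ev, unsigned mask)
{
    c->slot = (struct audit_rec){ .event = ev };
    c->ar = (mask & (1u << ev)) ? &c->slot : NULL;
}

/* ARG: service routines attach arguments; a no-op when no record is open. */
static void audit_arg_path(struct rpc_ctx *c, const char *p)
{
    if (c->ar != NULL)
        snprintf(c->ar->path, sizeof(c->ar->path), "%s", p);
}

/* EXIT: stamp the result and commit, so failed RPCs are recorded too. */
static void audit_nfsrpc_exit(struct rpc_ctx *c, int error)
{
    c->slot.error = error;
    if (c->ar != NULL && trail_len < 8)
        trail[trail_len++] = c->slot;
}

/* A service routine: it reaches the "VFS" with no syscall hook on the way. */
static int rpc_remove(struct rpc_ctx *c, const char *path)
{
    audit_arg_path(c, path);
    return strcmp(path, "/export/ro/f") == 0 ? 13 : 0;   /* 13 = EACCES */
}

/* Dispatcher: ENTER/EXIT bracket every RPC, as the syscall layer does. */
int rpc_dispatch(int ev, const char *path, unsigned mask)
{
    struct rpc_ctx c;
    audit_nfsrpc_enter(&c, ev, mask);
    int error = (ev == EV_REMOVE) ? rpc_remove(&c, path) : 0;
    audit_nfsrpc_exit(&c, error);
    return error;
}
```

Because the bracketing sits in the dispatcher, a denied request still produces a record carrying the client-supplied path and the error, which is the server-side evidence the message says untrusted clients cannot provide.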


