Date: Mon, 1 Jun 2020 23:05:46 +0530
From: Shivank Garg <shivank@freebsd.org>
To: freebsd-hackers@freebsd.org, soc-status@freebsd.org
Cc: Alan Somers <asomers@freebsd.org>
Subject: [GSoC'20 Introduction] Adding audit(4) support to NFS
Message-ID: <CAOVCmzF7EeAJq-r3D5s-zsG_VkhPS6VMKKaYajfizX=z8e%2ByCg@mail.gmail.com>

Hi everyone,

This project aims to add audit(4) support to NFS, which will allow auditd(8) to just run on the NFS server and audit all activities within the NFS network. Note that audit(4) can still be used on the NFS network, but auditd(8) must run on every NFS client.

*Mentor:* Alan Somers <asomers@FreeBSD.org>

*Project Information/Background:*

Security event auditing permits the selective and fine-grained configurable logging of security-relevant system events for the purpose of post-mortem analysis, intrusion detection, and run-time monitoring. It is intended to meet the requirements of the Common Criteria (CC)/Common Access protection profile (CAPP) evaluation.

Audit works mostly on the syscall level and NFS is implemented within the kernel, which means the NFS RPCs don't generate any audit records on the server. The NFS RPC requests bypass the syscall layer and go directly to the VFS layer.

The need for this support arises in the case of insecure networks, where running auditd(8) on each client is not an option (the audit log on such clients can't be trusted).

*Approach:*

This project will require modification of the NFS server code to allow an audit of each NFS RPC. This will allow auditd(8) to audit all the NFS activities within the network. The NFS RPC code lies mostly in nfs_nfsdserv.c and nfs_nfsdsocket.c. There would be a need to define AUDIT_NFSRPC_ENTER and AUDIT_NFSRPC_EXIT in a similar fashion to AUDIT_SYSCALL_ENTER and AUDIT_SYSCALL_EXIT at the NFS RPC level. For auditing events, within each NFS RPC, one or more AUDIT_ARG_* macros (or some modification of them) will be called. The implementation design is under the thought process.

*Project Wiki and Source links:*

* Project Wiki Page: https://wiki.freebsd.org/SummerOfCode2020Projects/AddAuditSupportToNFS
* GitHub Repo link: https://github.com/shivankgarg98/freebsd/tree/user/shivank/nfs_audit
* Please see this diff for all changes: https://github.com/freebsd/freebsd/compare/master...shivankgarg98:user/shivank/nfs_audit

Note: I'll be updating the weekly status report on soc-status@.

Please feel free to share your ideas and feedback on this project.

Happy Hacking! :)

Best Regards,
Shivank Garg
Undergrad at IIT Kanpur, India