Audit Kernel Events


Robert Watson

Student (+contact information)

Efstratios Karatzas


Kernel subsytems such as NFS & PF can be enhanced to log security related information using TrustedBSD's Audit subsystem. The kernel audit framework will need serious reworking itself because it is currently based on the notion that information is gathered only through system calls and a single kernel thread will be involved in at most one security event at a time. This project will focus on providing audit support for NFS RPCs and the necessary foundations for modifying other kernel subsystems.

p4 depot path



May 1 – May 10: Provide audit support for current NFS server implementation, using only vn_fullpath(9). Perform first tests.

May 11 – May 20: Some extra research + design & coding of a new KPI that produces a path, given a vnode pointer. Thorough testing & writing of man page for the KPI.

May 21 – May 27: Integrate the new KPI to NFS code, more testing & bug fixing. This actually led to the creation of a new VOP, VOP_GETPARENT(), and a new vfs op, VFS_FHTOHINT(). Release code & demos to get feedback from the community & sysadmins.

May 28 – June 5: Study nfsv4 implementation + start pondering about handling multiple audit records in a single kernel thread.

June 6 – June 13: Design a solution for this problem(rough patch). Request assistance from mentor.

June 14 – June 25: Provide audit support for new NFS server implementation, at least for NFS v2&3 rpcs.

June 26 – July 12: Provide support for NFSv4 compound rpcs, thorough testing.

July 13 – July 23: By this time, I will have some feedback on my proposed solution for the simultaneous handling of multiple td_ars in a kthread. Write some code and see if it applies cleanly to other parts of the kernel that use the audit framework (most notably the sys/calls), without breaking anything.

July 24 – August 16: Remaining tasks: Introduce new token types to bsm libs & praudit - write/update man pages - make praudit match NFS error codes to NFS error messages - revisit NFSv4 operation "OPEN" - ???

Final shipping to Google.



Following, are two audit logs from my own NFS server. The experimental NFS server found in sys/fs/nfsserver was used to produce these logs. The protocols used are NFSv3 and NFSv4.

To produce these logs, I executed a shell script that triggers most of the NFS RPCs; it can be found here. The actual logs can be found here(NFS v3) and here(NFS v4).


There is a new argument for praudit(1), 'c' so that foreign credentials are not matched against local userbase and are shown in raw numeric form; alternatively, argument 'r' can also be used. Argument '-c' was used to produce these logs. The NFS v4 log is much larger because the protocol wraps simple operations into a bunch of multiple RPCs (compound RPCs); I've stripped non NFS relevant Audit Events so the logs should not prove too hard to read.

Code Sample

This is a diff file that was procuded at the end of gsoc; last update: August 30 2010



There are some files missing from the diff file; 3 new man pages that were introduced while working no this project: vn_fullpath_nocache(9), VOP_GEPARENT(9), VFS_FHHINT(9)

FreeBSD Dev Summit 2010 (Karlsruhe) Presentation


Feel free to share any thoughts!


SOC2010EfstratiosKaratzas (last edited 2010-10-16 18:13:35 by EfstratiosKaratzas)