Add audit(4) support to NFS

Add audit(4) support to NFS - Google Summer of Code 2020 project page

Differential revisions Submitted





NFS remove vfs_statfs and vnode_mount macro

Merged (./)

D25869 D26243

NFSv3 Audit Support

Revision is still in review


  1. More differential revision has to be submitted for NFSv4 audit support.
  2. NFSAuditTestSuite is reviewed using github and is still under review. It'll come as a FreeBSD Port (due to dependency on net/libnfs) in the future.

Idea of the project:

FreeBSD includes support for security event auditing. Security event auditing permits the selective and fine-grained configurable logging of security-relevant system events for the purpose of post-mortem analysis, intrusion detection, and run-time monitoring. It is important for advanced security and monitoring and is intended to meet the requirements of the Common Criteria(CC)/Common Access protection profile(CAPP) evaluation. The audit subsystem in FreeBSD, audit(4), can record a variety of system events like user-logins, file system activities, network activities, process creations, etc.

The sysadmin may wish to monitor the filesystem activities within the NFS network. It will require the sysadmin to run the auditd(8) on each NFS client, and audit trails can be transferred across the network with auditdistd(8). The security officer can review each client’s audit trails to review the NFS activities. This arrangement works perfectly fine in case of secure networks, where the admin has control over the clients as well as servers.

The auditd(8) on the server doesn’t generate any record trails for the NFS activities because the audit works mostly on the syscall level and the NFS server is implemented within the kernel. This makes it bypass the syscall layer and the requests go to the VFS layer.

In case NFS is used on insecure networks, running auditd(8) on each client is not an option as the audit records on the client can be tempered. The audit(4) support to the NFS server is a missing feature for such networks. Thus, The aim of this project is to audit each NFS RPC. This would allow an audit of all NFS activities within the network by just running auditd(8) on the server.

Project description & Implementation

The AUDIT_NFSRPC_ENTER macro checks whether the audit is enabled and nfs class is enabled for audit event preselection. If a record is needed, the audit thread allocates audit record memory zone associated with RPC request in the struct kaudit_record *nd_ar field of struct nfsrv_descript. Then AUDIT_NFSARG_* macros are used to audit arguments associated with individual RPC service and the FLAGS are set to indicate if the arg has to be included in the audit log stream (as a token). For instance, AUDIT_NFSARG_NETSOCKADDR(nd, nd->nd_nam) is used to audit the client socket address associated with the RPC request description. The AUDIT_NFSRPC_EXIT macro commits the kernel audit record according to the desired configuration. The kaudit_to_bsm does the work of converting the kernel audit record to BSM record and contains individual cases for NFS service to audit the NFS arguments into BSM format tokens.

NFSv2/3 Audit: The AUDIT_NFSRPC_ENTER and AUDIT_NFSRPC_EXIT macros are defined around the nfsrvd_dorpc to audit each NFSv2 and NFSc3 RPC. The nfsrv3_procsX (X = 0, 1, 2; depends on number of extra args to NFS service function) maps function pointer array of NFS service to their respective procedure number. The audit event to procedure number mapping is also defined for uniquely identifying the NFSv3 AUDIT event.

NFSv4 Audit: The nfsrvd_compound RPC request contains various suboperations. It is desired to audit each nfsrvd_compound RPC (to get the summary and number of sub-operations associated with the request) and individual sub-operations(which is mostly similar to audit individual NFSv3 RPC) associated with it. The AUDIT_NFSRPC_ENTER and AUDIT_NFSRPC_EXIT are thus first used to audit the number of suboperations and socket addr in compound RPC (NFSv4 summary record), and then again reusing the nd_ar field to audit each sub-operation one-by-one in for loop (as it breaks down an RPC record to subops). The nfsrv4_auevent[NFSV42_NOPS] table is used to map NFSv4 procedure number to respective audit event numbers.

Test Plan

NFSAuditTestSuite: The NFS audit test suite is built on the top net/libnfs port and uses Kyua ATF framework for testing. Note: The NFSAuditTestSuite design and code is deeply influenced and borrowed from RegressionTestSuiteForAuditFramework and net/libnfs examples and internal code. NFSAuditTestSuite uses async libnfs raw-APIs interface to test individual RPCs. This allows us to test the NFS Audit with high flexibility and helps avoid doing RPC that other than the desired one (as much as possible).

It employs high-level(posix like apis) libnfs API for mounting, etc.(that is doing pre-testing work). Then using raw-api to test the desire RPC and checking the auditpipe output.

Work Done

Work Remaining

Weekly Reports

Report Email Archive

Introduction mail

Week 1

Week 2

Week 3

Week 5

Week 6

Week 7

Week 8

Week 9-10

Week 11

Week 12

Please check this branch for the code


SummerOfCode2020Projects/AddAuditSupportToNFS (last edited 2020-10-18 23:59:12 by SashaVigole)