Auditing NFS Events. Efstratios Karatzas gpf@freebsd.org

Similar documents
Practical Security Event Auditing with FreeBSD

FreeBSD Developer Summit TrustedBSD: Audit + priv(9)

CAPP-Compliant Security Event Audit System for Mac OS X and FreeBSD

We mean.network File System

Network File System (NFS)

Oak Ridge National Laboratory Computing and Computational Sciences Directorate. Lustre Crash Dumps And Log Files

Chapter 11 Distributed File Systems. Distributed File Systems

Chapter 11: File System Implementation. Operating System Concepts with Java 8 th Edition

Installation Instruction STATISTICA Enterprise Small Business

FileNet System Manager Dashboard Help

Virtual Private Systems for FreeBSD

CYAN SECURE WEB APPLIANCE. User interface manual

STATISTICA VERSION 12 STATISTICA ENTERPRISE SMALL BUSINESS INSTALLATION INSTRUCTIONS

SMART Solutions for Active Directory Migrations

An On-line Backup Function for a Clustered NAS System (X-NAS)

Kiwi SyslogGen. A Freeware Syslog message generator for Windows. by SolarWinds, Inc.

Session 17 Windows 7 Professional DNS & Active Directory(Part 2)

How to protect, restore and recover SQL 2005 and SQL 2008 Databases

Incremental Backup Script. Jason Healy, Director of Networks and Systems

AVG Business Secure Sign On Active Directory Quick Start Guide

File-System Implementation

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

Linux Audit Quick Start SUSE Linux Enterprise 10 SP1

The Native AFS Client on Windows The Road to a Functional Design. Jeffrey Altman, President Your File System Inc.

SAMBA AND SMB3: ARE WE THERE YET? Ira Cooper Principal Software Engineer Red Hat Samba Team

From bsdtar to tarsnap

KB Windows 2000 DNS Event Messages 1 Through 1614

OPERATING SYSTEMS FILE SYSTEMS

<Samba status report>

McAfee Web Gateway 7.4.1

Wavelink Avalanche Mobility Center Linux Reference Guide

Lesson Objectives. To provide a grand tour of the major operating systems components To provide coverage of basic computer system organization

Microsoft Baseline Security Analyzer

HowTo Check. Microsoft Cluster. Functionality via SNMP

An Open Source Wide-Area Distributed File System. Jeffrey Eric Altman jaltman *at* secure-endpoints *dot* com

Solaris Run Cron Job Every 5 Minutes

GL254 - RED HAT ENTERPRISE LINUX SYSTEMS ADMINISTRATION III

Snare System Version Release Notes

THE BCS PROFESSIONAL EXAMINATIONS BCS Level 6 Professional Graduate Diploma in IT. April 2009 EXAMINERS' REPORT. Network Information Systems

Four Reasons To Start Working With NFSv4.1 Now

Using Secure4Audit in an IRIX 6.5 Environment

Kaseya 2. User Guide. Version 1.1

ovirt and Gluster hyper-converged! HA solution for maximum resource utilization

Running a Workflow on a PowerCenter Grid

Network File System (NFS) Pradipta De

HOW TO GUIDE. Pcounter Scan Server. For Support Click here INTRODUCTION

Hadoop and Map-Reduce. Swati Gore

CIA Lab Assignment: Web Servers

Determine the process of extracting monitoring information in Sun ONE Application Server

Version Control. Luka Milovanov

Module 15: Nonconformance And Corrective And Preventive Action

ZooKeeper. Table of contents

Disaster Recovery for Ingres. Abstract

Mac OS X Security Checklist:

Getting Started. Backup Repositories. Getting Started 1/6

Client Monitoring with Microsoft System Center Operations Manager 2007

Enabling Remote Management of SQL Server Integration Services

RedHat (RHEL) System Administration Course Summary

Installation Guide for Basler pylon 2.3.x for Linux

APACHE WEB SERVER. Andri Mirzal, PhD N

Contents. Part 1 SSH Basics 1. Acknowledgments About the Author Introduction

WINDOWS LOGGING CHEAT SHEET - Win 7/Win 2008 or later

Case Study. File Transfer Issues Faced by an Engineering Company

Univention Corporate Server. Operation of a Samba domain based on Windows NT domain services

Clinical Scheduling for Windows

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

EMC RepliStor for Microsoft Windows ERROR MESSAGE AND CODE GUIDE P/N REV A02

...2. Standard Installation...4. Example Installation Scenarios...5. Network Installation...8. Advanced Settings Product Requirements

Configuring Security Features of Session Recording

Surround SCM Best Practices

Statement of Support on Shared File System Support for Informatica PowerCenter High Availability Service Failover and Session Recovery

EMC NetWorker Module for Microsoft Applications Release 2.3. Application Guide P/N REV A02

PVFS High Availability Clustering using Heartbeat 2.0

The Settings tab: Check Uncheck Uncheck

Lightweight Virtualization: LXC Best Practices

Computer Science 4302 Operating Systems. Student Learning Outcomes

Application Security Policy

Server Monitoring: Centralize and Win

How To Use A Microsoft Networker Module For Windows (Windows) And Windows 8 (Windows 8) (Windows 7) (For Windows) (Powerbook) (Msa) (Program) (Network

Junos WebApp Secure (formerly Mykonos)

System Requirement Specification for A Distributed Desktop Search and Document Sharing Tool for Local Area Networks

BF2CC Daemon Linux Installation Guide

ZFS Backup Platform. ZFS Backup Platform. Senior Systems Analyst TalkTalk Group. Robert Milkowski.

ENTERPRISE LINUX SECURITY ADMINISTRATION

Vulnerability Scanning and Patch Management

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

EXTENDED FILE SYSTEM FOR F-SERIES PLC

Using RichCopy. For. Bulk Fileshare Transfer

GlusterFS Distributed Replicated Parallel File System

GL550 - Enterprise Linux Security Administration

Chapter 12 File Management

How to test and debug an ASP.NET application

Transcription:

Auditing NFS Events Efstratios Karatzas gpf@freebsd.org FreeBSD Developer Summit Karlsruhe Institute of Technology Karlsruhe, Germany October 8, 2010

Audit's Limitations TrustedBSD's Audit implementation is widely used by sys/admins to keep an eye on their servers via run-time monitoring, post-mortem analysis, etc. However, Audit is limited on the following aspects: Audit is focused on gathering data from local system calls. Audit assumes that a running kernel thread will be involved in at most one security event at a time.

Motivation Why should we extend the functionality of Audit? There are plenty of kernel subsystems (such as firewalls or NFS) that generate security log data which are, at the moment, ignored by Audit. FreeBSD is widely used as a file server and current implementation only supports auditing of local filesystem activity, i.e. No logging of NFS server activity. Logging of NFS activity requested by sys/admins on multiple occasions.

Suggested GsoC Project Idea How should we extend Audit? In order to successfuly audit other kernel subsystems, Audit must support handling of simultaneous audit records per running kernel thread. i.e. two Audit Records are needed when an open(2) is used over NFS and this action triggers a Firewall Event. Actually extend other kernel subsystems to use the Audit framework and log security relevant information.

GSoC 2010 Audit Kernel Events Deliverables of this project in a nutshell: Audit Support for NFS RPCs that get serviced by your FreeBSD fileserver. This includes support for both the current NFS implementation in sys/nfs* as well as the experimental NFS implementation in sys/fs/nfs* (NFS protocols v2,3 & 4). Handling of multiple audit records per kernel thread via use of a treelike data structure that is kept with each kernel thread.

Demo This is the audit record for the NFSv3 RPC "WRITE": header,181,11,nfsrv_write(),0,mon Aug 9 20:21:08 2010, + 697 msec argument,2,0x8,flags path,/usr/home/gpf/desktop/nfs/my_test/file attribute,646,1002,0,104,216583,857980 text,192.168.1.10:639 protocol,nfsv3 subject,-1,1002,0,1002,0,1560,0,0,0.0.0.0 return,success,0 trailer,181

vnode* to file path? (1) Task: Acquiring a full filename from just a vnode pointer; necessary in order to make sense out of NFS activity. Pre-existing solution: vn_fullpath(9) use the name cache to generate a full pathname.

vnode* to file path? (2) Problems with vn_fullpath(): Name Cache Hints are lost every time the server reboots. Contents of the cache are replaced in a semi-lru fashion. Therefore, this KPI is deemed unreliable for use in a security submodule such as Audit.

vnode* to file path? (3) Proposed Solution: Store the directory *node number (hint) inside the filehandle during filehandle creation, VOP_VPTOFH(9). Collect the *node number from the filehandle using VFS_FHHINT(9). Feed the vnode* and the directory hint to vn_fullpath_nocache(9). vn_fullpath_nocache(9) will then try to generate a working path for the vnode in question without making use of the name cache.

vn_fullpath_nocache(9) The hardest part is to link a non-directory vnode with a parent directory - VOP_GETPARENT(9) is used. Use the directory parent hint to make this easier. Perform an exhaustive search on the filesystem. Use filesystem specific mechanisms to facilitate the seach. i.e. The parent znode_id is stored inside each znode in ZFS. Problems: Hardlinks with multiple paths, temporary files with no path at all.

Todo List Stuff left to do: Review code alongside mentor and merge with HEAD. Port VOP_GETPARENT(9) to other filesystems. Update Audit code at sys/fs/nfs* as new functionality is being added to the experimental NFS server.

Audit & GSoC (1) Distributed Audit Daemon Alexey Mikhailov, GSoC 2007 unsuccessful Sergio Ligregni, GSoC 2010 successful Application-Specific Audit Trails Ilias Marinos, GSoC 2009 successful The same mechanisms can be extended to jails (work in progress)

Audit & GSoC (2) Audit Log Analyzer Dongmei Liu, GSoC 2007 unsuccessful Audit Kernel Events Diego Giagio (Firewalls), GSoC 2008 unsuccessful His work will be picked up by me :-) Efstratios Karatzas (NFS), GSoC 2010 successful

The End Thank you for your time! For more information on my project, please visit the project's wiki page http://wiki.freebsd.org/soc2010efstratioskaratzas Special Thanks to: Robert Watson Rick Macklem FreeBSD Project & Community Google & Carol Smith

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information