Skip to content

Instantly share code, notes, and snippets.

@aniketp aniketp/

Last active Mar 25, 2018
What would you like to do?
Report 2: File-read System Call testing for FreeBSD Audit Framework

Report 2: File-read System Call testing

Explicit System Call Testing

The test application would trigger all Syscalls one by one, evaluating that the audit record contains all the expected parameters, e.g the arguments, valid argument types, return values etc. The testing will be done for various success and failure modes, with cross checking for appropriate error codes in case of failure mode.



Directory Structure

Source contains following significant files

  • readlink.c : Source for triggering readlink(2) and readlinkat(2), used for following symbolic links.

  • open.c : Source for triggering open(2) and openat(2). Note: syscall(2) is used for calling open as libc converts 'open(2)' to 'openat(2)'.

  • test : A POSIX compliant shell script which does all the hard work. From firing off the network binary to extracting the data from resulting trail and analysing the result. Detailed functioning of the script is described later.


Here is how I attempted to test the file-read (fr) syscalls.

  1. Get all audit_events with file-read(fr) audit class.
  $ cat /etc/security/audit_event | grep ":fr"
  72:AUE_OPEN_R:open(2) - read:fr
  80:AUE_OPEN_RW:open(2) - read,write:fr,fw
  270:AUE_OPENAT_R:openat(2) - read:fr
  278:AUE_OPENAT_RW:openat(2) - read,write:fr,fw
  43170:AUE_OPEN_EXTENDED_R:open_extended(2) - read:fr
  43178:AUE_OPEN_EXTENDED_RW:open_extended(2) - read,write:fr,fw

Note: From the obtained results, it is noticed that some Darwin supported system calls are deprecated, these will be ignored.

Description of test

  1. Set the audit flag:fr (file-read)
 sed -i "" '/\<flags:/s/\(.*\)/flags:fr/' /etc/security/audit_control
  1. Start the audit daemon and set a new trail for recording the syscalls
 $ service auditd start; audit -n
  1. Create a temporary file and its symbolic link in the /tmp directory. These disposable files will be used to trigger the open(2) and openat(2) syscalls in read-write only (no-create) mode and readlink(2), readlinkat(2) for symlink following.

  2. Fire off the syscalls, one after the other, they will read and close the file/symbolic link.

 ./open &
 ./readlink &
  1. Rest of the steps are same as in the testing of network socket system calls, i.e Report1

Troubles encountered

The BSD libc converts open(2) to openat(2) to optimize the resource usage in case no file descriptor is passed to open(2). With no other option, I presented this issue to the #freebsd-security IRC channel and a member resolved it by suggesting the use of syscall(2) for calling open(2). i.e

 syscall(SYS_open, "/tmp/templog", O_RDWR)

With this approach, I was finally able to audit open(2) 😃


Audit of all concerned tests (in this case too) was successful (Yay! x2)

$ ./test
Audit Directory: /var/audit .. ✔
Starting auditd.
Audit daemon and new trail started .. ✔
Launching system calls .. ✔
Audit daemon stopped .. ✔

Trigger sent.
Success mode passed: open(2) .. ✔
Failure mode passed: open(2) .. ✔
Success mode passed: openat(2) .. ✔
Failure mode passed: openat(2) .. ✔
Success mode passed: readlink(2) .. ✔
Failure mode passed: readlink(2) .. ✔
Success mode passed: readlinkat(2) .. ✔
Failure mode passed: readlinkat(2) .. ✔

Tests evaluated: 8
Tests passed: 8

Further plan and Improvements

  • Add tests for the remaining file-read syscalls, e.g copyfile(2) and open_extended(2). Might need to use syscall(2) for calling both of them as it is possible libc modifies them too.


  • Sometimes, setting audit flag as fr (file-read) continuously logs openat(2) and it renders the audit system useless.


Added tests for a lot more file-create (fc) system calls

  • symlink(2) & symlinkat(2)
  • mkdir(2) & mkdirat(2)
  • mkfifo(2) & mkfifoat(2)
  • mknod(2) & mknodat(2)
  • link(2) & linkat(2)
    Although it remains to automate them!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.