Filtering Connect syscalls for af_inet only

Peter Moody pmoody at google.com
Tue Feb 3 23:21:14 UTC 2015


On Tue, Feb 03 2015 at 14:57, F Rafi wrote:
> Hi folks,
>
> <n00b alert>
>
> I have auditing for outbound connect requests working using the Connect
> (sys_connect) syscall on a server running *Ubuntu precise 12.04 LTS*.
>
> The rule I'm using is:
>
> -a exit,always -F arch=b64 -S connect -k network_outbound
>
>
>
> I'm getting a substantial amount of saddr=0100.... logs, which I understand
> are not connections to a remote host but rather a local AF_UNIX socket
> pointing to a file. Example log message is:
>
>
>
> type=SYSCALL msg=audit(1423002916.796:24545371): arch=c000003e syscall=42
>> success=no exit=-2 a0=294 a1=7fff97f62680 a2=6e a3=7fff97f62860 items=0
>> ppid=20546 pid=21439 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33
>> egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2"
>> exe="/usr/lib/apache2/mpm-prefork/apache2" key="network_outbound"
>
> type=SOCKADDR msg=audit(1423002916.796:24545371): *saddr=0100*<truncated to
>> remove the hex-encoded file path>
>
>
> Is there an easy way to filter these out so that we only have saddr=0200...
> messages left?
>
> I'm exporting the log to an external syslog server and it would help
> considerably if I could eliminate this from all of our servers.
>
> I see that auditctl has a *filetype* filter which can be set to filter
> *socket* or *file* types. Is that the right way to filter these messages?
>
> -a exit,always -F arch=b64 -F filetype=socket -S connect -k network_outbound

does -F filetype!=socket work?

> The above rule filters out everything but the af_unix connect syscalls,
> which is the opposite of what I'm looking for.
>
> Any help would be appreciated.
>
> Thanks,
> Farhan
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
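An added example, not code from this thread: the kernel-side audit filter compares syscall arguments as integers, and for connect the address family sits behind the pointer in a1, so on a kernel that predates the later `-F saddr_fam=inet` filter the family can only be recovered after the fact from the SOCKADDR record. The Python below pairs SYSCALL and SOCKADDR records by event id, decodes saddr (the first two bytes are sa_family in host byte order, hence 0100 for AF_UNIX and 0200 for AF_INET) and keeps only inet/inet6 connects; the log lines are constructed.

```python
import re
import socket
import struct
from collections import defaultdict

# Constructed sample records (not from the original post): one AF_UNIX connect
# by apache2 and one AF_INET connect, each a SYSCALL/SOCKADDR pair sharing
# the audit(timestamp:serial) event id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1423002916.796:1): arch=c000003e syscall=42 success=no exit=-2 a0=294 a1=7fff97f62680 a2=6e a3=7fff97f62860 items=0 ppid=20546 pid=21439 auid=4294967295 uid=33 gid=33 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key="network_outbound"
type=SOCKADDR msg=audit(1423002916.796:1): saddr=01002F7661722F72756E2F6170702E736F636B00
type=SYSCALL msg=audit(1423002916.800:2): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd1 a2=10 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 comm="curl" exe="/usr/bin/curl" key="network_outbound"
type=SOCKADDR msg=audit(1423002916.800:2): saddr=02000050C0A800010000000000000000
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')

def decode_saddr(hexstr):
    """Decode the raw struct sockaddr the kernel logs as hex. The first two
    bytes are sa_family in host byte order (little-endian on x86-64), which is
    why AF_UNIX appears as 0100 and AF_INET as 0200 in the log."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack('<H', raw[:2])[0]
    if family == socket.AF_INET:    # sockaddr_in: port (network order), 4-byte address
        return 'inet', socket.inet_ntop(socket.AF_INET, raw[4:8]), struct.unpack('!H', raw[2:4])[0]
    if family == socket.AF_INET6:   # sockaddr_in6: port, flowinfo, 16-byte address
        return 'inet6', socket.inet_ntop(socket.AF_INET6, raw[8:24]), struct.unpack('!H', raw[2:4])[0]
    if family == socket.AF_UNIX:    # sockaddr_un: NUL-terminated filesystem path
        return 'unix', raw[2:].split(b'\0', 1)[0].decode(errors='replace'), None
    return 'other', hexstr, None

def filter_connects(log_text, families=('inet', 'inet6')):
    """Group records by event id and keep only connect events whose peer
    address family is in `families`, summarised as small dicts."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            events[m.group(2)][m.group(1)] = m.group(3)
    kept = []
    for event_id, recs in events.items():
        if 'SYSCALL' not in recs or 'SOCKADDR' not in recs:
            continue
        fam, addr, port = decode_saddr(re.search(r'saddr=([0-9A-Fa-f]+)', recs['SOCKADDR']).group(1))
        if fam in families:
            fields = dict(re.findall(r'(\w+)="?([^"\s]*)"?', recs['SYSCALL']))
            kept.append({'id': event_id, 'family': fam, 'addr': addr, 'port': port,
                         'comm': fields.get('comm'), 'pid': fields.get('pid'),
                         'success': fields.get('success')})
    return kept
```

Run over the raw audit.log before shipping to syslog, only the inet/inet6 connects survive; pass `families=('unix',)` to see what is being dropped.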