Filtering Connect syscalls for af_inet only

F Rafi farhanible at gmail.com
Thu Feb 5 01:19:21 UTC 2015


After some log analysis it looks like filtering on "a2=10" only shows
network activity. From what I understand, this is the address length (*int
addrlen*) argument in the sys_connect function.

Traced it down to this comment in socket.c. Sounds like filtering for a2=10
and a2=18 (to account for IPv6) may work.

#define MAX_SOCK_ADDR 128
/* 108 for Unix domain -
   16 for IP, 16 for IPX,
   24 for IPv6,
   about 80 for AX.25
   must be at least one bigger than the AF_UNIX size
   (see net/unix/af_unix.c :unix_mkname()).
 */

10 hex = 16 dec and 18 hex = 24 dec

I hope someone can correct me if I sound like I'm not all there.

Farhan
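An added example, not part of the thread: the decoder below pairs SYSCALL and SOCKADDR records by audit event id and classifies each connect by the family encoded in saddr (0100 = AF_UNIX, 0200 = AF_INET, 0a00 = AF_INET6), so the AF_UNIX events can be dropped on the syslog side and the a2 (addrlen) value checked against what each family actually carries. The log lines are constructed from the apache2 record quoted in the thread; the socket path, addresses and ports are made up.

```python
import re
import socket
import struct
from collections import defaultdict
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10
# Constructed sockaddr hex as auditd prints it: sa_family first (host order, little-endian on x86_64), port big-endian.
SADDR_UNIX = "0100" + "/tmp/app.sock".encode().hex() + "00"                 # sockaddr_un
SADDR_INET = "0200" + "0050" + "7f000001" + "00" * 8                        # 127.0.0.1:80, 16 bytes
SADDR_INET6 = "0a00" + "0050" + "00000000" + "00" * 15 + "01" + "00000000"  # [::1]:80, 28 bytes
# Constructed records modelled on the thread's apache2 event; a2 is connect(2)'s addrlen in hex.
SAMPLE_LOG = f"""\
type=SYSCALL msg=audit(1423002916.796:24545371): arch=c000003e syscall=42 success=no exit=-2 a0=294 a1=7fff97f62680 a2=6e a3=7fff97f62860 comm="apache2" key="network_outbound"
type=SOCKADDR msg=audit(1423002916.796:24545371): saddr={SADDR_UNIX}
type=SYSCALL msg=audit(1423002916.797:24545372): arch=c000003e syscall=42 success=yes exit=0 a0=10 a1=7fff97f62680 a2=10 a3=0 comm="apache2" key="network_outbound"
type=SOCKADDR msg=audit(1423002916.797:24545372): saddr={SADDR_INET}
type=SYSCALL msg=audit(1423002916.798:24545373): arch=c000003e syscall=42 success=yes exit=0 a0=11 a1=7fff97f62680 a2=1c a3=0 comm="apache2" key="network_outbound"
type=SOCKADDR msg=audit(1423002916.798:24545373): saddr={SADDR_INET6}
"""
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_saddr(hexstr):
    """Return (family, address, port) decoded from a SOCKADDR record's saddr hex."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]
    if family == AF_INET:
        return family, socket.inet_ntop(socket.AF_INET, raw[4:8]), struct.unpack("!H", raw[2:4])[0]
    if family == AF_INET6:
        return family, socket.inet_ntop(socket.AF_INET6, raw[8:24]), struct.unpack("!H", raw[2:4])[0]
    if family == AF_UNIX:  # the saddr=0100... events: sun_path follows the family
        return family, raw[2:].split(b"\0")[0].decode(errors="replace"), None
    return family, None, None


def inet_connects(text):
    """Pair SYSCALL/SOCKADDR records by event id; keep only AF_INET/AF_INET6 connects."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, event_id, rest = m.groups()
            events[event_id][rtype] = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    rows = []
    for event_id, recs in events.items():
        if "SYSCALL" in recs and "SOCKADDR" in recs:
            family, addr, port = decode_saddr(recs["SOCKADDR"]["saddr"])
            if family in (AF_INET, AF_INET6):
                addrlen = int(recs["SYSCALL"]["a2"], 16)  # 0x10 for sockaddr_in, 0x1c for sockaddr_in6
                rows.append((event_id, recs["SYSCALL"]["comm"], addrlen, family, addr, port))
    return rows
```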



On Tue, Feb 3, 2015 at 6:53 PM, F Rafi <farhanible at gmail.com> wrote:

> Correction. Both filetype=socket and !=socket result in just saddr=0100..
> events. Seems like this is not the way to go.
>
> Farhan
>
> On Tue, Feb 3, 2015 at 6:24 PM, F Rafi <farhanible at gmail.com> wrote:
>
>> Sorry, I should have mentioned that I already tried that. That results in
>> no logs being generated for that rule.
>>
>> Thanks,
>> Farhan
>>
>> On Tue, Feb 3, 2015 at 6:21 PM, Peter Moody <pmoody at google.com> wrote:
>>
>>>
>>> On Tue, Feb 03 2015 at 14:57, F Rafi wrote:
>>> > Hi folks,
>>> >
>>> > <n00b alert>
>>> >
>>> > I have auditing for outbound connect requests working using the Connect
>>> > (sys_connect) syscall on a server running *Ubuntu precise 12.04 LTS*.
>>> >
>>> > The rule I'm using is:
>>> >
>>> > -a exit,always -F arch=b64 -S connect -k network_outbound
>>> >
>>> >
>>> >
>>> > I'm getting a substantial amount of saddr=0100.... logs, which I
>>> understand
>>> > are not  connections to a remote host but rather a local AF_UNIX socket
>>> > pointing to a file. Example log message is:
>>> >
>>> >
>>> >
>>> > type=SYSCALL msg=audit(1423002916.796:24545371): arch=c000003e
>>> syscall=42
>>> >> success=no exit=-2 a0=294 a1=7fff97f62680 a2=6e a3=7fff97f62860
>>> items=0
>>> >> ppid=20546 pid=21439 auid=4294967295 uid=33 gid=33 euid=33 suid=33
>>> fsuid=33
>>> >> egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2"
>>> >> exe="/usr/lib/apache2/mpm-prefork/apache2" key="network_outbound"
>>> >
>>> > type=SOCKADDR msg=audit(1423002916.796:24545371):
>>> *saddr=0100*<truncated to
>>> >> remove the hex-encoded file path>
>>> >
>>> >
>>> > Is there an easy way to filter these out so that we only have
>>> saddr=0200...
>>> > messages left?
>>> >
>>> > I'm exporting the log to an external syslog server and it would help
>>> > considerably if I could eliminate this from all of our servers.
>>> >
>>> > I see that auditctl has a *filetype* filter which can be set to filter
>>> > *socket* or *file* types. Is that the right way to filter these
>>> messages?
>>> >
>>> > -a exit,always -F arch=b64 -F filetype=socket -S connect -k
>>> network_outbound
>>>
>>> does -F filetype!=socket work?
>>>
>>> > The above rule filters out everything but the af_unix connect syscalls,
>>> > which is the opposite of what I'm looking for.
>>> >
>>> > Any help would be appreciated.
>>> >
>>> > Thanks,
>>> > Farhan
>>> > --
>>> > Linux-audit mailing list
>>> > Linux-audit at redhat.com
>>> > https://www.redhat.com/mailman/listinfo/linux-audit
>>>
>>
>>
>