Correction. Both filetype=socket and !=socket result in just saddr=0100..
events. Seems like this is not the way to go.
Farhan
On Tue, Feb 3, 2015 at 6:24 PM, F Rafi <farhanible(a)gmail.com> wrote:
Sorry, I should have mentioned that I already tried that. That results in
no logs being generated for that rule.
Thanks,
Farhan
On Tue, Feb 3, 2015 at 6:21 PM, Peter Moody <pmoody(a)google.com> wrote:
>
> On Tue, Feb 03 2015 at 14:57, F Rafi wrote:
> > Hi folks,
> >
> > <n00b alert>
> >
> > I have auditing for outbound connect requests working using the Connect
> > (sys_connect) syscall on a server running *Ubuntu precise 12.04 LTS*.
> >
> > The rule I'm using is:
> >
> > -a exit,always -F arch=b64 -S connect -k network_outbound
> >
> > I'm getting a substantial amount of saddr=0100.... logs, which I understand
> > are not connections to a remote host but rather a local AF_UNIX socket
> > pointing to a file. Example log message is:
> >
> > type=SYSCALL msg=audit(1423002916.796:24545371): arch=c000003e syscall=42
> > success=no exit=-2 a0=294 a1=7fff97f62680 a2=6e a3=7fff97f62860 items=0
> > ppid=20546 pid=21439 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33
> > egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2"
> > exe="/usr/lib/apache2/mpm-prefork/apache2" key="network_outbound"
> >
> > type=SOCKADDR msg=audit(1423002916.796:24545371): *saddr=0100*<truncated to
> > remove the hex-encoded file path>
> >
> > Is there an easy way to filter these out so that we only have saddr=0200...
> > messages left?
> >
> > I'm exporting the log to an external syslog server and it would help
> > considerably if I could eliminate this from all of our servers.
> >
> > I see that auditctl has a *filetype* filter which can be set to filter
> > *socket* or *file* types. Is that the right way to filter these messages?
> >
> > -a exit,always -F arch=b64 -F filetype=socket -S connect -k network_outbound
>
> does -F filetype!=socket work?
>
> > The above rule filters out everything but the af_unix connect syscalls,
> > which is the opposite of what I'm looking for.
> >
> > Any help would be appreciated.
> >
> > Thanks,
> > Farhan
> > --
> > Linux-audit mailing list
> > Linux-audit(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
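Since the in-kernel filetype filter does not separate the two cases in this thread, one place the filtering can still be done is on the collector side before forwarding to syslog. The following is an added example (not code from the thread or from the audit project): it decodes the hex-encoded saddr= field of SOCKADDR records, groups records by audit event id, and drops every event whose address family is AF_UNIX (saddr=0100...), keeping AF_INET (0200...) and AF_INET6 ones. The sample records, the socket path and the 192.168.1.5:80 destination are constructed; the sockaddr layout assumed is the x86-64 one (sa_family in little-endian host order, ports in network order).

```python
import re
import socket
import struct

AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10

# Constructed sample records modelled on the thread: an AF_UNIX connect (saddr=0100...)
# to a made-up socket path, then an AF_INET connect (saddr=0200...) to 192.168.1.5:80.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1423002916.796:24545371): arch=c000003e syscall=42 success=no exit=-2 comm="apache2" key="network_outbound"
type=SOCKADDR msg=audit(1423002916.796:24545371): saddr=01002F7661722F72756E2F6D7973716C642F6D7973716C642E736F636B00
type=SYSCALL msg=audit(1423002916.797:24545372): arch=c000003e syscall=42 success=yes exit=0 comm="curl" key="network_outbound"
type=SOCKADDR msg=audit(1423002916.797:24545372): saddr=02000050C0A801050000000000000000
"""

MSG_RE = re.compile(r"msg=audit\((?P<id>\d+\.\d+:\d+)\)")
SADDR_RE = re.compile(r"\bsaddr=([0-9A-Fa-f]+)")


def decode_saddr(hexstr):
    """Decode audit's hex-encoded struct sockaddr. sa_family is host byte order
    (little-endian on x86-64); port numbers are network byte order."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == AF_UNIX:  # sockaddr_un: NUL-terminated path follows the family
        path = raw[2:].split(b"\0", 1)[0].decode("utf-8", "replace")
        return {"family": "AF_UNIX", "path": path}
    if family == AF_INET and len(raw) >= 8:  # sockaddr_in: port at 2, in_addr at 4
        port = struct.unpack_from("!H", raw, 2)[0]
        return {"family": "AF_INET", "addr": socket.inet_ntoa(raw[4:8]), "port": port}
    if family == AF_INET6 and len(raw) >= 24:  # sockaddr_in6: port at 2, in6_addr at 8
        port = struct.unpack_from("!H", raw, 2)[0]
        return {"family": "AF_INET6", "addr": socket.inet_ntop(socket.AF_INET6, raw[8:24]), "port": port}
    return {"family": family}


def filter_remote_connects(lines):
    """Group records by audit event id; keep only events whose SOCKADDR is not AF_UNIX."""
    events = {}  # event id -> records, in first-seen order
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            events.setdefault(m.group("id"), []).append(line)
    kept = []
    for records in events.values():
        families = [decode_saddr(s.group(1))["family"]
                    for s in map(SADDR_RE.search, records) if s]
        if "AF_UNIX" not in families:
            kept.extend(records)
    return kept
```

Run on the sample, `filter_remote_connects(SAMPLE_LOG.splitlines())` returns only the two records of event 24545372; records of an event that has no SOCKADDR at all are passed through unchanged.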