Hi folks,

<n00b alert>

I have auditing of outbound connect requests working via the connect (sys_connect) syscall on a server running Ubuntu 12.04 LTS (precise).

The rule I'm using is:

-a exit,always -F arch=b64 -S connect -k network_outbound

I'm getting a substantial number of saddr=0100... log entries, which I understand are not connections to a remote host but rather to a local AF_UNIX socket pointing to a file. An example log message is:

type=SYSCALL msg=audit(1423002916.796:24545371): arch=c000003e syscall=42 success=no exit=-2 a0=294 a1=7fff97f62680 a2=6e a3=7fff97f62860 items=0 ppid=20546 pid=21439 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key="network_outbound"
type=SOCKADDR msg=audit(1423002916.796:24545371): saddr=0100<truncated to remove the hex-encoded file path>

Is there an easy way to filter these out so that only the saddr=0200... messages are left?

I'm exporting the log to an external syslog server and it would help considerably if I could eliminate this from all of our servers.

I see that auditctl has a filetype filter, which can be set to match socket or file types. Is that the right way to filter these messages?

-a exit,always -F arch=b64 -F filetype=socket -S connect -k network_outbound

The above rule filters out everything but the AF_UNIX connect syscalls, which is the opposite of what I'm looking for.

Any help would be appreciated.

Thanks,
Farhan
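An added example, not part of Farhan's post and not a solution the list proposed: since the events are being exported to a syslog server anyway, one place the AF_UNIX noise can be dropped is in user space, on the log stream. The script below pairs each SYSCALL record with the SOCKADDR record sharing its audit serial, decodes the leading two bytes of saddr= as sa_family (stored in host byte order, so on x86_64 "0100" is AF_UNIX, "0200" is AF_INET and "0A00" is AF_INET6), discards AF_UNIX connects, and decodes the address and port of everything else. The log lines it runs on are constructed for this example: the mysqld socket path and the 10.0.0.5:443 destination are invented, as are the serial numbers.

```python
import re
import socket
import struct

# Constructed sample audit records (not from the original post). Serial 1001 is
# an AF_UNIX connect to an invented mysqld socket path; serial 1002 is an
# AF_INET connect to 10.0.0.5:443. Field values other than saddr= are copied
# in form from the post's example record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1423002916.796:1001): arch=c000003e syscall=42 success=no exit=-2 a0=294 a1=7fff97f62680 a2=6e a3=7fff97f62860 items=0 ppid=20546 pid=21439 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key="network_outbound"
type=SOCKADDR msg=audit(1423002916.796:1001): saddr=01002F7661722F72756E2F6D7973716C642F6D7973716C642E736F636B00
type=SYSCALL msg=audit(1423002917.001:1002): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7fff97f62680 a2=10 a3=0 items=0 ppid=20546 pid=21440 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key="network_outbound"
type=SOCKADDR msg=audit(1423002917.001:1002): saddr=020001BB0A0000050000000000000000
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>): <rest of record>
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')


def parse_records(text):
    """Group raw audit records by event serial: {serial: {record type: body}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        events.setdefault(m.group('serial'), {})[m.group('type')] = m.group('body')
    return events


def decode_saddr(hexstr):
    """Decode the hex-encoded struct sockaddr logged in a SOCKADDR record.

    The first two bytes are sa_family in host byte order (little-endian on
    x86_64). Port numbers inside sockaddr_in/sockaddr_in6 are network order.
    """
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2:
        return {'family': None}
    family = struct.unpack('<H', raw[:2])[0]
    if family == socket.AF_UNIX:
        # Abstract-namespace sockets start with a NUL byte; filesystem paths
        # are NUL-terminated within the (usually zero-padded) sun_path buffer.
        if raw[2:3] == b'\x00':
            return {'family': 'AF_UNIX', 'path': '@' + raw[3:].rstrip(b'\x00').decode('utf-8', 'replace')}
        path = raw[2:].split(b'\x00', 1)[0]
        return {'family': 'AF_UNIX', 'path': path.decode('utf-8', 'replace')}
    if family == socket.AF_INET and len(raw) >= 8:
        return {'family': 'AF_INET',
                'addr': socket.inet_ntop(socket.AF_INET, raw[4:8]),
                'port': struct.unpack('!H', raw[2:4])[0]}
    if family == socket.AF_INET6 and len(raw) >= 24:
        # sockaddr_in6: family(2) port(2) flowinfo(4) addr(16) scope_id(4)
        return {'family': 'AF_INET6',
                'addr': socket.inet_ntop(socket.AF_INET6, raw[8:24]),
                'port': struct.unpack('!H', raw[2:4])[0]}
    return {'family': family}


def remote_connects(text):
    """Return (serial, comm, decoded saddr) for every event that is not an
    AF_UNIX connect, i.e. the events worth forwarding to the syslog server."""
    kept = []
    for serial, recs in sorted(parse_records(text).items(), key=lambda kv: int(kv[0])):
        sock = recs.get('SOCKADDR')
        if sock is None:
            continue
        m = re.search(r'saddr=([0-9A-Fa-f]+)', sock)
        if not m:
            continue
        info = decode_saddr(m.group(1))
        if info['family'] == 'AF_UNIX':
            continue  # local socket file, not a remote host
        comm = re.search(r'comm="([^"]*)"', recs.get('SYSCALL', ''))
        kept.append((serial, comm.group(1) if comm else None, info))
    return kept


if __name__ == '__main__':
    for serial, comm, info in remote_connects(SAMPLE_LOG):
        print(serial, comm, info)
```

Run against a real stream it would read /var/log/audit/audit.log (or the audispd syslog output) instead of SAMPLE_LOG; the important detail is that SYSCALL and SOCKADDR arrive as separate records and must be correlated on the serial before the family check decides whether to drop the event.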