After some log analysis it looks like filtering on "a2=10" only shows network activity. From what I understand, this is the address length (*int addrlen*) argument in the sys_connect function.

Traced it down to this comment in socket.c. Sounds like filtering for a2=10 and a2=18 (to account for IPv6) may work.

    #define MAX_SOCK_ADDR 128    /* 108 for Unix domain -
                                    16 for IP, 16 for IPX,
                                    24 for IPv6,
                                    about 80 for AX.25
                                    must be at least one bigger than
                                    the AF_UNIX size (see net/unix/af_unix.c
                                    :unix_mkname()).
                                  */

10 hex = 16 dec and 18 hex = 24 dec

I hope someone can correct me if I sound like I'm not all there.

Farhan

On Tue, Feb 3, 2015 at 6:53 PM, F Rafi <farhani...@gmail.com> wrote:
> Correction. Both filetype=socket and !=socket result in just saddr=0100..
> events. Seems like this is not the way to go.
>
> Farhan
>
> On Tue, Feb 3, 2015 at 6:24 PM, F Rafi <farhani...@gmail.com> wrote:
>
>> Sorry, I should have mentioned that I already tried that. That results in
>> no logs being generated for that rule.
>>
>> Thanks,
>> Farhan
>>
>> On Tue, Feb 3, 2015 at 6:21 PM, Peter Moody <pmo...@google.com> wrote:
>>
>>> On Tue, Feb 03 2015 at 14:57, F Rafi wrote:
>>> > Hi folks,
>>> >
>>> > <n00b alert>
>>> >
>>> > I have auditing for outbound connect requests working using the Connect
>>> > (sys_connect) syscall on a server running *Ubuntu precise 12.04 LTS*.
>>> >
>>> > The rule I'm using is:
>>> >
>>> > -a exit,always -F arch=b64 -S connect -k network_outbound
>>> >
>>> > I'm getting a substantial amount of saddr=0100.... logs, which I understand
>>> > are not connections to a remote host but rather a local AF_UNIX socket
>>> > pointing to a file. Example log message is:
>>> >
>>> > type=SYSCALL msg=audit(1423002916.796:24545371): arch=c000003e syscall=42
>>> > success=no exit=-2 a0=294 a1=7fff97f62680 a2=6e a3=7fff97f62860 items=0
>>> > ppid=20546 pid=21439 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33
>>> > egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2"
>>> > exe="/usr/lib/apache2/mpm-prefork/apache2" key="network_outbound"
>>> >
>>> > type=SOCKADDR msg=audit(1423002916.796:24545371): *saddr=0100*<truncated to
>>> > remove the hex-encoded file path>
>>> >
>>> > Is there an easy way to filter these out so that we only have saddr=0200...
>>> > messages left?
>>> >
>>> > I'm exporting the log to an external syslog server and it would help
>>> > considerably if I could eliminate this from all of our servers.
>>> >
>>> > I see that auditctl has a *filetype* filter which can be set to filter
>>> > *socket* or *file* types. Is that the right way to filter these messages?
>>> >
>>> > -a exit,always -F arch=b64 -F filetype=socket -S connect -k network_outbound
>>>
>>> does -F filetype!=socket work?
>>>
>>> > The above rule filters out everything but the af_unix connect syscalls,
>>> > which is the opposite of what I'm looking for.
>>> >
>>> > Any help would be appreciated.
>>> >
>>> > Thanks,
>>> > Farhan
>>> > --
>>> > Linux-audit mailing list
>>> > Linux-audit@redhat.com
>>> > https://www.redhat.com/mailman/listinfo/linux-audit
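As an added example (not from the thread, and not part of auditd), here is a small Python filter that joins each SYSCALL record with its SOCKADDR record by the msg=audit(ts:serial) id and keeps only the connect() events whose saddr decodes to AF_INET or AF_INET6, which drops the saddr=0100... AF_UNIX events without relying on the addrlen value alone. The sample records are constructed (paths and addresses made up, the AF_UNIX saddr truncated as in the thread) and the code assumes x86-64 logs (arch=c000003e, syscall 42 = connect, little-endian sa_family); note that glibc passes sizeof(struct sockaddr_in6) = 28 bytes (a2=1c) for IPv6 connects, so decoding the family from saddr is the more reliable check.

```python
import ipaddress
import re

# Constructed sample records (not from the thread): an IPv4, an AF_UNIX and an
# IPv6 connect(). Paths/addresses are made up; the AF_UNIX saddr is truncated.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1423002916.796:1): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff97f62680 a2=10 a3=0 comm="curl" exe="/usr/bin/curl" key="network_outbound"
type=SOCKADDR msg=audit(1423002916.796:1): saddr=02000050C0A801010000000000000000
type=SYSCALL msg=audit(1423002917.100:2): arch=c000003e syscall=42 success=no exit=-2 a0=294 a1=7fff97f62680 a2=6e a3=7fff97f62860 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key="network_outbound"
type=SOCKADDR msg=audit(1423002917.100:2): saddr=01002F7661722F72756E2F6D7973716C642F6D7973716C642E736F636B00
type=SYSCALL msg=audit(1423002918.200:3): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7fff97f62680 a2=1c a3=0 comm="ssh" exe="/usr/bin/ssh" key="network_outbound"
type=SOCKADDR msg=audit(1423002918.200:3): saddr=0A0000160000000020010DB800000000000000000000000100000000
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<id>[\d.]+:\d+)\): (?P<body>.*)$')
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10  # Linux sa_family values

def parse_fields(body):
    """key=value pairs of one audit record; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}

def decode_saddr(hexstr):
    """Decode SOCKADDR saddr: sa_family (host order, little-endian on x86-64), then the family layout."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[:2], 'little')
    if family == AF_INET and len(raw) >= 8:       # struct sockaddr_in, 16 bytes (a2=10)
        return {'family': 'AF_INET', 'addr': str(ipaddress.IPv4Address(raw[4:8])), 'port': int.from_bytes(raw[2:4], 'big')}
    if family == AF_INET6 and len(raw) >= 24:     # struct sockaddr_in6, 28 bytes (a2=1c)
        return {'family': 'AF_INET6', 'addr': str(ipaddress.IPv6Address(raw[8:24])), 'port': int.from_bytes(raw[2:4], 'big')}
    if family == AF_UNIX:                          # struct sockaddr_un, 110 bytes (a2=6e)
        return {'family': 'AF_UNIX', 'path': raw[2:].split(b'\x00', 1)[0].decode('utf-8', 'replace')}
    return {'family': f'AF_{family}'}

def network_connects(log_text):
    """Join SYSCALL/SOCKADDR records by audit id and keep only IPv4/IPv6 connects."""
    events = {}
    for line in log_text.splitlines():
        if m := RECORD_RE.match(line):
            events.setdefault(m['id'], {})[m['type']] = parse_fields(m['body'])
    out = []
    for aid, recs in events.items():
        sc, sa = recs.get('SYSCALL'), recs.get('SOCKADDR')
        if not sc or not sa or sc.get('syscall') != '42':   # 42 = connect on x86-64
            continue
        dec = decode_saddr(sa['saddr'])
        if dec['family'] in ('AF_INET', 'AF_INET6'):        # drops the saddr=0100... AF_UNIX events
            dec.update(id=aid, comm=sc.get('comm'), success=sc.get('success'), addrlen=int(sc['a2'], 16))
            out.append(dec)
    return out
```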