From: F Rafi
Subject: Re: Filtering Connect syscalls for af_inet only
Date: Tue, 3 Feb 2015 18:24:32 -0500
To: Peter Moody
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Sorry, I should have mentioned that I already tried that. That results in no logs being generated for that rule.

Thanks,
Farhan

On Tue, Feb 3, 2015 at 6:21 PM, Peter Moody wrote:
>
> On Tue, Feb 03 2015 at 14:57, F Rafi wrote:
> > Hi folks,
> >
> > <n00b alert>
> >
> > I have auditing for outbound connect requests working using the Connect
> > (sys_connect) syscall on a server running *Ubuntu precise 12.04 LTS*.
> >
> > The rule I'm using is:
> >
> > -a exit,always -F arch=b64 -S connect -k network_outbound
> >
> > I'm getting a substantial amount of saddr=0100.... logs, which I understand
> > are not connections to a remote host but rather a local AF_UNIX socket
> > pointing to a file. Example log message is:
> >
> > type=SYSCALL msg=audit(1423002916.796:24545371): arch=c000003e syscall=42
> >> success=no exit=-2 a0=294 a1=7fff97f62680 a2=6e a3=7fff97f62860 items=0
> >> ppid=20546 pid=21439 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33
> >> egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2"
> >> exe="/usr/lib/apache2/mpm-prefork/apache2" key="network_outbound"
> >
> > type=SOCKADDR msg=audit(1423002916.796:24545371): *saddr=0100* <truncated to
> >> remove the hex-encoded file path>
> >
> > Is there an easy way to filter these out so that we only have saddr=0200...
> > messages left?
> >
> > I'm exporting the log to an external syslog server and it would help
> > considerably if I could eliminate this from all of our servers.
> >
> > I see that auditctl has a *filetype* filter which can be set to filter
> > *socket* or *file* types. Is that the right way to filter these messages?
> >
> > -a exit,always -F arch=b64 -F filetype=socket -S connect -k network_outbound
>
> does -F filetype!=socket work?
>
> > The above rule filters out everything but the af_unix connect syscalls,
> > which is the opposite of what I'm looking for.
> >
> > Any help would be appreciated.
> >
> > Thanks,
> > Farhan
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
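The distinction the thread turns on lives in the SOCKADDR record: audit emits the raw struct sockaddr as hex, and its first two bytes are sa_family in host byte order, so on x86-64 a record beginning 0100 is AF_UNIX (1), 0200 is AF_INET (2) and 0A00 is AF_INET6 (10). Since the kernel-side filetype filter did not give Farhan what he wanted, here is an added example (mine, not code from the list or from audit itself) of doing the filtering where the log is collected, before it is forwarded to syslog: decode the family from saddr and drop whole AF_UNIX events, SYSCALL record included. The sample records are constructed; the socket path and the two inet addresses do not come from the thread.

```python
import re
import socket
import struct
# Constructed sample (not from the thread). Linux sa_family values are AF_UNIX=1,
# AF_INET=2, AF_INET6=10; audit emits the raw struct sockaddr as hex with the family
# in host byte order (little-endian on x86-64), hence the 0100 / 0200 / 0A00 prefixes.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10
UNIX_SADDR = "0100" + b"/tmp/x\0".hex().upper()                        # made-up socket path
INET_SADDR = "0200" + "0050" + "7F000001" + "00" * 8                     # 127.0.0.1:80
INET6_SADDR = "0A00" + "01BB" + "00" * 4 + "00" * 15 + "01" + "00" * 4   # [::1]:443
SAMPLE_LOG = "\n".join("type=%s msg=audit(%s): %s" % rec for rec in [
    ("SYSCALL", "1423002916.796:24545371", 'arch=c000003e syscall=42 success=no exit=-2 a0=294 comm="apache2" key="network_outbound"'),
    ("SOCKADDR", "1423002916.796:24545371", "saddr=" + UNIX_SADDR),
    ("SYSCALL", "1423002917.001:24545372", 'arch=c000003e syscall=42 success=yes exit=0 a0=12 comm="apache2" key="network_outbound"'),
    ("SOCKADDR", "1423002917.001:24545372", "saddr=" + INET_SADDR),
    ("SYSCALL", "1423002917.002:24545373", 'arch=c000003e syscall=42 success=yes exit=0 a0=13 comm="curl" key="network_outbound"'),
    ("SOCKADDR", "1423002917.002:24545373", "saddr=" + INET6_SADDR)])
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):(.*)$")
SADDR_RE = re.compile(r"\bsaddr=([0-9A-Fa-f]+)")

def sockaddr_family(saddr_hex):
    """sa_family from the first two bytes of the hex-encoded struct sockaddr."""
    return struct.unpack("<H", bytes.fromhex(saddr_hex[:4]))[0]

def decode_inet(saddr_hex):
    """(ip, port) for an AF_INET / AF_INET6 saddr; None for any other family."""
    raw = bytes.fromhex(saddr_hex)
    fam = sockaddr_family(saddr_hex)
    if fam == AF_INET and len(raw) >= 8:      # sockaddr_in: family, port, addr
        return socket.inet_ntop(socket.AF_INET, raw[4:8]), struct.unpack("!H", raw[2:4])[0]
    if fam == AF_INET6 and len(raw) >= 24:    # sockaddr_in6: family, port, flowinfo, addr
        return socket.inet_ntop(socket.AF_INET6, raw[8:24]), struct.unpack("!H", raw[2:4])[0]
    return None

def filter_inet_events(lines, keep=(AF_INET, AF_INET6)):
    """Group records by audit event id (timestamp:serial) and drop every record of an
    event whose SOCKADDR family is not in `keep`; events with no SOCKADDR pass through."""
    events = {}
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m:
            events.setdefault(m.group(2), []).append((m.group(1), line.rstrip("\n")))
    kept = []
    for records in events.values():
        families = [sockaddr_family(SADDR_RE.search(body).group(1))
                    for rtype, body in records if rtype == "SOCKADDR" and SADDR_RE.search(body)]
        if families and not any(fam in keep for fam in families):
            continue
        kept.extend(body for _, body in records)
    return kept
```

Grouping by the audit(timestamp:serial) id matters because the SYSCALL and SOCKADDR records of one connect arrive as separate lines; filtering on the SOCKADDR line alone would leave orphaned SYSCALL records for every AF_UNIX connect.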