* Filtering Connect syscalls for af_inet only
@ 2015-02-03 22:57 F Rafi
From: F Rafi @ 2015-02-03 22:57 UTC (permalink / raw)
  To: linux-audit



Hi folks,

<n00b alert>

I have auditing for outbound connect requests working using the Connect
(sys_connect) syscall on a server running Ubuntu precise 12.04 LTS.

The rule I'm using is:

-a exit,always -F arch=b64 -S connect -k network_outbound

I'm getting a substantial amount of saddr=0100.... logs, which I understand
are not connections to a remote host but rather a local AF_UNIX socket
pointing to a file. Example log message is:

type=SYSCALL msg=audit(1423002916.796:24545371): arch=c000003e syscall=42
success=no exit=-2 a0=294 a1=7fff97f62680 a2=6e a3=7fff97f62860 items=0
ppid=20546 pid=21439 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33
egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2"
exe="/usr/lib/apache2/mpm-prefork/apache2" key="network_outbound"

type=SOCKADDR msg=audit(1423002916.796:24545371): saddr=0100<truncated to
remove the hex-encoded file path>

Is there an easy way to filter these out so that we only have saddr=0200...
messages left?

I'm exporting the log to an external syslog server and it would help
considerably if I could eliminate this from all of our servers.

I see that auditctl has a filetype filter which can be set to filter
socket or file types. Is that the right way to filter these messages?

-a exit,always -F arch=b64 -F filetype=socket -S connect -k network_outbound

The above rule filters out everything but the af_unix connect syscalls,
which is the opposite of what I'm looking for.

Any help would be appreciated.

Thanks,
Farhan


* Re: Filtering Connect syscalls for af_inet only
From: Peter Moody @ 2015-02-03 23:21 UTC (permalink / raw)
  To: F Rafi; +Cc: linux-audit


On Tue, Feb 03 2015 at 14:57, F Rafi wrote:
> I see that auditctl has a *filetype* filter which can be set to filter
> *socket* or *file* types. Is that the right way to filter these messages?
>
> -a exit,always -F arch=b64 -F filetype=socket -S connect -k network_outbound

does -F filetype!=socket work?

> The above rule filters out everything but the af_unix connect syscalls,
> which is the opposite of what I'm looking for.
>
> Any help would be appreciated.
>
> Thanks,
> Farhan


* Re: Filtering Connect syscalls for af_inet only
From: F Rafi @ 2015-02-03 23:24 UTC (permalink / raw)
  To: Peter Moody; +Cc: linux-audit



Sorry, I should have mentioned that I already tried that. That results in
no logs being generated for that rule.

Thanks,
Farhan



* Re: Filtering Connect syscalls for af_inet only
From: F Rafi @ 2015-02-03 23:53 UTC (permalink / raw)
  To: Peter Moody; +Cc: linux-audit



Correction. Both filetype=socket and !=socket result in just saddr=0100..
events. Seems like this is not the way to go.

Farhan



* Re: Filtering Connect syscalls for af_inet only
From: F Rafi @ 2015-02-05  1:19 UTC (permalink / raw)
  To: Peter Moody; +Cc: linux-audit



After some log analysis it looks like filtering on "a2=10" only shows
network activity. From what I understand, this is the address length (*int
addrlen*) argument in the sys_connect function.

Traced it down to this comment in socket.c. Sounds like filtering for a2=10
and a2=18 (to account for IPv6) may work.

#define MAX_SOCK_ADDR 128    /* 108 for Unix domain -
                                16 for IP, 16 for IPX,
                                24 for IPv6,
                                about 80 for AX.25
                                must be at least one bigger than
                                the AF_UNIX size (see net/unix/af_unix.c
                                :unix_mkname()).
                              */

10 hex = 16 dec and 18 hex = 24 dec

I hope someone can correct me if I sound like I'm not all there.

Farhan





* Re: Filtering Connect syscalls for af_inet only
From: Paul Moore @ 2015-02-05 14:39 UTC (permalink / raw)
  To: F Rafi; +Cc: linux-audit

On Wed, Feb 4, 2015 at 8:19 PM, F Rafi <farhanible@gmail.com> wrote:
> After some log analysis it looks like filtering on "a2=10" only shows
> network activity. From what I understand, this is the address length (int
> addrlen) argument in the sys_connect function.
>
> Traced it down to this comment in socket.c. Sounds like filtering for a2=10
> and a2=18 (to account for IPv6) may work.
>
> #define MAX_SOCK_ADDR 128    /* 108 for Unix domain -
>                                 16 for IP, 16 for IPX,
>                                 24 for IPv6,
>                                 about 80 for AX.25
>                                 must be at least one bigger than
>                                 the AF_UNIX size (see net/unix/af_unix.c
>                                 :unix_mkname()).
>                               */
>
> 10 hex = 16 dec and 18 hex = 24 dec
>
> I hope someone can correct me if I sound like I'm not all there.

[Ooops, hit "reply" instead of "reply-to-all"]

A few things come to mind with this approach:

* This will not work on x86 due to the socketcall() syscall multiplexer.

* This doesn't solve the problem for applications that leverage the
address family independent sockaddr_storage structure.

-- 
paul moore
www.paul-moore.com


* Re: Filtering Connect syscalls for af_inet only
From: F Rafi @ 2015-02-05 15:31 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit



Ahh..thanks Paul!

Is there a better way to intercept outbound network access calls while
avoiding af_unix?

I assume sockaddr_storage is just a different size (I think 128?)

Thanks
Farhan



* Re: Filtering Connect syscalls for af_inet only
From: Paul Moore @ 2015-02-05 15:38 UTC (permalink / raw)
  To: F Rafi; +Cc: linux-audit

On Thu, Feb 5, 2015 at 10:31 AM, F Rafi <farhanible@gmail.com> wrote:
> Ahh..thanks Paul!
>
> Is there a better way to intercept outbound network access calls while
> avoiding af_unix?

I'm not sure; I'm not overly familiar with the auditd/auditctl
filtering capabilities.  There are several people on this list who
are far more knowledgeable about that than me.

> I assume sockaddr_storage is just a different size (I think 128?)

The idea behind the sockaddr_storage struct was to create a structure
that could be used to represent any address family that the system
supports.  I don't believe there is a standard size across OSes due to
different levels of support, padding, etc.; in other words, it's
probably best not to rely on a specific size of sockaddr_storage.

-- 
paul moore
www.paul-moore.com


* Re: Filtering Connect syscalls for af_inet only
From: F Rafi @ 2015-02-05 19:06 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit



I did some digging and now I understand the different size variations of
sockaddr_storage. I guess I can just filter on a2!=6e then.

And we'd have to keep an eye out for x86 systems. I understand that x86_64
does not use socketcall(), but do you know if multiarch support somehow
allows 32-bit apps on x86_64 to use / translate these calls?

Thanks again!
Farhan



* Re: Filtering Connect syscalls for af_inet only
From: Paul Moore @ 2015-02-05 20:16 UTC (permalink / raw)
  To: F Rafi; +Cc: linux-audit

On Thu, Feb 5, 2015 at 2:06 PM, F Rafi <farhanible@gmail.com> wrote:
> I did some digging and now I understand the different size variations of
> sockaddr_storage. I guess I can just filter on a2!=6e then.

I assume 0x6e is the size of sockaddr_un?  I would still caution
against filtering on any particular size as you could still use
sockaddr_storage for AF_UNIX.  Granted, it's unlikely, but it is
possible.

> And we'd have to keep an eye out for x86 systems. I understand that x86_64
> does not use socketcall() but, do you know if multiarch support somehow
> allows 32bit apps on x86_64 to use / translate these calls?

32-bit x86 applications running on a x86_64 system use the 32-bit
socketcall() system call; there is no way around that, it's part of
the 32-bit x86 ABI for Linux.

-- 
paul moore
www.paul-moore.com


* Re: Filtering Connect syscalls for af_inet only
From: Hassan Sultan @ 2015-02-05 20:26 UTC (permalink / raw)
  To: Paul Moore, F Rafi; +Cc: linux-audit



Wouldn't x86 simply be a filter with 2 comparisons: one on a0 to filter
only connect, and one on a3 for the sockaddr size?

Basically, on x86 you have one rule: the one with 2 comparisons.
On x64 you have 2 rules: one on the connect syscall, and one on the
socketcall syscall with 2 comparisons.

Thanks,

Hassan



* Re: Filtering Connect syscalls for af_inet only
From: Paul Moore @ 2015-02-05 20:34 UTC (permalink / raw)
  To: Hassan Sultan; +Cc: linux-audit

On Thu, Feb 5, 2015 at 3:26 PM, Hassan Sultan <hsultan@thefroid.net> wrote:
> Wouldn't x86 simply be a filter with 2 comparisons : one on a0 to filter
> only connect, and one on a3 for the sockaddr size ?
>
> Basically, on x86 you have one rule : the one with 2 comparisons
> On x64 you have 2 rules : one on the connect syscall, and one on the
> socketcall syscall with 2 comparisons

The socketcall() syscall takes two arguments: the first indicates the
syscall (e.g. connect()) and the second is a binary blob that contains
the arguments for the socket syscall.

-- 
paul moore
www.paul-moore.com
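As an added example (not code from the thread or from the audit project), here is a post-processor for exported audit records that decides the address family from the SOCKADDR record's saddr bytes instead of from a2, which is the point Farhan's addrlen heuristic, Paul's sockaddr_storage caveat and the x86 socketcall() discussion all turn on. The records are constructed for the example; it assumes Linux sa_family values and that sizeof(struct sockaddr_in6) is 28 (0x1c) on Linux.

```python
import ipaddress
import re
from collections import defaultdict

# sa_family values on Linux, hard-coded because the records come from a
# Linux host even when this script runs elsewhere.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10

# Constructed sample records (not from the thread); saddr dumps are shortened.
#  1: AF_UNIX, a2=0x6e (sizeof sockaddr_un)   2: AF_INET, a2=0x10 (sockaddr_in)
#  3: AF_INET6, a2=0x1c (sockaddr_in6)        4: AF_UNIX via sockaddr_storage, a2=0x80
#  5: 32-bit binary on x86_64: socketcall(SYS_CONNECT=3, args) -> syscall=102,
#     a0 is the call number and a2 has nothing to do with the address length
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1423002916.796:1): arch=c000003e syscall=42 success=no exit=-2 a0=294 a1=7fff97f62680 a2=6e a3=7fff97f62860 comm="apache2" key="network_outbound"
type=SOCKADDR msg=audit(1423002916.796:1): saddr=01002F746D702F782E736F636B00
type=SYSCALL msg=audit(1423002917.100:2): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1c0a0000 a2=10 a3=0 comm="curl" key="network_outbound"
type=SOCKADDR msg=audit(1423002917.100:2): saddr=020001BBC0A800010000000000000000
type=SYSCALL msg=audit(1423002917.200:3): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1c0a0000 a2=1c a3=0 comm="curl" key="network_outbound"
type=SOCKADDR msg=audit(1423002917.200:3): saddr=0A0001BB0000000020010DB800000000000000000000000100000000
type=SYSCALL msg=audit(1423002917.300:4): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd1c0a0000 a2=80 a3=0 comm="app" key="network_outbound"
type=SOCKADDR msg=audit(1423002917.300:4): saddr=01002F72756E2F6170702E736F636B00
type=SYSCALL msg=audit(1423002917.400:5): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=ffd5e0c0 a2=0 a3=0 comm="legacy" key="network_outbound"
type=SOCKADDR msg=audit(1423002917.400:5): saddr=020001BBC0A800010000000000000000
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def parse_line(line):
    """Split one audit record into a dict of key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def group_events(log_text):
    """Join each SYSCALL record with its SOCKADDR record via the audit serial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if m:
            fields = parse_line(line)
            events[int(m.group(1))][fields["type"]] = fields
    return dict(sorted(events.items()))


def saddr_endpoint(saddr_hex):
    """Decode (family, host, port) from the raw sockaddr bytes audit dumps.
    sa_family is the first two bytes in host byte order, so on x86 '0100' is
    AF_UNIX and '0200' is AF_INET; ports are big-endian (network order)."""
    raw = bytes.fromhex(saddr_hex)
    fam = int.from_bytes(raw[:2], "little")
    if fam == AF_INET:    # sockaddr_in: port at offset 2, IPv4 address at 4
        return fam, str(ipaddress.IPv4Address(raw[4:8])), int.from_bytes(raw[2:4], "big")
    if fam == AF_INET6:   # sockaddr_in6: port at 2, flowinfo at 4, address at 8
        return fam, str(ipaddress.IPv6Address(raw[8:24])), int.from_bytes(raw[2:4], "big")
    if fam == AF_UNIX:    # sockaddr_un: NUL-terminated path (empty = abstract)
        return fam, raw[2:].split(b"\0", 1)[0].decode(errors="replace"), None
    return fam, None, None


def inet_connects(log_text):
    """Serials of connect() events whose sockaddr family is AF_INET or AF_INET6,
    decided from SOCKADDR, which audit also emits for socketcall()-based connects."""
    return [serial for serial, ev in group_events(log_text).items()
            if "SOCKADDR" in ev
            and saddr_endpoint(ev["SOCKADDR"]["saddr"])[0] in (AF_INET, AF_INET6)]


def addrlen_connects(log_text, keep):
    """The thread's heuristic: select events by a2 (addrlen) using keep(n)."""
    return [serial for serial, ev in group_events(log_text).items()
            if keep(int(ev["SYSCALL"]["a2"], 16))]


if __name__ == "__main__":
    print("by family   :", inet_connects(SAMPLE_LOG))
    print("a2 in 10/18 :", addrlen_connects(SAMPLE_LOG, lambda n: n in (0x10, 0x18)))
    print("a2 != 6e    :", addrlen_connects(SAMPLE_LOG, lambda n: n != 0x6e))
```

Run stand-alone it shows the family-based selection picking events 2, 3 and 5, while "a2 in (0x10, 0x18)" misses the IPv6 and socketcall events and "a2 != 0x6e" wrongly keeps the AF_UNIX connect made through a sockaddr_storage.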
