* Filtering Connect syscalls for af_inet only
From: F Rafi, 2015-02-03 22:57 UTC
To: linux-audit

Hi folks,

<n00b alert>

I have auditing for outbound connect requests working using the Connect (sys_connect) syscall on a server running Ubuntu precise 12.04 LTS.

The rule I'm using is:

    -a exit,always -F arch=b64 -S connect -k network_outbound

I'm getting a substantial amount of saddr=0100.... logs, which I understand are not connections to a remote host but rather a local AF_UNIX socket pointing to a file. Example log message is:

    type=SYSCALL msg=audit(1423002916.796:24545371): arch=c000003e syscall=42 success=no exit=-2 a0=294 a1=7fff97f62680 a2=6e a3=7fff97f62860 items=0 ppid=20546 pid=21439 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key="network_outbound"
    type=SOCKADDR msg=audit(1423002916.796:24545371): saddr=0100<truncated to remove the hex-encoded file path>

Is there an easy way to filter these out so that we only have saddr=0200... messages left?

I'm exporting the log to an external syslog server and it would help considerably if I could eliminate this from all of our servers.

I see that auditctl has a filetype filter which can be set to filter socket or file types. Is that the right way to filter these messages?

    -a exit,always -F arch=b64 -F filetype=socket -S connect -k network_outbound

The above rule filters out everything but the af_unix connect syscalls, which is the opposite of what I'm looking for.

Any help would be appreciated.

Thanks,
Farhan
* Re: Filtering Connect syscalls for af_inet only
From: Peter Moody, 2015-02-03 23:21 UTC
To: F Rafi; Cc: linux-audit

On Tue, Feb 03 2015 at 14:57, F Rafi wrote:
> Hi folks,
>
> <n00b alert>
>
> I have auditing for outbound connect requests working using the Connect
> (sys_connect) syscall on a server running Ubuntu precise 12.04 LTS.
>
> The rule I'm using is:
>
> -a exit,always -F arch=b64 -S connect -k network_outbound
>
> [...]
>
> I see that auditctl has a filetype filter which can be set to filter
> socket or file types. Is that the right way to filter these messages?
>
> -a exit,always -F arch=b64 -F filetype=socket -S connect -k network_outbound

does -F filetype!=socket work?

> The above rule filters out everything but the af_unix connect syscalls,
> which is the opposite of what I'm looking for.
>
> Any help would be appreciated.
>
> Thanks,
> Farhan
* Re: Filtering Connect syscalls for af_inet only
From: F Rafi, 2015-02-03 23:24 UTC
To: Peter Moody; Cc: linux-audit

Sorry, I should have mentioned that I already tried that. That results in no logs being generated for that rule.

Thanks,
Farhan

On Tue, Feb 3, 2015 at 6:21 PM, Peter Moody <pmoody@google.com> wrote:
> On Tue, Feb 03 2015 at 14:57, F Rafi wrote:
> > [...]
> >
> > -a exit,always -F arch=b64 -F filetype=socket -S connect -k network_outbound
>
> does -F filetype!=socket work?
* Re: Filtering Connect syscalls for af_inet only
From: F Rafi, 2015-02-03 23:53 UTC
To: Peter Moody; Cc: linux-audit

Correction. Both filetype=socket and !=socket result in just saddr=0100.. events. Seems like this is not the way to go.

Farhan

On Tue, Feb 3, 2015 at 6:24 PM, F Rafi <farhanible@gmail.com> wrote:
> Sorry, I should have mentioned that I already tried that. That results in
> no logs being generated for that rule.
>
> [...]
* Re: Filtering Connect syscalls for af_inet only
From: F Rafi, 2015-02-05 1:19 UTC
To: Peter Moody; Cc: linux-audit

After some log analysis it looks like filtering on "a2=10" only shows network activity. From what I understand, this is the address length (int addrlen) argument in the sys_connect function.

Traced it down to this comment in socket.c. Sounds like filtering for a2=10 and a2=18 (to account for IPv6) may work.

    #define MAX_SOCK_ADDR 128    /* 108 for Unix domain -
                                    16 for IP, 16 for IPX,
                                    24 for IPv6,
                                    about 80 for AX.25
                                    must be at least one bigger than
                                    the AF_UNIX size (see net/unix/af_unix.c
                                    :unix_mkname()) */

10 hex = 16 dec and 18 hex = 24 dec

I hope someone can correct me if I sound like I'm not all there.

Farhan

On Tue, Feb 3, 2015 at 6:53 PM, F Rafi <farhanible@gmail.com> wrote:
> Correction. Both filetype=socket and !=socket result in just saddr=0100..
> events. Seems like this is not the way to go.
>
> [...]
* Re: Filtering Connect syscalls for af_inet only
From: Paul Moore, 2015-02-05 14:39 UTC
To: F Rafi; Cc: linux-audit

On Wed, Feb 4, 2015 at 8:19 PM, F Rafi <farhanible@gmail.com> wrote:
> After some log analysis it looks like filtering on "a2=10" only shows
> network activity. From what I understand, this is the address length (int
> addrlen) argument in the sys_connect function.
>
> Traced it down to this comment in socket.c. Sounds like filtering for a2=10
> and a2=18 (to account for IPv6) may work.
>
> #define MAX_SOCK_ADDR 128    /* 108 for Unix domain -
>                                 16 for IP, 16 for IPX,
>                                 24 for IPv6,
>                                 about 80 for AX.25
>                                 must be at least one bigger than
>                                 the AF_UNIX size (see net/unix/af_unix.c
>                                 :unix_mkname()) */
>
> 10 hex = 16 dec and 18 hex = 24 dec
>
> I hope someone can correct me if I sound like I'm not all there.

[Ooops, hit "reply" instead of "reply-to-all"]

A few things come to mind with this approach:

* This will not work on x86 due to the socketcall() syscall multiplexer.

* This doesn't solve the problem for applications that leverage the address family independent sockaddr_storage structure.

-- 
paul moore
www.paul-moore.com
* Re: Filtering Connect syscalls for af_inet only
From: F Rafi, 2015-02-05 15:31 UTC
To: Paul Moore; Cc: linux-audit

Ahh..thanks Paul!

Is there a better way to intercept outbound network access calls while avoiding af_unix?

I assume sockaddr_storage is just a different size (I think 128?)

Thanks
Farhan

On Thursday, February 5, 2015, Paul Moore <paul@paul-moore.com> wrote:
> [...]
>
> A few things come to mind with this approach:
>
> * This will not work on x86 due to the socketcall() syscall multiplexer.
>
> * This doesn't solve the problem for applications that leverage the
> address family independent sockaddr_storage structure.
>
> -- 
> paul moore
> www.paul-moore.com
* Re: Filtering Connect syscalls for af_inet only
From: Paul Moore, 2015-02-05 15:38 UTC
To: F Rafi; Cc: linux-audit

On Thu, Feb 5, 2015 at 10:31 AM, F Rafi <farhanible@gmail.com> wrote:
> Ahh..thanks Paul!
>
> Is there a better way to intercept outbound network access calls while
> avoiding af_unix?

I'm not sure, I'm not overly familiar with the auditd/auditctl filtering capabilities. There are several people on this list that are far more knowledgeable about that than me.

> I assume sockaddr_storage is just a different size (I think 128?)

The idea behind the sockaddr_storage struct was to create a structure that could be used to represent any address family that the system supports. I don't believe there is a standard size across OSes due to different level of support, padding, etc; in other words, it's probably best not to rely on a specific size of sockaddr_storage.

-- 
paul moore
www.paul-moore.com
* Re: Filtering Connect syscalls for af_inet only
From: F Rafi, 2015-02-05 19:06 UTC
To: Paul Moore; Cc: linux-audit

I did some digging and now I understand the different size variations of sockaddr_storage. I guess I can just filter on a2!=6e then.

And we'd have to keep an eye out for x86 systems. I understand that x86_64 does not use socketcall() but, do you know if multiarch support somehow allows 32bit apps on x86_64 to use / translate these calls?

Thanks again!
Farhan

On Thu, Feb 5, 2015 at 10:38 AM, Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Feb 5, 2015 at 10:31 AM, F Rafi <farhanible@gmail.com> wrote:
> > Ahh..thanks Paul!
> >
> > Is there a better way to intercept outbound network access calls while
> > avoiding af_unix?
>
> I'm not sure, I'm not overly familiar with the auditd/auditctl
> filtering capabilities. There are several people on this list that
> are far more knowledgeable about that than me.
>
> > I assume sockaddr_storage is just a different size (I think 128?)
>
> The idea behind the sockaddr_storage struct was to create a structure
> that could be used to represent any address family that the system
> supports. I don't believe there is a standard size across OSes due to
> different level of support, padding, etc; in other words, it's
> probably best not to rely on a specific size of sockaddr_storage.
>
> -- 
> paul moore
> www.paul-moore.com
* Re: Filtering Connect syscalls for af_inet only
From: Paul Moore, 2015-02-05 20:16 UTC
To: F Rafi; Cc: linux-audit

On Thu, Feb 5, 2015 at 2:06 PM, F Rafi <farhanible@gmail.com> wrote:
> I did some digging and now I understand the different size variations of
> sockaddr_storage. I guess I can just filter on a2!=6e then.

I assume 0x6e is the size of sockaddr_un? I would still caution against filtering on any particular size as you could still use sockaddr_storage for AF_UNIX. Granted, it's unlikely, but it is possible.

> And we'd have to keep an eye out for x86 systems. I understand that x86_64
> does not use socketcall() but, do you know if multiarch support somehow
> allows 32bit apps on x86_64 to use / translate these calls?

32-bit x86 applications running on a x86_64 system use the 32-bit socketcall() system call; there is no way around that, it's part of the 32-bit x86 ABI for Linux.

-- 
paul moore
www.paul-moore.com
* Re: Filtering Connect syscalls for af_inet only
From: Hassan Sultan, 2015-02-05 20:26 UTC
To: Paul Moore, F Rafi; Cc: linux-audit

Wouldn't x86 simply be a filter with 2 comparisons: one on a0 to filter only connect, and one on a3 for the sockaddr size?

Basically, on x86 you have one rule: the one with 2 comparisons.
On x64 you have 2 rules: one on the connect syscall, and one on the socketcall syscall with 2 comparisons.

Thanks,
Hassan

On Thu, 05 Feb 2015 11:06:03 -0800, F Rafi <farhanible@gmail.com> wrote:
> I did some digging and now I understand the different size variations of
> sockaddr_storage. I guess I can just filter on a2!=6e then.
>
> And we'd have to keep an eye out for x86 systems. I understand that
> x86_64 does not use socketcall() but, do you know if multiarch support
> somehow allows 32bit apps on x86_64 to use / translate these calls?
>
> Thanks again!
> Farhan
>
> On Thu, Feb 5, 2015 at 10:38 AM, Paul Moore <paul@paul-moore.com> wrote:
>> [...]
>>
>> The idea behind the sockaddr_storage struct was to create a structure
>> that could be used to represent any address family that the system
>> supports. I don't believe there is a standard size across OSes due to
>> different level of support, padding, etc; in other words, it's
>> probably best not to rely on a specific size of sockaddr_storage.
>>
>> -- 
>> paul moore
>> www.paul-moore.com
* Re: Filtering Connect syscalls for af_inet only
From: Paul Moore, 2015-02-05 20:34 UTC
To: Hassan Sultan; Cc: linux-audit

On Thu, Feb 5, 2015 at 3:26 PM, Hassan Sultan <hsultan@thefroid.net> wrote:
> Wouldn't x86 simply be a filter with 2 comparisons: one on a0 to filter
> only connect, and one on a3 for the sockaddr size?
>
> Basically, on x86 you have one rule: the one with 2 comparisons.
> On x64 you have 2 rules: one on the connect syscall, and one on the
> socketcall syscall with 2 comparisons.

The socketcall() syscall take two arguments, the first indicates the syscall (e.g. connect()) and the second is binary blob that contains the arguments for the socket syscall.

-- 
paul moore
www.paul-moore.com
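The thread never arrives at a kernel-side rule that keys on the address family, and the two cautions above (the addrlen in a2 is not a reliable proxy for the family, and 32-bit callers reach connect() through socketcall()) both argue for doing the split on the records themselves. The example below is added here and is not code from the thread, from auditd or from the kernel: a small Python post-processor, meant to sit between audit.log and the syslog forwarder, that decodes the SOCKADDR record's saddr field by its leading family bytes (0100 AF_UNIX, 0200 AF_INET, 0A00 AF_INET6 on a little-endian host) and keeps only the connect() events that carry an IP address, whatever buffer length the caller passed. It also recognises connect() arriving through the 32-bit socketcall() multiplexer (arch=40000003, syscall 102, a0=3, the SYS_CONNECT subcall number), since the kernel emits the same SOCKADDR record on that path. The sample records are constructed, and every process name, PID, socket path and address in them is made up.

```python
import ipaddress
import re
import struct

# Linux address-family numbers; on x86 they appear as the first two bytes of saddr in host (little-endian) order.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10
# connect() is syscall 42 on x86_64 (arch c000003e); on 32-bit x86 (arch 40000003) it is
# socketcall() (102) with a0=3, the SYS_CONNECT subcall. None means "no a0 check needed".
CONNECT_SYSCALLS = {("c000003e", "42"): None, ("40000003", "102"): "3"}

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one audit record into (type, serial, fields); None if the line is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, int(serial), fields


def is_connect(fields):
    """True if a SYSCALL record is a connect(), either directly or via the 32-bit socketcall multiplexer."""
    key = (fields.get("arch"), fields.get("syscall"))
    if key not in CONNECT_SYSCALLS:
        return False
    want_a0 = CONNECT_SYSCALLS[key]
    return want_a0 is None or fields.get("a0") == want_a0


def decode_saddr(saddr_hex):
    """Decode the hex sockaddr of a SOCKADDR record by its family bytes, ignoring how long it is.
    Assumes a little-endian host, so sa_family is the first two bytes in host order."""
    raw = bytes.fromhex(saddr_hex)
    if len(raw) < 2:
        return {"family": None}
    family = struct.unpack("<H", raw[:2])[0]
    if family == AF_UNIX:
        body = raw[2:]
        if body[:1] == b"\x00" and len(body) > 1:      # abstract namespace: leading NUL, no terminator
            path = "@" + body[1:].decode("utf-8", "replace")
        else:
            path = body.split(b"\x00", 1)[0].decode("utf-8", "replace")
        return {"family": "AF_UNIX", "path": path}
    if family == AF_INET and len(raw) >= 8:            # sockaddr_in: port and address in network byte order
        port = struct.unpack("!H", raw[2:4])[0]
        return {"family": "AF_INET", "addr": str(ipaddress.IPv4Address(raw[4:8])), "port": port}
    if family == AF_INET6 and len(raw) >= 24:          # sockaddr_in6: port, 4-byte flowinfo, 16-byte address
        port = struct.unpack("!H", raw[2:4])[0]
        return {"family": "AF_INET6", "addr": str(ipaddress.IPv6Address(raw[8:24])), "port": port}
    return {"family": family}


def filter_network_connects(log_text, keep=("AF_INET", "AF_INET6")):
    """Group records by audit serial and keep only connect() events whose address family is in `keep`.
    Each kept event carries its original record lines so they can be forwarded unchanged."""
    events = {}                                          # serial -> event; dict keeps log order
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        rtype, serial, fields = parsed
        ev = events.setdefault(serial, {"serial": serial, "lines": [], "connect": False})
        ev["lines"].append(line)
        if rtype == "SYSCALL":
            ev["connect"] = is_connect(fields)
            ev["comm"] = fields.get("comm")
        elif rtype == "SOCKADDR":
            ev.update(decode_saddr(fields["saddr"]))
    return [ev for ev in events.values() if ev["connect"] and ev.get("family") in keep]


# Constructed sample records in the format the thread shows (not from a real host). Event 1 is an AF_UNIX
# connect (a2=1e), event 2 AF_INET with an exact 16-byte sockaddr_in (a2=10), event 3 AF_INET passed in a
# 128-byte sockaddr_storage (a2=80), event 4 AF_INET6 (a2=1c), event 5 a 32-bit socketcall() connect.
SAMPLE_LOG = "\n".join([
    'type=SYSCALL msg=audit(1423002916.796:1): arch=c000003e syscall=42 success=no exit=-2 a0=294 a1=7fff97f62680 a2=1e a3=0 items=0 pid=21439 uid=33 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key="network_outbound"',
    "type=SOCKADDR msg=audit(1423002916.796:1): saddr=01002F7661722F72756E2F6D7973716C642F6D7973716C642E736F636B00",
    'type=SYSCALL msg=audit(1423002916.801:2): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7fff97f62680 a2=10 a3=0 items=0 pid=2000 uid=1000 comm="curl" exe="/usr/bin/curl" key="network_outbound"',
    "type=SOCKADDR msg=audit(1423002916.801:2): saddr=02000050C0A800010000000000000000",
    'type=SYSCALL msg=audit(1423002916.805:3): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fff97f62680 a2=80 a3=0 items=0 pid=2001 uid=1000 comm="python3" exe="/usr/bin/python3" key="network_outbound"',
    "type=SOCKADDR msg=audit(1423002916.805:3): saddr=020001BB0A000001" + "00" * 120,
    'type=SYSCALL msg=audit(1423002916.810:4): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7fff97f62680 a2=1c a3=0 items=0 pid=2002 uid=1000 comm="ssh" exe="/usr/bin/ssh" key="network_outbound"',
    "type=SOCKADDR msg=audit(1423002916.810:4): saddr=0A0001BB0000000020010DB800000000000000000000000100000000",
    'type=SYSCALL msg=audit(1423002916.815:5): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=ffd8a3c0 a2=0 a3=0 items=0 pid=2003 uid=1000 comm="wget" exe="/usr/bin/wget" key="network_outbound"',
    "type=SOCKADDR msg=audit(1423002916.815:5): saddr=02001F90C0A800020000000000000000",
])


if __name__ == "__main__":
    for ev in filter_network_connects(SAMPLE_LOG):
        print(ev["serial"], ev["comm"], ev["family"], ev["addr"], ev["port"])
        print("\n".join(ev["lines"]))
```

Run against the constructed sample, the AF_UNIX apache2 event is dropped and the four IP events survive, including the one whose caller passed a 128-byte sockaddr_storage and the one that came in through socketcall(). Passing keep=("AF_UNIX",) inverts the selection, which is the quick way to confirm nothing is silently lost in the split. The decoder reads only the family bytes and the fixed-offset address fields, so a2 never enters the decision.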