<div dir="ltr">After some log analysis it looks like filtering on "a2=10" only shows network activity. From what I understand, this is the address length (<i>int addrlen</i>) argument in the sys_connect function.<div><br></div><div>Traced it down to this comment in socket.c. Sounds like filtering for a2=10 and a2=18 (to account for IPv6) may work.</div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><font size="1">#define MAX_SOCK_ADDR 128 </font></div><div><font size="1">/* 108 for Unix domain -</font></div><div><font size="1">16 for IP,</font></div><div><font size="1">16 for IPX, </font></div><div><font size="1">24 for IPv6, </font></div><div><font size="1">about 80 for AX.</font></div><div><font size="1">25 must be at least one bigger than the AF_UNIX size (see netunix/af_unix.c :unix_mkname())</font></div><div><font size="1"> */</font></div><div><font size="1"><br></font></div></blockquote><div>10 hex = 16 dec and 18 hex = 24 dec<br></div><div><br></div><div>I hope someone can correct me if I sound like I'm not all there. </div><br><div>Farhan</div><div><br></div><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 3, 2015 at 6:53 PM, F Rafi <span dir="ltr"><<a href="mailto:farhanible@gmail.com" target="_blank">farhanible@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Correction. Both filetype=socket and !=socket result in just saddr=0100.. events. Seems like this is not the way to go.<div><br></div><div>Farhan</div></div><div class=""><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 3, 2015 at 6:24 PM, F Rafi <span dir="ltr"><<a href="mailto:farhanible@gmail.com" target="_blank">farhanible@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Sorry, I should have mentioned that I already tried that. That results in no logs being generated for that rule.<div><br></div><div>Thanks,</div><div>Farhan </div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 3, 2015 at 6:21 PM, Peter Moody <span dir="ltr"><<a href="mailto:pmoody@google.com" target="_blank">pmoody@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span><br> On Tue, Feb 03 2015 at 14:57, F Rafi wrote:<br> > Hi folks,<br> ><br> > <n00b alert><br> ><br> > I have auditing for outbound connect requests working using the Connect<br> </span>> (sys_connect) syscall on a server running *Ubuntu precise 12.04 LTS*.<br> <span>><br> > The rule I'm using is:<br> ><br> > -a exit,always -F arch=b64 -S connect -k network_outbound<br> ><br> ><br> ><br> > I'm getting a substantial amount of saddr=0100.... logs, which I understand<br> > are not connections to a remote host but rather a local AF_UNIX socket<br> > pointing to a file. Example log message is:<br> ><br> ><br> ><br> > type=SYSCALL msg=audit(1423002916.796:24545371): arch=c000003e syscall=42<br> >> success=no exit=-2 a0=294 a1=7fff97f62680 a2=6e a3=7fff97f62860 items=0<br> >> ppid=20546 pid=21439 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33<br> >> egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2"<br> >> exe="/usr/lib/apache2/mpm-prefork/apache2" key="network_outbound"<br> ><br> </span>> type=SOCKADDR msg=audit(1423002916.796:24545371): *saddr=0100*<truncated to<br> <span>>> remove the hex-encoded file path><br> ><br> ><br> > Is there an easy way to filter these out so that we only have saddr=0200...<br> > messages left?<br> ><br> > I'm exporting the log to an external syslog server and it would help<br> > considerably if I could eliminate this from all of our servers.<br> ><br> </span>> I see that auditctl has a *filetype* filter which can be set to filter<br> > *socket* or *file* types. Is that the right way to filter these messages?<br> <span>><br> > -a exit,always -F arch=b64 -F filetype=socket -S connect -k network_outbound<br> <br> </span>does -F filetype!=socket work?<br> <div><div><br> > The above rule filters out everything but the af_unix connect syscalls,<br> > which is the opposite of what I'm looking for.<br> ><br> > Any help would be appreciated.<br> ><br> > Thanks,<br> > Farhan<br> </div></div><span><font color="#888888">> --<br> > Linux-audit mailing list<br> > <a href="mailto:Linux-audit@redhat.com" target="_blank">Linux-audit@redhat.com</a><br> > <a href="https://www.redhat.com/mailman/listinfo/linux-audit" target="_blank">https://www.redhat.com/mailman/listinfo/linux-audit</a><br> </font></span></blockquote></div><br></div> </div></div></blockquote></div><br></div> </div></div></blockquote></div><br></div></div>