Filtering Connect syscalls for af_inet only

Paul Moore paul at paul-moore.com
Thu Feb 5 14:39:04 UTC 2015


On Wed, Feb 4, 2015 at 8:19 PM, F Rafi <farhanible at gmail.com> wrote:
> After some log analysis it looks like filtering on "a2=10" only shows
> network activity. From what I understand, this is the address length (int
> addrlen) argument in the sys_connect function.
>
> Traced it down to this comment in socket.c. Sounds like filtering for a2=10
> and a2=18 (to account for IPv6) may work.
>
> #define MAX_SOCK_ADDR 128
> /* 108 for Unix domain -
>    16 for IP, 16 for IPX,
>    24 for IPv6,
>    about 80 for AX.25
>    must be at least one bigger than the AF_UNIX size
>    (see net/unix/af_unix.c:unix_mkname()).
>  */
>
> 10 hex = 16 dec and 18 hex = 24 dec
>
> I hope someone can correct me if I sound like I'm not all there.

[Ooops, hit "reply" instead of "reply-to-all"]

A few things come to mind with this approach:

* This will not work on x86 due to the socketcall() syscall multiplexer.

* This doesn't solve the problem for applications that leverage the
address family independent sockaddr_storage structure.

-- 
paul moore
www.paul-moore.com
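An added example (not part of the original thread or of the audit project) that shows both of the objections above on concrete audit records: it classifies SYSCALL records by the connect() addrlen argument (a2) and reports which connects an "a2=10 or a2=18" filter would match and which it would miss. The sample records are constructed, not captured from a host; the arch values (c000003e for x86_64, 40000003 for i386), syscall numbers (connect is 42 on x86_64, socketcall is 102 on i386, SYS_CONNECT is sub-call 3) and struct sizes (sockaddr_in 16, sockaddr_in6 28, sockaddr_un 110, sockaddr_storage 128 bytes) are from the kernel and glibc headers; the field names follow the audit log format.

```python
import re

# Added example, not code from the mail thread. Sample records below are
# constructed to look like auditd SYSCALL lines; they are not real captures.

AUDIT_ARCH_X86_64 = "c000003e"   # arch= value logged for 64-bit x86
AUDIT_ARCH_I386 = "40000003"     # arch= value logged for 32-bit x86
NR_CONNECT_X86_64 = 42           # __NR_connect on x86_64
NR_SOCKETCALL_I386 = 102         # __NR_socketcall on i386 (the multiplexer)
SYS_CONNECT = 3                  # socketcall() sub-call number for connect()

# addrlen in bytes -> the family it hints at. 128 is sockaddr_storage, which
# an address-family-independent application passes for every family.
ADDRLEN_HINT = {
    16: "AF_INET",                    # sizeof(struct sockaddr_in)
    24: "AF_INET6",                   # the IPv6 length quoted from socket.c
    28: "AF_INET6",                   # sizeof(struct sockaddr_in6) in glibc
    110: "AF_UNIX",                   # sizeof(struct sockaddr_un)
    128: "UNKNOWN(sockaddr_storage)",
}

# Lengths the proposed filter ("a2=10" and "a2=18", hex) would match.
PROPOSED_FILTER_LENGTHS = {0x10, 0x18}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify_connect(line):
    """Return (is_connect, addrlen or None, family hint) for a SYSCALL record."""
    rec = parse_record(line)
    if rec.get("type") != "SYSCALL":
        return (False, None, None)
    arch, nr = rec.get("arch"), int(rec.get("syscall", "-1"))
    if arch == AUDIT_ARCH_X86_64 and nr == NR_CONNECT_X86_64:
        addrlen = int(rec["a2"], 16)          # audit logs a0..a3 in hex
        return (True, addrlen, ADDRLEN_HINT.get(addrlen, "UNKNOWN"))
    if arch == AUDIT_ARCH_I386 and nr == NR_SOCKETCALL_I386:
        # socketcall(call, args): a0 is the sub-call and a1 points at the
        # real argument array, so connect()'s addrlen never appears in a2.
        if int(rec["a0"], 16) == SYS_CONNECT:
            return (True, None, "UNKNOWN(socketcall)")
    return (False, None, None)


def proposed_filter_hits(records):
    """comm values whose connect() the a2=10/a2=18 filter would catch."""
    hits = []
    for line in records:
        is_connect, addrlen, _ = classify_connect(line)
        if is_connect and addrlen in PROPOSED_FILTER_LENGTHS:
            hits.append(parse_record(line)["comm"])
    return hits


def missed_connects(records):
    """comm values that did call connect() but the filter would not match."""
    missed = []
    for line in records:
        is_connect, addrlen, _ = classify_connect(line)
        if is_connect and addrlen not in PROPOSED_FILTER_LENGTHS:
            missed.append(parse_record(line)["comm"])
    return missed


# Constructed sample records (pointers and pids are made up).
SAMPLE_RECORDS = [
    # x86_64 connect() with a 16-byte sockaddr_in: a2=10 hex
    'type=SYSCALL msg=audit(1423155544.100:101): arch=c000003e syscall=42 '
    'success=yes exit=0 a0=3 a1=7ffd1c2b3a40 a2=10 a3=0 pid=1001 comm="curl"',
    # x86_64 connect() passing a sockaddr_storage: a2=80 hex, family unknown
    'type=SYSCALL msg=audit(1423155544.200:102): arch=c000003e syscall=42 '
    'success=yes exit=0 a0=4 a1=7ffd1c2b3b00 a2=80 a3=0 pid=1002 comm="sshd"',
    # x86_64 connect() to a unix socket: a2=6e hex (110 bytes)
    'type=SYSCALL msg=audit(1423155544.300:103): arch=c000003e syscall=42 '
    'success=yes exit=0 a0=5 a1=7ffd1c2b3c00 a2=6e a3=0 pid=1003 comm="dbus"',
    # i386 socketcall(SYS_CONNECT, args): a2 carries nothing useful
    'type=SYSCALL msg=audit(1423155544.400:104): arch=40000003 syscall=102 '
    'success=yes exit=0 a0=3 a1=ffd2c3a0 a2=0 a3=0 pid=1004 comm="wget"',
    # unrelated syscall (execve on x86_64) for contrast
    'type=SYSCALL msg=audit(1423155544.500:105): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=7ffd1c2b3d00 a1=7ffd1c2b3d40 a2=0 a3=0 pid=1005 comm="sh"',
]

if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print(parse_record(line)["comm"], classify_connect(line))
    print("filter hits:", proposed_filter_hits(SAMPLE_RECORDS))
    print("missed connects:", missed_connects(SAMPLE_RECORDS))
```

Run against the constructed records, only `curl` is caught; `sshd` (sockaddr_storage, a2=0x80) and `wget` (32-bit socketcall, where a2 is not the address length) are connects the filter is blind to, and `dbus` is a unix-socket connect the filter correctly ignores. The same classification can be run over `ausearch -i`-free raw lines from /var/log/audit/audit.log to measure how much of a host's connect() traffic an a2-based rule actually sees before relying on it.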
