Filtering Connect syscalls for af_inet only

F Rafi farhanible at gmail.com
Thu Feb 5 15:31:42 UTC 2015


Ahh.. thanks Paul!

Is there a better way to intercept outbound network access calls while
avoiding af_unix?

I assume sockaddr_storage is just a different size (I think 128?)

Thanks
Farhan

On Thursday, February 5, 2015, Paul Moore <paul at paul-moore.com> wrote:

> On Wed, Feb 4, 2015 at 8:19 PM, F Rafi <farhanible at gmail.com> wrote:
> > After some log analysis it looks like filtering on "a2=10" only shows
> > network activity. From what I understand, this is the address length (int
> > addrlen) argument in the sys_connect function.
> >
> > Traced it down to this comment in socket.c. Sounds like filtering for
> > a2=10 and a2=18 (to account for IPv6) may work.
> >
> > #define MAX_SOCK_ADDR 128
> > /* 108 for Unix domain -
> > 16 for IP,
> > 16 for IPX,
> > 24 for IPv6,
> > about 80 for AX.25
> > must be at least one bigger than the AF_UNIX size (see
> > net/unix/af_unix.c :unix_mkname())
> >  */
> >
> > 10 hex = 16 dec and 18 hex = 24 dec
> >
> > I hope someone can correct me if I sound like I'm not all there.
>
> [Ooops, hit "reply" instead of "reply-to-all"]
>
> A few things come to mind with this approach:
>
> * This will not work on x86 due to the socketcall() syscall multiplexer.
>
> * This doesn't solve the problem for applications that leverage the
> address family independent sockaddr_storage structure.
>
> --
> paul moore
> www.paul-moore.com
>
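To see what Paul's two caveats mean for an a2-based filter, here is an added example (not part of this thread): a Python classifier run over constructed audit SYSCALL records that keys on a2 (addrlen) for connect(2) on x86-64, treats sizeof(struct sockaddr_storage) = 128 as unclassifiable, and flags the i386 socketcall() multiplexer, where connect's arguments sit behind a pointer in a1. It uses sizeof(struct sockaddr_in6) = 28 (0x1c) rather than the 24 quoted from the old socket.c comment; the arch values, syscall numbers and log lines are assumptions, with the records constructed for the example.

```python
import re
# connect(2)'s addrlen is the a2 field of the audit SYSCALL record, hex, no 0x prefix.
# Linux struct sizes: sockaddr_in 16, sockaddr_in6 28 (0x1c, not the 24 quoted from
# the old socket.c comment), sockaddr_un 110 (0x6e), sockaddr_storage 128 (0x80).
ADDRLEN_TO_FAMILY = {0x10: "AF_INET", 0x1c: "AF_INET6", 0x6e: "AF_UNIX"}
SOCKADDR_STORAGE_LEN = 0x80
X86_64_ARCH, X86_64_CONNECT = "c000003e", 42   # connect(2) on x86-64 (assumed values)
I386_ARCH, I386_SOCKETCALL = "40000003", 102   # socketcall(2) multiplexer on i386
SYS_CONNECT = 3                                # socketcall() call number for connect
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(line):
    """Split an audit record into a key/value dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify_connect(line):
    """Label a SYSCALL record by the family its a2 implies; None if not a connect."""
    f = parse_fields(line)
    if f.get("type") != "SYSCALL":
        return None
    syscall = int(f["syscall"])
    if f.get("arch") == I386_ARCH and syscall == I386_SOCKETCALL:
        # On 32-bit x86 connect() arrives via socketcall(): a0 is the call number and
        # a1 points at the real argument array, so a2 is not addrlen (Paul's caveat 1).
        return "socketcall-connect: addrlen not visible in a2" if int(f["a0"], 16) == SYS_CONNECT else None
    if f.get("arch") != X86_64_ARCH or syscall != X86_64_CONNECT:
        return None
    addrlen = int(f["a2"], 16)
    if addrlen == SOCKADDR_STORAGE_LEN:
        # Caller passed sizeof(struct sockaddr_storage): family not recoverable (caveat 2).
        return "ambiguous: sockaddr_storage"
    return ADDRLEN_TO_FAMILY.get(addrlen, "unknown addrlen 0x%x" % addrlen)

def summarize(lines):
    """Map each label to the comm= values that produced it."""
    out = {}
    for line in lines:
        label = classify_connect(line)
        if label is not None:
            out.setdefault(label, []).append(parse_fields(line).get("comm"))
    return out

# Constructed sample records (not from a real system); a2 is hex as auditd prints it.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1423150302.101:501): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1c8a2e60 a2=10 a3=0 comm="curl" exe="/usr/bin/curl" key="net"',
    'type=SYSCALL msg=audit(1423150302.102:502): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd1c8a2e40 a2=1c a3=0 comm="ssh" exe="/usr/bin/ssh" key="net"',
    'type=SYSCALL msg=audit(1423150302.103:503): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd1c8a2d00 a2=6e a3=0 comm="docker" exe="/usr/bin/docker" key="net"',
    'type=SYSCALL msg=audit(1423150302.104:504): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7ffd1c8a2c80 a2=80 a3=0 comm="python3" exe="/usr/bin/python3" key="net"',
    'type=SYSCALL msg=audit(1423150302.105:505): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=ffc1d2a0 a2=f7e4d000 a3=0 comm="wget" exe="/usr/bin/wget" key="net"',
]
```

Calling summarize(SAMPLE_LOG) shows the AF_INET/AF_INET6 hits you are after, but also that the sockaddr_storage caller and the i386 socketcall record cannot be separated from AF_UNIX by addrlen alone.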