Filtering Connect syscalls for af_inet only

F Rafi farhanible at gmail.com
Thu Feb 5 19:06:03 UTC 2015


I did some digging and now I understand the different size variations of
sockaddr_storage. I guess I can just filter on a2!=6e then.

And we'd have to keep an eye out for x86 systems. I understand that x86_64
does not use socketcall(), but do you know if multiarch support somehow
allows 32-bit apps on x86_64 to use / translate these calls?

Thanks again!
Farhan

On Thu, Feb 5, 2015 at 10:38 AM, Paul Moore <paul at paul-moore.com> wrote:

> On Thu, Feb 5, 2015 at 10:31 AM, F Rafi <farhanible at gmail.com> wrote:
> > Ahh..thanks Paul!
> >
> > Is there a better way to intercept outbound network access calls while
> > avoiding af_unix?
>
> I'm not sure, I'm not overly familiar with the auditd/auditctl
> filtering capabilities.  There are several people on this list that
> are far more knowledgeable about that than me.
>
> > I assume sockaddr_storage is just a different size (I think 128?)
>
> The idea behind the sockaddr_storage struct was to create a structure
> that could be used to represent any address family that the system
> supports.  I don't believe there is a standard size across OSes due to
> different levels of support, padding, etc.; in other words, it's
> probably best not to rely on a specific size of sockaddr_storage.
>
> --
> paul moore
> www.paul-moore.com
>
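Added example, not part of the thread: a small Python classifier that reads constructed audit SYSCALL records and applies the same length test the thread settles on (a2, the connect() addrlen, logged in hex) to tell AF_INET/AF_INET6 connects from 110-byte AF_UNIX ones, and flags the i386 socketcall path where a2 is not the addrlen at all. The struct sizes (16/28/110), AUDIT_ARCH values and syscall numbers are the standard Linux x86 values and are assumed here, as is the record layout.

```python
import re

# sizeof() of the common Linux sockaddr structs (bytes); connect() passes the
# struct size as addrlen, which the audit SYSCALL record exposes in hex as a2
SOCKADDR_SIZES = {16: "AF_INET", 28: "AF_INET6", 110: "AF_UNIX"}
ARCH_X86_64, ARCH_I386 = "c000003e", "40000003"   # AUDIT_ARCH_* values (assumed)
CONNECT_X86_64, SOCKETCALL_I386, SYS_CONNECT = 42, 102, 3

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a key/value dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(rec):
    """Return (comm, family, addrlen) for a connect() SYSCALL record, else None.
    family is the address family implied by addrlen, i.e. what a
    '-S connect -F a2!=6e'-style rule would keep or drop."""
    if rec.get("type") != "SYSCALL":
        return None
    arch, nr = rec["arch"], int(rec["syscall"])
    if arch == ARCH_X86_64 and nr == CONNECT_X86_64:
        addrlen = int(rec["a2"], 16)
        return rec["comm"], SOCKADDR_SIZES.get(addrlen, "unknown"), addrlen
    if arch == ARCH_I386 and nr == SOCKETCALL_I386 and int(rec["a0"], 16) == SYS_CONNECT:
        # 32-bit multiplexed path: the real connect() args live in memory at a1,
        # so a2 is not the addrlen and a length-based filter cannot see the family
        return rec["comm"], "socketcall", None
    return None

def connect_families(log):
    """Classify every connect() record in a block of audit log text."""
    return [c for c in (classify(parse_record(l)) for l in log.splitlines()) if c]

# Constructed sample records (not captured from a real system)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1423162800.101:1001): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffe3c2a1b40 a2=10 a3=0 pid=4242 comm="curl" key="netconn"
type=SOCKADDR msg=audit(1423162800.101:1001): saddr=02000050C0A80101
type=SYSCALL msg=audit(1423162800.102:1002): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffe3c2a1c00 a2=1c a3=0 pid=4243 comm="ssh" key="netconn"
type=SYSCALL msg=audit(1423162800.103:1003): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffe3c2a1d00 a2=6e a3=0 pid=4244 comm="systemctl" key="netconn"
type=SYSCALL msg=audit(1423162800.104:1004): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=ffa1b2c0 a2=0 a3=0 pid=4245 comm="legacy32" key="netconn"
"""

if __name__ == "__main__":
    for comm, family, addrlen in connect_families(SAMPLE_LOG):
        print(f"{comm:10} {family:10} addrlen={addrlen}")
```

The last sample record shows why the i386 question matters: a 32-bit socketcall() connect never carries the sockaddr length in a2, so a b32 rule needs a different approach (the SOCKADDR record still shows the family).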