Filtering Connect syscalls for af_inet only

Hassan Sultan hsultan at thefroid.net
Thu Feb 5 20:26:44 UTC 2015


Wouldn't x86 simply be a filter with 2 comparisons: one on a0 to filter only connect, and one on a3 for the sockaddr size?

Basically, on x86 you have one rule: the one with 2 comparisons.
On x64 you have 2 rules: one on the connect syscall, and one on the socketcall syscall with 2 comparisons.

Thanks,

Hassan

On Thu, 05 Feb 2015 11:06:03 -0800, F Rafi <farhanible at gmail.com> wrote:

> I did some digging and now I understand the different size variations of sockaddr_storage. I guess I can just filter on a2!=6e then.
>
> And we'd have to keep an eye out for x86 systems. I understand that x86_64 does not use socketcall() but, do you know if multiarch support somehow allows 32bit apps on x86_64 to use / translate these calls?
>
> Thanks again!
> Farhan
>
> On Thu, Feb 5, 2015 at 10:38 AM, Paul Moore <paul at paul-moore.com> wrote:
>> On Thu, Feb 5, 2015 at 10:31 AM, F Rafi <farhanible at gmail.com> wrote:
>>> Ahh..thanks Paul!
>>>
>>> Is there a better way to intercept outbound network access calls while
>>> avoiding af_unix?
>>
>> I'm not sure, I'm not overly familiar with the auditd/auditctl
>> filtering capabilities.  There are several people on this list that
>> are far more knowledgeable about that than me.
>>
>>>>> I assume sockaddr_storage is just a different size (I think 128?)
>>
>> The idea behind the sockaddr_storage struct was to create a structure
>> that could be used to represent any address family that the system
>> supports.  I don't believe there is a standard size across OSes due to
>> different level of support, padding, etc; in other words, it's
>> probably best not to rely on a specific size of sockaddr_storage.
>>
>> --
>> paul moore
>> www.paul-moore.com
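As an added illustration (not code from anyone in this thread), the Python below encodes the two-architecture rule set the thread converges on and applies the same comparisons to constructed SYSCALL records; the auditctl syntax, the decimal spelling of 0x6e as 110, and the sample records are my assumptions, and the constants are the usual Linux x86 values.

```python
import re

# sizeof() values connect(2) callers typically pass as addrlen (a2) on Linux;
# 110 is the 0x6e the thread filters out to skip AF_UNIX. Constructed table.
SOCKADDR_LEN_FAMILY = {16: "AF_INET", 28: "AF_INET6", 110: "AF_UNIX"}

SYS_CONNECT = 3             # socketcall(2) operation number for connect
NR_CONNECT_X86_64 = 42      # syscall number of connect on x86_64
NR_SOCKETCALL_I386 = 102    # syscall number of socketcall on i386
ARCH_X86_64 = "c000003e"    # arch= value auditd logs for 64-bit records
ARCH_I386 = "40000003"      # 32-bit records, including compat tasks on x86_64


def audit_rules():
    """Assumed auditctl rule set (decimal 110 == 0x6e).
    64-bit: log connect() unless addrlen equals sizeof(struct sockaddr_un).
    32-bit: connect goes through socketcall(); a0 selects the operation and
    the sockaddr length is in memory, so no a-register test can exclude it."""
    return [
        "-a always,exit -F arch=b64 -S connect -F a2!=110 -k net_connect",
        "-a always,exit -F arch=b32 -S socketcall -F a0=3 -k net_connect",
    ]


_REC = re.compile(r"arch=(?P<arch>[0-9a-f]+) syscall=(?P<nr>\d+) .*?"
                  r"a0=(?P<a0>[0-9a-f]+) a1=[0-9a-f]+ a2=(?P<a2>[0-9a-f]+)")


def classify(record):
    """Return (rule_matches, family_guess) for one SYSCALL record, applying
    the same comparisons as audit_rules(). family_guess is None if unknown."""
    m = _REC.search(record)
    if not m:
        return (False, None)
    nr, a0, a2 = int(m["nr"]), int(m["a0"], 16), int(m["a2"], 16)
    if m["arch"] == ARCH_X86_64 and nr == NR_CONNECT_X86_64:
        # Caveat: AF_UNIX callers often pass a shorter length (SUN_LEN()), so
        # a length test only excludes connects using the full 110-byte struct.
        return (a2 != 110, SOCKADDR_LEN_FAMILY.get(a2))
    if m["arch"] == ARCH_I386 and nr == NR_SOCKETCALL_I386:
        return (a0 == SYS_CONNECT, None)
    return (False, None)


# Constructed sample records (not real audit output) in auditd's field layout.
SAMPLES = {
    "ipv4": "type=SYSCALL msg=audit(1423167000.101:11): arch=c000003e syscall=42 "
            "success=yes exit=0 a0=3 a1=7ffd2b0c9e30 a2=10 a3=0 comm=\"curl\"",
    "unix": "type=SYSCALL msg=audit(1423167000.102:12): arch=c000003e syscall=42 "
            "success=yes exit=0 a0=4 a1=7ffd2b0c9f40 a2=6e a3=0 comm=\"ssh\"",
    "i386": "type=SYSCALL msg=audit(1423167000.103:13): arch=40000003 syscall=102 "
            "success=yes exit=0 a0=3 a1=ffd1c2e0 a2=0 a3=0 comm=\"app32\"",
}
```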