RFE: create a new audit rule filter to filter on network address family

stevegrubb commented 7 years ago

If you use the nice new audit by executable feature to look for network connections, what you will find is events being recorded for af_unix connections rather than IPV4 or IPv6 which is what was actually desired. For example:

-a always,exit -F arch=b64 -S connect,recvfrom -F auid>=1000 -F auid!=-1 -F exe=/usr/bin/bash -F key=network-test

You get a lot of this kind of events: node=x2 type=PROCTITLE msg=audit(07/27/2017 12:18:27.019:845) : proctitle=bash node=x2 type=PATH msg=audit(07/27/2017 12:18:27.019:845) : item=0 name=/var/run/nscd/socket nametype=UNKNOWN node=x2 type=CWD msg=audit(07/27/2017 12:18:27.019:845) : cwd=/home/sgrubb node=x2 type=SOCKADDR msg=audit(07/27/2017 12:18:27.019:845) : saddr={ fam=local path=/var/run/nscd/socket } node=x2 type=SYSCALL msg=audit(07/27/2017 12:18:27.019:845) : arch=x86_64 syscall=connect success=no exit=ENOENT(No such file or directory) a0=0x3 a1=0x7fff229c4980 a2=0x6e a3=0x6 items=1 ppid=3301 pid=6145 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts3 ses=4 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=network-test

Which is not useful. We need a way to tell the rule matching engine that we are only interested in tcp IPv4 or IPv6 connections. There maybe times when we want datagrams, but that creates a problem where we only really want one and not thousands.

pcmoore commented 7 years ago

We need a way to tell the rule matching engine that we are only interested in tcp IPv4 or IPv6 connections.

I think this would be a good enhancement, but just to be clear, I think the filter should allow filtering on any address family, not just AF_INET and AF_INET6.