linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

RFE: create a new audit rule filter to filter on network address family #64

Closed stevegrubb closed 5 years ago

stevegrubb commented 7 years ago

If you use the nice new audit by executable feature to look for network connections, what you will find is events being recorded for af_unix connections rather than IPV4 or IPv6 which is what was actually desired. For example:

-a always,exit -F arch=b64 -S connect,recvfrom -F auid>=1000 -F auid!=-1 -F exe=/usr/bin/bash -F key=network-test

You get a lot of events of this kind:

node=x2 type=PROCTITLE msg=audit(07/27/2017 12:18:27.019:845) : proctitle=bash
node=x2 type=PATH msg=audit(07/27/2017 12:18:27.019:845) : item=0 name=/var/run/nscd/socket nametype=UNKNOWN
node=x2 type=CWD msg=audit(07/27/2017 12:18:27.019:845) : cwd=/home/sgrubb
node=x2 type=SOCKADDR msg=audit(07/27/2017 12:18:27.019:845) : saddr={ fam=local path=/var/run/nscd/socket }
node=x2 type=SYSCALL msg=audit(07/27/2017 12:18:27.019:845) : arch=x86_64 syscall=connect success=no exit=ENOENT(No such file or directory) a0=0x3 a1=0x7fff229c4980 a2=0x6e a3=0x6 items=1 ppid=3301 pid=6145 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts3 ses=4 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=network-test

Which is not useful. We need a way to tell the rule matching engine that we are only interested in TCP IPv4 or IPv6 connections. There may be times when we want datagrams, but that creates a problem where we only really want one and not thousands.
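The thread above asks for the kernel to drop AF_UNIX (and other non-IP) socket events at rule-match time instead of flooding the log; upstream later added that as the `saddr_fam` filter field. Until a kernel and audit-userspace with that field are available, the same selection has to happen after the fact on the interpreted records. The following is an added example, not code from the issue or from the audit project: it groups `ausearch -i` style records by event serial, reads the `fam=` value out of the SOCKADDR record, and keeps only the events whose address family is wanted. The log lines are constructed for the example (event 845 is the nscd noise from the issue; 846, 847 and 848 are made-up inet, inet6 and netlink connects), and the `laddr`/`lport`/`nlnk-fam` field names are assumed to follow ausearch's interpreted output.

```python
"""Userspace approximation of an address-family filter over interpreted audit
records, for logs produced before the in-kernel saddr_fam field existed."""
import re
from collections import Counter, defaultdict

# Constructed sample in the one-record-per-line `ausearch -i` format quoted in
# the issue. Not captured data: only event 845 is taken from the issue text.
SAMPLE_LOG = """\
node=x2 type=PATH msg=audit(07/27/2017 12:18:27.019:845) : item=0 name=/var/run/nscd/socket nametype=UNKNOWN
node=x2 type=SOCKADDR msg=audit(07/27/2017 12:18:27.019:845) : saddr={ fam=local path=/var/run/nscd/socket }
node=x2 type=SYSCALL msg=audit(07/27/2017 12:18:27.019:845) : arch=x86_64 syscall=connect success=no exit=ENOENT(No such file or directory) a0=0x3 a1=0x7fff229c4980 a2=0x6e a3=0x6 items=1 ppid=3301 pid=6145 auid=sgrubb uid=sgrubb comm=bash exe=/usr/bin/bash key=network-test
node=x2 type=SOCKADDR msg=audit(07/27/2017 12:18:30.101:846) : saddr={ fam=inet laddr=192.0.2.10 lport=443 }
node=x2 type=SYSCALL msg=audit(07/27/2017 12:18:30.101:846) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x7fff229c4980 a2=0x10 a3=0x6 items=0 ppid=3301 pid=6150 auid=sgrubb uid=sgrubb comm=bash exe=/usr/bin/bash key=network-test
node=x2 type=SOCKADDR msg=audit(07/27/2017 12:18:31.500:847) : saddr={ fam=inet6 laddr=2001:db8::1 lport=22 }
node=x2 type=SYSCALL msg=audit(07/27/2017 12:18:31.500:847) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7fff229c4a00 a2=0x1c a3=0x6 items=0 ppid=3301 pid=6151 auid=sgrubb uid=sgrubb comm=bash exe=/usr/bin/bash key=network-test
node=x2 type=SOCKADDR msg=audit(07/27/2017 12:18:32.000:848) : saddr={ fam=netlink nlnk-fam=16 nlnk-pid=0 }
node=x2 type=SYSCALL msg=audit(07/27/2017 12:18:32.000:848) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0x7fff229c4a80 a2=0xc a3=0x6 items=0 ppid=3301 pid=6152 auid=sgrubb uid=sgrubb comm=bash exe=/usr/bin/bash key=network-test
"""

# "node=... type=T msg=audit(<timestamp>:<serial>) : <body>". The timestamp
# itself contains colons, so the serial is anchored on the closing parenthesis.
RECORD_RE = re.compile(
    r"^(?:node=(?P<node>\S+) )?type=(?P<type>\w+) "
    r"msg=audit\((?P<stamp>.+?):(?P<serial>\d+)\) : (?P<body>.*)$"
)
SADDR_RE = re.compile(r"saddr=\{\s*(?P<fields>[^}]*)\}")


def kv_fields(text):
    """Tokenise 'k=v k=v ...' on whitespace. Tokens without '=' (the tail of an
    interpreted exit=ENOENT(No such file or directory)) are dropped; that is
    fine for the keys this example reads (fam, syscall, success, exe)."""
    out = {}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            out[key] = val
    return out


def parse_record(line):
    """Return {node, type, stamp, serial, body} for one record, or None."""
    m = RECORD_RE.match(line.strip())
    return m.groupdict() if m else None


def group_events(lines):
    """Group records by event serial, which is what ties PATH/SOCKADDR/SYSCALL
    records of one syscall together."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def sockaddr_family(records):
    """The fam= value of the event's SOCKADDR record, or None if it has none."""
    for rec in records:
        if rec["type"] == "SOCKADDR":
            m = SADDR_RE.search(rec["body"])
            if m:
                return kv_fields(m.group("fields")).get("fam")
    return None


def family_counts(log_text):
    """How many events per address family: shows where the volume comes from."""
    return Counter(
        sockaddr_family(recs) for recs in group_events(log_text.splitlines()).values()
    )


def filter_events(log_text, families=("inet", "inet6")):
    """Keep only events whose SOCKADDR family is in `families`. Returns
    {serial: {fam, syscall, success, exe}} so the caller can act on them."""
    kept = {}
    for serial, recs in group_events(log_text.splitlines()).items():
        fam = sockaddr_family(recs)
        if fam not in families:
            continue
        sc = next((kv_fields(r["body"]) for r in recs if r["type"] == "SYSCALL"), {})
        kept[serial] = {
            "fam": fam,
            "syscall": sc.get("syscall"),
            "success": sc.get("success"),
            "exe": sc.get("exe"),
        }
    return kept


if __name__ == "__main__":
    print(family_counts(SAMPLE_LOG))
    for serial, info in sorted(filter_events(SAMPLE_LOG).items()):
        print(serial, info)
```

Grouping on the serial rather than on the line is what makes this robust: the family lives in the SOCKADDR record, but the decision (and the data you want to keep) is about the whole event. On a kernel with the `saddr_fam` field the same selection moves into the rule, where it also avoids the cost of generating the discarded events in the first place; the exact `-F saddr_fam=...` value syntax accepted by your auditctl is not shown on this page, so check auditctl(8) for the version you run.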

pcmoore commented 7 years ago

> We need a way to tell the rule matching engine that we are only interested in tcp IPv4 or IPv6 connections.

I think this would be a good enhancement, but just to be clear, I think the filter should allow filtering on any address family, not just AF_INET and AF_INET6.

rgbriggs commented 5 years ago

Posted v1 upstream: https://www.redhat.com/archives/linux-audit/2019-April/msg00111.html

userspace v1 patch: https://www.redhat.com/archives/linux-audit/2019-April/msg00112.html

rgbriggs commented 5 years ago

Audit-testsuite test case: https://github.com/rgbriggs/audit-testsuite/pull/new/ghak64-saddr_fam

rgbriggs commented 5 years ago

Posted v2: https://www.redhat.com/archives/linux-audit/2019-May/msg00007.html

rgbriggs commented 5 years ago

Posted v3: https://www.redhat.com/archives/linux-audit/2019-May/msg00011.html

rgbriggs commented 5 years ago

Staged in audit/next: bf361231c295 ("audit: add saddr_fam filter field")

The-Mule commented 5 years ago

Audit-testsuite test case: https://github.com/rgbriggs/audit-testsuite/pull/new/ghak64-saddr_fam

Richard, I checked test and it needs a minor change - line 116 should be / saddr_fam=([a-z]+) /.

rgbriggs commented 5 years ago

On 2019-07-09 04:15, Ondrej Moris wrote:

> Audit-testsuite test case: https://github.com/rgbriggs/audit-testsuite/pull/new/ghak64-saddr_fam
>
> Richard, I checked test and it needs a minor change - line 116 should be / saddr_fam=([a-z]+) /.

Yup, good catch. Thanks.

rgbriggs commented 5 years ago

Merged for v5.3-rc1 in 61fc5771f5e729a2ce235af42f69c8506725e84a

rgbriggs commented 5 years ago

Please close. Upstream in Linux 5.3 4d856f72c10e