Closed stevegrubb closed 4 years ago
We need a way to tell the rule matching engine that we are only interested in tcp IPv4 or IPv6 connections.
I think this would be a good enhancement, but just to be clear, I think the filter should allow filtering on any address family, not just AF_INET and AF_INET6.
Posted v1 upstream: https://www.redhat.com/archives/linux-audit/2019-April/msg00111.html
userspace v1 patch: https://www.redhat.com/archives/linux-audit/2019-April/msg00112.html
Audit-testsuite test case: https://github.com/rgbriggs/audit-testsuite/pull/new/ghak64-saddr_fam
Staged in audit/next: bf361231c295 ("audit: add saddr_fam filter field")
> Audit-testsuite test case: https://github.com/rgbriggs/audit-testsuite/pull/new/ghak64-saddr_fam

Richard, I checked test and it needs a minor change - line 116 should be / saddr_fam=([a-z]+) /.
On 2019-07-09 04:15, Ondrej Moris wrote:
> > Audit-testsuite test case: https://github.com/rgbriggs/audit-testsuite/pull/new/ghak64-saddr_fam
>
> Richard, I checked test and it needs a minor change - line 116 should be / saddr_fam=([a-z]+) /.
Yup, good catch. Thanks.
Merged for v5.3-rc1 in 61fc5771f5e729a2ce235af42f69c8506725e84a
Please close. Upstream in Linux 5.3 4d856f72c10e
If you use the nice new audit by executable feature to look for network connections, what you will find is events being recorded for af_unix connections rather than IPv4 or IPv6 which is what was actually desired. For example:

-a always,exit -F arch=b64 -S connect,recvfrom -F auid>=1000 -F auid!=-1 -F exe=/usr/bin/bash -F key=network-test

You get a lot of this kind of event:

node=x2 type=PROCTITLE msg=audit(07/27/2017 12:18:27.019:845) : proctitle=bash
node=x2 type=PATH msg=audit(07/27/2017 12:18:27.019:845) : item=0 name=/var/run/nscd/socket nametype=UNKNOWN
node=x2 type=CWD msg=audit(07/27/2017 12:18:27.019:845) : cwd=/home/sgrubb
node=x2 type=SOCKADDR msg=audit(07/27/2017 12:18:27.019:845) : saddr={ fam=local path=/var/run/nscd/socket }
node=x2 type=SYSCALL msg=audit(07/27/2017 12:18:27.019:845) : arch=x86_64 syscall=connect success=no exit=ENOENT(No such file or directory) a0=0x3 a1=0x7fff229c4980 a2=0x6e a3=0x6 items=1 ppid=3301 pid=6145 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts3 ses=4 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=network-test

Which is not useful. We need a way to tell the rule matching engine that we are only interested in tcp IPv4 or IPv6 connections. There may be times when we want datagrams, but that creates a problem where we only really want one and not thousands.
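
An added example, not part of the original issue or the audit project's code: on a kernel without the saddr_fam rule field, the same narrowing can be done after the fact by correlating each event's SOCKADDR and SYSCALL records and keeping only the inet/inet6 ones. The sample log is constructed (event 845 is abridged from the issue, event 846 is invented for contrast), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in interpreted (ausearch -i style) form.
# Event 845 is abridged from the issue text; event 846 is invented.
SAMPLE = """\
node=x2 type=SOCKADDR msg=audit(07/27/2017 12:18:27.019:845) : saddr={ fam=local path=/var/run/nscd/socket }
node=x2 type=SYSCALL msg=audit(07/27/2017 12:18:27.019:845) : arch=x86_64 syscall=connect success=no exit=ENOENT(No such file or directory) exe=/usr/bin/bash key=network-test
node=x2 type=SOCKADDR msg=audit(07/27/2017 12:18:29.101:846) : saddr={ fam=inet laddr=192.0.2.10 lport=443 }
node=x2 type=SYSCALL msg=audit(07/27/2017 12:18:29.101:846) : arch=x86_64 syscall=connect success=yes exit=0 exe=/usr/bin/bash key=network-test
"""

# Record type, event id (timestamp:serial), and the record body.
RECORD = re.compile(r"type=(\w+) msg=audit\(([^)]*:\d+)\) : (.*)")
# Accepts the fam= spelling from the issue's log and the saddr_fam=
# spelling used by the test-suite regex quoted in the thread.
FAMILY = re.compile(r"saddr=\{ (?:saddr_)?fam=(\w+)")


def group_events(text):
    """Group records that share an audit event id (timestamp:serial)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            rtype, event_id, body = m.groups()
            events[event_id][rtype] = body
    return events


def network_events(text, wanted=("inet", "inet6")):
    """Return (event_id, family, syscall_body) for wanted address families."""
    hits = []
    for event_id, records in group_events(text).items():
        fam = FAMILY.search(records.get("SOCKADDR", ""))
        if fam and fam.group(1) in wanted and "SYSCALL" in records:
            hits.append((event_id, fam.group(1), records["SYSCALL"]))
    return hits


if __name__ == "__main__":
    for event_id, family, syscall in network_events(SAMPLE):
        print(event_id, family, syscall)
```

This only reduces noise at analysis time; the af_unix events are still generated and logged, which is the cost the kernel-side filter removes.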