Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RFE: provide a method to filter on network address family #93

Closed
rgbriggs opened this issue Apr 17, 2019 · 8 comments

Comments

@rgbriggs
Copy link
Member

commented Apr 17, 2019

Provide a method to filter on network address family.

Existing SOCKADDR records are listed for any network activity. It would be helpful to be able to classify or limit records to specific network address families, such as AF_INET or AF_INET6.

An example of a network record that is unlikely to be useful and flood the logs:

type=SOCKADDR msg=audit(07/27/2017 12:18:27.019:845) : saddr={ fam=local path=/var/run/nscd/socket }
type=SYSCALL msg=audit(07/27/2017 12:18:27.019:845) : arch=x86_64 syscall=connect success=no exit=ENOENT(No such file or directory) a0=0x3 a1=0x7fff229c4980 a2=0x6e a3=0x6 items=1 ppid=3301 pid=6145 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts3 ses=4 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=network-test

Propose the filter field selector "AUDIT_SADDR_FAM" and command line parameter name "saddr_fam".

See kernel support: linux-audit/audit-kernel#64

@stevegrubb

This comment has been minimized.

Copy link
Member

commented Apr 18, 2019

I would expect that the user space side would be to add a new field to a rule, perhaps domain, which would take the exact number for the address family and pass that to the kernel. Then on the kernel side, if the syscall is associated with an address family and matches the domain in the rule, it would trigger the event. For example, a connect or bind syscall could be matched on. But a read, write, open would not because no address family is associated as an argument.

@rgbriggs

This comment has been minimized.

Copy link
Member Author

commented Apr 18, 2019

@stevegrubb

This comment has been minimized.

Copy link
Member

commented Apr 18, 2019

I think when we run ausearch -i, it will decode the SADDR record and output the family. The rule field name should match what ausearch output field name so that we can say you asked for x and x is in the report. And that would be great if the kernel side is done.

@rgbriggs

This comment has been minimized.

Copy link
Member Author

commented Apr 18, 2019

@rgbriggs

This comment has been minimized.

Copy link
Member Author

commented Apr 26, 2019

@stevegrubb

This comment has been minimized.

Copy link
Member

commented May 5, 2019

Ok, I understand the desire/need to have the field name match the field name macro and command line option, however, it is currently called "fam" within the explicit scope/subcontext of an "saddr" field, which I think is a bit too terse for a auditctl or ausearch command line option or field name macro. "netfam" is what I had chosen, but maybe something like "saddr_fam" (and AUDIT_SADDR_FAM) would be more appropriate.

Yeah, that last one seems logical. I'll sync user space to it.

Will there be any interest or need to also filter on or search on address or port number? (saddr_laddr/AUDIT_SADDR_LADDR, saddr_lport/AUDIT_SADDR_LPORT)

Yes, that would be nice. However, there are lots of address families and variations in addr/port. So, I'd suggest moving forward with it as is. And let's come back to address and ports another day.

@rgbriggs

This comment has been minimized.

Copy link
Member Author

commented May 6, 2019

pcmoore added a commit to linux-audit/audit-kernel that referenced this issue May 24, 2019
Provide a method to filter out sockaddr and bind calls by network
address family.

Existing SOCKADDR records are listed for any network activity.
Implement the AUDIT_SADDR_FAM field selector to be able to classify or
limit records to specific network address families, such as AF_INET or
AF_INET6.

An example of a network record that is unlikely to be useful and flood
the logs:

type=SOCKADDR msg=audit(07/27/2017 12:18:27.019:845) : saddr={ fam=local
path=/var/run/nscd/socket }
type=SYSCALL msg=audit(07/27/2017 12:18:27.019:845) : arch=x86_64
syscall=connect success=no exit=ENOENT(No such file or directory) a0=0x3
a1=0x7fff229c4980 a2=0x6e a3=0x6 items=1 ppid=3301 pid=6145 auid=sgrubb
uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb
sgid=sgrubb fsgid=sgrubb tty=pts3 ses=4 comm=bash exe=/usr/bin/bash
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=network-test

Please see the audit-testsuite PR at
linux-audit/audit-testsuite#87
Please see the github issue
#64
Please see the github issue for the accompanying userspace support
linux-audit/audit-userspace#93

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: merge fuzz in auditfilter.c]
Signed-off-by: Paul Moore <paul@paul-moore.com>
stevegrubb added a commit that referenced this issue May 31, 2019
Provide a method to filter on network address family.

This adds support for the kernel filter for sockaddr family,
AUDIT_SADDR_FAM, adding the command line option "saddr_fam" to auditctl.

See: linux-audit/audit-kernel#64
See: #93

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
@stevegrubb

This comment has been minimized.

Copy link
Member

commented May 31, 2019

commit fef4978

@stevegrubb stevegrubb closed this May 31, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.