Can't exclude TCP connections from being audited #409

Open
shark0x00 opened this issue Oct 15, 2024 · 1 comment

Comments

@shark0x00

I am running Proxmox PVE (7.4-19) (Debian 11) to host services like SMTP on internal LXC containers. On my Proxmox hypervisor I am running auditd (1:3.0-2) with a custom set of rules to monitor IPv4 and IPv6 connections. As I do not want to monitor all IPv4 or IPv6 connections, especially not connections from and to the internally hosted LXC containers, my goal is to exclude (for example) the ICINGA2 binaries from being monitored:

Proxmox Host Configuration (audit.rules):
-a never,exit -F arch=b64 -F exe=/usr/lib/nagios/plugins/check_smtp -S connect
...
-a always,exit -F arch=b64 -S connect -F a2=16 -k connection
-a always,exit -F arch=b64 -S connect -F a2=28 -k connection

This filter usually works, but not with LXC containers. As soon as a network connection is received from or sent to the container, an auditd event is triggered. Therefore I am not able to filter these kinds of events via the host system.

Here you can see one log entry that shows the filter isn't working like expected:
Oct 15 15:41:27 host001 audispd[1519383]: type=SYSCALL msg=audit(1728999687.183:522673): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=55b9b0a14390 a2=10 a3=14e49c062ae0 items=0 ppid=3802 pid=1710963 auid=4294967295 uid=100108 gid=100116 euid=100108 suid=100108 fsuid=100108 egid=100116 sgid=100116 fsgid=100116 tty=(none) ses=4294967295 comm="check_smtp" exe="/usr/lib/nagios/plugins/check_smtp" subj=lxc-104_</var/lib/lxc>//&:lxc-104_<-var-lib-lxc>:unconfined key="connection" ARCH=x86_64 SYSCALL=connect AUID="unset" UID="unknown(100108)" GID="unknown(100116)" EUID="unknown(100108)" SUID="unknown(100108)" FSUID="unknown(100108)" EGID="unknown(100116)" SGID="unknown(100116)" FSGID="unknown(100116)"

Maybe this issue is related to: #227

Thanks in advance!

@stevegrubb (Contributor)

It might be related, except for network namespaces. There is also the saddr_fam option which can help select/limit what is audited. Normally, when you want to audit networking events, you would use the audit target in the netfilter rules.

-I INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j AUDIT --type accept
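Editor's note on the two comments above, with an added example that is not code from the issue author or from the linux-audit project. The kernel's exe= filter compares the device and inode of the running process's executable with those of the path given when the rule was loaded on the host, so the copy of check_smtp inside the container's rootfs is a different file and the `-a never ... -F exe=` rule cannot match it (this explanation is the editor's, not from the thread). Short of the saddr_fam or netfilter AUDIT approaches suggested above, the remaining option is a userspace post-filter. The script below parses SYSCALL records of the shape shown in the issue, decodes a2 (printed in hex) into the address family the reporter's `a2=16` / `a2=28` rules select on, tags each event with the LXC container id taken from the subj= label, and drops the excluded executable wherever it ran. The first sample record is the one from the issue; the other two records, the uid layout and the EXCLUDED_EXE list are constructed assumptions for this example.

```python
"""Userspace post-filter for auditd connect() records from host and LXC containers.

Added example by the editor; not code from the issue author or the linux-audit
project. It does in userspace what the reporter's kernel rule could not: drop
connect() events from an excluded executable even when the process runs inside
an LXC container, and tag every remaining event with the container it came from
(taken from the subj= AppArmor label, e.g. "lxc-104_...").
"""
import re
from dataclasses import dataclass
from typing import Optional

# Audit records are space-separated key=value pairs; values may be double-quoted.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Syscall arguments a0..a3 are printed in hex. For connect(), a2 is the sockaddr
# length: 16 bytes for sockaddr_in (AF_INET), 28 for sockaddr_in6 (AF_INET6),
# which is what the reporter's "-F a2=16" / "-F a2=28" rules select on.
SOCKADDR_LEN_FAMILY = {16: "inet", 28: "inet6"}

# x86_64 syscall number for connect(); the issue's record shows syscall=42.
X86_64_CONNECT = 42

# Executables to drop, by the path recorded in exe=. Assumption: mirrors the
# reporter's "-a never ... -F exe=" rule. This is a string match, not the
# device+inode match the kernel performs, so see the caveat in the note below.
EXCLUDED_EXE = frozenset({"/usr/lib/nagios/plugins/check_smtp"})


@dataclass(frozen=True)
class ConnectEvent:
    pid: int
    uid: int
    exe: str
    comm: str
    family: str               # "inet", "inet6" or "other"
    container: Optional[str]  # LXC container id from subj=, None for a host process
    key: Optional[str]


def parse_record(line: str) -> dict:
    """Split one audit record into a dict of fields, stripping value quotes."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def container_id(subj: str) -> Optional[str]:
    """Return the container id from an LXC AppArmor label such as
    'lxc-104_</var/lib/lxc>//&:...'; host processes carry another label."""
    m = re.match(r"lxc-([^_\s]+)_", subj)
    return m.group(1) if m else None


def parse_connect(line: str) -> Optional[ConnectEvent]:
    """Return a ConnectEvent for a SYSCALL record of connect(), else None."""
    f = parse_record(line)
    if f.get("type") != "SYSCALL":
        return None
    # Prefer the enriched SYSCALL=connect name; fall back to the raw number.
    if f.get("SYSCALL") != "connect" and int(f.get("syscall", "-1")) != X86_64_CONNECT:
        return None
    addrlen = int(f.get("a2", "0"), 16)
    return ConnectEvent(
        pid=int(f["pid"]),
        uid=int(f["uid"]),
        exe=f.get("exe", ""),
        comm=f.get("comm", ""),
        family=SOCKADDR_LEN_FAMILY.get(addrlen, "other"),
        container=container_id(f.get("subj", "")),
        key=f.get("key"),
    )


def should_report(ev: ConnectEvent) -> bool:
    """Reporter's intent: keep IPv4/IPv6 connect() events, drop the excluded
    monitoring binaries wherever they run (host or container)."""
    if ev.family == "other":
        return False
    return ev.exe not in EXCLUDED_EXE


def filter_log(lines) -> list:
    """Parse a batch of audit records and keep only those worth reporting."""
    events = (parse_connect(line) for line in lines)
    return [ev for ev in events if ev is not None and should_report(ev)]


# Sample input: the first record is the one quoted in the issue; the other two
# are constructed for this example (a host ssh connect, a container python3).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1728999687.183:522673): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=55b9b0a14390 a2=10 a3=14e49c062ae0 items=0 ppid=3802 pid=1710963 auid=4294967295 uid=100108 gid=100116 euid=100108 suid=100108 fsuid=100108 egid=100116 sgid=100116 fsgid=100116 tty=(none) ses=4294967295 comm="check_smtp" exe="/usr/lib/nagios/plugins/check_smtp" subj=lxc-104_</var/lib/lxc>//&:lxc-104_<-var-lib-lxc>:unconfined key="connection" ARCH=x86_64 SYSCALL=connect AUID="unset" UID="unknown(100108)"',
    'type=SYSCALL msg=audit(1728999700.001:522700): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd1000 a2=1c a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=7 comm="ssh" exe="/usr/bin/ssh" subj=unconfined key="connection" ARCH=x86_64 SYSCALL=connect',
    'type=SYSCALL msg=audit(1728999701.002:522701): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd2000 a2=10 a3=0 items=0 ppid=1 pid=4300 auid=4294967295 uid=100033 gid=100033 euid=100033 suid=100033 fsuid=100033 egid=100033 sgid=100033 fsgid=100033 tty=(none) ses=4294967295 comm="python3" exe="/usr/bin/python3.9" subj=lxc-104_</var/lib/lxc>//&:lxc-104_<-var-lib-lxc>:unconfined key="connection" ARCH=x86_64 SYSCALL=connect',
]

if __name__ == "__main__":
    for ev in filter_log(SAMPLE_LOG):
        origin = f"container {ev.container}" if ev.container else "host"
        print(f"{origin}: pid={ev.pid} uid={ev.uid} {ev.family} {ev.exe}")
```

Caveat on the exclusion: because this matches the exe= path as a string, anyone who can write inside a container can name a binary `/usr/lib/nagios/plugins/check_smtp` and have its connections dropped from the report, which is exactly the evasion the kernel's device+inode comparison prevents. If the post-filter is used in production, restrict the exclusion to the container ids (or the mapped uid ranges) where the monitoring plugin is legitimately installed, and prefer the saddr_fam rule field or the netfilter AUDIT target from the reply above where they fit.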
