Perhaps this is of use. My goal was to restrict audit logs to outbound
connections only to reduce the amount of logs.
# Outbound connections could indicate exfiltration of data (connect vs accept)
# Log 64 bit processes. a2 of connect(2) is addrlen; 110 (0x6e) is
# sizeof(struct sockaddr_un), so a2!=110 filters local unix socket calls
-a exit,always -F arch=b64 -S connect -F a2!=110 -k network_outbound64
# Log 32 bit processes (a0=3 is SYS_CONNECT, so only outbound sys_connect calls)
-a exit,always -F arch=b32 -S socketcall -F a0=3 -k network_outbound32
-Farhan
PS: I'd appreciate if someone could poke holes in this.
On Wed, Jan 20, 2016 at 10:29 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Wednesday, January 20, 2016 10:18:29 AM Steve Grubb wrote:
> > I work on an audisp plugin which audits network traffic – what process
> > has send/received data to/from what remote address. So far I see 2 ways
> > of accomplishing that:
> >
> > Hook syscalls. First, hook socket call with af_inet/inet6 to get pid and
> > fd, then read/write/sendto/recvfrom filtered by pid and fd
One other thing, read and write will tell you that a read or write happened.
It does not record what was read or written. If you need that, you will have
to sniff network traffic. Audit won't be able to help much.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit