Auditing network traffic

Steve Grubb sgrubb at redhat.com
Wed Jan 20 15:18:29 UTC 2016


On Wednesday, January 20, 2016 04:26:34 PM Lev Stipakov wrote:
> Hello,
> 
> I work on an audisp plugin which audits network traffic – what process
> has sent/received data to/from what remote address. So far I see 2 ways
> of accomplishing that:
> 
> Hook syscalls. First, hook socket call with af_inet/inet6 to get pid and
> fd, then read/write/sendto/recvfrom filtered by pid and fd. I see few
> issues with this approach:
> 
> 1) Fd can be closed or duped, so I should probably hook close/dup2 calls
> too.

It can also be passed to another process by sendmsg. The process can
fork/clone changing the pid and then the child accesses the descriptor. It can
also call sendfile and there are more writing/reading syscalls.


> Not sure, though, if socket could be closed by kernel without any
> syscall.

exit_group

> As a workaround, one can just hook read/write and check if fd is
> socket (S_ISSOCK) and also somehow filter out af_unix.

What if it's mmap'ed?


> 2) Getting saddr/daddr. Seems that dest addr could be obtained from
> connect call. However I am not sure what is the right way to get that -
> I got two records, first SYSCALL and then SOCKADDR. First one has an
> argument which points to memory location where sockaddr structure lays,
> and second one has "saddr" field. Latter looks good, but does SOCKADDR
> event type always follow SYSCALL for connect call? Same for sendto call.

Yes.
> Another way of getting network stats is the AUDIT target for netfilter.
> Looks good, no need to worry about fds/addrs. However there is no pid.

I am thinking that would be a good addition. However, there are times when
there really is no pid. For example, it could be masquerading or doing SNAT.


> What would be the "best" way to get pid for those records? Anything else
> besides looking into /proc/net/tcp?

That might be the best workaround right now. But adding the pid sounds
reasonable to me. This way it can be correlated to other system activity. I'd
have to ask Paul or Richard to comment on feasibility.

-Steve
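As an added example that is not part of this thread or of any audisp plugin: the correlation Steve confirms above, done in Python over raw audit records. Each SYSCALL record is paired with the SOCKADDR record carrying the same event serial, the hex saddr is decoded, and AF_UNIX peers are dropped. The log lines are constructed, and the syscall numbers and little-endian sa_family assume x86_64.

```python
import re
import socket
import struct
from collections import defaultdict

AF_INET, AF_INET6 = 2, 10                       # Linux values; sa_family is in host byte order
SYSCALL_NAMES = {42: "connect", 44: "sendto"}   # x86_64 (arch=c000003e) numbers only
REC_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)")

# Constructed sample records in raw audit log format: a connect() to an IPv4 peer, a sendto()
# to an IPv6 peer, and a connect() to an AF_UNIX socket that must be filtered out.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1453306000.123:456): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1c3e0a60 a2=10 a3=0 pid=1234 comm="curl" exe="/usr/bin/curl"
type=SOCKADDR msg=audit(1453306000.123:456): saddr=02000050C0A801010000000000000000
type=SYSCALL msg=audit(1453306000.124:457): arch=c000003e syscall=44 success=yes exit=64 a0=4 a1=55d0 a2=40 a3=0 pid=1234 comm="curl" exe="/usr/bin/curl"
type=SOCKADDR msg=audit(1453306000.124:457): saddr=0A0001BB0000000020010DB800000000000000000000000100000000
type=SYSCALL msg=audit(1453306000.125:458): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=55d0 a2=6e a3=0 pid=777 comm="nscd" exe="/usr/sbin/nscd"
type=SOCKADDR msg=audit(1453306000.125:458): saddr=01002F72756E2F6E7363642F736F636B657400
"""

def parse_fields(body):
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}

def decode_saddr(hex_saddr):
    """Return (address, port) for an AF_INET/AF_INET6 saddr, None for any other family."""
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack("<H", raw[:2])[0]
    if family == AF_INET and len(raw) >= 8:          # sockaddr_in: port(2) addr(4)
        return socket.inet_ntop(socket.AF_INET, raw[4:8]), struct.unpack("!H", raw[2:4])[0]
    if family == AF_INET6 and len(raw) >= 24:        # sockaddr_in6: port(2) flowinfo(4) addr(16)
        return socket.inet_ntop(socket.AF_INET6, raw[8:24]), struct.unpack("!H", raw[2:4])[0]
    return None

def correlate(log_text):
    """Group records by event serial and emit (pid, comm, syscall, peer address, peer port)."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = REC_RE.match(line)
        if m:
            events[m.group(3)][m.group(1)] = parse_fields(m.group(4))
    out = []
    for recs in events.values():
        sc, sa = recs.get("SYSCALL"), recs.get("SOCKADDR")
        if not sc or not sa or sc.get("arch") != "c000003e":
            continue
        peer, name = decode_saddr(sa["saddr"]), SYSCALL_NAMES.get(int(sc["syscall"]))
        if peer and name:
            out.append((int(sc["pid"]), sc["comm"], name, peer[0], peer[1]))
    return out

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print("pid=%d comm=%s %s -> %s:%d" % row)
```

As the thread notes, this covers only the syscalls that carry a SOCKADDR record; traffic over descriptors inherited across fork, passed via sendmsg, or written through sendfile or mmap needs additional rules.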




More information about the Linux-audit mailing list