Auditing network traffic

F Rafi farhanible at gmail.com
Wed Jan 20 18:05:45 UTC 2016


Perhaps this is of use. My goal was to restrict audit logs to outbound
connections only to reduce the amount of logs.

# Outbound connections could indicate exfiltration of data (connect vs accept)
# Log 64 bit processes (a2!=6e filters local unix socket calls)

-a exit,always -F arch=b64 -S connect -F a2!=110 -k network_outbound64

# Log 32 bit processes (a0=3 means only outbound sys_connect calls)

-a exit,always -F arch=b32 -S socketcall -F a0=3 -k network_outbound32


-Farhan

PS: I'd appreciate if someone could poke holes in this.

On Wed, Jan 20, 2016 at 10:29 AM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Wednesday, January 20, 2016 10:18:29 AM Steve Grubb wrote:
> > > I work on an audisp plugin which audits network traffic – what process
> > > has send/received data to/from what remote address. So far I see 2 ways
> > > of accomplishing that:
> > >
> > > Hook syscalls. First, hook socket call with af_inet/inet6 to get pid and
> > > fd, then read/write/sendto/recvfrom filtered by pid and fd
>
> One other thing, read and write will tell you that a read or write happened.
> It does not record what was read or written. If you need that, you will have
> to sniff network traffic. Audit won't be able to help much.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
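As an added example (not code from Farhan, Steve or the audit project), the script below parses the records that the two rules above produce and correlates each SYSCALL line with its SOCKADDR line by audit serial number. It shows two things the rules alone do not: that a0..a3 are printed in hex in audit.log (so a unix-socket connect shows `a2=6e`) while `auditctl -F a2!=110` takes the same value in decimal, and that decoding `saddr` gives the real address family, which is a more reliable way to separate local unix sockets from remote connections than the addrlen heuristic. The log lines are constructed for this example as if the `-F a2!=110` term were absent, so the unix-socket event is present and the script reports whether the heuristic would have dropped it.

```python
import re
import socket
import struct
from collections import defaultdict

# Constructed sample audit.log excerpt (not real captured data). Each SYSCALL
# record is followed by the SOCKADDR record that shares its serial number.
# The unix-socket saddr is truncated to its meaningful bytes for readability;
# the kernel records the first addrlen bytes of whatever the caller passed.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1453312345.101:201): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1c2e3f40 a2=10 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="curl" exe="/usr/bin/curl" key="network_outbound64"
type=SOCKADDR msg=audit(1453312345.101:201): saddr=02000050C0A800010000000000000000
type=SYSCALL msg=audit(1453312345.202:202): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd1c2e3f40 a2=6e a3=0 items=0 ppid=1 pid=4243 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="systemctl" exe="/usr/bin/systemctl" key="network_outbound64"
type=SOCKADDR msg=audit(1453312345.202:202): saddr=01002F72756E2F646275732F73797374656D5F6275735F736F636B657400
type=SYSCALL msg=audit(1453312345.303:203): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=ffd1c2e0 a2=0 a3=0 items=0 ppid=1 pid=4244 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="nc" exe="/usr/bin/nc" key="network_outbound32"
type=SOCKADDR msg=audit(1453312345.303:203): saddr=0A0001BB0000000020010DB800000000000000000000000100000000
"""

ARCH_X86_64, ARCH_I386 = "c000003e", "40000003"
NR_CONNECT_X86_64 = 42     # __NR_connect on x86_64 (the b64 rule's -S connect)
NR_SOCKETCALL_I386 = 102   # __NR_socketcall on i386 (the b32 rule's -S socketcall)
SYS_CONNECT = 3            # socketcall() call number for connect (the b32 rule's a0=3)
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10
SOCKADDR_UN_LEN = 110      # sizeof(struct sockaddr_un): 110 decimal in auditctl, 6e in the log

HDR_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into its type, timestamp, serial and key=value fields."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"type": rtype, "ts": ts, "serial": int(serial), **fields}


def decode_saddr(hexstr):
    """Decode the hex-encoded struct sockaddr from a SOCKADDR record."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", raw, 0)[0]   # sa_family_t, host order (x86 is little-endian)
    if family == AF_INET and len(raw) >= 8:
        port = struct.unpack_from("!H", raw, 2)[0]  # sin_port is network order
        return {"family": "AF_INET", "dest": f"{socket.inet_ntop(socket.AF_INET, raw[4:8])}:{port}"}
    if family == AF_INET6 and len(raw) >= 24:
        port = struct.unpack_from("!H", raw, 2)[0]
        return {"family": "AF_INET6", "dest": f"[{socket.inet_ntop(socket.AF_INET6, raw[8:24])}]:{port}"}
    if family == AF_UNIX:
        path = raw[2:].split(b"\0", 1)[0].decode(errors="replace")
        return {"family": "AF_UNIX", "dest": path}
    return {"family": f"AF_{family}", "dest": ""}


def is_connect(rec):
    """True for the syscall shapes the two rules match: 64-bit connect, or 32-bit socketcall(SYS_CONNECT)."""
    arch, nr = rec.get("arch"), int(rec.get("syscall", "0"))
    if arch == ARCH_X86_64 and nr == NR_CONNECT_X86_64:
        return True
    if arch == ARCH_I386 and nr == NR_SOCKETCALL_I386 and int(rec.get("a0", "0"), 16) == SYS_CONNECT:
        return True
    return False


def extract_outbound_connections(log_text):
    """Correlate SYSCALL and SOCKADDR records by serial and return one event per connect()."""
    by_serial = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]][rec["type"]] = rec
    events = []
    for serial in sorted(by_serial):
        sc, sa = by_serial[serial].get("SYSCALL"), by_serial[serial].get("SOCKADDR")
        if not sc or not sa or not is_connect(sc):
            continue
        addrlen = int(sc.get("a2", "0"), 16)   # log prints args in hex
        ev = {"serial": serial, "pid": int(sc["pid"]), "comm": sc.get("comm"), "exe": sc.get("exe"),
              "key": sc.get("key"), "addrlen": addrlen,
              # Only the b64 rule carries the a2 heuristic; socketcall's a2 is not an addrlen.
              "dropped_by_a2_filter": sc.get("arch") == ARCH_X86_64 and addrlen == SOCKADDR_UN_LEN}
        ev.update(decode_saddr(sa["saddr"]))
        events.append(ev)
    return events


def remote_only(events):
    """Keep connects whose decoded family is IPv4/IPv6, i.e. real outbound traffic."""
    return [e for e in events if e["family"] in ("AF_INET", "AF_INET6")]


if __name__ == "__main__":
    for e in extract_outbound_connections(SAMPLE_LOG):
        flag = " (a2 heuristic would drop this)" if e["dropped_by_a2_filter"] else ""
        print(f"{e['key']}: pid={e['pid']} {e['comm']} -> {e['family']} {e['dest']}{flag}")
```

Reading the output side by side with the rules shows why the a2 check is only an approximation: a caller that passes SUN_LEN rather than sizeof(struct sockaddr_un) to connect() slips past `a2!=110`, and a non-unix connect that happens to use a 110-byte address would be dropped, whereas the SOCKADDR family is exact. The parser also has to treat the b32 rule differently, because with socketcall the real arguments live in memory pointed to by a1 and a2 carries nothing useful.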