Auditing network traffic

Peter Moody peter at hda3.com
Thu Jan 21 05:19:05 UTC 2016


I actually did a bunch of work for this at a previous job. It was
supposed to be open-sourced, but then I switched jobs and the new
internal maintainer never got around to opening it up :(

My short answer is that audit is probably the wrong tool for this,
especially for machines pushing a large amount of traffic.

The longer answer is that you can do it if you hook the discrete
events in the kernel and then correlate them later in your pipeline.
IIRC, the events you need are:

 * fork/exec/exit to correlate pid with proc information (exe, argv)
 * socket open/close & sock_sendmsg/sock_recvmsg to correlate socket
   to pid (I think you might be able to get away without hooking socket
   open/close and just hook sendmsg/recvmsg)
 * netfilter to correlate saddr/daddr + packet contents with sockets.

The Linux Sensor module (https://github.com/HoneProject/Linux-Sensor)
did most of this, but there were a bunch of issues that made it
unsuitable for enterprise use (funding dried up, so the folks at PNNL
who had done all of the heavy lifting weren't able to finish). The
internal fork fixed these issues but, like I said, I left before I got
a chance to upstream the fixes.

You could also look at the sysdig module for this.

Cheers,
peter

On Wed, Jan 20, 2016 at 6:26 AM, Lev Stipakov <lstipakov at gmail.com> wrote:
> Hello,
>
> I work on an audisp plugin which audits network traffic – what process has
> sent/received data to/from what remote address. So far I see 2 ways of
> accomplishing that:
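The three event classes listed in the reply above (fork/exec/exit, sendmsg/recvmsg, netfilter) only become useful once a pipeline joins them. The following is an added illustration, not code from the thread, the Linux Sensor module or sysdig: an offline correlator over a constructed, already-decoded event stream. Event field names (`type`, `ts`, `pid`, `sock`, `saddr`, `daddr`, `dport`, `len`) are assumptions chosen for the example, not the format any kernel module emits. It also shows the two failure modes a defender has to handle when attributing traffic this way: a pid that is reused after exit, and a netfilter hit on a socket whose owner was never observed.

```python
"""Correlate process, socket and packet events into per-process flows.

Added example: the event layout is constructed for illustration and is not
the output format of audit, Linux-Sensor or sysdig.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    exe: str
    argv: List[str]


@dataclass
class Flow:
    pid: Optional[int]          # None when the packet could not be attributed
    exe: Optional[str]
    argv: Optional[List[str]]
    saddr: str
    daddr: str
    dport: int
    nbytes: int


def correlate(events: List[dict]) -> List[Flow]:
    """Replay events in timestamp order and join netfilter hits to processes.

    exec/exit maintain pid -> Proc, sendmsg/recvmsg maintain socket -> pid
    (no socket open/close hook needed, as the reply suggests), and each
    netfilter event is resolved socket -> pid -> Proc at the time it arrives.
    """
    procs: Dict[int, Proc] = {}
    sock_owner: Dict[int, int] = {}
    flows: List[Flow] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "exec":
            procs[ev["pid"]] = Proc(ev["pid"], ev["exe"], list(ev["argv"]))
        elif kind == "exit":
            procs.pop(ev["pid"], None)
            # Forget sockets owned by the exiting pid; otherwise a later
            # process that reuses the pid would be blamed for stale traffic.
            for sock in [s for s, p in sock_owner.items() if p == ev["pid"]]:
                del sock_owner[sock]
        elif kind in ("sendmsg", "recvmsg"):
            sock_owner[ev["sock"]] = ev["pid"]
        elif kind == "netfilter":
            pid = sock_owner.get(ev["sock"])
            proc = procs.get(pid) if pid is not None else None
            flows.append(Flow(
                pid=pid,
                exe=proc.exe if proc else None,
                argv=proc.argv if proc else None,
                saddr=ev["saddr"], daddr=ev["daddr"],
                dport=ev["dport"], nbytes=ev["len"],
            ))
    return flows


def summarize(flows: List[Flow]) -> Dict[Tuple[str, str, int], int]:
    """Total bytes per (exe, daddr, dport); unattributed traffic is kept
    visible under its own key rather than silently dropped."""
    totals: Dict[Tuple[str, str, int], int] = {}
    for f in flows:
        key = (f.exe or "<unattributed>", f.daddr, f.dport)
        totals[key] = totals.get(key, 0) + f.nbytes
    return totals


# Constructed sample stream: curl talks to a remote host, exits, and its
# pid is reused by sshd; two packets then arrive that must NOT be blamed
# on either process.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "exec", "pid": 1200, "exe": "/usr/bin/curl",
     "argv": ["curl", "https://example.test/"]},
    {"ts": 2, "type": "sendmsg", "pid": 1200, "sock": 77},
    {"ts": 3, "type": "netfilter", "sock": 77, "saddr": "10.0.0.5",
     "daddr": "203.0.113.10", "dport": 443, "len": 1500},
    {"ts": 4, "type": "recvmsg", "pid": 1200, "sock": 77},
    {"ts": 5, "type": "netfilter", "sock": 77, "saddr": "203.0.113.10",
     "daddr": "10.0.0.5", "dport": 51522, "len": 900},
    {"ts": 6, "type": "exit", "pid": 1200},
    {"ts": 7, "type": "exec", "pid": 1200, "exe": "/usr/sbin/sshd",
     "argv": ["sshd", "-D"]},
    # stale socket id after the owner exited: must be unattributed
    {"ts": 8, "type": "netfilter", "sock": 77, "saddr": "10.0.0.5",
     "daddr": "203.0.113.10", "dport": 443, "len": 200},
    # socket never seen in any sendmsg/recvmsg: must be unattributed
    {"ts": 9, "type": "netfilter", "sock": 99, "saddr": "10.0.0.5",
     "daddr": "198.51.100.7", "dport": 25, "len": 50},
]

if __name__ == "__main__":
    for key, total in summarize(correlate(SAMPLE_EVENTS)).items():
        print(f"{key[0]:>16} -> {key[1]}:{key[2]} {total} bytes")
```

The unattributed bucket is the important one operationally: on a busy host the join between netfilter and sendmsg/recvmsg will miss events (dropped records, ordering skew between hooks), and a pipeline that quietly discards those packets makes the per-process view look more complete than it is.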

More information about the Linux-audit mailing list