some questions about Linux audit
Steve Grubb
sgrubb at redhat.com
Fri Jun 9 02:23:26 UTC 2017
Hello,
On Thursday, June 8, 2017 9:46:48 PM EDT 358123097 wrote:
> Dear Sir/Madam,
>
> Hello, I‘am a Chinese student, now I studying Linux audit and having some
> problems. I want to collect some information from network,such as the
> accessor’s IP and port. I defined a audit rule in machine A as follow, then
> I used “ping” and “vsftpd” programs to test audit. For example, I run "ping
> A" in another machine, I can't collect any information in A's audit log. In
> addition, I run "ssh A" , then I get some incomprehensible records that
> display in the picture below(eg saddr=inet6 host:::1 serv:45983 and
> saddr=inet6 host:::ffff:127.0.0.1 serv:41573).
> -a always,exit -F arch=b64 -S connect -S getsockname -S getpeername
I am not sure of your intent (inbound vs outbound info). If you want to
collect inbound information, you need to monitor syscalls for inbound events
such as accept, accept4, recv, recvfrom. Ping uses ICMP packets and is not
likely to show up in normal syscalls. You might find them by placing audit
rules in the iptables rules.
-Steve
More information about the Linux-audit
mailing list