From: Steve Grubb <sgrubb@redhat.com>
To: F Rafi <farhanible@gmail.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: Auditing network traffic
Date: Wed, 20 Jan 2016 13:30:11 -0500
Message-ID: <3102468.QIbiTVrbEb@x2>
In-Reply-To: <CABXp1cuXBeKcGaeYcSiZeKc9AwXwcNZSNLqL3G8d2wrAjhm1NA@mail.gmail.com>
On Wednesday, January 20, 2016 01:05:45 PM F Rafi wrote:
> Perhaps this is of use. My goal was to restrict audit logs to outbound
> connections only to reduce the amount of logs.
>
> # Outbound connections could indicate exfiltration of data (connect vs accept)
> # Log 64 bit processes (a2!=6e filters local unix socket calls)
>
> -a exit,always -F arch=b64 -S connect -F a2!=110 -k network_outbound64
This is good for TCP connections. There's always UDP where you would need
sendto and sendmsg. Imagine someone exfiltrating on what seems to be DNS lookup
requests.
The IPTables AUDIT target is what is really meant to audit information flow in
or out of the system. I think this is the first discussion on the mail list
where someone might be trying to use it. I'm hoping this leads to making it
better.
-Steve
> # Log 32 bit processes (a0=3 means only outbound sys_connect calls)
>
> -a exit,always -F arch=b32 -S socketcall -F a0=3 -k network_outbound32
>
>
> -Farhan
>
> PS: I'd appreciate if someone could poke holes in this.
>
> On Wed, Jan 20, 2016 at 10:29 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Wednesday, January 20, 2016 10:18:29 AM Steve Grubb wrote:
> > > > I work on an audisp plugin which audits network traffic – what process
> > > > has sent/received data to/from what remote address. So far I see 2 ways
> > > > of accomplishing that:
> > > >
> > > > Hook syscalls. First, hook socket call with af_inet/inet6 to get pid and
> > > > fd, then read/write/sendto/recvfrom filtered by pid and fd
> >
> > One other thing, read and write will tell you that a read or write happened.
> > It does not record what was read or written. If you need that, you will have
> > to sniff network traffic. Audit won't be able to help much.
> >
> > -Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
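An added example, not code from this thread or from the audit project: a small Python parser that groups audit.log SYSCALL and SOCKADDR records by event serial, decodes the saddr blob, and reports outbound IP connect, sendto and sendmsg calls, so the UDP case Steve raises is caught alongside TCP connects. It assumes rules like Farhan's b64 rule extended with `-S sendto -S sendmsg`, uses the standard x86_64 syscall numbers and sockaddr layouts, and the log lines below are constructed.

```python
import ipaddress
import re

OUTBOUND_SYSCALLS = {42: "connect", 44: "sendto", 46: "sendmsg"}  # x86_64 (arch=c000003e)
AF_INET, AF_INET6 = 2, 10
# Constructed audit.log lines (not a real capture): TCP connect :80, UDP sendto :53, AF_UNIX connect.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1453314611.123:4567): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1c2e0a10 a2=10 a3=0 items=0 ppid=1 pid=1234 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="network_outbound64"
type=SOCKADDR msg=audit(1453314611.123:4567): saddr=02000050C0A80001
type=SYSCALL msg=audit(1453314612.456:4568): arch=c000003e syscall=44 success=yes exit=40 a0=4 a1=55d0c8a0 a2=28 a3=0 items=0 ppid=1 pid=2345 auid=1000 uid=1000 comm="dnsclient" exe="/usr/bin/dnsclient" key="network_outbound64"
type=SOCKADDR msg=audit(1453314612.456:4568): saddr=02000035C0A80001
type=SYSCALL msg=audit(1453314613.789:4569): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd1c2e0b20 a2=6e a3=0 items=0 ppid=1 pid=3456 auid=1000 uid=1000 comm="dbus-send" exe="/usr/bin/dbus-send" key="network_outbound64"
type=SOCKADDR msg=audit(1453314613.789:4569): saddr=01002F72756E2F6275732F73797300
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEADER_RE = re.compile(r'type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)')

def parse_records(text):
    """Group records by event serial: {serial: {record_type: {field: value}}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rtype, serial, rest = m.groups()
            events.setdefault(serial, {})[rtype] = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return events

def decode_saddr(hexstr):
    """Decode a SOCKADDR saddr blob to (family, host, port); host/port are None unless IP."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[:2], "little")  # sa_family is in host byte order
    if family not in (AF_INET, AF_INET6):
        return family, None, None
    port = int.from_bytes(raw[2:4], "big")  # sin_port is in network byte order
    addr = raw[4:8] if family == AF_INET else raw[8:24]  # sockaddr_in vs sockaddr_in6
    return family, str(ipaddress.ip_address(addr)), port

def outbound_events(text):
    """(syscall, comm, pid, host, port) for IP connect/sendto/sendmsg, filtered by family not a2."""
    found = []
    for recs in parse_records(text).values():
        sc, sa = recs.get("SYSCALL"), recs.get("SOCKADDR")
        if not (sc and sa) or sc.get("arch") != "c000003e":
            continue
        name = OUTBOUND_SYSCALLS.get(int(sc["syscall"]))
        family, host, port = decode_saddr(sa["saddr"])
        if name and family in (AF_INET, AF_INET6):
            found.append((name, sc["comm"], int(sc["pid"]), host, port))
    return found
```

Deciding the socket family from the SOCKADDR record avoids relying on the addrlen value in a2, which is what the `a2!=110` clause does.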