I am looking for a daemon utility to track all non-local TCP connections and which binaries establish the TCP connections (actively and passively) with which IPs and ports.

auditd seems like a great tool.

Following this post, I notice that the following rule captures all connections: auditctl -a exit,always -F arch=b64 -S connect -k MYCONNECT

I see many entries like these:

type=SOCKADDR msg=audit(04/01/2021 10:54:23.327:397) : saddr={ fam=local path=/dev/log } 
type=SYSCALL msg=audit(04/01/2021 10:54:23.327:397) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7fc64b29a6c0 a2=0x6e a3=0x20656c62616e6520 items=1 ppid=3116 pid=3156 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=sudo exe=/usr/bin/sudo key=MYCONNECT 
type=SOCKADDR msg=audit(04/01/2021 10:54:23.328:403) : saddr={ fam=local path=/var/run/dbus/system_bus_socket } 
type=SYSCALL msg=audit(04/01/2021 10:54:23.328:403) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x55e28814cac8 a2=0x21 a3=0x7fff6e3462d0 items=1 ppid=3116 pid=3156 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=sudo exe=/usr/bin/sudo key=MYCONNECT 

I wonder whether there is a way to filter by the AF family, limiting to IPv4 and IPv6.

I can add a filter to capture the socket system call with AF family = IPv4 or IPv6. But for the connect system call, I am not sure how to do so.

Thanks.

HCSF
  • this could be useful (it's really a technical page): https://www.linkedin.com/pulse/using-auditd-monitor-network-connections-alex-maestretti – A.B Apr 02 '21 at 12:21
  • @A.B Thanks for sharing the link. If I read the article correctly, filtering can be done by specifying value of system call's arguments and/or the return value. However, AF family is specified in the pointer to `struct sockaddr` in `connect()`. I am not sure there is a way to specify it. – HCSF Apr 07 '21 at 00:30

0 Answers
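Added example (an editor's addition, not code from the question or from the linked article). The rule in the question cannot select on the address family because, as the last comment says, connect() receives the family inside the struct sockaddr that a1 points to, and auditctl's a0..a3 filters compare the raw register values only. The family does appear in the SOCKADDR record of the same event, so the selection can be done after the fact by joining SOCKADDR and SYSCALL records on their event serial (the number after the colon in msg=audit(...)). The script below does that over `ausearch -i` output fed on stdin; the two fam=local lines are the question's, the fam=inet and fam=inet6 lines and every address in them are constructed for this example. (If your kernel and auditctl are recent enough to accept the saddr_fam rule field, `-F saddr_fam=inet` and `-F saddr_fam=inet6` do the filtering in the rule itself; check that auditctl accepts it on your version before relying on it.)

```python
"""Keep only connect() calls to AF_INET/AF_INET6 peers from `ausearch -i` output,
joined to the process that made them.

Usage:  ausearch -i -k MYCONNECT | python3 connect_filter.py
Expects interpreted (-i) output: in raw audit.log the saddr is hex-encoded.
"""
import re
import sys
from collections import defaultdict

# msg=audit(<timestamp>:<serial>) -- the serial ties all records of one event together.
# The timestamp itself contains colons, so match up to the last ':<digits>)'.
_MSG_RE = re.compile(r"msg=audit\(([^()]+):(\d+)\)")
# key=value pairs as printed by ausearch -i (values are unquoted and space-free
# for the fields used here: fam, laddr, lport, syscall, success, pid, comm, exe, key).
_KV_RE = re.compile(r"(\w+)=(\S+)")

NETWORK_FAMILIES = {"inet", "inet6"}  # as printed by ausearch -i; AF_UNIX shows as "local"


def parse_record(line):
    """Return (serial, record type, fields) for one ausearch -i line, else None."""
    m = _MSG_RE.search(line)
    t = re.match(r"type=(\w+)", line)
    if m is None or t is None:
        return None
    fields = dict(_KV_RE.findall(line))
    fields["time"] = m.group(1)
    return int(m.group(2)), t.group(1), fields


def group_events(lines):
    """serial -> {record type: fields}; record order in the input does not matter."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            serial, rtype, fields = rec
            events[serial][rtype] = fields
    return events


def network_connects(lines, key=None):
    """Return one dict per connect() whose SOCKADDR family is inet or inet6.

    Failed calls are kept on purpose: a non-blocking connect() returns
    EINPROGRESS (success=no) even though the connection goes ahead.
    """
    out = []
    for serial, recs in group_events(lines).items():
        sc, sa = recs.get("SYSCALL"), recs.get("SOCKADDR")
        if not sc or not sa or sc.get("syscall") != "connect":
            continue
        if key is not None and sc.get("key") != key:
            continue
        if sa.get("fam") not in NETWORK_FAMILIES:
            continue  # drops fam=local (/dev/log, D-Bus), netlink, ...
        out.append({
            "serial": serial,
            "time": sc["time"],
            "family": sa["fam"],
            "peer": sa.get("laddr"),
            "port": int(sa["lport"]) if "lport" in sa else None,
            "exe": sc.get("exe"),
            "comm": sc.get("comm"),
            "pid": int(sc["pid"]),
            "uid": sc.get("uid"),
            "success": sc.get("success") == "yes",
        })
    return sorted(out, key=lambda e: e["serial"])


# Constructed sample: the first two lines are from the question, the rest are made up
# (TEST-NET-1 and 2001:db8::/32 addresses) to show what inet/inet6 events look like.
SAMPLE = """\
type=SOCKADDR msg=audit(04/01/2021 10:54:23.327:397) : saddr={ fam=local path=/dev/log }
type=SYSCALL msg=audit(04/01/2021 10:54:23.327:397) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7fc64b29a6c0 a2=0x6e a3=0x20656c62616e6520 items=1 ppid=3116 pid=3156 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=sudo exe=/usr/bin/sudo key=MYCONNECT
type=SOCKADDR msg=audit(04/01/2021 10:55:01.100:412) : saddr={ fam=inet laddr=192.0.2.10 lport=443 }
type=SYSCALL msg=audit(04/01/2021 10:55:01.100:412) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x55d2a1c3e2f0 a2=0x10 a3=0x0 items=0 ppid=3116 pid=3201 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=curl exe=/usr/bin/curl key=MYCONNECT
type=SOCKADDR msg=audit(04/01/2021 10:55:02.250:415) : saddr={ fam=inet6 laddr=2001:db8::10 lport=22 }
type=SYSCALL msg=audit(04/01/2021 10:55:02.250:415) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0x5 a1=0x7ffd3c5b1e40 a2=0x1c a3=0x0 items=0 ppid=1 pid=3210 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ssh exe=/usr/bin/ssh key=MYCONNECT
"""


def format_event(e):
    return (f"{e['time']} pid={e['pid']} exe={e['exe']} -> "
            f"[{e['peer']}]:{e['port']} ({e['family']}, success={e['success']})")


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for ev in network_connects(source, key="MYCONNECT"):
        print(format_event(ev))
```

Run against the sample, the two sudo events (fam=local) disappear and the curl and ssh events remain, including the EINPROGRESS one. The join by serial is what matters: filtering SOCKADDR lines alone would tell you the peer but not the binary, and filtering SYSCALL lines alone cannot see the family at all.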