Traffic and Process Id correlation with audit and ULOG on IA-32 Centos-5.7
Posted 11-20-2011 at 08:24 AM by unSpawn
# ...being basically a clarification of "dump all packets and list them according to the processes that either sent or received them" and "what command could display current running processes relating to eth0", so I can refer back to this when needed.
The question: generate an audit trail that includes captured traffic and process information.
The problem: when capturing packets no process information is stored.
Solution: correlation provides the "glue" between traffic and processes.
Code:
# whoami
]# uname -r; selinuxenabled; echo $?
2.6.18-274.7.1.el5
0
# Prep our test set:
]# yum install tor audit ulogd ulogd-pcap
# Determine the UID to track:
]# getent passwd _tor|awk -F':' '{print $3}'
102
# Prep the audit service:
]# auditctl -D; auditctl -b 10240; auditctl -r 0
# Track execs by UID:
]# auditctl -a exit,always -S execve -F auid=102 -k SYS_exec
# Track socket calls by UID (IA-32):
]# awk '/^#define.SYS_/ {print "-a entry,always -F arch=b32 -S socketcall -F auid=102 -F a0="$3" -k "$2}' \
/usr/src/kernels/$(uname -r)-$(uname -m)/include/linux/net.h | while read LINE; do auditctl $LINE; done
# Prep LKM:
]# modprobe ipt_ULOG nlbufsiz=65535 flushtimeout=100
# Prep and start Ulogd:
]# sed -i 's|rmem=131071|rmem=65535|g' /etc/ulogd.conf && sed -i 's|nlgroup=1|nlgroup=3|g' /etc/ulogd.conf && service ulogd start
# Add Netfilter rule. Remember to set a corresponding filter table INPUT chain rule if you need one:
]# /sbin/iptables -I OUTPUT 1 -m owner --uid-owner 102 -j ULOG --ulog-nlgroup 3 --ulog-prefix OUT_uid102 --ulog-qthreshold 20 --ulog-cprange 0
# Generate some traffic:
]# service tor start
The result:
/var/log/ulogd/ulogd.syslogemu contains "-j LOG"-style logging produced by the Netfilter rule used above (and, because of the "owner" module match, only for UID 102), listed as: human-readable syslog-style timestamp, hostname, ulog-prefix, device name and all the fields "-j LOG" would produce.
/var/log/audit/audit.log contains records with selectable keys (see 'man ausearch'): SYS_exec for execve and, on IA-32, SYS_SOCKET, SYS_BIND, SYS_CONNECT, SYS_LISTEN, SYS_ACCEPT, SYS_GETSOCKNAME, SYS_GETPEERNAME, SYS_SOCKETPAIR, SYS_SEND, SYS_RECV, SYS_SENDTO, SYS_RECVFROM, SYS_SHUTDOWN, SYS_SETSOCKOPT, SYS_GETSOCKOPT, SYS_SENDMSG, SYS_RECVMSG, SYS_ACCEPT4 and SYS_RECVMMSG for the socket calls (and, because the rules carry a "-F auid=102" filter, only for UID 102), listed as: hostname, type, epoch, arch, syscall number, success, exit value, arguments, ppid, pid, auid, uid and related ID info, executable name and location, and context.
* Note that if you don't know how to deal with epoch timestamps, you can have ausearch --interpret convert them for you.
/var/log/ulogd/ulogd.pcap contains the complete captured traffic (due to "--ulog-cprange 0"), again only for UID 102. How it is listed depends on how you read ulogd.pcap; the timestamp format is configurable ('man tcpdump': "-tttt").
Now run '( convert the human-readable timestamps in ulogd.syslogemu to epoch; ausearch --interpret audit.log | awk the epoch field into first position | awk out any fields you don't want; tcpdump -n -nn -N -tttt -r ulogd.pcap | convert timestamps to epoch ) | sort -k1' and away you go...
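The merge step sketched above (normalise every record from the three sources to an epoch, then sort on it), written out as an added Python example that is not part of the original post. It reads raw audit.log lines rather than ausearch --interpret output (since --interpret rewrites the epoch into a human-readable time), takes the pcap side as `tcpdump -tttt` text, and assumes the logs were written in UTC and that the year-less syslog timestamps belong to 2011; all sample records are constructed.

```python
import re
from datetime import datetime, timezone
YEAR = 2011  # assumption: syslog-style timestamps in ulogd.syslogemu carry no year
# Raw audit.log record, optionally prefixed with "node=<host> " (not ausearch -i output)
AUDIT_RE = re.compile(r"^(?:node=\S+ )?type=(\S+) msg=audit\((\d+)\.\d+:\d+\): (.*)$")

def _utc_epoch(ts):
    """Assumes the logs were written in UTC; use the host's tzinfo for local time."""
    return int(ts.replace(tzinfo=timezone.utc).timestamp())

def syslogemu_epoch(line):
    """'Nov 20 08:24:02 host OUT_uid102 IN= OUT=eth0 ...' -> (epoch, rest)."""
    mon, day, hms, rest = line.split(None, 3)
    return _utc_epoch(datetime.strptime(f"{YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")), rest

def audit_epoch(line):
    """'type=SYSCALL msg=audit(1321777441.123:456): arch=...' -> (epoch, 'SYSCALL arch=...')."""
    m = AUDIT_RE.match(line)
    return (int(m.group(2)), f"{m.group(1)} {m.group(3)}") if m else None

def tcpdump_epoch(line):
    """'2011-11-20 08:24:02.004211 IP ...' (tcpdump -tttt) -> (epoch, rest)."""
    day, hms, rest = line.split(None, 2)
    return _utc_epoch(datetime.strptime(f"{day} {hms.split('.')[0]}", "%Y-%m-%d %H:%M:%S")), rest

def correlate(ulog_lines, audit_lines, pcap_lines):
    """Return 'epoch SOURCE rest' records sorted by epoch; same-second records keep input order."""
    events = []
    for src, parse, lines in (("ULOG", syslogemu_epoch, ulog_lines),
                              ("AUDIT", audit_epoch, audit_lines),
                              ("PCAP", tcpdump_epoch, pcap_lines)):
        for line in lines:
            try:
                parsed = parse(line.rstrip("\n"))
            except ValueError:  # malformed record: skip it rather than abort the merge
                parsed = None
            if parsed:
                events.append((parsed[0], src, parsed[1]))
    events.sort(key=lambda e: e[0])  # list.sort is stable, so the tie order is deterministic
    return [f"{epoch} {src} {rest}" for epoch, src, rest in events]
# Constructed sample records (not real logs): one tor connect() seen by all three sources
SAMPLE_ULOG = ["Nov 20 08:24:02 cent5 OUT_uid102 IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=43210 DPT=443"]
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1321777441.123:456): arch=40000003 syscall=102 success=yes exit=0 a0=3 auid=102 uid=102 exe="/usr/bin/tor" key="SYS_CONNECT"',
    "type=SOCKADDR msg=audit(1321777441.123:456): saddr=020001BBC000020A0000000000000000",
]
SAMPLE_PCAP = ["2011-11-20 08:24:02.004211 IP 10.0.0.5.43210 > 192.0.2.10.443: S 1234:1234(0) win 5840"]
def demo():
    return correlate(SAMPLE_ULOG, SAMPLE_AUDIT, SAMPLE_PCAP)
```

On a real host the three inputs are read from the files named above (the pcap via `tcpdump -n -nn -N -tttt -r ulogd.pcap`) and the merged list is what `sort -k1` would give you.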




