Traffic and Process Id correlation with audit and ULOG on IA-32 Centos-5.7

Posted 11-20-2011 at 08:24 AM by unSpawn

# ...being basically a clarification of the questions "dump all packets and list them according to the processes that either sent or received them" and "what command could display current running processes relating to eth0", so I can refer back to this when needed.

The question: generate an audit trail that includes captured traffic and process information.
The problem: when capturing packets, no process information is stored.
The solution: correlation provides the "glue" between traffic and processes.

# whoami
]# uname -r; selinuxenabled; echo $?

# Prep our test set:
]# yum install tor audit ulogd ulogd-pcap

# Determine the UID to track (102 in the examples below):
]# getent passwd _tor|awk -F':' '{print $3}'

# Prep the audit service: drop existing rules, enlarge the backlog buffer, disable rate limiting:
]# auditctl -D; auditctl -b 10240; auditctl -r 0

# Track execs by UID. Note that "-F auid=" matches the login UID set by pam_loginuid and inherited
# across setuid; a daemon started from root's session keeps root's auid, so if no SYS_exec records
# show up, filter on the process UID with "-F uid=102" instead:
]# auditctl -a exit,always -S execve -F auid=102 -k SYS_exec

# Track socket calls by UID (IA-32). On i386 all socket calls multiplex through socketcall(2) with the
# sub-call number in a0; net.h maps each SYS_* name to that number, so one rule (and one ausearch key)
# is generated per sub-call:
]# awk '/^#define SYS_/ {print "-a entry,always -F arch=b32 -S socketcall -F auid=102 -F a0="$3" -k "$2}' \
/usr/src/kernels/$(uname -r)-$(uname -m)/include/linux/net.h | while read LINE; do auditctl $LINE; done

# Prep the LKM (large netlink buffer, short flush timeout so packets reach ulogd promptly):
]# modprobe ipt_ULOG nlbufsiz=65535 flushtimeout=100

# Prep and start Ulogd: match rmem to nlbufsiz and listen on netlink group 3, the group used by the rule below:
]# sed -i 's|rmem=131071|rmem=65535|g' /etc/ulogd.conf && sed -i 's|nlgroup=1|nlgroup=3|g' /etc/ulogd.conf && service ulogd start

# Add the Netfilter rule (the "owner" match restricts it to packets generated by UID 102; "--ulog-cprange 0" copies whole packets). Remember to set a corresponding filter table INPUT chain rule if you need one:
]# /sbin/iptables -I OUTPUT 1 -m owner --uid-owner 102 -j ULOG --ulog-nlgroup 3 --ulog-prefix OUT_uid102 --ulog-qthreshold 20 --ulog-cprange 0

# Generate some traffic:
]# service tor start

The result:

/var/log/ulogd/ulogd.syslogemu contains "-j LOG"-style log lines produced by the Netfilter rule above, only for UID 102 (because of the "owner" match), listed as: a human-readable syslog-like timestamp, hostname, ulog-prefix, device name and all the fields "-j LOG" would print.

/var/log/audit/audit.log contains records selectable by key (see 'man ausearch'): SYS_exec for execve and, on IA-32, SYS_SOCKET, SYS_BIND, SYS_CONNECT, SYS_LISTEN, SYS_ACCEPT, SYS_GETSOCKNAME, SYS_GETPEERNAME, SYS_SOCKETPAIR, SYS_SEND, SYS_RECV, SYS_SENDTO, SYS_RECVFROM, SYS_SHUTDOWN, SYS_SETSOCKOPT, SYS_GETSOCKOPT, SYS_SENDMSG, SYS_RECVMSG, SYS_ACCEPT4 and SYS_RECVMMSG for the socket calls, only for UID 102 (because of the rules' "-F auid=102" filter), listed as: hostname, type, epoch, arch, syscall number, success, exit value, arguments, ppid, pid, auid, uid and related ID info, executable name and location, and context.
* Note that if you don't know how to deal with epoch timestamps you can have 'ausearch --interpret' convert them for you.

/var/log/ulogd/ulogd.pcap contains the complete captured packets (because of "--ulog-cprange 0"), again only for UID 102. How these are listed depends on how you read ulogd.pcap, the timestamp format being configurable ('man tcpdump': "-tttt").

Now run something like '( convert the human-readable timestamps in ulogd.syslogemu to epoch; ausearch --interpret audit.log | awk the epoch field into first position | awk out any fields you don't want; tcpdump -n -nn -N -tttt -r ulogd.pcap | convert its timestamps to epoch ) | sort -k1' and away you go...
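One way to carry out that pipeline, as an added example that is not the post's own code: a small Python script that normalises the three timestamp formats (syslogemu, 'ausearch --interpret', 'tcpdump -tttt') to epoch and merge-sorts them into one timeline. The sample lines are constructed, and the year for the syslogemu stamp is passed in by the caller because that format omits it.

```python
import calendar
import re
from datetime import datetime

# Constructed sample lines (not real captures), one from each log the recipe produces.
ULOG_LINE = ("Nov 20 08:24:03 cent57 OUT_uid102 IN= OUT=eth0 SRC=192.0.2.10 "
             "DST=198.51.100.5 LEN=60 PROTO=TCP SPT=42000 DPT=9001")
AUDIT_LINE = ("type=SYSCALL msg=audit(11/20/2011 08:24:02.871:4711) : arch=i386 "
              "syscall=socketcall(connect) success=yes exit=0 pid=2345 auid=102 "
              "uid=102 comm=tor exe=/usr/bin/tor key=SYS_CONNECT")
PCAP_LINE = ("2011-11-20 08:24:03.104322 IP 192.0.2.10.42000 > 198.51.100.5.9001: "
             "Flags [S], seq 1, win 5840, length 0")

def _epoch(dt):
    """Naive datetime -> float epoch; all three logs are assumed to be in one zone."""
    return calendar.timegm(dt.timetuple()) + dt.microsecond / 1e6

def parse_ulog(line, year):
    # syslogemu stamps ("Nov 20 08:24:03") carry no year, so the caller supplies it.
    stamp, rest = line[:15], line[16:]
    dt = datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")
    return _epoch(dt), "ulog", rest

def parse_audit(line):
    # ausearch --interpret renders the stamp as MM/DD/YYYY HH:MM:SS.mmm:serial
    m = re.search(r"msg=audit\((\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+):\d+\)", line)
    dt = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
    return _epoch(dt), "audit", line[m.end():].lstrip(" :")

def parse_pcap(line):
    # tcpdump -tttt prints YYYY-MM-DD HH:MM:SS.usec before each packet
    stamp, rest = line[:26], line[27:]
    dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")
    return _epoch(dt), "pcap", rest

def correlate(ulog_lines, audit_lines, pcap_lines, year):
    """Merge the three sources into one list of (epoch, source, text) ordered by time."""
    events = [parse_ulog(l, year) for l in ulog_lines]
    events += [parse_audit(l) for l in audit_lines]
    events += [parse_pcap(l) for l in pcap_lines]
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    for epoch, src, text in correlate([ULOG_LINE], [AUDIT_LINE], [PCAP_LINE], 2011):
        print("%.6f %-5s %s" % (epoch, src, text))
```

In practice feed it the real files (syslogemu has second resolution only, so a socket call and the packet it produced may sort on either side of a ULOG line with the same second).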


Comment 1, posted 02-06-2014 at 01:56 PM by unSpawn:
    // This probably is easier.

