-
-
Notifications
You must be signed in to change notification settings - Fork 520
monitor method auditd
In order to use auditd to get the name of a process which is opening a new connection, you have to install and configure it first.
On Debian/Ubuntu:
-
apt install auditd audispd_plugins
-
enable af_unix plugin
/etc/audisp/plugins.d/af_unix.conf
(active = yes) -
add a test rule:
auditctl -a always,exit -F arch=b64 -S socket,connect,execve -k test
- increase
/etc/audisp/audispd.conf
q_depth if there're dropped events: q_depth = 4096) - set
write_logs
to no if you don't need/want audit logs to be stored in the disk.
- increase
-
read messages from the pipe to verify that it's working:
socat unix-connect:/var/run/audispd_events stdio
You'll see lot of messages like these ones:
mar 08 18:37:48 ono-sendai audit[12704]: SYSCALL arch=c000003e syscall=41 success=yes exit=204 a0=a a1=2 a2=0 a3=7f02480008d0 items=0 ppid=12654 pid=12704 auid=1000 uid=1000 gid=1000 euid=1000 suid>
mar 08 18:37:48 ono-sendai audit: PROCTITLE proctitle="iceweasel"
mar 08 18:37:48 ono-sendai audit: PATH item=0 name="/run/user/1000/bus" inode=41813 dev=00:15 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=0 c>
mar 08 18:37:48 ono-sendai audit: CWD cwd="/tmp"
mar 08 18:37:48 ono-sendai audit: SOCKADDR saddr=01002FF2756E2F7FF573613030302F343435627573
Possible errors:
-
AuditReader: auditd error%!(EXTRA *net.OpError=read unix @->/var/run/audispd_events: use of closed network connection)
You need to restart auditd (service auditd restart)
More information on this system:
Audit event fields: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv
Record types: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Audit_Record_Types.html
Documentation: https://github.com/linux-audit/audit-documentation
Please help us make this wiki better.
How to submit changes: https://github.com/evilsocket/opensnitch/blob/wiki/README.md
- Installation
- Getting started
- Configuration
- Compilation
- GUI translations
- FAQs and common errors
- Examples OpenSnitch in action