Auditing network traffic

Steve Grubb sgrubb at redhat.com
Wed Jan 20 15:29:21 UTC 2016


On Wednesday, January 20, 2016 10:18:29 AM Steve Grubb wrote:
> > I work on an audisp plugin which audits network traffic – what process
> > has sent/received data to/from what remote address. So far I see 2 ways
> > of accomplishing that:
> > 
> > Hook syscalls. First, hook socket call with af_inet/inet6 to get pid and
> > fd, then read/write/sendto/recvfrom filtered by pid and fd

One other thing, read and write will tell you that a read or write happened.
It does not record what was read or written. If you need that, you will have
to sniff network traffic. Audit won't be able to help much.

-Steve
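The correlation step the original question sketches (socket() gives pid and fd, later calls are matched on that pair), as an added example that is not from this thread or from the plugin under discussion; it assumes x86_64 syscall numbers, a little-endian host, and constructed sample records, and it keeps only the byte count from exit= because, as Steve notes, audit never records the data itself.

```python
import re
import struct
# x86_64 syscall numbers (arch=c000003e); other architectures use different numbers.
SYSCALL_NAMES = {41: "socket", 42: "connect", 44: "sendto", 45: "recvfrom", 0: "read", 1: "write"}
DATA_OPS = ("sendto", "recvfrom", "read", "write")
AF_INET = 2
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not from a real host): curl opens an AF_INET socket (fd 3),
# connects to 192.168.1.1:80 and sends 48 bytes; the final write() goes to stdout, not a socket.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1453303761.101:201): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="net"
type=SYSCALL msg=audit(1453303761.102:202): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1234 a2=10 a3=0 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="net"
type=SOCKADDR msg=audit(1453303761.102:202): saddr=02000050C0A801010000000000000000
type=SYSCALL msg=audit(1453303761.103:203): arch=c000003e syscall=44 success=yes exit=48 a0=3 a1=55aa1234 a2=30 a3=4000 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="net"
type=SYSCALL msg=audit(1453303761.104:204): arch=c000003e syscall=1 success=yes exit=12 a0=1 a1=55aa5678 a2=c a3=0 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="net"
"""

def parse_record(line):
    """Split one raw audit record into a dict; the event serial comes from msg=audit(ts:serial)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["serial"] = int(re.search(r"audit\(\d+\.\d+:(\d+)\)", line).group(1))
    return fields

def decode_sockaddr(hex_saddr):
    """Decode the raw struct sockaddr of a SOCKADDR record (AF_INET only; little-endian host)."""
    raw = bytes.fromhex(hex_saddr)
    if struct.unpack("<H", raw[:2])[0] != AF_INET:      # sa_family is in host byte order
        return None
    port = struct.unpack("!H", raw[2:4])[0]             # sin_port is in network byte order
    return "%d.%d.%d.%d:%d" % (raw[4], raw[5], raw[6], raw[7], port)

def correlate(log_text):
    """Attribute network syscalls to sockets by (pid, fd): socket() returns the fd in exit=,
    later calls pass it in a0=.  Only the byte count (exit=) is recorded, never the payload."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    peers = {r["serial"]: decode_sockaddr(r["saddr"]) for r in records if r["type"] == "SOCKADDR"}
    socket_fds, events = set(), []
    for r in records:
        if r["type"] != "SYSCALL" or r.get("success") != "yes":
            continue
        name = SYSCALL_NAMES.get(int(r["syscall"]))
        pid, ret, a0 = int(r["pid"]), int(r["exit"]), int(r["a0"], 16)   # a0..a3 are hex
        if name == "socket" and a0 == AF_INET:
            socket_fds.add((pid, ret))                  # remember the new inet socket's fd
        elif name in ("connect",) + DATA_OPS and (pid, a0) in socket_fds:
            events.append({"pid": pid, "comm": r["comm"], "fd": a0, "op": name,
                           "bytes": ret if name in DATA_OPS else 0,
                           "peer": peers.get(r["serial"])})
    return events
```

The SOCKADDR record shares the serial of its SYSCALL record, which is how the peer address is attached to the connect(); a sendto() without a destination address has no SOCKADDR, so its peer stays unknown.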

More information about the Linux-audit mailing list