Auditing network traffic
Steve Grubb
sgrubb at redhat.com
Thu Jan 21 16:50:11 UTC 2016
On Thursday, January 21, 2016 11:49:13 AM Lev Stipakov wrote:
> Thank you for your comments! It seems that AUDIT target is better option
> than hooking syscalls and managing fds. I don't have to look inside
> traffic, just src/dest and bytes count is enough for me.
>
> What would be the performance implications of that approach comparison
> to, say, libpcap option?
I'd say it would be better because you don't have to do nearly as much work.
The kernel takes care of all the heavy lifting and you just filter on
NETFILTER_PKT events.
> Mostly I am concerned about logging part - seems that every packet produces
> NETFILTER_PKT record. I could not find any way to disable that, except
> probably disabling logging all together but that will break ausearch.
There are plenty of examples of how to do logging of netfilter events. You can
just copy the examples and substitute AUDIT as the target (but you have to add
a --type argument after it). A couple examples I found after a quick search:
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j AUDIT --type accept
To get any connection attempt:
iptables -I INPUT -p tcp --tcp-flags ALL SYN -j AUDIT --type accept
Of course any use of nmap -sS will flood the logs on this one. But you can
write any kind of netfilter rule. The examples in iptables-extensions man page
are quite limited when compared to what you can really do.
Maybe I should update an audit man page to show some real world examples. If
anyone would like to suggest a few examples, I'll see about adding them.
-Steve
More information about the Linux-audit
mailing list