I am looking for a daemon utility to track all non local TCP connections and which binaries establish the TCP connections (actively and passively) with which IPs and ports.
auditd
seems like a great tool.
Following this post, I notice that the following rule captures all connections:
auditctl -a exit,always -F arch=b64 -S connect -k MYCONNECT
I see many entries like these:
type=SOCKADDR msg=audit(04/01/2021 10:54:23.327:397) : saddr={ fam=local path=/dev/log }
type=SYSCALL msg=audit(04/01/2021 10:54:23.327:397) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7fc64b29a6c0 a2=0x6e a3=0x20656c62616e6520 items=1 ppid=3116 pid=3156 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=sudo exe=/usr/bin/sudo key=MYCONNECT
type=SOCKADDR msg=audit(04/01/2021 10:54:23.328:403) : saddr={ fam=local path=/var/run/dbus/system_bus_socket }
type=SYSCALL msg=audit(04/01/2021 10:54:23.328:403) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x55e28814cac8 a2=0x21 a3=0x7fff6e3462d0 items=1 ppid=3116 pid=3156 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=sudo exe=/usr/bin/sudo key=MYCONNECT
I wonder whether there is a way to filter by the AF family, limiting to IPv4 and IPv6.
I can add a filter to capture socket
system call with AF family = IPv4 or IPv6. But for connect
system call, I am not sure how to do so.
Thanks.
0 Answers