
I'd like to track down processes that try to connect to a certain port (on a remote host). So, I discovered that auditd is very powerful for this kind of task. The following commands instruct auditd to log every connect syscall:

auditctl -a always,exit -F arch=b64 -S connect
auditctl -a always,exit -F arch=b32 -S connect

The log is then stored in /var/log/audit/, but the content is pretty complex. There's ausearch that can be used to filter the log, but maybe some of you already know how to solve this.

P.S. I don't want to use netstat because I want to see even the failed connections etc.

Thanks in advance

  • What is a **failed connection**? If you are thinking about port 80/443, then there is no such thing. If instead you are thinking of *ssh/ftp/telnet* connections, you do **not** need *auditd*, all the info you will ever be able to obtain are in */var/log/auth.log*. – MariusMatutiae Dec 03 '16 at 09:27
  • With **failed connection** I mean when a program tries to establish a TCP connection and gets an RST flag in the TCP response or just no response... I want to track down attempts to establish connections (from local to somewhere else) on certain ports – user2543740 Dec 03 '16 at 14:55
  • In your shoes, I would use *iptables*' LOG queue. – MariusMatutiae Dec 03 '16 at 21:21
  • Thanks, seems a nice idea, but how do I specify to log the process id or similar? I looked it up but it seems no one does that – user2543740 Dec 04 '16 at 01:36
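The question asks how to filter the auditd records down to connects on one port. As an added example (not code from the original post or its comments), the script below does what ausearch does not do in one step: it joins each SYSCALL record, which carries the pid, comm and exe of the process that called connect(2), with the SOCKADDR record of the same audit serial, decodes the hex-encoded saddr into a destination address and port, and classifies the outcome from the success= and exit= fields. It assumes x86_64 records produced by the arch=b64 rule above (connect is syscall 42 on x86_64; the arch=b32 rule logs i386 connect via socketcall and is not decoded here), Linux errno and address-family numbering, and a constructed log sample standing in for /var/log/audit/audit.log.

```python
"""Report per-process connect(2) attempts to a given remote port from raw auditd logs.

Added example; assumes x86_64 SYSCALL records (connect = syscall 42) and Linux
errno / address-family numbers. SAMPLE_LOG is constructed, not captured data.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log content after the
# `auditctl -a always,exit -F arch=b64 -S connect` rule fires (not real data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1480764000.101:4567): arch=c000003e syscall=42 success=no exit=-111 a0=3 a1=7ffd2c3e4a10 a2=10 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="curl" exe="/usr/bin/curl" key=(null)
type=SOCKADDR msg=audit(1480764000.101:4567): saddr=02000050C0A800010000000000000000
type=SYSCALL msg=audit(1480764003.222:4568): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffc11223340 a2=10 a3=0 items=0 ppid=1200 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="ssh" exe="/usr/bin/ssh" key=(null)
type=SOCKADDR msg=audit(1480764003.222:4568): saddr=020000160A0000020000000000000000
type=SYSCALL msg=audit(1480764009.333:4569): arch=c000003e syscall=42 success=no exit=-115 a0=4 a1=7f0e5a6b7c80 a2=10 a3=0 items=0 ppid=1200 pid=1400 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm="python3" exe="/usr/bin/python3.5" key=(null)
type=SOCKADDR msg=audit(1480764009.333:4569): saddr=02000050C0A800010000000000000000
type=SYSCALL msg=audit(1480764020.444:4570): arch=c000003e syscall=42 success=no exit=-110 a0=3 a1=7ffe99887760 a2=1c a3=0 items=0 ppid=1200 pid=1500 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm="wget" exe="/usr/bin/wget" key=(null)
type=SOCKADDR msg=audit(1480764020.444:4570): saddr=0A0001BB0000000020010DB800000000000000000000000100000000
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Linux address-family numbers as they appear in the SOCKADDR record.
AF_INET, AF_INET6 = 2, 10
# x86_64 syscall number for connect(2); i386 (arch=b32) goes through socketcall instead.
SYS_CONNECT_X86_64 = 42
# Linux errno values commonly returned by a failing connect().
ERRNO_NAMES = {101: 'ENETUNREACH', 110: 'ETIMEDOUT', 111: 'ECONNREFUSED',
               113: 'EHOSTUNREACH', 115: 'EINPROGRESS'}


def parse_fields(body):
    """Turn 'k=v k="v v"' into a dict, stripping the quotes audit adds."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def decode_saddr(hexstr):
    """Decode the hex struct sockaddr from a SOCKADDR record into (addr, port).

    sa_family is host byte order (little-endian on x86); the port is network
    byte order in both sockaddr_in and sockaddr_in6."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[0:2], 'little')
    port = int.from_bytes(raw[2:4], 'big')
    if family == AF_INET and len(raw) >= 8:
        return str(ipaddress.IPv4Address(raw[4:8])), port
    if family == AF_INET6 and len(raw) >= 24:
        # sockaddr_in6 layout: family(2) port(2) flowinfo(4) addr(16) scope_id(4)
        return str(ipaddress.IPv6Address(raw[8:24])), port
    return None, None  # AF_UNIX, AF_NETLINK, ...: no remote port to filter on


def classify(fields):
    """Describe the connect() result from success= and exit= in the SYSCALL record."""
    if fields.get('success') == 'yes':
        return 'connected'
    err = -int(fields.get('exit', '0'))
    if err == 115:
        # A non-blocking socket always "fails" connect() with EINPROGRESS; the
        # real result comes later via poll/getsockopt and is not in this event.
        return 'pending (EINPROGRESS, non-blocking connect)'
    return 'failed (%s)' % ERRNO_NAMES.get(err, 'errno %d' % err)


def connect_attempts(log_text, port=None):
    """Join SYSCALL and SOCKADDR records by audit serial and return one dict per
    connect() call, optionally restricted to a destination port."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        events[serial]['ts'] = float(ts)
        events[serial][rtype] = parse_fields(body)

    out = []
    for serial, ev in sorted(events.items(), key=lambda kv: kv[1]['ts']):
        sc, sa = ev.get('SYSCALL'), ev.get('SOCKADDR')
        if not sc or not sa or int(sc.get('syscall', -1)) != SYS_CONNECT_X86_64:
            continue
        addr, dport = decode_saddr(sa['saddr'])
        if dport is None or (port is not None and dport != port):
            continue
        out.append({'serial': int(serial), 'pid': int(sc['pid']), 'comm': sc['comm'],
                    'exe': sc['exe'], 'dst': addr, 'port': dport, 'outcome': classify(sc)})
    return out


if __name__ == '__main__':
    for a in connect_attempts(SAMPLE_LOG, port=80):
        print('%(pid)s %(comm)s (%(exe)s) -> %(dst)s:%(port)s %(outcome)s' % a)
```

On a live system, `ausearch -sc connect -sv no -i` makes the same selection with interpreted fields; the exit= value is what separates a refused connection (ECONNREFUSED, the RST case from the comments) from a timeout (ETIMEDOUT), and the EINPROGRESS case shows why "success=no" alone overcounts failures for non-blocking clients. The netfilter LOG target suggested in the comments records packet headers, not the calling process, so it cannot supply the pid on its own.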

1 Answer


Auditd's logs do capture process IDs (see Red Hat's Documentation). However, these only come from the server's processes serving incoming connection requests.

However, I do not believe that there is a way to obtain the PID of failed or successful connections from clients, since it is not transmitted over the network in the first place.

– Jomah