Track down processes that connect through TCP (on certain ports) using auditd (in GNU/Linux)


Problem :

I’d like to track down processes that try to connect to a certain port (on a remote host).
So, I discovered that auditd is very powerful for this kind of task. The following commands instruct auditd to log every connect syscall:

auditctl -a always,exit -F arch=b64 -S connect
auditctl -a always,exit -F arch=b32 -S connect

The log is then stored in /var/log/audit/, but the content is pretty complex. There’s ausearch, which can be used to filter the log, but maybe someone of you already knows how to solve this.

P.S. I don’t want to use netstat because I want to see even the failed connections etc.

Thanks in advance
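A note on the rules above, and an added example that is not part of the original post. auditctl can match syscall arguments with -F a0..a3, but for connect(2) the destination port sits inside the sockaddr structure that a1 merely points to, so the port cannot be selected in the rule itself. The practical approach is the broad rule already shown, ideally tagged with a key (e.g. -k outbound-connect, an assumed name), and filtering afterwards: auditd writes a SYSCALL record (with pid, comm, exe, success=yes/no and the exit value) and a SOCKADDR record (the raw sockaddr as a hex dump) under the same event serial, and ausearch -k outbound-connect -sc connect -sv no -i shows the failed attempts interpreted. The script below does the same on raw audit.log lines so the logic is visible: it groups records by serial, decodes the saddr= hex (family, port, address for AF_INET/AF_INET6, little-endian sa_family_t assumed), and returns the calling process for each attempt, optionally restricted to one port or to failures. The log lines embedded in it are constructed for this example, not captured output.

```python
"""Parse raw auditd records for connect(2) events and report which process
tried to reach which destination port, including failed attempts."""
import errno
import re
import socket
import struct
from collections import defaultdict

# Constructed sample records (not taken from the original post): two connect(2)
# events in the shape auditd writes to /var/log/audit/audit.log. The key name
# "outbound-connect" is an assumption for this example.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=42 success=no exit=-111 a0=3 a1=7ffc12345678 a2=10 a3=0 items=0 ppid=1000 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="outbound-connect"
type=SOCKADDR msg=audit(1700000000.101:501): saddr=02001F907F0000010000000000000000
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffc87654321 a2=1c a3=0 items=0 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="outbound-connect"
type=SOCKADDR msg=audit(1700000000.202:502): saddr=0A0001BB0000000020010DB800000000000000000000000100000000
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (arch, syscall number) pairs that are connect(2): x86_64, aarch64, i386 (kernel >= 4.3).
CONNECT_SYSCALLS = {("c000003e", "42"), ("c00000b7", "203"), ("40000003", "362")}


def decode_saddr(hexstr):
    """Decode the SOCKADDR record's saddr= hex dump. sa_family_t is in host byte
    order (little-endian assumed here); the port is in network byte order."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == 2 and len(raw) >= 8:          # AF_INET on Linux
        port = struct.unpack_from("!H", raw, 2)[0]
        return "AF_INET", socket.inet_ntop(socket.AF_INET, raw[4:8]), port
    if family == 10 and len(raw) >= 24:        # AF_INET6 on Linux
        port = struct.unpack_from("!H", raw, 2)[0]
        return "AF_INET6", socket.inet_ntop(socket.AF_INET6, raw[8:24]), port
    return None                                 # AF_UNIX, netlink, ... : not TCP/IP


def parse_records(log_text):
    """Group records by audit event serial: one connect() call yields a SYSCALL
    record and a SOCKADDR record (plus PROCTITLE etc.) sharing the same serial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rec_type, _ts, serial, body = m.groups()
        events[int(serial)][rec_type] = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return events


def connect_events(log_text, port=None, failed_only=False):
    """Return connect() attempts with the caller's pid/comm/exe, optionally
    restricted to one destination port and/or to failed attempts."""
    out = []
    for serial, recs in sorted(parse_records(log_text).items()):
        sc, sa = recs.get("SYSCALL"), recs.get("SOCKADDR")
        if not sc or not sa or (sc.get("arch"), sc.get("syscall")) not in CONNECT_SYSCALLS:
            continue
        decoded = decode_saddr(sa["saddr"])
        if decoded is None:
            continue
        family, addr, dport = decoded
        ok = sc.get("success") == "yes"
        if (port is not None and dport != port) or (failed_only and ok):
            continue
        rc = int(sc.get("exit", "0"))           # negative errno on failure
        out.append({
            "serial": serial, "pid": int(sc["pid"]), "comm": sc["comm"], "exe": sc["exe"],
            "family": family, "dst": addr, "port": dport, "success": ok,
            "error": None if ok else errno.errorcode.get(-rc, str(rc)),
        })
    return out


if __name__ == "__main__":
    for ev in connect_events(SAMPLE_LOG):
        status = "ok" if ev["success"] else f"FAILED ({ev['error']})"
        print(f"pid={ev['pid']} {ev['comm']} ({ev['exe']}) -> {ev['dst']}:{ev['port']} {status}")
```

Run it against a real file with connect_events(open("/var/log/audit/audit.log").read(), port=443, failed_only=True) to list only the processes whose connections to port 443 were refused or timed out; the errno name comes from the host's errno table, so it is only meaningful when the log is parsed on a Linux box.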

Solution :

Auditd’s logs do capture process IDs (see Red Hat’s documentation). However, these only come from the server’s processes serving incoming connection requests.

However, I do not believe that there is a way to obtain PID of failed or successful connections from clients since it is not transmitted over the network in the first place.
