Hello, On Thursday, June 8, 2017 9:46:48 PM EDT 358123097 wrote: > Dear Sir/Madam, > > Hello, I‘am a Chinese student, now I studying Linux audit and having some > problems. I want to collect some information from network,such as the > accessor’s IP and port. I defined a audit rule in machine A as follow, then > I used “ping” and “vsftpd” programs to test audit. For example, I run "ping > A" in another machine, I can't collect any information in A's audit log. In > addition, I run "ssh A" , then I get some incomprehensible records that > display in the picture below(eg saddr=inet6 host:::1 serv:45983 and > saddr=inet6 host:::ffff:127.0.0.1 serv:41573). > -a always,exit -F arch=b64 -S connect -S getsockname -S getpeername
I am not sure of your intent (inbound vs outbound info). If you want to collect inbound information, you need to monitor syscalls for inbound events such as accept, accept4, recv, recvfrom. Ping uses ICMP packets and is not likely to show up in normal syscalls. You might find them by placing audit rules in the iptables rules. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
