Administrace komentářů

Dle dokumentace kdyz mam zaple:

# auditctl -l
-a always,exit -F arch=b64 -S socket -F a0=0x2 -F key=TEST
#

Mel bych videt vsechna volani tcp socketu.

Pokud udelam:

nc 216.58.201.78 443

skutecne v /var/log/audit/audit.log vidim:

type=SYSCALL msg=audit(1484664247.522:74459): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=55de58c59140 items=0 ppid=18935 pid=19137 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts22 ses=1 comm="nc" exe="/usr/bin/ncat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
type=PROCTITLE msg=audit(1484664247.522:74459): proctitle=6E63003231362E35382E3230312E373800343433

v tcpdump vidim odpovidajici:

15:45:02.357762 IP 172.24.146.215.34144 > 216.58.201.78.443: Flags [S], seq 2203129635, win 29200, options [mss 1460,sackOK,TS val 1204233792 ecr 0,nop,wscale 7], length 0
15:45:02.358440 IP 216.58.201.78.443 > 172.24.146.215.34144: Flags [R.], seq 1769143029, ack 2203129636, win 29200, length 0

Potud v poradku.

V tcpdump se mi ale objevuji spojeni, ke kterym neni adekvatni zaznam v /var/log/audit/audit.log:

15:50:55.349067 IP 172.24.146.215.34498 > 216.58.201.78.443: Flags [S], seq 2932252123, win 29200, options [mss 1460,sackOK,TS val 1204586783 ecr 0,nop,wscale 7], length 0
15:50:55.349663 IP 216.58.201.78.443 > 172.24.146.215.34498: Flags [R.], seq 1628348476, ack 2932252124, win 29200, length 0

Pokud nahodou to spojeni chytim pomoci ss nema vyplnen proces:

#while true; do  ss -napt; done | grep 216.58.201.78             
SYN-SENT   0      1      172.24.146.215:34872              216.58.201.78:443                
^C
#

Tusite nekdo, jak zjistim co to dela?