I would like to add 3 more pieces of information to the audit target to
be included in the audit logs:
1. pid/uid -> auid + program path (auid and program path is retrievable
once the pid is known) - outgoing packets only, obviously;
2. tcpflags, where applicable; and
3. tos information, again, where applicable;
The last two are more-or-less directly retrievable as they are included
in the tcphdr and iphdr structs respectively, but I am struggling to
find a reliable source for the first one - uid/pid information.
I know this information *should* be available as outgoing packets are
bound to sockets and those are created by a process, but I am struggling
to find a reliable source which I could use. I looked at both ss and
netstat sources, but the approach there is very different as they both
use/scan "/proc" to retrieve this information and I am not sure this is
the best way to approach things for the kernel code of the audit target.
Is there any other quicker/reliable way?
Having pid/uid, the program path and auid in particular (i.e. the audit
id - the "master" session of the root process owning the process to
which the socket/outgoing packet is bound) included in the audit logs
would be invaluable piece of information as the source of the packets
could be easily traced to the process (or processes) which created it
and the user id used. It would also help with cross-referencing with
other uid/pid/auid information from the audit logs to discover patterns
of interest to the auditors/sys admins.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
