Linux auditd

Since Linux 2.6 the kernel audit subsystem can trace system calls; the auditd daemon collects the records. Once activated it monitors and logs (to /var/log/audit/audit.log) according to the rules loaded with auditctl.

Check auditd status

auditctl -s

Enable auditd

auditctl -e 1

Disable auditd (auditctl -e 2 instead locks the configuration: no further rule changes are accepted until reboot)

auditctl -e 0

List rules

[root@cmserver ~]# auditctl -l
No rules

Flush all rules

[root@cmserver ~]# auditctl -D
No rules

Now let's try to find the process doing DNS calls:

First, add a rule to log every "socketcall" system call. socketcall is the multiplexed socket syscall of 32-bit x86 (the kernel in this example is i386, arch=40000003 in the records below); on x86_64 the socket calls are native syscalls, so use -F arch=b64 -S connect -S sendto -S recvfrom instead. Newer auditctl versions prefer the action order always,exit, and a -k key makes the records easy to retrieve later with ausearch -k.

auditctl -a exit,always -S socketcall

The saddr= field of a SOCKADDR record is the raw struct sockaddr_in hex-dumped, so you first need to build the hex string to look for in the audit log. For 10.0.31.11 port 53 it is:

020000350A001F0B0000000000000000

  • 0200 : sa_family = AF_INET (2, see /usr/include/linux/socket.h), stored as a 16-bit little-endian value on x86
  • 0035 : sin_port in network byte order (big-endian), port 53 here
  • 0A001F0B : sin_addr, one byte per octet, here 10.0.31.11
  • 0000000000000000 : the 8 bytes of sin_zero padding

ausearch -i decodes this field into a readable fam=inet laddr=... lport=... form, but grepping the raw hex works without it.

grep for the first 16 hex characters (family, port and address) in audit.log to find every event that used that IP:port; the trailing padding differs in length between calls, so do not include it:

[root@cmserver audit]# grep 020000350A001F0B audit.log
type=SOCKADDR msg=audit(1299182707.454:8089778): saddr=020000350A001F0B00000000000000000000000000000000B03DED09
type=SOCKADDR msg=audit(1299182707.467:8089780): saddr=020000350A001F0B0000000000000000
type=SOCKADDR msg=audit(1299182707.482:8089790): saddr=020000350A001F0B00000000000000000000000000000000B03DED09
type=SOCKADDR msg=audit(1299182707.482:8089792): saddr=020000350A001F0B0000000000000000
type=SOCKADDR msg=audit(1299522789.030:8196946): saddr=020000350A001F0B0000000000000000
type=SOCKADDR msg=audit(1299522789.078:8196948): saddr=020000350A001F0B0000000000000000
[root@cmserver audit]#

Each record carries an event id of the form timestamp:serial (e.g. 1299522789.030:8196946). All records of one event share that id, so grep for it and you will find the SYSCALL record of the same event, which carries the process command name, pid, uid and executable. ausearch -a 8196946 (or ausearch -i -a 8196946 for decoded fields) does the same lookup.

type=SYSCALL msg=audit(1299182707.482:8089792): arch=40000003 syscall=102 success=yes exit=101 a0=c a1=bf81a128 a2=fafff4 a3=400 items=0 ppid=31432 pid=17924 auid=505 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=367623 comm="smbd" exe="/usr/sbin/smbd" subj=user_u:system_r:smbd_t:s0 key=(null)

In this case we can see that process /usr/sbin/smbd (pid 17924), running as root (uid=0), was exchanging DNS traffic with 10.0.31.11:53. syscall=102 is socketcall on i386, and its first argument a0=c selects SYS_RECVFROM (12 in /usr/include/linux/net.h), so this particular record is smbd receiving the 101-byte reply (exit=101) from the DNS server; the matching query went out through the earlier events with the same saddr.
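The whole procedure as an added shell example (not from the original page): saddr_hex builds the hex prefix auditd writes for an IPv4 address and port, and dns_clients correlates every SOCKADDR record carrying that prefix with the SYSCALL record of the same event id to name the process. The audit.log content is constructed for the example (the page's smbd event plus two invented events, a dig lookup and an HTTP connection that must be ignored); the record layout assumed is the i386 one shown above.

```shell
# Added example, not the page's own code. Assumes the i386 SOCKADDR layout
# (struct sockaddr_in hex-dumped into saddr=) and the SYSCALL record fields
# shown on the page.

# saddr_hex IP PORT -> the first 8 bytes of the sockaddr_in as uppercase hex:
#   sa_family AF_INET (2) as a little-endian 16-bit value -> "0200"
#   sin_port in network byte order (big-endian 16 bits)   -> "%04X" of PORT
#   sin_addr, one byte per octet                          -> "%02X" x 4
saddr_hex() {
    ip=$1
    port=$2
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    printf '0200%04X%02X%02X%02X%02X\n' "$port" "$1" "$2" "$3" "$4"
}

# dns_clients LOGFILE PREFIX -> one line per event whose SOCKADDR saddr starts
# with PREFIX: event id, pid, uid, comm and exe taken from its SYSCALL record.
dns_clients() {
    log=$1
    prefix=$2
    grep "type=SOCKADDR .*saddr=$prefix" "$log" \
      | sed 's/.*msg=audit(\([^)]*\)).*/\1/' \
      | sort -u \
      | while read -r id; do
            # SOCKADDR and SYSCALL records of one event share the same
            # "timestamp:serial" id; only SYSCALL names the process.
            grep -F "type=SYSCALL msg=audit($id)" "$log" \
              | sed 's/.*msg=audit(\([^)]*\)).*\(pid=[0-9]*\).* \(uid=[0-9]*\).*\(comm="[^"]*"\).*\(exe="[^"]*"\).*/event=\1 \2 \3 \4 \5/'
        done
}

# Constructed sample audit.log: the page's smbd event, an invented dig lookup by
# an unprivileged user, and an invented HTTP connection to 192.168.0.1:80.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
type=SOCKADDR msg=audit(1299182707.482:8089792): saddr=020000350A001F0B0000000000000000
type=SYSCALL msg=audit(1299182707.482:8089792): arch=40000003 syscall=102 success=yes exit=101 a0=c a1=bf81a128 a2=fafff4 a3=400 items=0 ppid=31432 pid=17924 auid=505 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=367623 comm="smbd" exe="/usr/sbin/smbd" subj=user_u:system_r:smbd_t:s0 key=(null)
type=SOCKADDR msg=audit(1299182720.105:8089801): saddr=020000350A001F0B0000000000000000
type=SYSCALL msg=audit(1299182720.105:8089801): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfa1c0e0 a2=0 a3=0 items=0 ppid=4100 pid=4115 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=12 comm="dig" exe="/usr/bin/dig" subj=user_u:user_r:user_t:s0 key=(null)
type=SOCKADDR msg=audit(1299182731.220:8089815): saddr=02000050C0A800010000000000000000
type=SYSCALL msg=audit(1299182731.220:8089815): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfd2e1a0 a2=0 a3=0 items=0 ppid=4100 pid=4200 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=12 comm="curl" exe="/usr/bin/curl" subj=user_u:user_r:user_t:s0 key=(null)
EOF

# Who talked to the DNS server at 10.0.31.11:53?
dns_clients "$SAMPLE_LOG" "$(saddr_hex 10.0.31.11 53)"
```

On a live system replace SAMPLE_LOG with /var/log/audit/audit.log; the prefix is only 8 bytes long on purpose, since the padding after sin_addr varies between records. The uid pattern is anchored on the space before it so that auid, euid, suid and fsuid are not picked up by mistake.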

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License