Skip to content
This repository has been archived by the owner on Jun 2, 2020. It is now read-only.
/ auditr Public archive

A small Go program to read /var/log/audit/audit.log

12 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

alex-leonhardt/auditr

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
.gitignore
.gitignore
 
 
README.md
README.md
 
 
Vagrantfile
Vagrantfile
 
 
_config.yml
_config.yml
 
 
ci.gocd.yaml
ci.gocd.yaml
 
 
main.go
main.go
 
 

Repository files navigation

A small Go program to read /var/log/audit/audit.log

Ever wondered where your host is trying to connect to ? Enable auditing of outogoing connections and use this tool to get a simple list of outgoing connections detailing the date/time the application, parent pid and pid, the user and group id and the destination IP:PORT.

Pre-req

  • you must have auditd installed

Enable the auditing

Monitoring syscalls can be expensive, try to limit the number of rules to a minimum by applying filters, the one below works, but may need some optimisation for your system.

# auditctl -a exit,always -F arch=b64 -S connect -F a2!=110 -k network_outbound

Do some curls

curl -v -g -6 "https://[2a00:1450:4009:80d::200e]/" 1>/dev/null
curl -v https://www.google.com 1>/dev/null

Example log

type=SYSCALL msg=audit(1531903575.684:1152): arch=c000003e syscall=42 success=no exit=-115 a0=3 a1=7ffc57d16b70 a2=10 a3=7ffc57d16460 items=0 ppid=2076 pid=6422 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=31 comm="curl" exe="/usr/bin/curl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="network_outbound"
type=SOCKADDR msg=audit(1531903575.684:1152): saddr=020001BBD83AD5440000000000000000
type=PROCTITLE msg=audit(1531903575.684:1152): proctitle=6375726C002D760068747470733A2F2F7777772E676F6F676C652E636F6D

Run auditr

run

go run main.go -f /var/log/audit/audit.log

install & run

go get github.com/alex-leonhardt/auditr
(${GOPATH}/bin/)auditr -f /path/to/audit.log

get help

$GOPATH/bin/auditr -h

Example Output

2018-07-18 09:40:25 +0000 UTC prog=/usr/bin/curl uid=0 gid=0 pid=2076:9471 exit=-101 key=network_outbound type=ipv6 addr=2A00:1450:4009:080D:0000:0000:0000:200E port=443
2018-07-18 09:40:28 +0000 UTC prog=/usr/bin/curl uid=0 gid=0 pid=2076:9475 exit=0 key=network_outbound type=ipv4 addr=10.0.2.3 port=53
2018-07-18 09:40:28 +0000 UTC prog=/usr/bin/curl uid=0 gid=0 pid=2076:9475 exit=0 key=network_outbound type=ipv4 addr=216.58.198.228 port=443
2018-07-18 09:40:28 +0000 UTC prog=/usr/bin/curl uid=0 gid=0 pid=2076:9475 exit=-101 key=network_outbound type=ipv6 addr=2A00:1450:4009:0811:0000:0000:0000:2004 port=443
2018-07-18 09:40:28 +0000 UTC prog=/usr/bin/curl uid=0 gid=0 pid=2076:9475 exit=-115 key=network_outbound type=ipv4 addr=216.58.198.228 port=443

About

A small Go program to read /var/log/audit/audit.log

Topics

go linux golang security-audit auditd golang-tools golang-application linux-tools security-tools ci-gocd

Resources

Readme
Activity

Stars

12 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy