Some time ago I was interested in monitoring TCP/UDP connections with detailed information about the process that initiated the connection.
I have found a helpful article about that: Finding short-lived TCP connections owner process
so I have executed:
auditctl -a exit,always -F arch=b64 -S connect -k MYCONNECT
and started to monitor connections, but after some time I've noticed that every entry in audit.log with "SYSCALL=connect" is only about the IPv4 protocol; they all look like this:
type=SYSCALL msg=audit(1626330176.452:56662005): arch=c000003e syscall=42 success=no exit=-115 a0=1b a1=7ffea6f24b00 a2=10 a3=2 items=0 ppid=1 pid=809 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined key="MYCONNECT"ARCH=x86_64 SYSCALL=connect AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=SOCKADDR msg=audit(1626330176.452:56662005): saddr=0200005023E0AA540000000000000000SADDR={ fam=inet laddr=35.224.170.84 lport=80 }
type=PROCTITLE msg=audit(1626330176.452:56662005): proctitle="(kManager)"
where fam=inet laddr=35.224.170.84 lport=80 is the destination to connect to.
I have the IPv6 protocol enabled; this can be seen via
ip a
I have inet6 and an IPv6 address; through ip6tables I have seen that IPv6 is working and has connects, but I do not see them in audit.log; there are only IPv6 connections as I mentioned above.
Is it possible to monitor IPv6 via auditd also?
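As an added example (not from the question or the linked article), here is a small parser that decodes the raw saddr hex field of auditd SOCKADDR records into family, address and port. It handles the inet record quoted above and, going beyond the post, inet6 and local (AF_UNIX) records too; the IPv6 record in the sample data is constructed, and the function names are my own.

```python
import ipaddress
import re
import struct

# Linux sa_family_t values as they appear in the audit saddr field.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10

# Constructed sample SOCKADDR records. The first is the IPv4 record from the
# question; the second is a made-up AF_INET6 record (port 443, 2001:db8::1)
# showing what an inet6 connect looks like under the same audit rule.
SAMPLE_RECORDS = [
    "type=SOCKADDR msg=audit(1626330176.452:56662005): "
    "saddr=0200005023E0AA540000000000000000",
    "type=SOCKADDR msg=audit(1626330200.100:56662100): "
    "saddr=0A0001BB0000000020010DB8000000000000000000000001000000000"[:-1],
]

SADDR_RE = re.compile(r"saddr=([0-9A-Fa-f]+)")


def decode_saddr(hexstr):
    """Decode the raw struct sockaddr bytes that auditd logs as saddr=."""
    raw = bytes.fromhex(hexstr)
    # sa_family is stored in host byte order (little-endian on x86_64).
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == AF_INET:  # struct sockaddr_in: family, port (BE), addr, pad
        port = struct.unpack_from("!H", raw, 2)[0]
        return {"fam": "inet", "laddr": str(ipaddress.IPv4Address(raw[4:8])), "lport": port}
    if family == AF_INET6:  # struct sockaddr_in6: family, port, flowinfo, addr, scope
        port = struct.unpack_from("!H", raw, 2)[0]
        return {"fam": "inet6", "laddr": str(ipaddress.IPv6Address(raw[8:24])), "lport": port}
    if family == AF_UNIX:  # struct sockaddr_un; abstract names start with NUL -> ""
        path = raw[2:].split(b"\x00", 1)[0].decode(errors="replace")
        return {"fam": "local", "path": path}
    return {"fam": family}


def parse_record(line):
    """Return the decoded address for a SOCKADDR line, or None for other records."""
    m = SADDR_RE.search(line)
    return decode_saddr(m.group(1)) if m else None


def count_families(lines):
    """Tally connect targets by address family, e.g. to spot missing inet6 entries."""
    counts = {}
    for line in lines:
        info = parse_record(line)
        if info:
            counts[info["fam"]] = counts.get(info["fam"], 0) + 1
    return counts
```

Feed it the SOCKADDR lines of an audit.log (for example via ausearch -k MYCONNECT --raw) and the family tally shows directly whether any inet6 connects are being recorded.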