Redhat: Audit outgoing connections

We want to audit all of the outgoing connections from a Red Hat server.

With which tool or audit rule can we do that?

We also want to know the program executable from which the connection is initiated,
even if it is no longer running.

Interesting information is: time, executable, target ip/port
Postbank Asked:
Slav Zabicki, System Engineer, Commented:
hey,
I recommend shorewall. It's simple to configure and based on zones defined by you.

www.shorewall.net

To log all traffic (incoming or outgoing) you need to install a parser

   http://www.shorewall.net/pub/shorewall/parsefw/
   http://aaron.marasco.com/linux.html
   http://cert.uni-stuttgart.de/projects/fwlogwatch
   http://www.logwatch.org

regards
0
Postbank (Author) Commented:
hey,
thank you for the answer.

Shorewall is installed now and I can see the connections in the logfile,
but still without the information about which process/program they are initiated from.
For example:
Jan  4 07:34:20 testsrv kernel: Shorewall:a2fw:ACCEPT:IN=bond0 OUT= MAC=00:29:29:4f:ac:b4:00:14:c2:75:c0:52:02:00 SRC=172.12.1.211 DST=172.12.2.207 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=50123 DF PROTO=TCP SPT=55818 DPT=5666 WINDOW=5840 RES=0x00 SYN URGP=0 2

there is no information about the program.

The parser shows only:
<table name="restab" width="100%" border>
<tr>
<th>Date</th>
<th>Time</th>
<th>Firewall</th>
<th>Rule</th>
<th>Action</th>
<th>In I/F</th>
<th>Out I/F</th>
<th>From IP</th>
<th>Target IP</th>
<th>Protocol</th>
<th>Src Port</th>
<th>Dest Port</th>



0
Slav Zabicki, System Engineer, Commented:
What parser did you install?
0
Postbank (Author) Commented:
http://www.shorewall.net/pub/shorewall/parsefw/

parsefw-bin-0.2.tar

this was not an installation, but an executable program
-rwxr-xr-x 1 root   root  10052 Mar 21  2003 parsefw
0
Slav Zabicki, System Engineer, Commented:
hmm.
u know, I think that we need to change the approach to the matter.
I've used shorewall in almost all installations I did but I've never set up any parameter for execs.
I have to figure out.
meanwhile,
install http://www.fs-security.com/  FIRESTARTER
it's pretty neat.

I touched squid as well, but the setup takes time.

or

by hand
u can try
netstat

http://www.computerhope.com/unix/unetstat.htm




0
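Added example (not posted by anyone in this thread): the Linux audit subsystem records the executable with each `connect()` call, so the data stays available after the process has exited. This sketch joins the SYSCALL and SOCKADDR records of an audit log into the time, executable and target ip/port asked for above. It assumes auditd on x86_64 with the rule shown in the comment; the key name `outbound` and the sample log lines are constructed.

```python
import ipaddress
import re
import struct
from datetime import datetime, timezone

# Assumed rule producing these records (the key name "outbound" is arbitrary):
#   auditctl -a always,exit -F arch=b64 -S connect -k outbound
# Constructed sample of /var/log/audit/audit.log, not taken from the thread.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1199432060.123:4242): arch=c000003e syscall=42 success=yes exit=0 pid=1234 uid=500 comm="check_nrpe" exe="/usr/local/bin/check_nrpe" key="outbound"
type=SOCKADDR msg=audit(1199432060.123:4242): saddr=02001622AC0C02CF0000000000000000
type=SYSCALL msg=audit(1199432061.500:4243): arch=c000003e syscall=42 success=no exit=-2 pid=1300 uid=0 comm="logger" exe="/usr/bin/logger" key="outbound"
type=SOCKADDR msg=audit(1199432061.500:4243): saddr=01002F6465762F6C6F6700
"""
RECORD = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
AF_INET, AF_INET6 = 2, 10  # Linux address-family numbers

def decode_saddr(hex_saddr):
    """Decode a raw sockaddr; return (ip, port), or None for non-IP families."""
    raw = bytes.fromhex(hex_saddr)
    if len(raw) < 4:
        return None
    family = struct.unpack_from("<H", raw)[0]  # host order, little-endian assumed
    port = struct.unpack_from("!H", raw, 2)[0]  # network byte order
    if family == AF_INET and len(raw) >= 8:
        return str(ipaddress.ip_address(raw[4:8])), port
    if family == AF_INET6 and len(raw) >= 24:
        return str(ipaddress.ip_address(raw[8:24])), port
    return None  # AF_UNIX and others are local sockets, not network connections

def outgoing_connections(log_text):
    """Join SYSCALL and SOCKADDR records by event id; return (time, exe, ip, port)."""
    events = {}
    for m in filter(None, map(RECORD.match, log_text.splitlines())):
        rtype, sec, serial, body = m.groups()
        event = events.setdefault((sec, serial), {"sec": int(sec)})
        if rtype == "SYSCALL":
            exe = re.search(r'\bexe=("[^"]*"|\S+)', body)
            event["exe"] = exe.group(1).strip('"') if exe else "?"
        elif rtype == "SOCKADDR":
            sa = re.search(r"\bsaddr=([0-9A-Fa-f]+)", body)
            event["target"] = decode_saddr(sa.group(1)) if sa else None
    rows = []
    for event in events.values():
        if event.get("target") and "exe" in event:
            when = datetime.fromtimestamp(event["sec"], tz=timezone.utc)
            rows.append((when.isoformat(), event["exe"], *event["target"]))
    return rows
```

The second sample event is a `connect()` to a local AF_UNIX socket, which the decoder drops so that only network targets are reported.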

Linux Networking


Question has a verified solution.
