Hello,
We're configuring TA_netfilter based on the documention on github.
The documentation says:
It's recommended to log the uid and gid of the process that produces egress traffic using 'log-uid'.
For example:-A OUTPUT -j LOG --log-prefix "ACTION=DROP " --log-uid
Perhaps this is just a bad example, but what's the point of logging the UID and GID on a drop message? Won't it always be UID=0 GID=0 for drops?! egress is only outbound traffic.
We are only logging dropped/rejected traffic, not success, so should we just skip this instruction?
Thanks!
Thanks for the question @Intermediate. It's only possible to log the uid/gid of egress traffic because the kernel knows which process produced it. Egress traffic won't always have the uid/gid of 0 (root); let's say for example apache suddenly starts attempting to send traffic it shouldn't, the uid/gid would then indicate it was generated by the apache user, which can then be used by the Network Traffic data model and to assist with determining the source process that produced it.
A colleague offered a possible explanation. Is the intention in this example to determine the UID/GID of processes which have traffic blocked by outbound firewall rules?
Thanks for the question @Intermediate. It's only possible to log the uid/gid of egress traffic because the kernel knows which process produced it. Egress traffic won't always have the uid/gid of 0 (root); let's say for example apache suddenly starts attempting to send traffic it shouldn't, the uid/gid would then indicate it was generated by the apache user, which can then be used by the Network Traffic data model and to assist with determining the source process that produced it.
Thanks Doug that's helpful!
Please ignore my latest "answer" as I posted it before I'd seen your response.
The URL for the documentation was lost when I published my question. It is https://github.com/doksu/TA_netfilter/wiki