[Bug 820895] Re: Log File Viewer does not log "Process Name"

Jamie Strandboge jamie at ubuntu.com
Thu Jan 26 22:22:51 UTC 2012


To be clear, the kernel is doing the logging, not iptables. Iptables
configures netfilter, the part of the kernel that does all this.

That said, the pid is not logged by the kernel so there is nothing to cross-reference in /proc (which is all netstat is doing). E.g.:
Jan 26 15:36:57 localhost kernel: [21281.600175] [UFW BLOCK] IN= OUT=wlan0 SRC=10.0.0.2 DST=91.189.90.41 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=37870 DF PROTO=TCP SPT=38053 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0

What Robbie suggests could kinda work, but because it is polling a
snapshot in time, it is not really a satisfactory solution for people
wanting to continually map outgoing connections to a program name. The
superuser.com site has tips on how to write a program that could poll
various things in /proc, but this is not this bug. This bug is asking
for logging the process name for network packets (the PID could in
theory satisfy this, but there is still the problem of the polling
interval).

Iptables does have a --log-uid option, but that doesn't get us all the way there:
Jan 26 15:45:54 localhost kernel: [21818.931215] [TEST] IN= OUT=wlan0 SRC=10.0.0.2 DST=91.189.89.88 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=24075 DF PROTO=TCP SPT=52517 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1000 GID=1000

Most of the desire surrounding this sort of logging has to do with
application firewalls where you have specific firewall rules based on
the application producing the network traffic. There used to be a
--cmd-owner option for iptables that would configure the firewall to more
or less do what you wanted but the kernel as of 2.6.14 stopped supporting
this. The Debian bug report referring to the removal of --cmd-owner is:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492284

and the kernel commit is:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=34b4a4a624bafe089107966a6c56d2a1aca026d4

The kernel commit states:
"[NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner

Rip out cmd/sid/pid matching since its unfixable broken and stands in the
way of locking changes to tasklist_lock."

LSMs such as AppArmor could be used to help with application firewalls,
but at this time AppArmor network mediation is very coarse-grained.
Support is planned for better network mediation; the first cut will
allow specifying network rules by port. After that we would tie in with
secmark which will allow us to filter based on the contents of the
secmark. Both of these would improve the situation for application
firewalls to varying degrees, and a creative complain-mode global
AppArmor policy could in theory be used to show which applications are
making the outgoing connections.

** Bug watch added: Debian Bug tracker #492284
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492284

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/820895

Title:
  Log File Viewer does not log "Process Name"

Status in “rsyslog” package in Ubuntu:
  Won't Fix

Bug description:
  The gnome "Log File Viewer" does not log the Process Name (or
  Application Name) that generated the log item. For example, if an
  outbound internet connection is blocked and this event is logged, only
  the "ID" (i.e., PID) is shown in the report. But the PID is useless
  because it is ephemeral and does not live past the session. Users are
  left with no way to learn what Application or Process was responsible
  for generating the log item.

  The "Process Name" should be listed in log items instead of the PID.

  ProblemType: Bug
  DistroRelease: Ubuntu 10.04
  Package: gnome-utils 2.30.0-0ubuntu1
  ProcVersionSignature: Ubuntu 2.6.32-33.71-generic 2.6.32.41+drm33.18
  Uname: Linux 2.6.32-33-generic i686
  Architecture: i386
  Date: Thu Aug  4 08:05:47 2011
  ExecutablePath: /usr/bin/gnome-system-log
  InstallationMedia: Ubuntu 10.04.1 LTS "Lucid Lynx" - Release i386 (20100816.1)
  ProcEnviron:
   LC_TIME=en_GB.UTF-8
   LANG=en_US.utf8
   SHELL=/bin/bash
  SourcePackage: gnome-utils
  XsessionErrors: (polkit-gnome-authentication-agent-1:1444): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/820895/+subscriptions
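The following is an added example, not code from the bug thread, rsyslog or ufw. It parses kernel netfilter LOG lines shaped like the two quoted in Jamie Strandboge's comment above (the `[UFW BLOCK]` line, which carries no PID or UID, and the `--log-uid` line, which carries only UID/GID), then does what netstat does: it looks the SRC:SPT -> DST:DPT 4-tuple up in a /proc/net/tcp snapshot to find the socket inode and scans process fd links for that inode. All inputs are constructed and embedded (the log lines, the /proc/net/tcp text and the `FAKE_PROC` process table are hypothetical); the /proc/net/tcp address encoding assumes a little-endian host. The second sample deliberately has no matching socket in the snapshot, so attribution fails and only the UID survives, which is exactly the polling-interval limitation the comment describes.

```python
import re
import socket
import struct
from typing import Dict, Optional, Tuple

# Constructed sample log lines modelled on the two quoted in the bug comment:
# a [UFW BLOCK] line (no PID, no UID) and a line from a rule using --log-uid.
UFW_LINE = ("Jan 26 15:36:57 localhost kernel: [21281.600175] [UFW BLOCK] IN= OUT=wlan0 "
            "SRC=10.0.0.2 DST=91.189.90.41 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=37870 DF "
            "PROTO=TCP SPT=38053 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0")
UID_LINE = ("Jan 26 15:45:54 localhost kernel: [21818.931215] [TEST] IN= OUT=wlan0 "
            "SRC=10.0.0.2 DST=91.189.89.88 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=24075 DF "
            "PROTO=TCP SPT=52517 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1000 GID=1000")

# Constructed /proc/net/tcp snapshot (hypothetical contents). Only the first
# connection (10.0.0.2:38053 -> 91.189.90.41:23, state 02 = SYN_SENT) is present;
# the socket behind UID_LINE is assumed to have been closed before the poll.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0200000A:94A5 295ABD5B:0017 02 00000001:00000000 01:00000024 00000000  1000        0 67890 1 0000000000000000 100 0 0 10 -1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
"""

# Constructed stand-in for walking /proc/<pid>/comm and readlink(/proc/<pid>/fd/*):
# {pid: (comm, [fd link targets])}. PIDs and names are hypothetical.
FAKE_PROC = {
    1444: ("polkit-gnome-au", ["/dev/null", "socket:[12345]"]),
    2201: ("telnet", ["/dev/pts/0", "socket:[67890]"]),
}

LOG_RE = re.compile(r"kernel: \[\s*[\d.]+\] \[(?P<prefix>[^\]]+)\] (?P<rest>.*)$")


def parse_netfilter_log(line: str) -> Optional[Dict[str, object]]:
    """Split a kernel netfilter LOG line into its KEY=VALUE fields.

    Bare tokens such as DF or SYN are stored as flags (value True).
    Returns None if the line is not a netfilter LOG line.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    fields: Dict[str, object] = {"PREFIX": m.group("prefix")}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = True
    return fields


def proc_addr(ip: str, port: int) -> str:
    """Encode ip:port the way /proc/net/tcp prints it.

    /proc/net/tcp shows the address as a 32-bit value in host byte order, so
    this assumes a little-endian host (x86, the usual case).
    """
    host_order = struct.unpack("<I", socket.inet_aton(ip))[0]
    return f"{host_order:08X}:{port:04X}"


def find_socket_inode(fields: Dict[str, object], proc_net_tcp: str) -> Optional[int]:
    """Look up the SRC:SPT -> DST:DPT 4-tuple in a /proc/net/tcp snapshot."""
    if fields.get("PROTO") != "TCP":
        return None
    local = proc_addr(str(fields["SRC"]), int(str(fields["SPT"])))
    remote = proc_addr(str(fields["DST"]), int(str(fields["DPT"])))
    for row in proc_net_tcp.splitlines()[1:]:  # skip the header line
        cols = row.split()
        if len(cols) >= 10 and cols[1] == local and cols[2] == remote:
            return int(cols[9])  # tenth column is the socket inode
    return None


def inode_to_process(inode: int, proc_snapshot) -> Optional[Tuple[int, str]]:
    """Find which process holds the socket inode open (what netstat -p does)."""
    target = f"socket:[{inode}]"
    for pid, (comm, fd_links) in proc_snapshot.items():
        if target in fd_links:
            return pid, comm
    return None


def attribute(line: str, proc_net_tcp: str, proc_snapshot) -> Optional[Dict[str, object]]:
    """Best-effort attribution of one log line from a single /proc poll."""
    fields = parse_netfilter_log(line)
    if fields is None:
        return None
    uid = int(str(fields["UID"])) if "UID" in fields else None
    process = None
    inode = find_socket_inode(fields, proc_net_tcp)
    if inode is not None:
        process = inode_to_process(inode, proc_snapshot)
    # process stays None whenever the socket was already gone at poll time:
    # the race the bug comment describes.
    return {"prefix": fields["PREFIX"], "uid": uid, "inode": inode, "process": process}


if __name__ == "__main__":
    for sample in (UFW_LINE, UID_LINE):
        print(attribute(sample, PROC_NET_TCP, FAKE_PROC))
```

Run on a live host you would replace `PROC_NET_TCP` with the contents of /proc/net/tcp and `FAKE_PROC` with a walk of /proc/*/fd, but the shape of the result is the same: a blocked SYN that is still being retried may be found in SYN_SENT, while a short-lived socket is missed entirely, so the UID from `--log-uid` is the only attribution that is guaranteed to survive.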