auditd reports port number '0' for connect() system call
Kangkook Jee
aixer77 at gmail.com
Mon Apr 4 18:32:02 UTC 2016
Thanks a lot Steve! I really helps.
Regards, Kangkook
> On Apr 1, 2016, at 8:13 AM, Steve Grubb <sgrubb at redhat.com> wrote:
>
> On Thursday, March 31, 2016 06:11:26 PM Kangkook Jee wrote:
>> Here an event directly from auditd for connect() system call (syscall=42)
>> with port number 0. Do you think connect() system call still can be called
>> with port number 0?
>
>
> Hello,
>
> I got the full events. Below is the explanation...
>
> type=SYSCALL msg=audit(03/29/2016 21:33:27.178:35720094) : arch=x86_64
> syscall=socket success=yes exit=44 a0=inet a1=SOCK_DGRAM a2=ip a3=0x0 items=0
> ppid=2779 pid=31713 auid=unset uid=unknown(8271) gid=unknown(5001)
> euid=unknown(8271) suid=unknown(8271) fsuid=unknown(8271) egid=unknown(5001)
> sgid=unknown(5001) fsgid=unknown(5001) tty=(none) ses=unset comm=DNS Res~er
> #465 exe=/usr/lib/firefox/firefox key=(null)
>
> So, here ^^^ we are creating a DGRAM socket. This is important because they
> follow slightly different rules than tcp.
>
>
> type=SOCKADDR msg=audit(03/29/2016 21:33:27.178:35720095) : saddr=inet
> host:54.68.122.100 serv:0
> type=SYSCALL msg=audit(03/29/2016 21:33:27.178:35720095) : arch=x86_64
> syscall=connect success=yes exit=0 a0=0x2c a1=0x7f1fbe8f81f0 a2=0x10 a3=0x0
> items=0 ppid=2779 pid=31713 auid=unset uid=unknown(8271) gid=unknown(5001)
> euid=unknown(8271) suid=unknown(8271) fsuid=unknown(8271) egid=unknown(5001)
> sgid=unknown(5001) fsgid=unknown(5001) tty=(none) ses=unset comm=DNS Res~er
> #465 exe=/usr/lib/firefox/firefox key=(null)
>
>
> http://man7.org/linux/man-pages/man2/connect.2.html
> If the socket sockfd is of type SOCK_DGRAM, then addr is the address to which
> datagrams are sent by default, and the only address from which datagrams are
> received.
>
> So, this is just setting up a connectionless socket to a specific server.
> Judging by the thread name, this is for DNS resolution for Firefox. So, I
> would say that without a doubt, this is normal system operation.
>
> -Steve
>
>
>> type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42
>> success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779
>> pid=31713 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271
>> egid=5001 sgid=500# type=SOCKADDR msg=audit(1459301607.178:35720095):
>> saddr=0200000036447A640000000000000000
>>
>> If it is bind() it makes but I’m not sure we can still do this with
>> connect().
>>
>> Thanks!
>>
>> /Kangkook
>
More information about the Linux-audit
mailing list