auditd reports port number '0' for connect() system call

Kangkook Jee aixer77 at gmail.com
Mon Apr 4 18:32:02 UTC 2016


Thanks a lot, Steve! It really helps. 


Regards, Kangkook

> On Apr 1, 2016, at 8:13 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> 
> On Thursday, March 31, 2016 06:11:26 PM Kangkook Jee wrote:
>> Here an event directly from auditd for connect() system call (syscall=42)
>> with port number 0. Do you think connect() system call still can be called
>> with port number 0?
> 
> 
> Hello,
> 
> I got the full events. Below is the explanation...
> 
> type=SYSCALL msg=audit(03/29/2016 21:33:27.178:35720094) : arch=x86_64 
> syscall=socket success=yes exit=44 a0=inet a1=SOCK_DGRAM a2=ip a3=0x0 items=0 
> ppid=2779 pid=31713 auid=unset uid=unknown(8271) gid=unknown(5001) 
> euid=unknown(8271) suid=unknown(8271) fsuid=unknown(8271) egid=unknown(5001) 
> sgid=unknown(5001) fsgid=unknown(5001) tty=(none) ses=unset comm=DNS Res~er 
> #465 exe=/usr/lib/firefox/firefox key=(null) 
> 
> So, here ^^^ we are creating a DGRAM socket. This is important because they 
> follow slightly different rules than tcp.
> 
> 
> type=SOCKADDR msg=audit(03/29/2016 21:33:27.178:35720095) : saddr=inet 
> host:54.68.122.100 serv:0 
> type=SYSCALL msg=audit(03/29/2016 21:33:27.178:35720095) : arch=x86_64 
> syscall=connect success=yes exit=0 a0=0x2c a1=0x7f1fbe8f81f0 a2=0x10 a3=0x0 
> items=0 ppid=2779 pid=31713 auid=unset uid=unknown(8271) gid=unknown(5001) 
> euid=unknown(8271) suid=unknown(8271) fsuid=unknown(8271) egid=unknown(5001) 
> sgid=unknown(5001) fsgid=unknown(5001) tty=(none) ses=unset comm=DNS Res~er 
> #465 exe=/usr/lib/firefox/firefox key=(null)
> 
> 
> http://man7.org/linux/man-pages/man2/connect.2.html
> If the socket sockfd is of type SOCK_DGRAM, then addr is the address to which 
> datagrams are sent by default, and the only address from which datagrams are 
> received.
> 
> So, this is just setting up a connectionless socket to a specific server. 
> Judging by the thread name, this is for DNS resolution for Firefox. So, I 
> would say that without a doubt, this is normal system operation.
> 
> -Steve
> 
> 
>> type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42
>> success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779
>> pid=31713 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271
>> egid=5001 sgid=500# type=SOCKADDR msg=audit(1459301607.178:35720095):
>> saddr=0200000036447A640000000000000000
>> 
>> If it is bind() it makes but I’m not sure we can still do this with
>> connect().
>> 
>> Thanks!
>> 
>> /Kangkook
> 
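Added example, not code from the thread: a Python decoder for the raw saddr hex in Kangkook's record, recovering the family, host and port that ausearch -i rendered as "saddr=inet host:54.68.122.100 serv:0", plus a small classifier applying Steve's SOCK_DGRAM reasoning to a port-0 connect(). It assumes an x86_64 (little-endian) Linux host for the byte layout and constants, and also handles AF_INET6 records, which the thread does not show.

```python
import ipaddress
import re
import struct

# Linux address-family values as they appear in the record's first two bytes.
AF_INET, AF_INET6 = 2, 10
SOCK_DGRAM = 2  # value of a1 in the socket() SYSCALL record for a datagram socket

# The raw SOCKADDR record quoted in the thread, used here as sample input.
SOCKADDR_RECORD = ("type=SOCKADDR msg=audit(1459301607.178:35720095): "
                   "saddr=0200000036447A640000000000000000")

def saddr_from_record(line: str) -> str:
    """Pull the hex saddr value out of a raw (non-interpreted) SOCKADDR record."""
    m = re.search(r"\bsaddr=([0-9A-Fa-f]+)", line)
    if not m:
        raise ValueError("no saddr field in record")
    return m.group(1)

def decode_saddr(hexstr: str) -> dict:
    """Decode saddr into family, host and port, as ausearch -i does.

    sa_family is stored in host byte order (little-endian on x86_64); the port
    inside sockaddr_in / sockaddr_in6 is in network (big-endian) byte order."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]
    if family == AF_INET:
        # struct sockaddr_in: family(2) port(2) addr(4) padding(8)
        port, addr = struct.unpack("!H4s", raw[2:8])
        host = str(ipaddress.IPv4Address(addr))
    elif family == AF_INET6:
        # struct sockaddr_in6: family(2) port(2) flowinfo(4) addr(16) scope_id(4)
        port, _flowinfo, addr = struct.unpack("!HI16s", raw[2:24])
        host = str(ipaddress.IPv6Address(addr))
    else:
        raise ValueError(f"unsupported address family {family}")
    return {"family": family, "host": host, "port": port}

def classify_connect(sock_type: int, decoded: dict) -> str:
    """Apply the thread's reasoning to a connect() whose peer port is 0:
    on a SOCK_DGRAM socket, connect() only records a default peer address."""
    if decoded["port"] != 0:
        return "port-set"
    if sock_type == SOCK_DGRAM:
        return "dgram-default-peer"  # normal, as in the Firefox DNS case above
    return "stream-port-zero"        # not explained by the thread; look closer

if __name__ == "__main__":
    d = decode_saddr(saddr_from_record(SOCKADDR_RECORD))
    print(d, classify_connect(SOCK_DGRAM, d))
```

Pair the socket() SYSCALL record (a1 gives the socket type) with the connect() SOCKADDR record by pid before calling classify_connect, as Steve did by hand in the thread.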