auditd reports port number '0' for connect() system call

Kangkook Jee aixer77 at gmail.com
Thu Mar 31 12:54:30 UTC 2016


I checked the strings that I provided in the previous email.

The first three gave me proper port numbers:

$ ~/bin/sock_decode 020000358A0F6C0B0000000000000000
020000358A0F6C0B0000000000000000: sa_family: 2 addr: 191631242, port: 53 (13568)
$ ~/bin/sock_decode 0200006F8A0FA5090000000000000000
0200006F8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 111 (28416)
$ ~/bin/sock_decode 0200030B8A0FA5090000000000000000
0200030B8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 779 (2819)


But the last three didn't:

$ ~/bin/sock_decode 0200000036447A640000000000000000
0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
$ ~/bin/sock_decode 020000003644ECD00000000000000000
020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
$ ~/bin/sock_decode 02000000369520250000000000000000
02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)

Would you check this out?

/Kangkook

> On Mar 30, 2016, at 7:29 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> 
> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>> If I understood correctly, connect() should return error when sin_port field
>> is set with '0'. Would anyone explain this to me or help me with fix this
>> problem?
> 
> I get 779 as the port from your event.
> 
> -Steve
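To make the sock_decode output above reproducible without that tool, here is an added decoder for the hex `saddr=` value of an auditd SOCKADDR record (example code written for this page, not the audit project's own code and not the poster's sock_decode). It assumes the record is the raw `struct sockaddr` as copied from the caller on a little-endian host (sa_family in host order, sin_port in network order, sin_addr as four bytes), and it prints both the ntohs port and the same bytes read in host order, which is the number sock_decode shows in parentheses. The six sample strings are the ones from the message above. As a check a practitioner would want, it also lists the records whose port bytes are literally zero: in the last three samples the third and fourth hex bytes are `0000`, so the audit record itself carries sin_port == 0 rather than the decoder losing it. The AF_INET6 branch goes beyond the page's IPv4 examples and is an assumption about the sockaddr_in6 layout.

```python
import socket
import struct

# Constructed sample: the six saddr= hex strings quoted in the message above.
SAMPLE_SADDRS = [
    "020000358A0F6C0B0000000000000000",
    "0200006F8A0FA5090000000000000000",
    "0200030B8A0FA5090000000000000000",
    "0200000036447A640000000000000000",
    "020000003644ECD00000000000000000",
    "02000000369520250000000000000000",
]


def decode_saddr(hexstr):
    """Decode the hex saddr= field of an auditd SOCKADDR record.

    The field is the raw struct sockaddr the kernel copied from the caller:
    sa_family in host byte order (little-endian x86 assumed here), then the
    family-specific body. For AF_INET that is sin_port in network byte order
    followed by sin_addr as four bytes; the rest is zero padding.
    """
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2:
        raise ValueError("saddr too short to hold sa_family")
    family = struct.unpack_from("<H", raw, 0)[0]

    if family == socket.AF_INET:
        if len(raw) < 8:
            raise ValueError("sockaddr_in truncated")
        port = struct.unpack_from("!H", raw, 2)[0]        # ntohs(sin_port)
        port_host = struct.unpack_from("<H", raw, 2)[0]   # same bytes in host order
        return {
            "family": "AF_INET",
            "addr": socket.inet_ntoa(raw[4:8]),
            # sin_addr read as a little-endian 32-bit integer, as sock_decode prints it
            "addr_le": struct.unpack_from("<I", raw, 4)[0],
            "port": port,
            "port_host_order": port_host,
        }

    if family == socket.AF_INET6:
        # Assumed layout: family(2) port(2) flowinfo(4) addr(16) scope_id(4)
        if len(raw) < 28:
            raise ValueError("sockaddr_in6 truncated")
        return {
            "family": "AF_INET6",
            "addr": socket.inet_ntop(socket.AF_INET6, raw[8:24]),
            "port": struct.unpack_from("!H", raw, 2)[0],
        }

    # Other families (AF_UNIX, AF_NETLINK, ...) are returned undecoded.
    return {"family": family, "raw": raw.hex()}


def zero_port_records(hexstrs):
    """Return (hexstr, decoded) pairs whose sin_port bytes are literally zero."""
    found = []
    for h in hexstrs:
        decoded = decode_saddr(h)
        if decoded.get("port") == 0:
            found.append((h, decoded))
    return found


if __name__ == "__main__":
    for h in SAMPLE_SADDRS:
        d = decode_saddr(h)
        print(f"{h}: {d['family']} {d['addr']}:{d['port']} "
              f"(port bytes {h[4:8]}, host-order {d['port_host_order']})")
    zeros = zero_port_records(SAMPLE_SADDRS)
    print(f"{len(zeros)} of {len(SAMPLE_SADDRS)} records carry sin_port == 0")
```

Run it directly to print one line per record; the port bytes are shown verbatim so that a zero port can be traced back to the captured struct rather than to a byte-order mistake in the decoder.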