auditd reports port number '0' for connect() system call
Steve Grubb
sgrubb at redhat.com
Thu Mar 31 21:50:23 UTC 2016
On Thursday, March 31, 2016 08:54:30 AM Kangkook Jee wrote:
> but the last three didn't
>
> $ ~/bin/sock_decode 0200000036447A640000000000000000
> 0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
> $ ~/bin/sock_decode 020000003644ECD00000000000000000
> 020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
> $ ~/bin/sock_decode 02000000369520250000000000000000
> 02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
>
> Would you check this out?
You didn't give the events, but rather the sockaddr field alone. Port 0 is
valid in some uses. It means "give me an ephemeral port".
http://lxr.free-electrons.com/source/net/ipv4/inet_connection_sock.c#L90
90 /* Obtain a reference to a local port for the given sock,
91 * if snum is zero it means select any available local port.
-Steve
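The three saddr values above are the hex encoding of a sockaddr_in as auditd writes it into a SOCKADDR record. The following Python decoder is an added example, not part of the thread and not the sock_decode tool Kangkook used: it splits the field into sa_family (host byte order), port and address (network byte order) and marks a zero port as ephemeral, which is the case Steve describes. The function names decode_saddr and decode_log, the SAMPLE_LOG records (timestamps, serials and the fourth 10.0.0.1:443 entry) are constructed for illustration; the first three saddr values are the ones posted in the thread. The addr_u32_host field is the address read as a little-endian u32, which reproduces the integers sock_decode printed (1685734454 for 36447A64) for cross-checking.

```python
import re
import socket
import struct

# Linux address-family constants (the sa_family values auditd records).
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10

# Matches the saddr= field of an audit SOCKADDR record.
SADDR_RE = re.compile(r"\bsaddr=([0-9A-Fa-f]+)")


def decode_saddr(hex_str):
    """Decode the hex-encoded sockaddr that auditd prints as saddr=.

    sa_family is stored in host byte order (little-endian, as on x86, is
    assumed here); sin_port / sin6_port and the IP address are in network
    byte order. The returned dict sets 'ephemeral' to True for an
    AF_INET/AF_INET6 address whose port is 0, i.e. "let the kernel pick any
    free local port".
    """
    raw = bytes.fromhex(hex_str)
    if len(raw) < 2:
        raise ValueError("sockaddr shorter than sa_family")
    family = struct.unpack_from("<H", raw, 0)[0]
    out = {"family": family, "ephemeral": False}

    if family == AF_INET:
        if len(raw) < 8:
            raise ValueError("sockaddr_in truncated")
        port = struct.unpack_from("!H", raw, 2)[0]
        addr = raw[4:8]
        out.update({
            "addr": socket.inet_ntop(socket.AF_INET, addr),
            # s_addr read as a host-order u32: the integer the thread's
            # sock_decode prints (1685734454 for 36447A64 on little-endian)
            "addr_u32_host": struct.unpack("<I", addr)[0],
            "port": port,
            "ephemeral": port == 0,
        })
    elif family == AF_INET6:
        if len(raw) < 24:
            raise ValueError("sockaddr_in6 truncated")
        port = struct.unpack_from("!H", raw, 2)[0]
        out.update({
            # sockaddr_in6: family(2) port(2) flowinfo(4) addr(16) scope(4)
            "addr": socket.inet_ntop(socket.AF_INET6, raw[8:24]),
            "port": port,
            "ephemeral": port == 0,
        })
    elif family == AF_UNIX:
        sun_path = raw[2:]
        if sun_path.startswith(b"\x00"):
            # abstract-namespace socket: leading NUL, the name is the rest
            out["path"] = "@" + sun_path[1:].rstrip(b"\x00").decode("utf-8", "replace")
        else:
            out["path"] = sun_path.split(b"\x00", 1)[0].decode("utf-8", "replace")
    return out


def decode_log(lines):
    """Decode every saddr= field found in a sequence of audit record lines."""
    results = []
    for line in lines:
        m = SADDR_RE.search(line)
        if m:
            results.append(decode_saddr(m.group(1)))
    return results


# Constructed sample SOCKADDR records. The first three saddr values are the
# ones posted in the thread; the timestamps/serials and the last record
# (10.0.0.1:443) are made up for illustration.
SAMPLE_LOG = [
    "type=SOCKADDR msg=audit(1459432470.101:1001): saddr=0200000036447A640000000000000000",
    "type=SOCKADDR msg=audit(1459432470.102:1002): saddr=020000003644ECD00000000000000000",
    "type=SOCKADDR msg=audit(1459432470.103:1003): saddr=02000000369520250000000000000000",
    "type=SOCKADDR msg=audit(1459432470.104:1004): saddr=020001BB0A0000010000000000000000",
]

if __name__ == "__main__":
    for rec in decode_log(SAMPLE_LOG):
        flag = " (port 0: ephemeral, kernel picks the local port)" if rec["ephemeral"] else ""
        print(f"family={rec['family']} addr={rec.get('addr')} port={rec.get('port')}{flag}")
```

When triaging such records, look at the whole event rather than the saddr field on its own: the SYSCALL record in the same event tells you whether the sockaddr belongs to a bind(), where port 0 is the normal "any free port" request, or to a connect(), where a zero destination port is worth a second look.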