auditd reports port number '0' for connect() system call

Kangkook Jee aixer77 at gmail.com
Thu Mar 31 22:11:26 UTC 2016


Here is an event directly from auditd for the connect() system call (syscall=42) with port number 0.
Do you think the connect() system call can still be called with port number 0?

type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42 success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779 pid=31713 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271 egid=5001 sgid=500#
type=SOCKADDR msg=audit(1459301607.178:35720095): saddr=0200000036447A640000000000000000

If it is bind() it makes sense, but I'm not sure we can still do this with connect().

Thanks! 

/Kangkook




> On Mar 31, 2016, at 5:50 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> 
> On Thursday, March 31, 2016 08:54:30 AM Kangkook Jee wrote:
>> but, the last three didn't
>> 
>> $ ~/bin/sock_decode 0200000036447A640000000000000000
>> 0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
>> $ ~/bin/sock_decode 020000003644ECD00000000000000000
>> 020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
>> $ ~/bin/sock_decode 02000000369520250000000000000000
>> 02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
>> 
>> Would you check this out?
> 
> You didn't give the events, but rather the sockaddr field alone. Port 0 is 
> valid in some uses. It means give me an ephemeral port.
> 
> http://lxr.free-electrons.com/source/net/ipv4/inet_connection_sock.c#L90
> 
> 90 /* Obtain a reference to a local port for the given sock,
> 91  * if snum is zero it means select any available local port.
> 
> -Steve
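A decoder for the saddr= field of the SOCKADDR records quoted above, as an added example (not the sock_decode tool from the thread): sa_family is in host byte order (little-endian for arch=c000003e), while sin_port and sin_addr are network byte order, and a port of 0 is flagged so an analyst can separate it from a real endpoint. The IPv6 sample is constructed; the three IPv4 values are the ones posted in the thread.

```python
import re
import socket
import struct

AF_INET, AF_INET6 = 2, 10

# The three saddr values posted in the thread, plus one constructed
# AF_INET6 record ([::1]:80) to exercise the sockaddr_in6 layout.
SAMPLE_RECORDS = [
    "type=SOCKADDR msg=audit(1459301607.178:35720095): saddr=0200000036447A640000000000000000",
    "type=SOCKADDR msg=audit(1459301607.178:35720096): saddr=020000003644ECD00000000000000000",
    "type=SOCKADDR msg=audit(1459301607.178:35720097): saddr=02000000369520250000000000000000",
    "type=SOCKADDR msg=audit(1459301607.178:35720098): saddr=0A000050000000000000000000000000000000000000000100000000",
]

_SADDR_RE = re.compile(r"\bsaddr=([0-9A-Fa-f]+)")


def decode_saddr(hex_saddr: str) -> dict:
    """Decode one hex-encoded sockaddr as logged by auditd.

    Layout: sockaddr_in  = u16 family (host order), u16 port (net order), 4-byte addr, 8 pad
            sockaddr_in6 = u16 family (host order), u16 port (net order), u32 flowinfo,
                           16-byte addr, u32 scope_id
    """
    raw = bytes.fromhex(hex_saddr)
    (family,) = struct.unpack_from("<H", raw, 0)   # little-endian host order (x86_64)
    if family == AF_INET and len(raw) >= 8:
        (port,) = struct.unpack_from("!H", raw, 2)
        addr = socket.inet_ntop(socket.AF_INET, raw[4:8])
    elif family == AF_INET6 and len(raw) >= 24:
        (port,) = struct.unpack_from("!H", raw, 2)
        addr = socket.inet_ntop(socket.AF_INET6, raw[8:24])
    else:
        return {"family": family, "addr": None, "port": None, "port_zero": False}
    # The "pick any available local port" rule quoted from inet_connection_sock.c
    # is about the *local* port; in a connect() record a zero sin_port is the
    # destination, so it deserves a second look rather than silent acceptance.
    return {"family": family, "addr": addr, "port": port, "port_zero": port == 0}


def decode_record(line: str) -> dict:
    """Pull the saddr= field out of a SOCKADDR record line and decode it."""
    match = _SADDR_RE.search(line)
    if not match:
        raise ValueError("no saddr= field in record: %r" % line)
    return decode_saddr(match.group(1))


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        r = decode_record(record)
        flag = "  <-- port 0" if r["port_zero"] else ""
        print("family=%d addr=%s port=%s%s" % (r["family"], r["addr"], r["port"], flag))
```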
