auditd reports port number '0' for connect() system call
Kangkook Jee
aixer77 at gmail.com
Thu Mar 31 22:11:26 UTC 2016
Here is an event directly from auditd for the connect() system call (syscall=42) with port number 0.
Do you think the connect() system call can still be called with port number 0?
type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42 success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779 pid=31713 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271 egid=5001 sgid=500#
type=SOCKADDR msg=audit(1459301607.178:35720095): saddr=0200000036447A640000000000000000
If it is bind() it makes sense, but I'm not sure we can still do this with connect().
Thanks!
/Kangkook
> On Mar 31, 2016, at 5:50 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>
> On Thursday, March 31, 2016 08:54:30 AM Kangkook Jee wrote:
>> but, last three one didn’t
>>
>> $ ~/bin/sock_decode 0200000036447A640000000000000000
>> 0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
>> $ ~/bin/sock_decode 020000003644ECD00000000000000000
>> 020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
>> $ ~/bin/sock_decode 02000000369520250000000000000000
>> 02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
>>
>> Would you check this out?
>
> You didn't give the events, but rather the sockaddr field alone. Port 0 is
> valid in some uses. It means "give me an ephemeral port".
>
> http://lxr.free-electrons.com/source/net/ipv4/inet_connection_sock.c#L90
>
> 90 /* Obtain a reference to a local port for the given sock,
> 91 * if snum is zero it means select any available local port.
>
> -Steve
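Decoding the saddr= field by hand shows which bytes carry the port and which the address, so a port of 0 can be read straight off the record. The block below is an added example, not the list's sock_decode tool or any audit project code; it assumes an x86_64 (little-endian) host for sa_family, as arch=c000003e in the event indicates, and runs over the three saddr values quoted in the thread (copied here as constructed sample input).

```python
import socket
import struct

# Constructed sample: the three AF_INET saddr values quoted in the thread.
SAMPLE_SADDRS = [
    "0200000036447A640000000000000000",
    "020000003644ECD00000000000000000",
    "02000000369520250000000000000000",
]


def decode_saddr(hex_saddr):
    """Decode the hex saddr= field of an auditd SOCKADDR record.

    The field is the raw struct sockaddr bytes: sa_family is in host byte
    order (little-endian assumed here), while sin_port/sin6_port are in
    network byte order, so a port shows up as big-endian bytes 2..3.
    """
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == socket.AF_INET:  # struct sockaddr_in
        port = struct.unpack_from("!H", raw, 2)[0]
        addr = socket.inet_ntop(socket.AF_INET, raw[4:8])
        return {"family": "AF_INET", "addr": addr, "port": port}
    if family == socket.AF_INET6:  # struct sockaddr_in6: port, flowinfo, addr
        port = struct.unpack_from("!H", raw, 2)[0]
        addr = socket.inet_ntop(socket.AF_INET6, raw[8:24])
        return {"family": "AF_INET6", "addr": addr, "port": port}
    if family == socket.AF_UNIX:  # struct sockaddr_un: NUL-terminated path
        path = raw[2:]
        if path[:1] == b"\x00":  # abstract namespace, conventionally shown as @name
            name = "@" + path[1:].rstrip(b"\x00").decode(errors="replace")
        else:
            name = path.split(b"\x00", 1)[0].decode(errors="replace")
        return {"family": "AF_UNIX", "path": name}
    return {"family": family, "raw": hex_saddr}


def decode_sockaddr_record(line):
    """Pull saddr= out of a 'type=SOCKADDR ...' record line and decode it."""
    for field in line.split():
        if field.startswith("saddr="):
            return decode_saddr(field[len("saddr="):])
    raise ValueError("no saddr= field in record")


if __name__ == "__main__":
    for saddr in SAMPLE_SADDRS:
        print(saddr, decode_saddr(saddr))
```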