auditd and hidden ports
Yectli Huerta
yhuerta at umn.edu
Tue Dec 19 20:10:53 UTC 2017
On 12/18/17, Steve Grubb <sgrubb at redhat.com> wrote:
> Hello,
>
..........
>
> If you got rooted, then you may not be able to trust anything. Typically
> they hide processes seen by ps and files seen by ls. It might be that they
> use an unknown syscall number or it's in the kernel itself. I also don't
> know if they jump into a network namespace if the audit daemon will see
> it. It might be an innocent explanation like that.
>
> -Steve
>
Hi,
Thanks for the reply. I'm trying to narrow down the scenarios. I ran
a simple program that I found on the web and modified to check
all ports:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>        /* bzero(), bcopy() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
/*
 * from https://theredblacktree.wordpress.com/2013/09/30/how-to-check-if-a-port-is-open-or-not-in-c-unixlinux/
 * modified to try every TCP port on localhost: connect() only succeeds
 * where something is listening, and each success is printed as "active".
 */
int main(int argc, char *argv[])
{
    char *hostname = "localhost";
    int sockfd, i;
    struct sockaddr_in serv_addr;
    struct hostent *server;

    for (i = 1; i <= 65535; i++) {
        sockfd = socket(AF_INET, SOCK_STREAM, 0);
        if (sockfd < 0) {
            perror("ERROR opening socket");
            exit(1);
        }
        server = gethostbyname(hostname);
        if (server == NULL) {
            fprintf(stderr, "ERROR, no such host\n");
            exit(1);
        }
        bzero((char *) &serv_addr, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        bcopy((char *) server->h_addr,
              (char *) &serv_addr.sin_addr.s_addr,
              server->h_length);
        serv_addr.sin_port = htons(i);
        /* one connect() per port; this is the syscall auditd should record */
        if (connect(sockfd, (struct sockaddr *) &serv_addr,
                    sizeof(serv_addr)) < 0) {
            /* closed (usually ECONNREFUSED); nothing printed */
        } else {
            printf("Port is active, %d\n", i);
        }
        close(sockfd);
    }
    return 0;
}
When I run it, it tells me which ports are used because the program can't
bind to a port:
[/tmp] % sudo autrace ./a.out
Waiting to execute: ./a.out
Port is active, 22
Port is active, 111
....
When I analyze the output
[/tmp] % sudo ausearch -i -p 5502 &> ~/tcp-bind-auditd.log
I see that a.out was able to connect to very high ports, but not to the lower
ports that were reported to be in use:
[ ~] $ grep serv tcp-bind-auditd.log | awk {'print $NF'} | sort | head -n 5
serv:62653
serv:62654
serv:62655
serv:62656
serv:62657
[ ~] $ grep serv tcp-bind-auditd.log | awk {'print $NF'} | sort | tail -n 5
serv:65531
serv:65532
serv:65533
serv:65534
serv:65535
[ ~] $ grep serv:22 tcp-bind-auditd.log
[ ~] $ grep serv:111 tcp-bind-auditd.log
[ ~] $ grep serv:23 tcp-bind-auditd.log
[ ~] $
[~] $ grep 65535 tcp-bind-auditd.log
type=SOCKADDR msg=audit(12/19/2017 13:27:52.377:33949631) : saddr=inet host:127.0.0.1 serv:65535
Is something hiding the lower ports from auditd? Is there a way to log
all syscalls to trace what binds to the ports after a reboot? I can
reboot the server and then attempt to trace each network socket.
These rules don't seem to be enough to track network sockets:
[/tmp] % sudo auditctl -l
-a always,exit -F arch=b64 -S connect -F key=CONNECT
-a always,exit -F arch=b64 -S bind -F key=BIND
-a always,exit -F arch=b64 -S socket -F key=SOCKET
-a always,exit -F arch=b64 -S listen -F key=LISTEN
-a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
-a always,exit -F arch=b64 -S close -F key=CLOSE
The ports that appeared to be hidden are no longer showing up, so I'm
trying to figure out what is going on.
Thanks,
yah
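As an added example, not part of the original post and not code from the audit project, the shell functions below do the same analysis of an `ausearch -i` log that the post does with grep/awk/sort, with two corrections a practitioner would want: the ports are sorted numerically (plain `sort` is lexicographic, so `serv:22` lands between `serv:111` and `serv:62653` and head/tail say nothing about the real range), and the per-port match is anchored so `serv:22` cannot be satisfied by `serv:2200`. It also compares the number of distinct ports recorded against the 65535 connect() calls the scanner makes, so missing records show up as a count rather than as an absence that has to be noticed by eye. The log lines are constructed for the example, modelled on the SOCKADDR record shown in the post; the pid and port values are assumptions.

```shell
#!/bin/sh
# Added example: analyse `ausearch -i` output for a traced pid.
# Constructed sample log (not real audit data); a real log has many
# more record types interleaved between these lines.
SAMPLE_LOG='type=SOCKADDR msg=audit(12/19/2017 13:27:52.370:33949620) : saddr=inet host:127.0.0.1 serv:62653
type=SYSCALL msg=audit(12/19/2017 13:27:52.370:33949620) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) pid=5502 key=CONNECT
type=SOCKADDR msg=audit(12/19/2017 13:27:52.371:33949621) : saddr=inet host:127.0.0.1 serv:62654
type=SOCKADDR msg=audit(12/19/2017 13:27:52.377:33949631) : saddr=inet host:127.0.0.1 serv:65535
type=SOCKADDR msg=audit(12/19/2017 13:27:52.301:33949001) : saddr=inet host:127.0.0.1 serv:22'

# Ports from SOCKADDR records only, as numbers, sorted numerically, deduplicated.
# The sed pattern both filters the record type and extracts the port.
recorded_ports() {
    sed -n 's/^type=SOCKADDR .* serv:\([0-9][0-9]*\)$/\1/p' | sort -n | uniq
}

lowest_port()  { recorded_ports | head -n 1; }
highest_port() { recorded_ports | tail -n 1; }
port_count()   { recorded_ports | wc -l | tr -d ' '; }

# Exit 0 if a SOCKADDR record for exactly port $1 exists.
# The trailing anchor keeps "serv:22" from matching "serv:2200".
port_recorded() {
    grep -q "^type=SOCKADDR .* serv:$1\$"
}

# The scanner issues one connect() per port 1..65535, so the number of
# ports audit did NOT record is expected minus recorded. Anything above
# zero means records were dropped, rotated away, or never emitted.
missing_ports() {
    expected=${1:-65535}
    recorded=$(port_count)
    echo $((expected - recorded))
}

# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | recorded_ports
printf 'lowest=%s highest=%s count=%s missing=%s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | lowest_port)" \
    "$(printf '%s\n' "$SAMPLE_LOG" | highest_port)" \
    "$(printf '%s\n' "$SAMPLE_LOG" | port_count)" \
    "$(printf '%s\n' "$SAMPLE_LOG" | missing_ports 65535)"
```

On a live system feed it the real log (`sudo ausearch -i -p 5502 | missing_ports 65535`, with the pid from the trace). If the count comes up short, check `auditctl -s` for a non-zero `lost` counter and the backlog figures before concluding that anything is hiding ports from auditd: 65535 connect() calls in a tight loop produce several records each, and a saturated backlog is a far more common reason for gaps than a rootkit.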