type=SOCKADDR record missing for socketcall(accept)?

John D. Ramsdell ramsdell at mitre.org
Thu Mar 23 14:08:11 UTC 2006


Steve,

On a machine running Rawhide, I'm studying the output produced by
ausearch for the socketcall system call.  I noticed that a
socketcall(bind) and socketcall(connect) event contain a record of
type=SOCKADDR, but I cannot see one for a system call event associated
with socketcall(accept).  Recording the sockaddr of an accepted socket
is important for cross platform information flow analysis.

John

$ uname -a
Linux drawlight.mitre.org 2.6.15-1.2032.2.3_FC5.lspp.12smp #1 SMP Fri Mar 10 15:44:23 EST 2006 i686 i686 i386 GNU/Linux
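One way to check the observation above mechanically, as an added example that is neither part of the original post nor code from the audit project: the script below groups raw audit records (the `type=... msg=audit(ts:serial): ...` format that auditd writes and `ausearch --raw` reproduces) by event id, picks out i386 `socketcall` events, maps `a0` to the socketcall operation, and reports whether a SOCKADDR record accompanies each one. The three events in `SAMPLE_LOG` are constructed for illustration and their field values are invented. The socketcall numbering, the i386 `arch=40000003` value and the `sockaddr_in` layout are standard; the assumption that the `sa_family` bytes in `saddr` are little-endian host order holds for i386 records but not for big-endian architectures.

```python
"""Report which socketcall audit events carry a SOCKADDR record."""
import re
from typing import Dict, List, Optional

# Constructed sample, not real ausearch output: bind and connect each have a
# SOCKADDR record in the same event; the accept event has none.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1143123456.001:101): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfa3c0c0 a2=10 a3=0 items=0 pid=4242 comm="httpd"
type=SOCKADDR msg=audit(1143123456.001:101): saddr=020000507F0000010000000000000000
type=SYSCALL msg=audit(1143123456.002:102): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfa3c0d0 a2=10 a3=0 items=0 pid=4243 comm="curl"
type=SOCKADDR msg=audit(1143123456.002:102): saddr=02001F900A0000010000000000000000
type=SYSCALL msg=audit(1143123456.003:103): arch=40000003 syscall=102 success=yes exit=5 a0=5 a1=bfa3c0e0 a2=10 a3=0 items=0 pid=4242 comm="httpd"
"""

# socketcall(2) multiplexer numbers from the kernel's net/socket.c.
SOCKETCALL_OPS = {
    1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept",
    6: "getsockname", 7: "getpeername", 8: "socketpair", 9: "send",
    10: "recv", 11: "sendto", 12: "recvfrom", 13: "shutdown",
    14: "setsockopt", 15: "getsockopt", 16: "sendmsg", 17: "recvmsg",
    18: "accept4",
}
I386_SOCKETCALL = 102    # syscall number of socketcall(2) on i386
ARCH_I386 = "40000003"   # arch= value audit uses for i386 records

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text: str) -> List[Dict]:
    """Split raw audit lines into (type, event id, field dict) records."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        records.append({"type": rtype, "event": f"{ts}:{serial}", "fields": fields})
    return records


def group_events(records: List[Dict]) -> Dict[str, List[Dict]]:
    """All records sharing one audit(ts:serial) id belong to one event."""
    events: Dict[str, List[Dict]] = {}
    for r in records:
        events.setdefault(r["event"], []).append(r)
    return events


def decode_saddr(hexstr: str) -> Dict:
    """Decode the hex saddr= field; only AF_INET (sockaddr_in) is expanded."""
    raw = bytes.fromhex(hexstr)
    # sa_family_t is in host byte order; little-endian assumed (i386 records).
    family = int.from_bytes(raw[:2], "little")
    if family == 2 and len(raw) >= 8:
        return {
            "family": family,
            "port": int.from_bytes(raw[2:4], "big"),        # sin_port, network order
            "ip": ".".join(str(b) for b in raw[4:8]),        # sin_addr
        }
    return {"family": family, "raw": hexstr}


def audit_socketcalls(text: str) -> List[Dict]:
    """For each i386 socketcall event, say which op it was and whether a
    SOCKADDR record was emitted alongside the SYSCALL record."""
    report = []
    for event, recs in group_events(parse_records(text)).items():
        syscalls = [r for r in recs if r["type"] == "SYSCALL"]
        if not syscalls:
            continue
        f = syscalls[0]["fields"]
        if f.get("arch") != ARCH_I386 or int(f.get("syscall", "-1")) != I386_SOCKETCALL:
            continue
        op = SOCKETCALL_OPS.get(int(f["a0"], 16), f"unknown({f['a0']})")
        saddr: Optional[str] = next(
            (r["fields"]["saddr"] for r in recs if r["type"] == "SOCKADDR"), None)
        report.append({
            "event": event,
            "op": op,
            "pid": f.get("pid"),
            "has_sockaddr": saddr is not None,
            "sockaddr": decode_saddr(saddr) if saddr else None,
        })
    return report


if __name__ == "__main__":
    for row in audit_socketcalls(SAMPLE_LOG):
        flag = "" if row["has_sockaddr"] else "   <-- no SOCKADDR record"
        print(f"{row['event']} pid={row['pid']} socketcall({row['op']}) "
              f"sockaddr={row['sockaddr']}{flag}")
```

Run against real output, feed it `ausearch --raw -sc socketcall` for the time window of interest; events where `op` is `accept` and `has_sockaddr` is false are the ones the post is asking about. On 64-bit kernels `accept` is a separate syscall rather than a socketcall multiplexer entry, so the `arch` and `syscall` filter would need to be extended for those records.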




More information about the Linux-audit mailing list