auditd reports port number '0' for connect() system call

Kangkook Jee aixer77 at gmail.com
Wed Mar 30 03:19:24 UTC 2016


Hi all, 

I'm developing a custom audit client to monitor Linux system activities.
I'm testing my client on an Ubuntu 14.04 (64-bit) system with the following auditctl rules.

sudo auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=open,close,dup,dup2,socket,connect,accept,listen,socketpair,clone,fork,vfork,execve,exit,creat,unlink,exit_group,openat,unlinkat,accept4,dup3

And I captured the raw system messages with the following command.

sudo auditd -f > /tmp/log.txt

While /tmp/log.txt contains a considerable amount of raw audit messages, I grep'ed only connect() system calls with their associated saddr entries.

grep -A1 -e "syscall=42 success=yes" /tmp/log.txt

--
type=SYSCALL msg=audit(1459302277.538:35891018): arch=c000003e syscall=42 success=yes exit=0 a0=61 a1=7f2ec75a1ed0 a2=10 a3=1 items=0 ppid=2779 pid=21581 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271 egid=5001 sgid=5001 fsgid=5001 tty=(none) ses=4294967295 comm="Chrome_IOThread" exe="/opt/google/chrome/chrome" key=(null)
type=SOCKADDR msg=audit(1459302277.538:35891018): saddr=020000358A0F6C0B0000000000000000
--
type=SYSCALL msg=audit(1459302309.098:35898719): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fffe9a24980 a2=10 a3=7fffe9a246d0 items=0 ppid=20312 pid=2991 auid=4294967295 uid=8271 gid=5001 euid=0 suid=0 fsuid=0 egid=0 sgid=5001 fsgid=0 tty=pts23 ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=SOCKADDR msg=audit(1459302309.098:35898719): saddr=0200006F8A0FA5090000000000000000
--
type=SYSCALL msg=audit(1459302309.098:35898722): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fffe9a24980 a2=10 a3=7fffe9a246d0 items=0 ppid=20312 pid=2991 auid=4294967295 uid=8271 gid=5001 euid=0 suid=0 fsuid=0 egid=0 sgid=5001 fsgid=0 tty=pts23 ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=SOCKADDR msg=audit(1459302309.098:35898722): saddr=0200030B8A0FA5090000000000000000
...

For these entries, I decoded the saddr entries with the attached program and extracted the entries whose port value is '0'.

g++ -o sock_decode sock_decode.cpp
grep -A1 -e "syscall=42 success=yes" /tmp/log.txt | grep saddr | awk 'BEGIN{FS="="} {print "./sock_decode " $4}' | sh | grep "sa_family: 2.* port: 0" | more

0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
....

If I understood correctly, connect() should return an error when the sin_port field is set to '0'.
Would anyone explain this to me or help me fix this problem?
Thanks a lot for your help in advance!
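A decoder for the saddr field as audit records it, added here as an example and not the poster's sock_decode.cpp: it unpacks the raw sockaddr bytes (sa_family in host byte order, sin_port in network byte order, then the address), handles AF_INET, AF_INET6 and AF_UNIX, and joins SYSCALL and SOCKADDR records on the audit id to list successful connect() calls whose destination port is 0. The SAMPLE log lines are constructed from the records quoted above, with some fields dropped and one record id made up.

```python
import re, struct, ipaddress
from dataclasses import dataclass
from typing import Optional

AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10  # Linux address-family values (the records come from a Linux kernel)

@dataclass
class SockAddr:
    family: int
    addr: Optional[str]   # dotted quad, IPv6 text, socket path, or None if the family is not decoded
    port: Optional[int]   # None for families that carry no port

def decode_saddr(hex_str: str) -> SockAddr:
    """Decode the raw sockaddr bytes that audit prints as saddr=<hex> in a SOCKADDR record."""
    raw = bytes.fromhex(hex_str)
    family = struct.unpack_from("<H", raw, 0)[0]        # sa_family: host order, little-endian on x86-64
    if family == AF_INET and len(raw) >= 8:             # struct sockaddr_in: family, port, addr, padding
        port = struct.unpack_from("!H", raw, 2)[0]      # sin_port is in network (big-endian) byte order
        return SockAddr(family, str(ipaddress.IPv4Address(raw[4:8])), port)
    if family == AF_INET6 and len(raw) >= 24:           # sockaddr_in6: family, port, flowinfo, 16-byte addr
        port = struct.unpack_from("!H", raw, 2)[0]
        return SockAddr(family, str(ipaddress.IPv6Address(raw[8:24])), port)
    if family == AF_UNIX:                               # sockaddr_un: family, NUL-terminated path
        return SockAddr(family, raw[2:].split(b"\x00", 1)[0].decode("utf-8", "replace"), None)
    return SockAddr(family, None, None)

MSG_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
def port_zero_connects(lines):
    """Join SYSCALL and SOCKADDR records on the audit id; return (pid, comm, addr) for connect() to port 0."""
    pending, hits = {}, []
    for line in lines:
        m = MSG_ID.search(line)
        key = m.group(1) if m else None
        if key and line.startswith("type=SYSCALL") and "syscall=42 " in line and "success=yes" in line:
            pending[key] = (re.search(r" pid=(\d+)", line).group(1),      # pid and comm of the caller
                            re.search(r'comm="([^"]*)"', line).group(1))
        elif key in pending and line.startswith("type=SOCKADDR"):
            sa = decode_saddr(re.search(r"saddr=([0-9A-Fa-f]+)", line).group(1))
            if sa.family in (AF_INET, AF_INET6) and sa.port == 0:
                hits.append(pending[key] + (sa.addr,))
    return hits

# Constructed sample: the DNS record from the post (port 53) and a port-0 record using a saddr from the post's decoder output.
SAMPLE = [
    'type=SYSCALL msg=audit(1459302277.538:35891018): arch=c000003e syscall=42 success=yes exit=0 a0=61 a1=7f2ec75a1ed0 a2=10 a3=1 items=0 ppid=2779 pid=21581 auid=4294967295 uid=8271 gid=5001 comm="Chrome_IOThread" exe="/opt/google/chrome/chrome" key=(null)',
    'type=SOCKADDR msg=audit(1459302277.538:35891018): saddr=020000358A0F6C0B0000000000000000',
    'type=SYSCALL msg=audit(1459302277.600:35891019): arch=c000003e syscall=42 success=yes exit=0 a0=61 a1=7f2ec75a1ed0 a2=10 a3=1 items=0 ppid=2779 pid=21581 auid=4294967295 uid=8271 gid=5001 comm="Chrome_IOThread" exe="/opt/google/chrome/chrome" key=(null)',
    'type=SOCKADDR msg=audit(1459302277.600:35891019): saddr=0200000036447A640000000000000000',
]
```

Run `port_zero_connects(open("/tmp/log.txt"))` against a real capture to get the same port-0 list as the grep/awk pipeline, with the address rendered as a dotted quad instead of a host-order integer.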




-------------- next part --------------
A non-text attachment was scrubbed...
Name: sock_decode.cpp
Type: application/octet-stream
Size: 2667 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20160329/00b05739/attachment.obj>