Audit reporting misses AUDIT_SOCKETCALL (1306) message when a 32-bit binary is running from a 64-bit machine.

Kangkook Jee aixer77 at gmail.com
Wed May 4 21:21:22 UTC 2016


Hi all,

We are running a 32-bit program on a 64-bit machine (Ubuntu 14.04, 3.13.0-57-generic kernel - x86_64) that typically issues network-related system calls which, in turn, invoke one of the socketcall() system calls.

However, an expected audit raw message -- AUDIT_SOCKETCALL (1304) -- is reported when we run the 32-bit binary from a 64-bit machine. The following are the raw audit messages captured for the connect() system call from a 64-bit machine running a 32-bit binary.

MSG (1300): audit(1462273146.351:21482453): arch=40000003 syscall=102 success=no exit=-2 a0=3 a1=ffe38240 a2=f7751000 a3=4 items=0 ppid=10269 pid=10755 auid=19287 uid=19287 gid=19287 euid=19287 suid=19287 fsuid=19287 egid=19287 sgid=19287 fsgid=19287 tty=pts16 ses=12 comm="conn" exe="/home/accountname/32bit_test/conn" key=(null)
MSG (1306): audit(1462273146.351:21482453): saddr=01002F7661722F72756E2F6E7363642F736F636B657400B7160054B7160054B71600130000001300000004000000010000000100000000000000000000000000000028791A0028791A000500000000100000CD5D77F734D676F748A15BF7D4811A00E82C0000A858000006000000
MSG (1320): audit(1462273146.351:21482453):

And these are the raw audit messages captured from a 32-bit machine (CentOS 5 2.6.18-404.el5 i686) running a 32-bit binary.

MSG (1300): audit(1462289555.340:807319): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfef25b0 a2=67dff4 a3=816840 items=0 ppid=28509 pid=28560 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=10 comm="conn" exe="/home/kjee/conn" subj=user_u:system_r:unconfined_t:s0 key=(null)
MSG (1306): audit(1462289555.340:807319): saddr=020000358A0F6D630000000000000000000000000000000000000000
MSG (1304): audit(1462289555.340:807319): nargs=3 a0=4 a1=859c4b8 a2=1c
MSG (1320): audit(1462289555.340:807319):

I hope you can see the difference. The first case does not report the AUDIT_SOCKETCALL (1304) event, but the second case reports the entry providing the list of arguments starting with "nargs=".

Could you tell me whether this is an expected behavior? Or is there any way that I can fix it?

I'm attaching the source code of the test program (conn.c) and summarizing the procedure to reproduce the problem. If you have any difficulty reproducing the issue, please let me know.

1. We added the following audit rules on a 64-bit machine. They are intended to capture events from both 64-bit and 32-bit system calls.

/sbin/auditctl -a exit,always -F arch=b64 -S clone -S close -S creat -S dup -S dup2 -S dup3 -S execve -S exit -S exit_group -S fork -S open -S openat -S rename -S renameat -S unlink -S unlinkat -S vfork -S 288 -S accept -S connect -S listen -S socket -S socketpair
/sbin/auditctl -a exit,always -F arch=b32 -S clone -S close -S creat -S dup -S dup2 -S dup3 -S execve -S exit -S exit_group -S fork -S open -S openat -S rename -S renameat -S unlink -S unlinkat -S vfork
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=3 # connect
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=4 # listen
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=5 # accept
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=8 # socketpair
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=18 # accept4

$ sudo auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=open,close,dup,dup2,socket,connect,accept,listen,socketpair,clone,fork,vfork,execve,exit,rename,creat,unlink,exit_group,openat,unlinkat,renameat,accept4,dup3
LIST_RULES: exit,always arch=1073741827 (0x40000003) syscall=exit,fork,open,close,creat,unlink,execve,rename,dup,dup2,clone,vfork,exit_group,openat,unlinkat,renameat,dup3
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=1 (0x1) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=3 (0x3) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=4 (0x4) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=5 (0x5) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=8 (0x8) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=18 (0x12) syscall=socketcall

2. We added the following audit rules on a 32-bit machine.

/sbin/auditctl -a exit,always -F arch=b32 -S clone -S close -S creat -S dup -S dup2 -S dup3 -S execve -S exit -S exit_group -S fork -S open -S openat -S rename -S renameat -S unlink -S unlinkat -S vfork
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=2
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=3
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=4
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=5
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=8
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=18

LIST_RULES: exit,always arch=1073741827 (0x40000003) syscall=exit,fork,open,close,creat,unlink,execve,rename,dup,dup2,clone,vfork,exit_group,openat,unlinkat,renameat,dup3
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=1 (0x1) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=2 (0x2) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=3 (0x3) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=4 (0x4) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=5 (0x5) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=8 (0x8) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=18 (0x12) syscall=socketcall

3. Build the conn.c source and run it
  conn.c is a simple connection client.
  $ cc -o conn conn.c
  $ ./conn <remote_host> <port>

  Example run
  
  $ ./conn localhost 22
  $ Please enter the message: this is random message
    SSH-2.0-OpenSSH_4.3

Thanks a lot for your help in advance.
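As an added example (not from the original post or from the audit project), a small Python checker that groups raw MSG lines like the ones above by audit event serial, decodes the saddr field of the AUDIT_SOCKADDR (1306) record, and flags i386 socketcall events (arch=40000003, syscall=102) that have no AUDIT_SOCKETCALL (1304) companion record. The sample input is constructed from the two events quoted in the post, with the 64-bit machine's long saddr value abridged to its AF_UNIX path.

```python
import re
from collections import defaultdict

# Constructed sample: the two events quoted above (some fields dropped, first saddr abridged).
SAMPLE = """\
MSG (1300): audit(1462273146.351:21482453): arch=40000003 syscall=102 success=no exit=-2 a0=3 a1=ffe38240 a2=f7751000 a3=4 items=0 pid=10755 comm="conn" exe="/home/accountname/32bit_test/conn" key=(null)
MSG (1306): audit(1462273146.351:21482453): saddr=01002F7661722F72756E2F6E7363642F736F636B657400
MSG (1320): audit(1462273146.351:21482453):
MSG (1300): audit(1462289555.340:807319): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfef25b0 a2=67dff4 a3=816840 items=0 pid=28560 comm="conn" exe="/home/kjee/conn" key=(null)
MSG (1306): audit(1462289555.340:807319): saddr=020000358A0F6D630000000000000000000000000000000000000000
MSG (1304): audit(1462289555.340:807319): nargs=3 a0=4 a1=859c4b8 a2=1c
MSG (1320): audit(1462289555.340:807319):
"""

LINE_RE = re.compile(r'^MSG \((\d+)\): audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
SOCKETCALL_I386 = 102   # __NR_socketcall for arch=40000003 (i386)

def parse_records(text):
    """Group raw MSG lines by event serial: {serial: {record_type: {field: value}}}.
    A later record of the same type within one event overwrites an earlier one."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', rest))
        events[int(serial)][int(rtype)] = fields
    return dict(events)

def decode_saddr(hexstr):
    """Decode the hex-encoded struct sockaddr carried in an AUDIT_SOCKADDR record."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[0:2], 'little')   # sa_family is host (little-endian) order
    if family == 1:                               # AF_UNIX: NUL-terminated path (abstract sockets yield '')
        return ('AF_UNIX', raw[2:].split(b'\0', 1)[0].decode('ascii', 'replace'))
    if family == 2:                               # AF_INET: port and address in network byte order
        port = int.from_bytes(raw[2:4], 'big')
        return ('AF_INET', '.'.join(str(b) for b in raw[4:8]) + ':%d' % port)
    return ('AF_%d' % family, raw.hex())

def find_missing_socketcall(events):
    """Serials whose i386 socketcall SYSCALL record (1300) has no SOCKETCALL (1304) record."""
    missing = []
    for serial, recs in sorted(events.items()):
        sc = recs.get(1300, {})
        if sc.get('arch') == '40000003' and sc.get('syscall') == str(SOCKETCALL_I386) and 1304 not in recs:
            missing.append(serial)
    return missing

if __name__ == '__main__':
    ev = parse_records(SAMPLE)
    for serial, recs in sorted(ev.items()):
        print(serial, decode_saddr(recs[1306]['saddr']), 'has 1304:', 1304 in recs)
    print('missing AUDIT_SOCKETCALL:', find_missing_socketcall(ev))
```

Run against a full ausearch/raw log dump, the same check tells you which compat socketcall events lost their argument record and which sockets they touched.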

