* Couldn't get audit messages for 'listen' on kernel 4.19.0-6-686-pae
@ 2023-10-20 19:14 Rinat Gadelshin
From: Rinat Gadelshin @ 2023-10-20 19:14 UTC (permalink / raw)
To: linux-audit
Hello there!
I'm facing a strange problem.
I have not been able to get audit reports for any "network" syscall
on one of the computers from my test bench.
I mean 'connect', 'accept4', 'listen', 'bind', 'socket'.
The following example shows that auditd couldn't get them too ('listen'
at least).
But I've received a report about 'execve' called by the same process.
Could you tell me what I can do in order to receive audit messages for
these syscalls from this version of the kernel?
Any help will be appreciated.
root@deb101-x86-0009:~# netcat -v -l -p 4242 &
[2] 13481
root@deb101-x86-0009:~# listening on [any] 4242 ...
root@deb101-x86-0009:~# echo "Test" | nc -q 0 127.0.0.1 4242
connect to [127.0.0.1] from localhost [127.0.0.1] 36650
Test
root@deb101-x86-0009:~# skill -p 13481
[2]+ Done netcat -v -l -p 4242
root@deb101-x86-0009:~# ausearch -p 13481
----
time->Fri Oct 20 22:00:42 2023
type=PROCTITLE msg=audit(1697828442.603:2697): proctitle=6E6574636174002D76002D6C002D700034323432
type=PATH msg=audit(1697828442.603:2697): item=1 name="/lib/ld-linux.so.2" inode=655382 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1697828442.603:2697): item=0 name="/usr/bin/netcat" inode=664887 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1697828442.603:2697): cwd="/root"
type=EXECVE msg=audit(1697828442.603:2697): argc=5 a0="netcat" a1="-v" a2="-l" a3="-p" a4="4242"
type=SYSCALL msg=audit(1697828442.603:2697): arch=40000003 syscall=11 success=yes exit=0 a0=e36400 a1=d9d9e0 a2=e3a310 a3=584988 items=2 ppid=12968 pid=13481 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="netcat" exe="/usr/bin/nc.traditional" subj==unconfined key=(null)
root@deb101-x86-0009:~# auditctl -l
-a always,exit -F arch=b32 -S fork,execve,clone,vfork,execveat
-a always,exit -F arch=b32 -S bind,connect,listen,accept4
root@deb101-x86-0009:~# auditctl -s
enabled 1
failure 1
pid 13393
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 0
loginuid_immutable 0 unlocked
root@deb101-x86-0009:~# uname -a
Linux deb101-x86-0009.avp.ru.local 4.19.0-6-686-pae #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) i686 GNU/Linux
root@deb101-x86-0009:~# cat /etc/debian_version
10.1
root@deb101-x86-0009:~#
Regards
Rinat
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit

* Couldn't get audit messages for 'listen' on kernel 4.19.0-6-686-pae
From: Rinat Gadelshin @ 2023-10-22 5:27 UTC (permalink / raw)
To: linux-audit

Hello there!

I'm facing a strange problem.
I have not been able to get audit reports for any "network" syscall
on one of the computers from my test bench.
I mean 'connect', 'accept4', 'listen', 'bind', 'socket'.
The following example shows that auditd couldn't get them too ('listen'
at least).
But I've received a report about 'execve' called by the same process.

Could you tell me what I can do in order to receive audit messages for
these syscalls from this version of the kernel?

Any help will be appreciated.

root@deb101-x86-0009:~# netcat -v -l -p 4242 &
[2] 13481
root@deb101-x86-0009:~# listening on [any] 4242 ...
root@deb101-x86-0009:~# echo "Test" | nc -q 0 127.0.0.1 4242
connect to [127.0.0.1] from localhost [127.0.0.1] 36650
Test
root@deb101-x86-0009:~# skill -p 13481
[2]+ Done netcat -v -l -p 4242
root@deb101-x86-0009:~# ausearch -p 13481
----
time->Fri Oct 20 22:00:42 2023
type=PROCTITLE msg=audit(1697828442.603:2697): proctitle=6E6574636174002D76002D6C002D700034323432
type=PATH msg=audit(1697828442.603:2697): item=1 name="/lib/ld-linux.so.2" inode=655382 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1697828442.603:2697): item=0 name="/usr/bin/netcat" inode=664887 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1697828442.603:2697): cwd="/root"
type=EXECVE msg=audit(1697828442.603:2697): argc=5 a0="netcat" a1="-v" a2="-l" a3="-p" a4="4242"
type=SYSCALL msg=audit(1697828442.603:2697): arch=40000003 syscall=11 success=yes exit=0 a0=e36400 a1=d9d9e0 a2=e3a310 a3=584988 items=2 ppid=12968 pid=13481 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="netcat" exe="/usr/bin/nc.traditional" subj==unconfined key=(null)
root@deb101-x86-0009:~# auditctl -l
-a always,exit -F arch=b32 -S fork,execve,clone,vfork,execveat
-a always,exit -F arch=b32 -S bind,connect,listen,accept4
root@deb101-x86-0009:~# auditctl -s
enabled 1
failure 1
pid 13393
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 0
loginuid_immutable 0 unlocked
root@deb101-x86-0009:~# uname -a
Linux deb101-x86-0009.avp.ru.local 4.19.0-6-686-pae #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) i686 GNU/Linux
root@deb101-x86-0009:~# cat /etc/debian_version
10.1
root@deb101-x86-0009:~#

Regards
Rinat

* Re: Couldn't get audit messages for 'listen' on kernel 4.19.0-6-686-pae
From: Rinat Gadelshin @ 2023-10-23 13:06 UTC (permalink / raw)
To: linux-audit

Hello there!

First of all, I have to apologize for two identical emails as the
beginning of the stream.
The first one was sent (by accident) from my work email.
I've received notification, from the mail bot, that I should subscribe
to the mail list (for the work email).
After that I've resent the second one.

Let's return to the problem.

I've done the following experiment:

`auditctl -D`
`auditctl -a always,exit -S all`
`strace netcat -v -l -p 4242 | tee strace.log` # the pid of the netcat was 536
Ctrl+c
`ausearch -p 536 > auditd.pid.536.log`
`grep "syscall=.*traditional" auditd.pid.536.log | awk '{print $4}' | sort | uniq -c`

The last command prints the following result:

11 syscall=102
1 syscall=11
6 syscall=125
6 syscall=140
6 syscall=174
1 syscall=175
14 syscall=192
33 syscall=195
9 syscall=197
2 syscall=20
1 syscall=243
1 syscall=27
41 syscall=295
14 syscall=3
5 syscall=33
2 syscall=4
5 syscall=45
11 syscall=6
3 syscall=91

So the following syscalls are reported (there are no `socket`, `bind`,
`connect`, `listen`):

3 (read)
4 (write)
6 (close)
11 (execve)
20 (getpid)
27 (alarm)
33 (access)
45 (brk)
91 (munmap)
102 (socketcall)
125 (mprotect)
140 (_llseek)
174 (rt_sigaction)
175 (rt_sigprocmask)
192 (mmap2)
195 (stat64)
197 (fstat64)
243 (set_thread_area)
295 (openat)

But strace's log shows that `socket`, `bind`, `connect` and `listen`
were called:

execve("/usr/bin/netcat", ["netcat", "-v", "-l", "-p", "4242"], 0xbf9f8f00 /* 22 vars */) = 0
-- line skipped --
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
-- line skipped --
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
-- line skipped --
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_REUSEPORT, [1], 4) = 0
bind(3, {sa_family=AF_INET, sin_port=htons(4242), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 1) = 0
getsockname(3, {sa_family=AF_INET, sin_port=htons(4242), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0
-- line skipped --

Please, give me a clue! How could it be?

Best regards
Rinat

On 22.10.2023 08:27, Rinat Gadelshin wrote:
> Hello there!
>
> I'm facing a strange problem.
> I have not been able to get audit reports for any "network" syscall
> on one of the computers from my test bench.
> I mean 'connect', 'accept4', 'listen', 'bind', 'socket'.
> The following example shows that auditd couldn't get them too
> ('listen' at least).
> But I've received a report about 'execve' called by the same process.
>
> Could you tell me what I can do in order to receive audit messages for
> these syscalls from this version of the kernel?
>
> Any help will be appreciated.
>
>
> root@deb101-x86-0009:~# netcat -v -l -p 4242 &
> [2] 13481
> root@deb101-x86-0009:~# listening on [any] 4242 ...
> root@deb101-x86-0009:~# echo "Test" | nc -q 0 127.0.0.1 4242
> connect to [127.0.0.1] from localhost [127.0.0.1] 36650
> Test
> root@deb101-x86-0009:~# skill -p 13481
> [2]+ Done netcat -v -l -p 4242
> root@deb101-x86-0009:~# ausearch -p 13481
> ----
> time->Fri Oct 20 22:00:42 2023
> type=PROCTITLE msg=audit(1697828442.603:2697): proctitle=6E6574636174002D76002D6C002D700034323432
> type=PATH msg=audit(1697828442.603:2697): item=1 name="/lib/ld-linux.so.2" inode=655382 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> type=PATH msg=audit(1697828442.603:2697): item=0 name="/usr/bin/netcat" inode=664887 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> type=CWD msg=audit(1697828442.603:2697): cwd="/root"
> type=EXECVE msg=audit(1697828442.603:2697): argc=5 a0="netcat" a1="-v" a2="-l" a3="-p" a4="4242"
> type=SYSCALL msg=audit(1697828442.603:2697): arch=40000003 syscall=11 success=yes exit=0 a0=e36400 a1=d9d9e0 a2=e3a310 a3=584988 items=2 ppid=12968 pid=13481 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="netcat" exe="/usr/bin/nc.traditional" subj==unconfined key=(null)
> root@deb101-x86-0009:~# auditctl -l
> -a always,exit -F arch=b32 -S fork,execve,clone,vfork,execveat
> -a always,exit -F arch=b32 -S bind,connect,listen,accept4
> root@deb101-x86-0009:~# auditctl -s
> enabled 1
> failure 1
> pid 13393
> rate_limit 0
> backlog_limit 8192
> lost 0
> backlog 0
> backlog_wait_time 0
> loginuid_immutable 0 unlocked
> root@deb101-x86-0009:~# uname -a
> Linux deb101-x86-0009.avp.ru.local 4.19.0-6-686-pae #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) i686 GNU/Linux
> root@deb101-x86-0009:~# cat /etc/debian_version
> 10.1
> root@deb101-x86-0009:~#
>
>
> Regards
> Rinat

* Re: Couldn't get audit messages for 'listen' on kernel 4.19.0-6-686-pae
From: Steve Grubb @ 2023-10-23 16:19 UTC (permalink / raw)
To: linux-audit; +Cc: Rinat Gadelshin

On Monday, October 23, 2023 9:06:16 AM EDT Rinat Gadelshin wrote:
> Hello there!
>
> First of all, I have to apologize for two identical emails as the
> beginning of the stream.
> The first one was sent (by accident) from my work email.
> I've received notification, from the mail bot, that I should subscribe
> to the mail list (for the work email).
> After that I've resent the second one.
>
> Let's return to the problem.
>
> I've done the following experiment:
>
> `auditctl -D`
> `auditctl -a always,exit -S all`
> `strace netcat -v -l -p 4242 | tee strace.log` # the pid of the netcat was 536
> Ctrl+c
> `ausearch -p 536 > auditd.pid.536.log`
> `grep "syscall=.*traditional" auditd.pid.536.log | awk '{print $4}' | sort | uniq -c`
>
> The last command prints the following result:
>
> 11 syscall=102
> 1 syscall=11
> 6 syscall=125
> 6 syscall=140
> 6 syscall=174
> 1 syscall=175
> 14 syscall=192
> 33 syscall=195
> 9 syscall=197
> 2 syscall=20
> 1 syscall=243
> 1 syscall=27
> 41 syscall=295
> 14 syscall=3
> 5 syscall=33
> 2 syscall=4
> 5 syscall=45
> 11 syscall=6
> 3 syscall=91
>
> So the following syscalls are reported (there are no `socket`, `bind`,
> `connect`, `listen`):
>
> 3 (read)
> 4 (write)
> 6 (close)
> 11 (execve)
> 20 (getpid)
> 27 (alarm)
> 33 (access)
> 45 (brk)
> 91 (munmap)
> 102 (socketcall)

On old 386 kernels, they use socketcall as the networking API. Glibc under
the hood sets arg0 to a number which represents the actual functionality to
call and calls socketcall. You could say it multiplexes the network API.
Somewhere along the way, they decided to modernize and make actual calls for
each network function. So, if you have an audit library that is much newer
than the kernel, it will assume you are using the updated API rather than the
socketcall based API. In this case, you have an old glibc which still uses
socketcall.

So, if you wanted to audit socket, bind, connect, and listen you would use:

-a always,exit -F arch=b32 -S socketcall -F arg0=1 -F key=socket
-a always,exit -F arch=b32 -S socketcall -F arg0=2 -F key=bind
-a always,exit -F arch=b32 -S socketcall -F arg0=3 -F key=connect
-a always,exit -F arch=b32 -S socketcall -F arg0=4 -F key=listen

A listing of the numbers to use can be found at:
/usr/include/linux/net.h

Hope this helps...

-Steve

> 125 (mprotect)
> 140 (_llseek)
> 174 (rt_sigaction)
> 175 (rt_sigprocmask)
> 192 (mmap2)
> 195 (stat64)
> 197 (fstat64)
> 243 (set_thread_area)
> 295 (openat)
>
> But strace's log shows that `socket`, `bind`, `connect` and `listen`
> were called:
>
> execve("/usr/bin/netcat", ["netcat", "-v", "-l", "-p", "4242"], 0xbf9f8f00 /* 22 vars */) = 0
> -- line skipped --
> socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
> connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
> close(3) = 0
> -- line skipped --
> socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
> connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
> close(3) = 0
> -- line skipped --
> socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
> setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
> setsockopt(3, SOL_SOCKET, SO_REUSEPORT, [1], 4) = 0
> bind(3, {sa_family=AF_INET, sin_port=htons(4242), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
> listen(3, 1) = 0
> getsockname(3, {sa_family=AF_INET, sin_port=htons(4242), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0
> -- line skipped --
>
> Please, give me a clue! How could it be?
>
> Best regards
> Rinat
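The i386 demultiplexing Steve describes, as an added example that is not part of the thread or of the audit project: it parses audit SYSCALL records, resolves a0 of socketcall (syscall 102 on arch 40000003) to the subcall name using the numbering from linux/net.h, decodes the PROCTITLE hex, and emits the per-subcall rules in the form of Steve's reply. The sample records below are constructed (the socketcall ones with a shortened field set); only the execve/PROCTITLE pair is taken from the thread.

```python
import re

# socketcall(2) multiplexer numbers from /usr/include/linux/net.h (SYS_SOCKET ..
# SYS_SENDMMSG). On i386, glibc passes one of these as the first argument, so it
# shows up in the audit record's a0 field and auditctl can match it with arg0=N.
SOCKETCALL_SUBCALLS = {
    1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept",
    6: "getsockname", 7: "getpeername", 8: "socketpair", 9: "send",
    10: "recv", 11: "sendto", 12: "recvfrom", 13: "shutdown",
    14: "setsockopt", 15: "getsockopt", 16: "sendmsg", 17: "recvmsg",
    18: "accept4", 19: "recvmmsg", 20: "sendmmsg",
}
# i386 syscall numbers seen in the thread; anything else is reported by number.
I386_NAMES = {
    3: "read", 4: "write", 6: "close", 11: "execve", 20: "getpid",
    27: "alarm", 33: "access", 45: "brk", 91: "munmap", 102: "socketcall",
    125: "mprotect", 140: "_llseek", 174: "rt_sigaction",
    175: "rt_sigprocmask", 192: "mmap2", 195: "stat64", 197: "fstat64",
    243: "set_thread_area", 295: "openat",
}
I386_ARCH = "40000003"   # AUDIT_ARCH_I386 as printed in the arch= field
NR_SOCKETCALL = 102
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def effective_syscall(rec):
    """Name the call an i386 SYSCALL record describes, demultiplexing
    socketcall through a0 (argument fields are printed in hex)."""
    if rec.get("type") != "SYSCALL" or rec.get("arch") != I386_ARCH:
        return None
    nr = int(rec["syscall"])
    if nr != NR_SOCKETCALL:
        return I386_NAMES.get(nr, f"syscall({nr})")
    sub = int(rec["a0"], 16)
    return "socketcall:" + SOCKETCALL_SUBCALLS.get(sub, f"unknown({sub})")

def decode_proctitle(rec):
    """PROCTITLE carries argv hex-encoded with NUL separators."""
    raw = bytes.fromhex(rec["proctitle"]).decode("utf-8", "replace")
    return raw.split("\0")

def summarize(log_text):
    """Count records per effective call name, like the uniq -c in the thread."""
    counts = {}
    for line in log_text.splitlines():
        name = effective_syscall(parse_record(line))
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts

def socketcall_rules(names, arch="b32"):
    """Build one auditctl rule per subcall, in the form Steve's reply uses."""
    by_name = {v: k for k, v in SOCKETCALL_SUBCALLS.items()}
    return [f"-a always,exit -F arch={arch} -S socketcall "
            f"-F arg0={by_name[n]} -F key={n}" for n in names]

# Constructed sample: the execve/PROCTITLE pair from the thread plus socketcall
# records of the kind the '-S all' experiment produced (field set shortened).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1697828442.603:2697): arch=40000003 syscall=11 success=yes exit=0 a0=e36400 a1=d9d9e0 a2=e3a310 a3=584988 items=2 pid=13481 comm="netcat" exe="/usr/bin/nc.traditional" subj==unconfined key=(null)
type=PROCTITLE msg=audit(1697828442.603:2697): proctitle=6E6574636174002D76002D6C002D700034323432
type=SYSCALL msg=audit(1697828442.610:2698): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfa0c0c0 a2=0 a3=0 items=0 pid=13481 comm="netcat" exe="/usr/bin/nc.traditional" subj==unconfined key=(null)
type=SYSCALL msg=audit(1697828442.611:2699): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfa0c0d0 a2=0 a3=0 items=0 pid=13481 comm="netcat" exe="/usr/bin/nc.traditional" subj==unconfined key=(null)
type=SYSCALL msg=audit(1697828442.612:2700): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfa0c0e0 a2=0 a3=0 items=0 pid=13481 comm="netcat" exe="/usr/bin/nc.traditional" subj==unconfined key=(null)
type=SYSCALL msg=audit(1697828442.613:2701): arch=40000003 syscall=102 success=yes exit=0 a0=4 a1=bfa0c0f0 a2=0 a3=0 items=0 pid=13481 comm="netcat" exe="/usr/bin/nc.traditional" subj==unconfined key=(null)
"""

if __name__ == "__main__":
    for name, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d} {name}")
    print(decode_proctitle(parse_record(SAMPLE_LOG.splitlines()[1])))
    print("\n".join(socketcall_rules(["socket", "bind", "connect", "listen"])))
```

Running it over a real `ausearch -p <pid>` dump on such a 32-bit host turns the bare `11 syscall=102` count from the thread into per-subcall counts, which is the quickest way to confirm that the network calls were being made through the multiplexer all along.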

* Re: Couldn't get audit messages for 'listen' on kernel 4.19.0-6-686-pae
From: Rinat Gadelshin @ 2023-10-23 17:37 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit

Steve, thank you so much!
You've saved my life =)

Best regards
Rinat.

On 23.10.2023 19:19, Steve Grubb wrote:
> On old 386 kernels, they use socketcall as the networking API. Glibc under
> the hood sets arg0 to a number which represents the actual functionality to
> call and calls socketcall. You could say it multiplexes the network API.
> Somewhere along the way, they decided to modernize and make actual calls for
> each network function. So, if you have an audit library that is much newer
> than the kernel, it will assume you are using the updated API rather than the
> socketcall based API. In this case, you have an old glibc which still uses
> socketcall.
>
> So, if you wanted to audit socket, bind, connect, and listen you would use:
>
> -a always,exit -F arch=b32 -S socketcall -F arg0=1 -F key=socket
> -a always,exit -F arch=b32 -S socketcall -F arg0=2 -F key=bind
> -a always,exit -F arch=b32 -S socketcall -F arg0=3 -F key=connect
> -a always,exit -F arch=b32 -S socketcall -F arg0=4 -F key=listen
>
> A listing of the numbers to use can be found at:
> /usr/include/linux/net.h
>
> Hope this helps...
>
> -Steve