From: Rinat Gadelshin <rgadelsh@gmail.com>
To: linux-audit@redhat.com
Subject: Re: Couldn't get audit messages for 'listen' on kernel 4.19.0-6-686-pae
Date: Mon, 23 Oct 2023 16:06:16 +0300	[thread overview]
Message-ID: <adc9e0a6-80fe-4e81-bd10-8bfe323645bc@gmail.com> (raw)
In-Reply-To: <d1d9dd09-3c95-4488-ba05-f2d655895a2c@gmail.com>

Hello there!

First of all, I have to apologize for the two identical emails at the 
beginning of the thread.
The first one was sent (by accident) from my work email.
I received a notification from the mail bot that I should subscribe 
to the mailing list (for the work email).
After that I resent it as the second one.

Let's return to the problem.

I've done the following experiment:

`auditctl -D`
`auditctl -a always,exit -S all`
`strace netcat -v -l -p 4242 | tee strace.log` # the pid of the netcat was 536
Ctrl+c
`ausearch -p 536 > auditd.pid.536.log`
`grep "syscall=.*traditional" auditd.pid.536.log | awk '{print $4}' | sort | uniq -c`

The last command prints the following result:

      11 syscall=102
       1 syscall=11
       6 syscall=125
       6 syscall=140
       6 syscall=174
       1 syscall=175
      14 syscall=192
      33 syscall=195
       9 syscall=197
       2 syscall=20
       1 syscall=243
       1 syscall=27
      41 syscall=295
      14 syscall=3
       5 syscall=33
       2 syscall=4
       5 syscall=45
      11 syscall=6
       3 syscall=91

So the following syscalls are reported (there are no `socket`, `bind`, 
`connect`, `listen`):

     3 (read)
     4 (write)
     6 (close)
     11 (execve)
     20 (getpid)
     27 (alarm)
     33 (access)
     45 (brk)
     91 (munmap)
   102 (socketcall)
   125 (mprotect)
   140 (_llseek)
   174 (rt_sigaction)
   175 (rt_sigprocmask)
   192 (mmap2)
   195 (stat64)
   197 (fstat64)
   243 (set_thread_area)
   295 (openat)

But strace's log shows that `socket`, `bind`, `connect` and `listen` 
were called:

     execve("/usr/bin/netcat", ["netcat", "-v", "-l", "-p", "4242"], 
0xbf9f8f00 /* 22 vars */) = 0
     -- line skipped --
     socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
     connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 
110) = -1 ENOENT (No such file or directory)
     close(3)                                = 0
     -- line skipped --
     socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
     connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 
110) = -1 ENOENT (No such file or directory)
     close(3)                                = 0
     -- line skipped --
     socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
     setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
     setsockopt(3, SOL_SOCKET, SO_REUSEPORT, [1], 4) = 0
     bind(3, {sa_family=AF_INET, sin_port=htons(4242), 
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
     listen(3, 1)                            = 0
     getsockname(3, {sa_family=AF_INET, sin_port=htons(4242), 
sin_addr=inet_addr("0.0.0.0")}, [16]) = 0
     -- line skipped --

Please give me a clue! How can this be?

Best regards
Rinat

On 22.10.2023 08:27, Rinat Gadelshin wrote:
> Hello there!
>
> I'm facing a strange problem.
> I have not been able to get audit reports for any "network" syscall
> on one of the computers from my test bench.
> I mean 'connect', 'accept4', 'listen', 'bind', 'socket'.
> The following example shows that auditd couldn't get them too 
> ('listen' at least).
> But I've received a report about 'execve' called by the same process.
>
> Could you tell me what I can do in order to receive audit messages for 
> these syscalls from this version of the kernel?
>
> Any help will be appreciated.
>
>
> root@deb101-x86-0009:~# netcat -v -l -p 4242 &
> [2] 13481
> root@deb101-x86-0009:~# listening on [any] 4242 ...
> root@deb101-x86-0009:~# echo "Test" | nc -q 0 127.0.0.1 4242
> connect to [127.0.0.1] from localhost [127.0.0.1] 36650
> Test
> root@deb101-x86-0009:~# skill -p 13481
> [2]+  Done                    netcat -v -l -p 4242
> root@deb101-x86-0009:~# ausearch -p 13481
> ----
> time->Fri Oct 20 22:00:42 2023
> type=PROCTITLE msg=audit(1697828442.603:2697): 
> proctitle=6E6574636174002D76002D6C002D700034323432
> type=PATH msg=audit(1697828442.603:2697): item=1 
> name="/lib/ld-linux.so.2" inode=655382 dev=fe:00 mode=0100755 ouid=0 
> ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 
> cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> type=PATH msg=audit(1697828442.603:2697): item=0 
> name="/usr/bin/netcat" inode=664887 dev=fe:00 mode=0100755 ouid=0 
> ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 
> cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> type=CWD msg=audit(1697828442.603:2697): cwd="/root"
> type=EXECVE msg=audit(1697828442.603:2697): argc=5 a0="netcat" a1="-v" 
> a2="-l" a3="-p" a4="4242"
> type=SYSCALL msg=audit(1697828442.603:2697): arch=40000003 syscall=11 
> success=yes exit=0 a0=e36400 a1=d9d9e0 a2=e3a310 a3=584988 items=2 
> ppid=12968 pid=13481 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 tty=pts1 ses=4 comm="netcat" 
> exe="/usr/bin/nc.traditional" subj==unconfined key=(null)
> root@deb101-x86-0009:~# auditctl -l
> -a always,exit -F arch=b32 -S fork,execve,clone,vfork,execveat
> -a always,exit -F arch=b32 -S bind,connect,listen,accept4
> root@deb101-x86-0009:~# auditctl -s
> enabled 1
> failure 1
> pid 13393
> rate_limit 0
> backlog_limit 8192
> lost 0
> backlog 0
> backlog_wait_time 0
> loginuid_immutable 0 unlocked
> root@deb101-x86-0009:~# uname -a
> Linux deb101-x86-0009.avp.ru.local 4.19.0-6-686-pae #1 SMP Debian 
> 4.19.67-2+deb10u2 (2019-11-11) i686 GNU/Linux
> root@deb101-x86-0009:~# cat /etc/debian_version
> 10.1
> root@deb101-x86-0009:~#
>
>
> Regards
> Rinat
>

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
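Editor's added example, not part of the thread and not code from its author. The summary in the message above shows eleven `syscall=102` (socketcall) records and no `socket`, `bind` or `listen` records, while strace shows those calls being made. On 32-bit x86 (arch=40000003, which is AUDIT_ARCH_I386) the C library on this box evidently issues socket operations through the socketcall(2) multiplexer: the kernel sees one syscall, number 102, and the real operation is the SYS_* code from <linux/net.h> passed in a0. An arch=b32 rule naming bind/connect/listen therefore has nothing to match; the operation has to be selected on socketcall's a0. The script below parses ausearch-style SYSCALL records, expands socketcall by a0 (which audit prints in hex), reproduces the per-syscall count from the message, and generates the socketcall rules that would catch the same operations. The sample records are constructed for this example, except the execve record, which is quoted from the thread; I386_SYSCALLS lists only the syscall numbers that appear on this page.

```python
"""Decode i386 audit SYSCALL records, expanding socketcall(2) sub-operations.

Added example for the linux-audit thread above; it is not the author's code.
Assumes ausearch-style key=value records. The sample records are constructed
(except the execve one quoted from the thread).
"""
import re
from collections import Counter

# arch field values as audit prints them: EM_386 (3) | __AUDIT_ARCH_LE
AUDIT_ARCH_I386 = "40000003"

# i386 syscall numbers that appear in the thread's ausearch summary
I386_SYSCALLS = {
    3: "read", 4: "write", 6: "close", 11: "execve", 20: "getpid",
    27: "alarm", 33: "access", 45: "brk", 91: "munmap", 102: "socketcall",
    125: "mprotect", 140: "_llseek", 174: "rt_sigaction",
    175: "rt_sigprocmask", 192: "mmap2", 195: "stat64", 197: "fstat64",
    243: "set_thread_area", 295: "openat",
}

# socketcall(2) multiplexer codes (SYS_* constants from <linux/net.h>)
SOCKETCALL_OPS = {
    1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept",
    6: "getsockname", 7: "getpeername", 8: "socketpair", 9: "send",
    10: "recv", 11: "sendto", 12: "recvfrom", 13: "shutdown",
    14: "setsockopt", 15: "getsockopt", 16: "sendmsg", 17: "recvmsg",
    18: "accept4", 19: "recvmmsg", 20: "sendmmsg",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input. Record 0 is the execve record quoted in the
# thread; records 1-4 are made up to show the a0 codes a 32-bit "netcat -l"
# produces (socket, bind, listen, accept4). Note a0=12 is hex: 0x12 = 18.
# Record 5 is a constructed x86_64 listen (arch=c000003e, syscall 50) that
# the i386 decoder must ignore.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1697828442.603:2697): arch=40000003 syscall=11 '
    'success=yes exit=0 a0=e36400 a1=d9d9e0 a2=e3a310 a3=584988 items=2 '
    'ppid=12968 pid=13481 auid=0 uid=0 comm="netcat" '
    'exe="/usr/bin/nc.traditional" key=(null)',
    'type=SYSCALL msg=audit(1697828442.700:2698): arch=40000003 syscall=102 '
    'success=yes exit=3 a0=1 a1=bfa0c4e0 a2=0 a3=0 items=0 pid=13481 '
    'comm="netcat" key=(null)',
    'type=SYSCALL msg=audit(1697828442.701:2699): arch=40000003 syscall=102 '
    'success=yes exit=0 a0=2 a1=bfa0c4f0 a2=0 a3=0 items=0 pid=13481 '
    'comm="netcat" key=(null)',
    'type=SYSCALL msg=audit(1697828442.702:2700): arch=40000003 syscall=102 '
    'success=yes exit=0 a0=4 a1=bfa0c500 a2=0 a3=0 items=0 pid=13481 '
    'comm="netcat" key=(null)',
    'type=SYSCALL msg=audit(1697828442.703:2701): arch=40000003 syscall=102 '
    'success=yes exit=4 a0=12 a1=bfa0c510 a2=0 a3=0 items=0 pid=13481 '
    'comm="netcat" key=(null)',
    'type=SYSCALL msg=audit(1697828442.704:2702): arch=c000003e syscall=50 '
    'success=yes exit=0 a0=3 a1=1 a2=0 a3=0 items=0 pid=999 '
    'comm="sshd" key=(null)',
]


def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def describe_syscall(rec):
    """Name the syscall of an i386 SYSCALL record; None for other records.

    socketcall is expanded to socketcall/<op> using the hex a0 field.
    """
    if rec.get("type") != "SYSCALL" or rec.get("arch") != AUDIT_ARCH_I386:
        return None
    nr = int(rec["syscall"])
    name = I386_SYSCALLS.get(nr, f"syscall_{nr}")
    if nr == 102:
        op = int(rec["a0"], 16)  # audit prints a0..a3 as hex without 0x
        name = f"socketcall/{SOCKETCALL_OPS.get(op, f'op_{op}')}"
    return name


def summarize(lines):
    """Per-syscall counts, like the thread's `awk | sort | uniq -c`."""
    counts = Counter()
    for line in lines:
        name = describe_syscall(parse_record(line))
        if name:
            counts[name] += 1
    return counts


def socketcall_rules(ops=("socket", "bind", "connect", "listen", "accept4"),
                     key="net"):
    """auditctl rules that select the named socket operations on arch=b32.

    Each rule matches socketcall with a0 equal to the SYS_* code, which is
    what the -S bind,connect,listen,accept4 rule in the thread cannot do.
    """
    code = {v: k for k, v in SOCKETCALL_OPS.items()}
    return [f"-a always,exit -F arch=b32 -S socketcall -F a0={code[op]} -k {key}"
            for op in ops]


if __name__ == "__main__":
    for name, n in sorted(summarize(SAMPLE_RECORDS).items()):
        print(f"{n:7d} {name}")
    print("\n".join(socketcall_rules()))
```

To use it on the real log, feed it the SYSCALL lines from `ausearch -p 536`, and load the generated rules with auditctl (one `auditctl` invocation per line) instead of the `-S bind,connect,listen,accept4` rule; `ausearch -k net` then finds the records. Keep the 64-bit rule as well on a mixed system, because x86_64 userland calls socket, bind and listen directly and never hits socketcall.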

Thread overview: 5+ messages
2023-10-20 19:14 Couldn't get audit messages for 'listen' on kernel 4.19.0-6-686-pae Rinat Gadelshin
2023-10-22  5:27 ` Rinat Gadelshin
2023-10-23 13:06   ` Rinat Gadelshin [this message]
2023-10-23 16:19     ` Steve Grubb
2023-10-23 17:37       ` Rinat Gadelshin
