* auditd reports port number '0' for connect() system call
@ 2016-03-30  3:19 Kangkook Jee
  2016-03-30 23:29 ` Steve Grubb
  0 siblings, 1 reply; 8+ messages in thread
From: Kangkook Jee @ 2016-03-30  3:19 UTC (permalink / raw)
  To: linux-audit


[-- Attachment #1.1: Type: text/plain, Size: 2846 bytes --]

Hi all, 

I'm developing a custom audit client to monitor Linux system activities.
I'm testing my client from Ubuntu 14.04 (64-bit) system with the following auditctl rules.

sudo auditctl -l                                                                                                                     
LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=open,close,dup,dup2,socket,connect,accept,listen,socketpair,clone,fork,vfork,execve,exit,creat,unlink,exit_group,openat,unlinkat,accept4,dup3

And I captured the raw system messages with the following command.

sudo auditd -f > /tmp/log.txt

While /tmp/log.txt contains a considerable amount of raw audit messages, I grep'ed only the connect() system calls with their associated saddr entries.

grep -A1 -e "syscall=42 success=yes" /tmp/log.txt

--
type=SYSCALL msg=audit(1459302277.538:35891018): arch=c000003e syscall=42 success=yes exit=0 a0=61 a1=7f2ec75a1ed0 a2=10 a3=1 items=0 ppid=2779 pid=21581 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271 egid=5001 sgid=5001 fsgid=5001 tty=(none) ses=4294967295 comm="Chrome_IOThread" exe="/opt/google/chrome/chrome" key=(null)
type=SOCKADDR msg=audit(1459302277.538:35891018): saddr=020000358A0F6C0B0000000000000000
--
type=SYSCALL msg=audit(1459302309.098:35898719): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fffe9a24980 a2=10 a3=7fffe9a246d0 items=0 ppid=20312 pid=2991 auid=4294967295 uid=8271 gid=5001 euid=0 suid=0 fsuid=0 egid=0 sgid=5001 fsgid=0 tty=pts23 ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=SOCKADDR msg=audit(1459302309.098:35898719): saddr=0200006F8A0FA5090000000000000000
--
type=SYSCALL msg=audit(1459302309.098:35898722): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fffe9a24980 a2=10 a3=7fffe9a246d0 items=0 ppid=20312 pid=2991 auid=4294967295 uid=8271 gid=5001 euid=0 suid=0 fsuid=0 egid=0 sgid=5001 fsgid=0 tty=pts23 ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=SOCKADDR msg=audit(1459302309.098:35898722): saddr=0200030B8A0FA5090000000000000000
...

For these entries, I decoded the saddr values with the attached program and extracted the entries whose port value is '0'.

g++ -o sock_decode sock_decode.cpp
grep -A1 -e "syscall=42 success=yes" /tmp/log.txt |grep saddr | awk 'BEGIN{FS="="} {print "./sock_decode " $4}' |sh  |grep "sa_family: 2.* port: 0"  |more

0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0) 
....

If I understood correctly, connect() should return an error when the sin_port field is set to '0'.
Would anyone explain this to me or help me fix this problem?
Thanks a lot for your help in advance!





[-- Attachment #1.2.1: Type: text/html, Size: 4682 bytes --]

[-- Attachment #1.2.2: sock_decode.cpp --]
[-- Type: application/octet-stream, Size: 2667 bytes --]

#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <cctype>
#include <netinet/in.h>

// from Audit source.
/*
 * Decode one pair of ASCII hex digits into a byte: buf[0] supplies the high
 * nibble, buf[1] the low nibble. Lower-case digits are accepted. A character
 * that is not a hex digit contributes a zero nibble and is not reported, which
 * mirrors the audit library's lenient parser.
 */
static unsigned char x2c(const unsigned char *buf)
{
        static const char digits[17] = "0123456789ABCDEF";
        unsigned char value = 0;
        int shift = 4;
        int k;

        /* Two digits, high nibble first; shift drops from 4 to 0. */
        for (k = 0; k < 2; k++, shift -= 4) {
                const char *hit = strchr(digits, (char)toupper(buf[k]));
                /* A miss (hit == NULL) leaves the nibble at zero; a '\0'
                 * matches the terminator at index 16, which & 0x0F also
                 * turns into zero. */
                if (hit != NULL)
                        value |= (unsigned char)(((hit - digits) & 0x0F) << shift);
        }

        return value;
}

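// from Audit source, adapted so the input buffer is never written to.
/*
 * Decode one audit "escaped" field value.
 *
 * buf points at either a run of hex digits (two digits per byte) or a
 * parenthesised literal such as "(null)"; scanning stops at the first
 * character that does not belong to the field, so buf may be followed by
 * other text.
 *
 * Returns a malloc'd buffer the caller must free, or NULL when the field is
 * a hex run shorter than one byte, when a "(" field has no closing ")", or
 * when allocation fails. For a "(...)" field the literal text is returned
 * unchanged. For a hex run the buffer holds the decoded bytes followed by a
 * NUL; it is only as large as the hex text required, so the caller must not
 * read more than (hex length / 2) bytes from it.
 *
 * An odd trailing digit is decoded with a zero low nibble, as the audit
 * parser does.
 */
char *au_unescape(char *buf)
{
        const char *end = buf;
        size_t len, i;
        char *str, *out;

        /* Find the end of the field. */
        if (*end == '(') {
                end = strchr(end, ')');
                if (end == NULL)
                        return NULL;
                end++;
        } else {
                /* isxdigit() takes an int in unsigned-char range; a plain
                 * char with the high bit set would be out of range. */
                while (isxdigit((unsigned char)*end))
                        end++;
        }

        /* Copy the field out rather than NUL-terminating buf in place, so
         * read-only storage passed through a cast-away const is safe. */
        len = (size_t)(end - buf);
        str = malloc(len + 1);
        if (str == NULL)
                return NULL;
        memcpy(str, buf, len);
        str[len] = '\0';

        /* '(null)' and similar kernel placeholders are returned verbatim. */
        if (*buf == '(')
                return str;

        if (len < 2) {
                free(str);
                return NULL;
        }

        /* Decode in place: each output byte consumes two input characters,
         * so the write cursor never overtakes the read cursor. For odd len
         * the final x2c() reads the NUL terminator as its second digit. */
        out = str;
        for (i = 0; i < len; i += 2)
                *out++ = (char)x2c((const unsigned char *)&str[i]);
        *out = '\0';

        return str;
}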

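/*
 * Decode an audit SOCKADDR "saddr=" hex string into raw sockaddr bytes.
 *
 * val is the hex text exactly as logged (two digits per byte). On success
 * the malloc'd decoded bytes are returned (caller frees) and *ret_len is set
 * to the number of decoded bytes, strlen(val) / 2. On failure NULL is
 * returned and *ret_len is set to 0, so a caller cannot pair a stale length
 * with a missing buffer. ret_len may be NULL if the length is not wanted.
 *
 * The result holds only the bytes the log carried; the caller must compare
 * *ret_len against sizeof the sockaddr_* it intends to read before casting,
 * because the buffer is not padded to any sockaddr size.
 */
struct sockaddr *get_au_sockaddr(const char *val, int *ret_len)
{
    /* au_unescape() takes a non-const buffer (audit API signature); the
     * cast is inherited from that. The caller should pass writable storage
     * such as argv in case the decoder writes to its input. */
    char *raw = au_unescape((char *)val);

    if (raw == NULL) {
        if (ret_len != NULL)
            *ret_len = 0;
        return NULL;
    }

    /* audit msg uses hexadecimal to represent the sock addr: two characters
     * per decoded byte. */
    if (ret_len != NULL)
        *ret_len = (int)(strlen(val) / 2);

    return (struct sockaddr *)raw;
}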

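/*
 * Usage: sock_decode <SOCKSTRING>
 *
 * Decodes one audit saddr hex string and prints its AF_INET fields as
 * "<hex>: sa_family: F addr: A, port: P (R)", where A is s_addr as stored
 * (network byte order) printed as a host integer, P is the port converted
 * to host order and R is the raw network-order sin_port value.
 *
 * The string comes from audit logs, i.e. it is external input: its decoded
 * length and address family are checked before the bytes are interpreted
 * as a sockaddr_in, so a short or non-INET record cannot cause a read past
 * the decoded buffer or print misleading fields.
 *
 * Returns 0 on success and EXIT_FAILURE on usage, decode or validation
 * errors (diagnostic on stderr).
 */
int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "<Usage> %s <SOCKSTRING>\n", argv[0]);
        return EXIT_FAILURE;
    }

    int len = 0;
    struct sockaddr *sa = get_au_sockaddr(argv[1], &len);
    if (sa == NULL) {
        fprintf(stderr, "%s: not a decodable saddr string\n", argv[1]);
        return EXIT_FAILURE;
    }

    /* The decoded buffer is exactly len bytes long; reading a sockaddr_in
     * out of a shorter one would run past the end of the allocation. */
    if (len < (int)sizeof(struct sockaddr_in)) {
        fprintf(stderr, "%s: only %d bytes decoded, need %zu for sockaddr_in\n",
                argv[1], len, sizeof(struct sockaddr_in));
        free(sa);
        return EXIT_FAILURE;
    }

    /* Copy into a properly typed object instead of aliasing the byte buffer
     * through a struct pointer; the buffer is then no longer needed. */
    struct sockaddr_in sin;
    memcpy(&sin, sa, sizeof sin);
    free(sa);

    /* sockaddr_in fields are only meaningful for AF_INET records. */
    if (sin.sin_family != AF_INET) {
        fprintf(stderr, "%s: sa_family %d is not AF_INET (%d)\n",
                argv[1], (int)sin.sin_family, AF_INET);
        return EXIT_FAILURE;
    }

    int port = ntohs(sin.sin_port);        /* host byte order */
    uint32_t addr = sin.sin_addr.s_addr;   /* as stored: network byte order */

    printf("%s: sa_family: %d addr: %u, port: %d (%d)\n",
            argv[1], sin.sin_family, addr, port, sin.sin_port);

    return 0;
}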

[-- Attachment #1.2.3: Type: text/html, Size: 266 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]




* Re: auditd reports port number '0' for connect() system call
  2016-03-30  3:19 auditd reports port number '0' for connect() system call Kangkook Jee
@ 2016-03-30 23:29 ` Steve Grubb
  2016-03-31 11:33   ` Kangkook Jee
  2016-03-31 12:54   ` Kangkook Jee
  0 siblings, 2 replies; 8+ messages in thread
From: Steve Grubb @ 2016-03-30 23:29 UTC (permalink / raw)
  To: linux-audit

On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
> If I understood correctly, connect() should return error when sin_port field
> is set with '0'. Would anyone explain this to me or help me with fix this
> problem?

I get 779 as the port from your event.

-Steve


* Re: auditd reports port number '0' for connect() system call
  2016-03-30 23:29 ` Steve Grubb
@ 2016-03-31 11:33   ` Kangkook Jee
  2016-03-31 12:54   ` Kangkook Jee
  1 sibling, 0 replies; 8+ messages in thread
From: Kangkook Jee @ 2016-03-31 11:33 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit


[-- Attachment #1.1: Type: text/plain, Size: 698 bytes --]

Dear Steve, 

Thanks a lot for your quick response. 
Would you tell me from what saddr fields that you get the port number value ‘779’?

This might indicate that my code for extracting the field is wrong. Would you also tell me the correct way to decode the saddr string?

Thanks again!

Regards, Kangkook


> On Mar 30, 2016, at 7:29 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> 
> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>> If I understood correctly, connect() should return error when sin_port field
>> is set with '0'. Would anyone explain this to me or help me with fix this
>> problem?
> 
> I get 779 as the port from your event.
> 
> -Steve


[-- Attachment #1.2: Type: text/html, Size: 1535 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]




* Re: auditd reports port number '0' for connect() system call
  2016-03-30 23:29 ` Steve Grubb
  2016-03-31 11:33   ` Kangkook Jee
@ 2016-03-31 12:54   ` Kangkook Jee
  2016-03-31 21:50     ` Steve Grubb
  1 sibling, 1 reply; 8+ messages in thread
From: Kangkook Jee @ 2016-03-31 12:54 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

I checked out with strings that I provided from the previous email.

The first three gave me proper port numbers.

$ ~/bin/sock_decode 020000358A0F6C0B0000000000000000
020000358A0F6C0B0000000000000000: sa_family: 2 addr: 191631242, port: 53 (13568)
$ ~/bin/sock_decode 0200006F8A0FA5090000000000000000
0200006F8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 111 (28416)
$ ~/bin/sock_decode 0200030B8A0FA5090000000000000000
0200030B8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 779 (2819)


but the last three didn't:

$ ~/bin/sock_decode 0200000036447A640000000000000000
0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
$ ~/bin/sock_decode 020000003644ECD00000000000000000
020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
$ ~/bin/sock_decode 02000000369520250000000000000000
02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)

Would you check this out?

/Kangkook

> On Mar 30, 2016, at 7:29 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> 
> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>> If I understood correctly, connect() should return error when sin_port field
>> is set with '0'. Would anyone explain this to me or help me with fix this
>> problem?
> 
> I get 779 as the port from your event.
> 
> -Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: auditd reports port number '0' for connect() system call
  2016-03-31 12:54   ` Kangkook Jee
@ 2016-03-31 21:50     ` Steve Grubb
  2016-03-31 22:11       ` Kangkook Jee
  0 siblings, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2016-03-31 21:50 UTC (permalink / raw)
  To: Kangkook Jee; +Cc: linux-audit

On Thursday, March 31, 2016 08:54:30 AM Kangkook Jee wrote:
> but, last three one didn’t 
> 
> $ ~/bin/sock_decode 0200000036447A640000000000000000
> 0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
> $ ~/bin/sock_decode 020000003644ECD00000000000000000
> 020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
> $ ~/bin/sock_decode 02000000369520250000000000000000
> 02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
> 
> Would you check this out?

You didn't give the events, but rather the sockaddr field alone. Port 0 is
valid in some uses. It means "give me an ephemeral port".

http://lxr.free-electrons.com/source/net/ipv4/inet_connection_sock.c#L90

 90 /* Obtain a reference to a local port for the given sock,
 91  * if snum is zero it means select any available local port.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: auditd reports port number '0' for connect() system call
  2016-03-31 21:50     ` Steve Grubb
@ 2016-03-31 22:11       ` Kangkook Jee
  2016-04-01 12:13         ` Steve Grubb
  0 siblings, 1 reply; 8+ messages in thread
From: Kangkook Jee @ 2016-03-31 22:11 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Here is an event directly from auditd for a connect() system call (syscall=42) with port number 0.
Do you think connect() system call still can be called with port number 0?

type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42 success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779 pid=31713 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271 egid=5001 sgid=500#
type=SOCKADDR msg=audit(1459301607.178:35720095): saddr=0200000036447A640000000000000000

If it were bind() it would make sense, but I'm not sure we can still do this with connect().

Thanks! 

/Kangkook



type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42 success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779 pid=31713 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271 egid=5001 sgid=500#
type=SOCKADDR msg=audit(1459301607.178:35720095): saddr=0200000036447A640000000000000000

> On Mar 31, 2016, at 5:50 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> 
> On Thursday, March 31, 2016 08:54:30 AM Kangkook Jee wrote:
>> but, last three one didn’t 
>> 
>> $ ~/bin/sock_decode 0200000036447A640000000000000000
>> 0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
>> $ ~/bin/sock_decode 020000003644ECD00000000000000000
>> 020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
>> $ ~/bin/sock_decode 02000000369520250000000000000000
>> 02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
>> 
>> Would you check this out?
> 
> You didn't give the events, but rather the sockaddr field alone. Port 0 is 
> valid in some uses. It mean give me an ephemeral port.
> 
> http://lxr.free-electrons.com/source/net/ipv4/inet_connection_sock.c#L90
> 
> 90 /* Obtain a reference to a local port for the given sock,
> 91  * if snum is zero it means select any available local port.
> 
> -Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: auditd reports port number '0' for connect() system call
  2016-03-31 22:11       ` Kangkook Jee
@ 2016-04-01 12:13         ` Steve Grubb
  2016-04-04 18:32           ` Kangkook Jee
  0 siblings, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2016-04-01 12:13 UTC (permalink / raw)
  To: Kangkook Jee; +Cc: linux-audit

On Thursday, March 31, 2016 06:11:26 PM Kangkook Jee wrote:
> Here an event directly from auditd for connect() system call (syscall=42)
> with port number 0. Do you think connect() system call still can be called
> with port number 0?


Hello,

I got the full events. Below is the explanation...

type=SYSCALL msg=audit(03/29/2016 21:33:27.178:35720094) : arch=x86_64 
syscall=socket success=yes exit=44 a0=inet a1=SOCK_DGRAM a2=ip a3=0x0 items=0 
ppid=2779 pid=31713 auid=unset uid=unknown(8271) gid=unknown(5001) 
euid=unknown(8271) suid=unknown(8271) fsuid=unknown(8271) egid=unknown(5001) 
sgid=unknown(5001) fsgid=unknown(5001) tty=(none) ses=unset comm=DNS Res~er 
#465 exe=/usr/lib/firefox/firefox key=(null) 

So, here ^^^ we are creating a DGRAM socket. This is important because datagram sockets
follow slightly different rules than TCP.


type=SOCKADDR msg=audit(03/29/2016 21:33:27.178:35720095) : saddr=inet 
host:54.68.122.100 serv:0 
type=SYSCALL msg=audit(03/29/2016 21:33:27.178:35720095) : arch=x86_64 
syscall=connect success=yes exit=0 a0=0x2c a1=0x7f1fbe8f81f0 a2=0x10 a3=0x0 
items=0 ppid=2779 pid=31713 auid=unset uid=unknown(8271) gid=unknown(5001) 
euid=unknown(8271) suid=unknown(8271) fsuid=unknown(8271) egid=unknown(5001) 
sgid=unknown(5001) fsgid=unknown(5001) tty=(none) ses=unset comm=DNS Res~er 
#465 exe=/usr/lib/firefox/firefox key=(null)


http://man7.org/linux/man-pages/man2/connect.2.html
If the socket sockfd is of type SOCK_DGRAM, then addr is the address to which 
datagrams are sent by default, and the only address from which datagrams are 
received.

So, this is just setting up a connectionless socket to a specific server. 
Judging by the thread name, this is for DNS resolution for Firefox. So, I 
would say that without a doubt, this is normal system operation.

-Steve


> type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42
> success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779
> pid=31713 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271
> egid=5001 sgid=500# type=SOCKADDR msg=audit(1459301607.178:35720095):
> saddr=0200000036447A640000000000000000
> 
> If it is bind() it makes but I’m not sure we can still do this with
> connect().
> 
> Thanks!
> 
> /Kangkook


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: auditd reports port number '0' for connect() system call
  2016-04-01 12:13         ` Steve Grubb
@ 2016-04-04 18:32           ` Kangkook Jee
  0 siblings, 0 replies; 8+ messages in thread
From: Kangkook Jee @ 2016-04-04 18:32 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Thanks a lot Steve! It really helps.


Regards, Kangkook

> On Apr 1, 2016, at 8:13 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> 
> On Thursday, March 31, 2016 06:11:26 PM Kangkook Jee wrote:
>> Here an event directly from auditd for connect() system call (syscall=42)
>> with port number 0. Do you think connect() system call still can be called
>> with port number 0?
> 
> 
> Hello,
> 
> I got the full events. Below is the explanation...
> 
> type=SYSCALL msg=audit(03/29/2016 21:33:27.178:35720094) : arch=x86_64 
> syscall=socket success=yes exit=44 a0=inet a1=SOCK_DGRAM a2=ip a3=0x0 items=0 
> ppid=2779 pid=31713 auid=unset uid=unknown(8271) gid=unknown(5001) 
> euid=unknown(8271) suid=unknown(8271) fsuid=unknown(8271) egid=unknown(5001) 
> sgid=unknown(5001) fsgid=unknown(5001) tty=(none) ses=unset comm=DNS Res~er 
> #465 exe=/usr/lib/firefox/firefox key=(null) 
> 
> So, here ^^^ we are creating a DGRAM socket. This is important because they 
> follow slightly different rules than tcp.
> 
> 
> type=SOCKADDR msg=audit(03/29/2016 21:33:27.178:35720095) : saddr=inet 
> host:54.68.122.100 serv:0 
> type=SYSCALL msg=audit(03/29/2016 21:33:27.178:35720095) : arch=x86_64 
> syscall=connect success=yes exit=0 a0=0x2c a1=0x7f1fbe8f81f0 a2=0x10 a3=0x0 
> items=0 ppid=2779 pid=31713 auid=unset uid=unknown(8271) gid=unknown(5001) 
> euid=unknown(8271) suid=unknown(8271) fsuid=unknown(8271) egid=unknown(5001) 
> sgid=unknown(5001) fsgid=unknown(5001) tty=(none) ses=unset comm=DNS Res~er 
> #465 exe=/usr/lib/firefox/firefox key=(null)
> 
> 
> http://man7.org/linux/man-pages/man2/connect.2.html
> If the socket sockfd is of type SOCK_DGRAM, then addr is the address to which 
> datagrams are sent by default, and the only address from which datagrams are 
> received.
> 
> So, this is just setting up a connectionless socket to a specific server. 
> Judging by the thread name, this is for DNS resolution for Firefox. So, I 
> would say that without a doubt, this is normal system operation.
> 
> -Steve
> 
> 
>> type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42
>> success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779
>> pid=31713 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271
>> egid=5001 sgid=500# type=SOCKADDR msg=audit(1459301607.178:35720095):
>> saddr=0200000036447A640000000000000000
>> 
>> If it is bind() it makes but I’m not sure we can still do this with
>> connect().
>> 
>> Thanks!
>> 
>> /Kangkook
> 


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

