From: lists_todd@mac.com
Subject: saddr value in connect()
Date: Mon, 05 May 2014 15:11:56 -0700
Message-ID: <7ACE1895-F74D-45C6-B60F-0A72D90EEDE1@mac.com>
To: linux-audit@redhat.com

I have a question about the SOCKADDR token in a SYSCALL record (syscall 42 -- connect()).

Most of my records begin with one of the two values:

saddr=0200
saddr=0100

Followed by the port & IPv4 address or the file path.

QUESTION 1: The file path appears to be NULL terminated. Is this correct?

QUESTION 2: There are often additional characters after the 00 termination (and IP address). Is this just garbage that should be ignored?

QUESTION 3: Sometimes the first byte in a file path is 00 termination (e.g., saddr=0100002F…). Does this mean the string is empty and the content following it is garbage? Or is there a bug that accidentally prepends the 00 to the front of the saddr sequence?

Here is an example:
————————
type=SYSCALL msg=audit(1397089029.264:7407): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff3a7fdf70 a2=16 a3=7fff3a7fdd20 items=0 ppid=805 pid=1064 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="initctl" exe="/sbin/initctl" key=(null)
type=SOCKADDR msg=audit(1397089029.264:7407): saddr=0100002F636F6D2F7562756E74752F75707374617274
————————

If I assume the first 00 is a bug, the string decodes to /com/ubuntu/upstart

Thanks,
Todd

PS. uname -r gives 3.13.0-24-generic (though, I think I collected these logs before the last software update)
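The following decoder is an added example, not code from the thread or from the audit project. It parses the hex `saddr=` value of a SOCKADDR record the way the kernel lays the structure out: a 16-bit `sa_family` in host byte order (the example assumes a little-endian x86 host, so `0200` is AF_INET and `0100` is AF_UNIX), then `sockaddr_in` (port and address in network order, followed by eight bytes of `sin_zero` padding) or `sockaddr_un` (`sun_path`). For AF_UNIX it applies the Linux convention that a `sun_path` starting with a NUL byte is an abstract-namespace socket whose name is not NUL-terminated, so the record quoted in the mail decodes as the abstract name `/com/ubuntu/upstart` rather than an empty path followed by garbage. Bytes after the terminating NUL of a pathname socket, and non-zero `sin_zero` padding, are reported separately so a reviewer can see what the caller passed beyond the address proper. The constants, the regular expression and the sample records other than the one from the mail are constructed for this example.

```python
import re
import struct
import ipaddress

# Linux address-family numbers (constructed constants so the decoder runs on any host).
AF_UNIX, AF_INET = 1, 2

# Pull the hex value out of a "type=SOCKADDR ... saddr=..." line.
SADDR_RE = re.compile(r"\bsaddr=([0-9A-Fa-f]+)")


def decode_saddr(hexstr):
    """Decode an audit SOCKADDR saddr hex string into a dict.

    Assumption: the record was produced on a little-endian host, so the leading
    sa_family_t field is read as a little-endian 16-bit integer.
    """
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2:
        raise ValueError("saddr shorter than sa_family_t")
    family = struct.unpack("<H", raw[:2])[0]

    if family == AF_INET:
        if len(raw) < 8:
            raise ValueError("truncated sockaddr_in")
        # sin_port and sin_addr are in network byte order.
        port, addr = struct.unpack("!H4s", raw[2:8])
        padding = raw[8:]  # sin_zero: should be zero, but the kernel logs what it got
        return {
            "family": "AF_INET",
            "port": port,
            "addr": str(ipaddress.IPv4Address(addr)),
            "padding_nonzero": any(padding),
        }

    if family == AF_UNIX:
        sun_path = raw[2:]
        if not sun_path:
            # Zero-length sun_path: an unnamed (autobind-style) socket.
            return {"family": "AF_UNIX", "kind": "unnamed", "path": "", "trailing": ""}
        if sun_path[0] == 0:
            # Leading NUL = Linux abstract namespace. The name is NOT NUL-terminated;
            # every byte up to the passed address length is part of the name.
            return {
                "family": "AF_UNIX",
                "kind": "abstract",
                "path": sun_path[1:].decode("utf-8", "backslashreplace"),
                "trailing": "",
            }
        # Filesystem path: terminated by the first NUL; anything after it is
        # whatever the caller left in the buffer, not part of the address.
        end = sun_path.find(b"\0")
        if end == -1:
            path, trailing = sun_path, b""
        else:
            path, trailing = sun_path[:end], sun_path[end + 1:]
        return {
            "family": "AF_UNIX",
            "kind": "pathname",
            "path": path.decode("utf-8", "backslashreplace"),
            "trailing": trailing.hex(),
        }

    # Other families (AF_INET6, AF_NETLINK, ...) are left undecoded here.
    return {"family": family, "raw": raw[2:].hex()}


def decode_record(line):
    """Decode the saddr field of one SOCKADDR audit line, or return None."""
    m = SADDR_RE.search(line)
    return decode_saddr(m.group(1)) if m else None


if __name__ == "__main__":
    # The record from the mail, plus two constructed records for the other cases.
    samples = [
        "type=SOCKADDR msg=audit(1397089029.264:7407): "
        "saddr=0100002F636F6D2F7562756E74752F75707374617274",
        # constructed: AF_INET, port 22, 172.16.0.1, zeroed sin_zero
        "type=SOCKADDR msg=audit(1.0:1): saddr=02000016AC1000010000000000000000",
        # constructed: pathname socket with leftover bytes after the NUL
        "type=SOCKADDR msg=audit(1.0:2): saddr=0100"
        + "/run/x.sock".encode().hex() + "00" + "deadbeef",
    ]
    for line in samples:
        print(decode_record(line))
```

Running the block prints one dict per record; the first shows `kind: abstract` with the path `/com/ubuntu/upstart`, the third shows the pathname plus the `deadbeef` bytes that followed its terminator.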