auditd reports port number '0' for connect() system call
by Kangkook Jee
Hi all,
I'm developing custom audit client to monitor Linux system activities.
I'm testing my client from Ubuntu 14.04 (64-bit) system with the following auditctl rules.
sudo auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=open,close,dup,dup2,socket,connect,accept,listen,socketpair,clone,fork,vfork,execve,exit,creat,unlink,exit_group,openat,unlinkat,accept4,dup3
And I captured the raw system messages with the following command.
sudo auditd -f > /tmp/log.txt
While /tmp/log.txt contains a considerable amount of raw audit messages, I grep'ed only connect() system calls with its associated saddr entries.
grep -A1 -e "syscall=42 success=yes" /tmp/log.txt
--
type=SYSCALL msg=audit(1459302277.538:35891018): arch=c000003e syscall=42 success=yes exit=0 a0=61 a1=7f2ec75a1ed0 a2=10 a3=1 items=0 ppid=2779 pid=21581 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271 egid=5001 sgid=5001 fsgid=5001 tty=(none) ses=4294967295 comm="Chrome_IOThread" exe="/opt/google/chrome/chrome" key=(null)
type=SOCKADDR msg=audit(1459302277.538:35891018): saddr=020000358A0F6C0B0000000000000000
--
type=SYSCALL msg=audit(1459302309.098:35898719): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fffe9a24980 a2=10 a3=7fffe9a246d0 items=0 ppid=20312 pid=2991 auid=4294967295 uid=8271 gid=5001 euid=0 suid=0 fsuid=0 egid=0 sgid=5001 fsgid=0 tty=pts23 ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=SOCKADDR msg=audit(1459302309.098:35898719): saddr=0200006F8A0FA5090000000000000000
--
type=SYSCALL msg=audit(1459302309.098:35898722): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fffe9a24980 a2=10 a3=7fffe9a246d0 items=0 ppid=20312 pid=2991 auid=4294967295 uid=8271 gid=5001 euid=0 suid=0 fsuid=0 egid=0 sgid=5001 fsgid=0 tty=pts23 ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=SOCKADDR msg=audit(1459302309.098:35898722): saddr=0200030B8A0FA5090000000000000000
...
For these entries, I decoded saddr entries with the attached program and extracted entries port values '0'.
g++ -o sock_decode sock_decode.cpp
grep -A1 -e "syscall=42 success=yes" /tmp/log.txt |grep saddr | awk 'BEGIN{FS="="} {print “ ./sock_decode " $4}' |sh |grep "sa_family: 2.* port: 0" |more
0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
....
If I understood correctly, connect() should return error when sin_port field is set with '0'.
Would anyone explain this to me or help me with fix this problem?
Thanks a lot for your help in advance!
8 years, 7 months
[PATCH] audit: cleanup prune_tree_thread
by Jiri Slaby
We can use kthread_run instead of kthread_create+wake_up_process for
creating the thread.
We do not need to set the task state to TASK_RUNNING after schedule(),
the process is in that state already.
And we do not need to set the state to TASK_INTERRUPTIBLE when not
doing schedule() as we set the state to TASK_RUNNING immediately
afterwards.
Signed-off-by: Jiri Slaby <jslaby(a)suse.cz>
Cc: Paul Moore <paul(a)paul-moore.com>
Cc: Eric Paris <eparis(a)redhat.com>
Cc: <linux-audit(a)redhat.com>
---
kernel/audit_tree.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 5efe9b299a12..25772476fa4a 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -661,10 +661,10 @@ static int tag_mount(struct vfsmount *mnt, void *arg)
static int prune_tree_thread(void *unused)
{
for (;;) {
- set_current_state(TASK_INTERRUPTIBLE);
- if (list_empty(&prune_list))
+ if (list_empty(&prune_list)) {
+ set_current_state(TASK_INTERRUPTIBLE);
schedule();
- __set_current_state(TASK_RUNNING);
+ }
mutex_lock(&audit_cmd_mutex);
mutex_lock(&audit_filter_mutex);
@@ -693,16 +693,14 @@ static int audit_launch_prune(void)
{
if (prune_thread)
return 0;
- prune_thread = kthread_create(prune_tree_thread, NULL,
+ prune_thread = kthread_run(prune_tree_thread, NULL,
"audit_prune_tree");
if (IS_ERR(prune_thread)) {
pr_err("cannot start thread audit_prune_tree");
prune_thread = NULL;
return -ENOMEM;
- } else {
- wake_up_process(prune_thread);
- return 0;
}
+ return 0;
}
/* called with audit_filter_mutex */
--
2.7.4
8 years, 7 months
RE: Linux Auditd app for Splunk
by Maupertuis Philippe
The splunk app seems very promising.
Is there a way to use it when audit records are sent to a central syslog server before feeding Splunk.
For now, the auditd record are prefixed by syslog information when received by Splunk.
Regards
Philippe
-----Message d'origine-----
De : linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] De la part de linux-audit-request(a)redhat.com
Envoyé : jeudi 31 mars 2016 18:00
À : linux-audit(a)redhat.com
Objet : Linux-audit Digest, Vol 138, Issue 9
Send Linux-audit mailing list submissions to
linux-audit(a)redhat.com
To subscribe or unsubscribe via the World Wide Web, visit
https://www.redhat.com/mailman/listinfo/linux-audit
or, via email, send a message with subject or body 'help' to
linux-audit-request(a)redhat.com
You can reach the person managing the list at
linux-audit-owner(a)redhat.com
When replying, please edit your Subject line so it is more specific than "Re: Contents of Linux-audit digest..."
Today's Topics:
1. Linux Auditd app for Splunk (Douglas Brown)
2. Re: auditd reports port number '0' for connect() system call
(Steve Grubb)
3. Re: Linux Auditd app for Splunk (Steve Grubb)
4. Re: Linux Auditd app for Splunk (F Rafi)
5. Re: Linux Auditd app for Splunk (Douglas Brown)
6. Re: auditd reports port number '0' for connect() system call
(Kangkook Jee)
7. Re: auditd reports port number '0' for connect() system call
(Kangkook Jee)
8. [PATCH] audit: cleanup prune_tree_thread (Jiri Slaby)
----------------------------------------------------------------------
Message: 1
Date: Wed, 30 Mar 2016 22:34:39 +0000
From: Douglas Brown <doug.brown(a)qut.edu.au>
To: "linux-audit(a)redhat.com" <linux-audit(a)redhat.com>
Subject: Linux Auditd app for Splunk
Message-ID: <64E84EA2-7954-4B57-857C-DD3B1009A0CB(a)qut.edu.au>
Content-Type: text/plain; charset="utf-8"
Hi all,
This week I released version 2 of the Linux Auditd app for Splunk: https://splunkbase.splunk.com/app/2642/
Be sure to let me know if you have any suggestions for improvements.
Cheers,
Doug
8 years, 7 months