Here is an event directly from auditd for the connect() system call (syscall=42) with port number 0.
Do you think connect() system call still can be called with port number 0?
type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42 success=yes
exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779 pid=31713 auid=4294967295
uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271 egid=5001 sgid=500#
type=SOCKADDR msg=audit(1459301607.178:35720095): saddr=0200000036447A640000000000000000
If it is bind() it makes sense, but I’m not sure we can still do this with connect().
Thanks!
/Kangkook
On Mar 31, 2016, at 5:50 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Thursday, March 31, 2016 08:54:30 AM Kangkook Jee wrote:
> but, last three one didn’t
>
> $ ~/bin/sock_decode 0200000036447A640000000000000000
> 0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
> $ ~/bin/sock_decode 020000003644ECD00000000000000000
> 020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
> $ ~/bin/sock_decode 02000000369520250000000000000000
> 02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
>
> Would you check this out?
You didn't give the events, but rather the sockaddr field alone. Port 0 is
valid in some uses. It means give me an ephemeral port.
http://lxr.free-electrons.com/source/net/ipv4/inet_connection_sock.c#L90
90 /* Obtain a reference to a local port for the given sock,
91 * if snum is zero it means select any available local port.
-Steve
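To make the exchange above concrete, here is a small decoder for the hex saddr= field of an audit SOCKADDR record, written for this page as an added example (it is not code from the thread, from Kangkook's sock_decode tool, or from the audit project). It assumes records from a little-endian x86_64 host (arch=c000003e), reproduces the host-order address integer that sock_decode printed, flags the port-0 case Steve explains, and also handles AF_INET6, which goes beyond what the thread shows.

```python
import re
import socket
import struct

# Linux address-family numbers as they appear in the record (assumption: x86_64, arch=c000003e)
AF_INET, AF_INET6 = 2, 10

SADDR_RE = re.compile(r"\bsaddr=([0-9A-Fa-f]+)")
SYSCALL_RE = re.compile(r"\bsyscall=(\d+)")


def decode_saddr(hex_saddr):
    """Decode the saddr= hex blob of a SOCKADDR record into family, address and port."""
    raw = bytes.fromhex(hex_saddr)
    # sa_family is a host-order u16; on the thread's little-endian box that is "<H"
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == AF_INET:
        # struct sockaddr_in: sin_port and sin_addr are stored in network byte order
        port, addr = struct.unpack_from("!H4s", raw, 2)
        text = socket.inet_ntop(socket.AF_INET, addr)
        # sock_decode in the thread prints sin_addr as a host-order (little-endian) integer
        host_int = struct.unpack("<I", addr)[0]
    elif family == AF_INET6:
        # struct sockaddr_in6: sin6_port, sin6_flowinfo, sin6_addr
        port, _flowinfo, addr = struct.unpack_from("!HI16s", raw, 2)
        text = socket.inet_ntop(socket.AF_INET6, addr)
        host_int = None
    else:
        return {"family": family, "addr": None, "addr_host_int": None, "port": None, "port_zero": False}
    # port 0 is legal: it asks the kernel to pick an ephemeral local port, so a detection
    # rule must not treat it as a malformed or suspicious destination by itself
    return {"family": family, "addr": text, "addr_host_int": host_int, "port": port, "port_zero": port == 0}


def decode_event(syscall_line, sockaddr_line):
    """Pair a SYSCALL record with its SOCKADDR record (same msg=audit id) and decode it."""
    m = SADDR_RE.search(sockaddr_line)
    if not m:
        raise ValueError("no saddr= field in SOCKADDR record")
    info = decode_saddr(m.group(1))
    info["syscall"] = int(SYSCALL_RE.search(syscall_line).group(1))  # 42 == connect() on x86_64
    return info


# Constructed sample: the two records quoted in the thread, trimmed to the relevant fields
SYSCALL_LINE = ("type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42 "
                "success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0")
SOCKADDR_LINE = "type=SOCKADDR msg=audit(1459301607.178:35720095): saddr=0200000036447A640000000000000000"

if __name__ == "__main__":
    print(decode_event(SYSCALL_LINE, SOCKADDR_LINE))
```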