Hello,
On Monday, December 18, 2017 2:37:53 PM EST Yectli Huerta wrote:
unhide reports that there are ports that are not being seen by ss. I
also used lsof and netstat and they don't show up.
[~] % sudo unhide-tcp
Unhide-tcp 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info
Used options:
[*]Starting TCP checking
Found Hidden port that not appears in ss: 840
Found Hidden port that not appears in ss: 851
[*]Starting UDP checking
[~] %
I created auditd rules to monitor socket-related system calls
% sudo auditctl -l
-a always,exit -F arch=b64 -S connect -F key=CONNECT
-a always,exit -F arch=b64 -S bind -F key=BIND
-a always,exit -F arch=b64 -S socket -F key=SOCKET
-a always,exit -F arch=b64 -S listen -F key=LISTEN
-a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
-a always,exit -F arch=b64 -S close -F key=CLOSE
The problem is that when I search the log files, I don't see any
references to hidden ports 840 or 851. Below is one entry where
unhide-tcp is trying to bind to port 39781, so I know auditd is
logging entries.
type=SOCKADDR msg=audit(12/15/2017 16:17:32.935:11040116) : saddr=inet
host:0.0.0.0 serv:39781
type=SYSCALL msg=audit(12/15/2017 16:17:32.935:11040116) : arch=x86_64
syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffc212a92f0 a2=0x10
a3=0x0 items=0 ppid=21752 pid=21753 auid=*** uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1
ses=225 comm=unhide-tcp exe=/usr/sbin/unhide-tcp
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=BIND
Do any of you have any suggestions?
If you got rooted, then you may not be able to trust anything. Typically they hide
processes seen by ps and files seen by ls. It might be that they use an unknown
syscall number or it's in the kernel itself. I also don't know if they jump into a
network namespace if the audit daemon will see it. It might be an innocent
explanation like that.
-Steve
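As an added example (this is not code from the thread, from unhide-tcp or from the audit project), the Python script below reproduces the check unhide-tcp performs and the correlation the original poster attempted: it reads the local ports that /proc/net/tcp and /proc/net/tcp6 expose (the same tables ss, netstat and lsof rely on), tries a plain bind() on each candidate port, reports ports that the kernel refuses with EADDRINUSE but the tables do not list, and then checks those ports against the ports found in interpreted audit SOCKADDR records (the `ausearch -i` output format). The /proc/net/tcp listing is a constructed sample; the audit line is copied from the record quoted in the thread, with the auid masked as in the original. Probing ports below 1024 requires root; without it those ports are reported as unprobeable rather than hidden.

```python
#!/usr/bin/env python3
"""Added example (not unhide-tcp's or the audit project's code): reproduce the
hidden-port check described in the thread and correlate it with audit records.

Technique: a socket kept out of /proc/net/tcp (what ss, netstat and lsof read)
still occupies its port in the kernel, so a plain bind() on that port fails
with EADDRINUSE.  Every port that bind() rejects but the proc listing does not
show is reported as hidden.  Ports below 1024 need root; a probe refused with
EACCES is reported separately instead of being counted as hidden.
"""
import errno
import re
import socket

# Constructed sample of /proc/net/tcp: sshd listening on 22 (0x0016) plus one
# established connection on 22.  The 'st' column is hex (0A = LISTEN).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18800 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:C4E3 01 00000000:00000000 00:00000000 00000000     0        0 21033 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of `ausearch -i` output: the record quoted in the thread.
SAMPLE_AUDIT_LINES = [
    "type=SOCKADDR msg=audit(12/15/2017 16:17:32.935:11040116) : saddr=inet host:0.0.0.0 serv:39781",
    "type=SYSCALL msg=audit(12/15/2017 16:17:32.935:11040116) : arch=x86_64 syscall=bind success=yes "
    "exit=0 a0=0x3 a1=0x7ffc212a92f0 a2=0x10 a3=0x0 items=0 ppid=21752 pid=21753 auid=*** uid=root "
    "comm=unhide-tcp exe=/usr/sbin/unhide-tcp key=BIND",
]


def parse_proc_net_tcp(text):
    """Return every local TCP port in a /proc/net/tcp(6) listing, in any state.
    A socket in TIME_WAIT or ESTABLISHED also makes bind() fail, so all of
    them count as 'visible' for the comparison (unhide-tcp uses ss -tan too)."""
    ports = set()
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr = fields[1]                  # hex 'IP:PORT'
        ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def visible_tcp_ports(paths=("/proc/net/tcp", "/proc/net/tcp6")):
    """Union of the IPv4 and IPv6 tables (an IPv6 listener on :: normally
    occupies the IPv4 port as well).  Missing files are skipped."""
    ports = set()
    for path in paths:
        try:
            with open(path) as fh:
                ports |= parse_proc_net_tcp(fh.read())
        except FileNotFoundError:
            pass
    return ports


def port_in_use(port):
    """Probe one TCP port the way unhide-tcp does: a plain bind() on 0.0.0.0
    with no SO_REUSEADDR.  True = EADDRINUSE, False = bind succeeded,
    None = EACCES (privileged port without root), so it cannot be judged."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            if e.errno == errno.EACCES:
                return None
            raise
    return False


def find_hidden_ports(visible, candidates, probe=port_in_use):
    """Ports the kernel refuses to hand out but the proc listing does not
    show.  Returns (hidden, unprobeable)."""
    hidden, unprobeable = set(), set()
    for port in candidates:
        if port in visible:
            continue                            # listed, nothing to hide
        result = probe(port)
        if result is None:
            unprobeable.add(port)
        elif result:
            hidden.add(port)
    return hidden, unprobeable


SOCKADDR_RE = re.compile(r"saddr=inet6? host:\S* serv:(\d+)")


def bound_ports_from_audit(lines):
    """Ports seen in interpreted SOCKADDR records.  Intersecting this set
    with the hidden ports answers the thread's question: did the hidden
    listener ever pass through the audited bind() syscall?"""
    ports = set()
    for line in lines:
        m = SOCKADDR_RE.search(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


if __name__ == "__main__":
    hidden, unprobeable = find_hidden_ports(visible_tcp_ports(), range(1, 65536))
    audited = bound_ports_from_audit(SAMPLE_AUDIT_LINES)   # use real ausearch -i output here
    for port in sorted(hidden):
        note = "bind() was audited" if port in audited else "no audited bind() found"
        print(f"hidden TCP port {port}: {note}")
    if unprobeable:
        print(f"{len(unprobeable)} privileged ports skipped (run as root to probe them)")
```

Two caveats when reading a report from this script or from unhide-tcp itself. A socket that has been bound but has not yet called listen() occupies its port without appearing in /proc/net/tcp, so a benign process caught between bind() and listen() produces a false positive; re-run before drawing conclusions. And, as Steve notes, this check only covers what the kernel honestly answers: a rootkit that lives in the kernel can filter bind() from audit just as it filters /proc/net/tcp, so a missing BIND record for a port that bind() refuses is consistent with either explanation.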