Here is an event directly from auditd for the connect() system call (syscall=42) with port number 0. Do you think the connect() system call can still be called with port number 0?

type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42 success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779 pid=31713 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271 egid=5001 sgid=500#
type=SOCKADDR msg=audit(1459301607.178:35720095): saddr=0200000036447A640000000000000000

If it is bind() it makes sense, but I'm not sure we can still do this with connect().

Thanks!
/Kangkook

> On Mar 31, 2016, at 5:50 PM, Steve Grubb <[email protected]> wrote:
>
> On Thursday, March 31, 2016 08:54:30 AM Kangkook Jee wrote:
>> but the last three didn't
>>
>> $ ~/bin/sock_decode 0200000036447A640000000000000000
>> 0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
>> $ ~/bin/sock_decode 020000003644ECD00000000000000000
>> 020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
>> $ ~/bin/sock_decode 02000000369520250000000000000000
>> 02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
>>
>> Would you check this out?
>
> You didn't give the events, but rather the sockaddr field alone. Port 0 is
> valid in some uses. It means give me an ephemeral port.
>
> http://lxr.free-electrons.com/source/net/ipv4/inet_connection_sock.c#L90
>
> 90 /* Obtain a reference to a local port for the given sock,
> 91 * if snum is zero it means select any available local port.
>
> -Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
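Steve's point is that the saddr field on its own does not say which syscall produced it; the SYSCALL and SOCKADDR records of one event share the msg=audit(...) id and have to be read together. The following decoder, added here as an illustration and not part of the thread or of the audit project's tools, pairs the two record types by event id and decodes the sockaddr hex the way sock_decode does (sa_family in host byte order, port in network byte order, address printed in dotted form rather than as the little-endian integer sock_decode shows). The sample log is constructed: the first event reuses the SYSCALL/SOCKADDR pair and the three AF_INET addresses from the thread, the AF_INET6 and AF_UNIX records and the second and third event ids are made up. Syscall numbers 42 (connect) and 49 (bind) are the x86_64 values matching arch=c000003e.

```python
"""Decode auditd SOCKADDR saddr fields and pair them with their SYSCALL record.

Added example for the linux-audit thread above; it is not the project's own code.
"""
import re
import socket
import struct

# x86_64 syscall numbers (the records carry arch=c000003e).
SYSCALL_NAMES = {42: "connect", 49: "bind"}

# Linux address-family values as they appear in the kernel's sockaddr.
AF_UNIX_LINUX, AF_INET_LINUX, AF_INET6_LINUX = 1, 2, 10

FIELD_RE = re.compile(r"(\w+)=(\S+)")
EVENT_ID_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")

# Constructed sockaddr_in6 (port 443, ::1) and sockaddr_un ("/tmp/a.sock") samples.
SAMPLE_IN6 = "0A00" "01BB" "00000000" + "00" * 15 + "01" + "00000000"
SAMPLE_UNIX = "0100" + b"/tmp/a.sock\0".hex().upper()

# Constructed sample log: event 35720095 is the pair from the thread (SYSCALL line
# shortened); the other two events and their ids are made up for illustration.
SAMPLE_LOG = f"""\
type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42 success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779 pid=31713 auid=4294967295 uid=8271 gid=5001
type=SOCKADDR msg=audit(1459301607.178:35720095): saddr=0200000036447A640000000000000000
type=SYSCALL msg=audit(1459301607.200:35720096): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=7f1fbe8f81f0 a2=1c a3=0 items=0 ppid=2779 pid=31713 auid=4294967295 uid=8271 gid=5001
type=SOCKADDR msg=audit(1459301607.200:35720096): saddr={SAMPLE_IN6}
type=SYSCALL msg=audit(1459301607.300:35720097): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7f1fbe8f81f0 a2=6e a3=0 items=0 ppid=2779 pid=31713 auid=4294967295 uid=8271 gid=5001
type=SOCKADDR msg=audit(1459301607.300:35720097): saddr={SAMPLE_UNIX}
"""


def decode_saddr(hexstr: str) -> dict:
    """Decode an audit saddr hex string into family, address and port.

    sa_family is host byte order (little-endian on x86_64); the port fields of
    sockaddr_in / sockaddr_in6 are network byte order.
    """
    raw = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == AF_INET_LINUX and len(raw) >= 8:
        port = struct.unpack_from("!H", raw, 2)[0]
        addr = socket.inet_ntop(socket.AF_INET, raw[4:8])
        return {"family": "AF_INET", "addr": addr, "port": port}
    if family == AF_INET6_LINUX and len(raw) >= 24:
        port = struct.unpack_from("!H", raw, 2)[0]
        addr = socket.inet_ntop(socket.AF_INET6, raw[8:24])  # skip sin6_flowinfo
        return {"family": "AF_INET6", "addr": addr, "port": port}
    if family == AF_UNIX_LINUX:
        path = raw[2:]
        if path.startswith(b"\0"):  # abstract namespace socket
            name = "@" + path[1:].split(b"\0", 1)[0].decode(errors="replace")
        else:
            name = path.split(b"\0", 1)[0].decode(errors="replace")
        return {"family": "AF_UNIX", "addr": name, "port": None}
    return {"family": f"unknown({family})", "addr": hexstr, "port": None}


def parse_events(log_text: str) -> list:
    """Group SYSCALL and SOCKADDR records by audit event id and decode the address."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT_ID_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {"event_id": m.group(2)})
        fields = dict(FIELD_RE.findall(line))
        if fields.get("type") == "SYSCALL":
            num = int(fields["syscall"])
            ev["syscall"] = SYSCALL_NAMES.get(num, str(num))
            ev["pid"] = int(fields["pid"])
            ev["uid"] = int(fields["uid"])
            ev["success"] = fields["success"] == "yes"
        elif fields.get("type") == "SOCKADDR":
            ev.update(decode_saddr(fields["saddr"]))
    return list(events.values())


def describe(ev: dict) -> str:
    """One-line summary, e.g. 'connect pid=31713 uid=8271 -> 54.68.122.100:0'."""
    target = ev.get("addr", "?")
    if ev.get("port") is not None:
        target = f"{target}:{ev['port']}"
    return f"{ev.get('syscall', '?')} pid={ev.get('pid')} uid={ev.get('uid')} -> {target}"


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print(describe(ev))
```

Run on the thread's three saddr values this yields 54.68.122.100, 54.68.236.208 and 54.149.32.37, all with port 0; sock_decode's integers (1685734454 and so on) are the same four address bytes read as a little-endian uint32. Seeing the syscall name next to the decoded address is what lets you tell a port-0 bind() (ephemeral port request, as Steve notes) from a port-0 connect() when reviewing the log.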
