On 12/18/17, Steve Grubb <[email protected]> wrote:
> Hello,
> ..........
>
> If you got rooted, then you may not be able to trust anything. Typically
> they hide processes seen by ps and files seen by ls. It might be that they
> use an unknown syscall number or it's in the kernel itself. I also don't
> know, if they jump into a network namespace, whether the audit daemon will
> see it. It might be an innocent explanation like that.
>
> -Steve
>
hi,

thanks for the reply. I'm trying to narrow down the scenarios. I ran a simple program that I found on the web and modified to check on all ports:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>     /* bzero(), bcopy() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/*
 * from https://theredblacktree.wordpress.com/2013/09/30/how-to-check-if-a-port-is-open-or-not-in-c-unixlinux/
 */
int main(int argc, char *argv[])
{
    int portno = 22;
    char *hostname = "localhost";
    int sockfd, i;
    struct sockaddr_in serv_addr;
    struct hostent *server;

    /* try a TCP connect() against every port on the local host */
    for (i = 1; i <= 65535; i++) {
        sockfd = socket(AF_INET, SOCK_STREAM, 0);
        if (sockfd < 0) {
            perror("ERROR opening socket");
            exit(1);
        }

        server = gethostbyname(hostname);
        if (server == NULL) {
            fprintf(stderr, "ERROR, no such host\n");
            exit(0);
        }

        bzero((char *) &serv_addr, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        bcopy((char *) server->h_addr, (char *) &serv_addr.sin_addr.s_addr, server->h_length);
        //serv_addr.sin_port = htons(portno);
        serv_addr.sin_port = htons(i);

        if (connect(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) {
            //printf("Port is closed, %d\n", i);
        } else {
            printf("Port is active, %d\n", i);
        }
        close(sockfd);
    }
    return 0;
}

When I run it, it tells me which ports are used b/c the program can't bind to a port:

[/tmp] % sudo autrace ./a.out
Waiting to execute: ./a.out
Port is active, 22
Port is active, 111
....
When I analyze the output

[/tmp] % sudo ausearch -i -p 5502 &> ~/tcp-bind-auditd.log

I see that a.out was able to connect to very high ports, but not to the lower ports that were reported to be in use:

[ ~] $ grep serv tcp-bind-auditd.log | awk {'print $NF'} | sort | head -n 5
serv:62653
serv:62654
serv:62655
serv:62656
serv:62657
[ ~] $ grep serv tcp-bind-auditd.log | awk {'print $NF'} | sort | tail -n 5
serv:65531
serv:65532
serv:65533
serv:65534
serv:65535
[ ~] $ grep serv:22 tcp-bind-auditd.log
[ ~] $ grep serv:111 tcp-bind-auditd.log
[ ~] $ grep serv:23 tcp-bind-auditd.log
[ ~] $
[~] $ grep 65535 tcp-bind-auditd.log
type=SOCKADDR msg=audit(12/19/2017 13:27:52.377:33949631) : saddr=inet host:127.0.0.1 serv:65535

Is something hiding the lower ports from auditd? Is there a way to log all syscalls to trace what binds to the ports after a reboot? I can reboot the server and then attempt to trace each network socket. These rules don't seem to be enough to track network sockets:

[/tmp] % sudo auditctl -l
-a always,exit -F arch=b64 -S connect -F key=CONNECT
-a always,exit -F arch=b64 -S bind -F key=BIND
-a always,exit -F arch=b64 -S socket -F key=SOCKET
-a always,exit -F arch=b64 -S listen -F key=LISTEN
-a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
-a always,exit -F arch=b64 -S close -F key=CLOSE

The ports that appeared to be hidden are no longer showing up, so I'm trying to figure out what is going on.

thanks
yah

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
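The grep/awk correlation done by hand above can be automated. The following is an added example (it is not code from the thread or from the audit project); it assumes the `ausearch -i` record layout visible in the post (`type=... msg=audit(timestamp:serial) : fields`, with `saddr=inet host:... serv:N` on SOCKADDR records) and runs against a constructed sample log that reuses one serial from the post. It groups records by event serial, pairs each SOCKADDR port with the SYSCALL record of the same event, and reports which scanner-reported ports have no connect() record at all for the scanning pid.

```python
import re
from collections import defaultdict

# Constructed sample of `ausearch -i` output. Only the first serial and its port
# come from the thread; every other record, pid and path is made up for the example.
SAMPLE_AUDIT_LOG = """\
----
type=SOCKADDR msg=audit(12/19/2017 13:27:52.377:33949631) : saddr=inet host:127.0.0.1 serv:65535
type=SYSCALL msg=audit(12/19/2017 13:27:52.377:33949631) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) a0=0x3 a1=0x7ffc1b2e3c10 a2=0x10 a3=0x0 items=0 ppid=5501 pid=5502 auid=root uid=root gid=root comm=a.out exe=/tmp/a.out key=CONNECT
----
type=SOCKADDR msg=audit(12/19/2017 13:27:52.380:33949632) : saddr=inet host:127.0.0.1 serv:62653
type=SYSCALL msg=audit(12/19/2017 13:27:52.380:33949632) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x7ffc1b2e3c10 a2=0x10 a3=0x0 items=0 ppid=5501 pid=5502 auid=root uid=root gid=root comm=a.out exe=/tmp/a.out key=CONNECT
----
type=SOCKADDR msg=audit(12/19/2017 13:28:01.004:33949640) : saddr=inet host:127.0.0.1 serv:22
type=SYSCALL msg=audit(12/19/2017 13:28:01.004:33949640) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x7ffd9a0b1e40 a2=0x10 a3=0x0 items=0 ppid=700 pid=777 auid=user1 uid=user1 gid=user1 comm=ssh exe=/usr/bin/ssh key=CONNECT
----
type=SOCKADDR msg=audit(12/19/2017 13:28:01.100:33949641) : saddr=local /var/run/nscd/socket
type=SYSCALL msg=audit(12/19/2017 13:28:01.100:33949641) : arch=x86_64 syscall=connect success=no exit=ENOENT(No such file or directory) a0=0x4 a1=0x7ffd9a0b1d00 a2=0x6e a3=0x0 items=0 ppid=700 pid=777 auid=user1 uid=user1 gid=user1 comm=ssh exe=/usr/bin/ssh key=CONNECT
"""

# type=<RECORD> msg=audit(<timestamp>:<serial>) : <fields>; the timestamp itself
# contains colons, so match the serial as the last ":digits" before the ")".
MSG_RE = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)$")
# Interpreted inet/inet6 socket address as printed by ausearch -i.
SERV_RE = re.compile(r"\bsaddr=inet6? host:(\S+) serv:(\d+)")
# key=value fields of a SYSCALL record (values never contain spaces in the
# fields we use: syscall, success, pid, comm, key).
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Group ausearch -i records by event serial.

    Returns {serial: {"types": set(), "fields": {...}, "host": str|None, "port": int|None}}.
    Non-inet SOCKADDR records (unix sockets, netlink) leave port as None.
    """
    events = defaultdict(lambda: {"types": set(), "fields": {}, "host": None, "port": None})
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue  # '----' separators and blank lines
        rtype, _timestamp, serial, body = m.groups()
        ev = events[int(serial)]
        ev["types"].add(rtype)
        if rtype == "SOCKADDR":
            sm = SERV_RE.search(body)
            if sm:
                ev["host"], ev["port"] = sm.group(1), int(sm.group(2))
        elif rtype == "SYSCALL":
            ev["fields"].update(FIELD_RE.findall(body))
    return dict(events)


def audited_ports(events, syscall="connect", pid=None):
    """Destination ports that have an audit event (SYSCALL + inet SOCKADDR) for `syscall`.

    With pid=None any process counts; pass the scanner's pid so that an unrelated
    process talking to the same port does not mask a gap in the scanner's trail.
    """
    ports = set()
    for ev in events.values():
        fields = ev["fields"]
        if ev["port"] is None or fields.get("syscall") != syscall:
            continue
        if pid is not None and fields.get("pid") != str(pid):
            continue
        ports.add(ev["port"])
    return ports


def unaudited_ports(reported_active, events, syscall="connect", pid=None):
    """Ports the scanner printed as active that never appear in the audit trail."""
    return sorted(set(reported_active) - audited_ports(events, syscall, pid))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    scanner_said_active = [22, 111, 62653]  # from the a.out output in the post
    print("connect() ports with an audit record (any pid):", sorted(audited_ports(evs)))
    print("scanner ports with no audit record for pid 5502:",
          unaudited_ports(scanner_said_active, evs, pid=5502))
```

Run against a real capture with `parse_events(open("tcp-bind-auditd.log").read())` and the pid that `ausearch -p` was given. Two points the by-hand grep does not make explicit: filtering on the scanner's pid matters (in the sample, sshd traffic to port 22 from another process would otherwise make that gap disappear), and a missing record is not by itself proof of tampering; the `lost` counter that `auditctl -s` prints is the first thing to compare against before treating a gap as evasion.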
