Re: Couldn't get audit messages for 'listen' on kernel 4.19.0-6-686-pae

From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Rinat Gadelshin <rgadelsh@gmail.com>
Subject: Re: Couldn't get audit messages for 'listen' on kernel 4.19.0-6-686-pae
Date: Mon, 23 Oct 2023 12:19:46 -0400	[thread overview]
Message-ID: <4527815.LvFx2qVVIh@x2> (raw)
In-Reply-To: <adc9e0a6-80fe-4e81-bd10-8bfe323645bc@gmail.com>

On Monday, October 23, 2023 9:06:16 AM EDT Rinat Gadelshin wrote:
> Hello there!
> 
> First of all, I have to apologize for two identical emails as the
> beginning of the stream.
> The first one was sent (by occasional) from my work email.
> I've received notification, from the mail bot, that I should subscribe
> to the mail list (for the work email).
> After that I've resent the second one.
> 
> Let's return to the problem.
> 
> I've done a following experiment:
> 
> `auditctl -D`
> `auditctl -a always,exit -S all`
> `strace netcat -v -l -p 4242 | tee strace.log` # the pid of the netcat
> was 536
> Ctrl+c
> `ausearch -p 536 > auditd.pid.536.log`
> `grep "syscall=.*traditional" auditd.pid.536.log | awk '{print $4}' |
> sort | uniq -c'
> 
> The last command prints the following result:
> 
>       11 syscall=102
>        1 syscall=11
>        6 syscall=125
>        6 syscall=140
>        6 syscall=174
>        1 syscall=175
>       14 syscall=192
>       33 syscall=195
>        9 syscall=197
>        2 syscall=20
>        1 syscall=243
>        1 syscall=27
>       41 syscall=295
>       14 syscall=3
>        5 syscall=33
>        2 syscall=4
>        5 syscall=45
>       11 syscall=6
>        3 syscall=91
> 
> So the following syscalls are reported (there are no `socket`, `bind`,
> `connect`, `listen`):
> 
>      3 (read)
>      4 (write)
>      6 (close)
>      11 (execve)
>      20 (getpid)
>      27 (alarm)
>      33 (access)
>      45 (brk)
>      91 (munmap)
>    102 (socketcall)

On old 386 kernels, they use socketcall as the networking API. Glibc under 
the hood sets arg0 to a number which represents the actual functionality to 
call and calls socketcall. You could say it multiplexes the network API. 
Somewhere along the way, they decided to modernize and make actual calls for 
each network function. So, if you have an audit library that is much newer 
than the kernel, it will assume you are using the updated API rather than the 
socketcall based API. In this case, you have an old glibc which still uses 
socketcall.

So, if you wanted to audit socket, bind, connect, and listen you would use:

 -a always,exit -F arch=b32 -S socketcall -F arg0=1 -F key=socket
 -a always,exit -F arch=b32 -S socketcall -F arg0=2 -F key=bind
 -a always,exit -F arch=b32 -S socketcall -F arg0=3 -F key=connect
 -a always,exit -F arch=b32 -S socketcall -F arg0=4 -F key=listen

A listing of the numbers to use can be found at:
/usr/include/linux/net.h

Hope this helps...

-Steve

>    125 (mprotect)
>    140 (_llseek)
>    174 (rt_sigaction)
>    175 (rt_sigprocmask)
>    192 (mmap2)
>    195 (stat64)
>    197 (fstat64)
>    243 (set_thread_area)
>    295 (openat)
> 
> But strace's log shows that `socket`, `bind`, `connect` and `listen`
> were called:
> 
>      execve("/usr/bin/netcat", ["netcat", "-v", "-l", "-p", "4242"],
> 0xbf9f8f00 /* 22 vars */) = 0
>      -- line skipped --
>      socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
>      connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"},
> 110) = -1 ENOENT (No such file or directory)
>      close(3)                                = 0
>      -- line skipped --
>      socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
>      connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"},
> 110) = -1 ENOENT (No such file or directory)
>      close(3)                                = 0
>      -- line skipped --
>      socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
>      setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
>      setsockopt(3, SOL_SOCKET, SO_REUSEPORT, [1], 4) = 0
>      bind(3, {sa_family=AF_INET, sin_port=htons(4242),
> sin_addr=inet_addr("0.0.0.0")}, 16) = 0
>      listen(3, 1)                            = 0
>      getsockname(3, {sa_family=AF_INET, sin_port=htons(4242),
> sin_addr=inet_addr("0.0.0.0")}, [16]) = 0
>      -- line skipped --
> 
> Please, give me a clue! How could it be?
> 
> Best regards
> Rinat
> 
> On 22.10.2023 08:27, Rinat Gadelshin wrote:
> > Hello there!
> > 
> > I'm facing a strange problem.
> > I have not been able to get audit reports for any "network" syscall
> > on one of the computers from my test bench.
> > I mean 'connect', 'accept4', 'listen', 'bind', 'socket'.
> > The following example shows that auditd couldn't get them too
> > ('listen' at least).
> > But I've received a report about 'execve' called by the same process.
> > 
> > Could you tell me what can I do in order to receive audit messages for
> > the syscalls.
> > from this version of the kernel?
> > 
> > Any help will be will be appreciated.
> > 
> > 
> > root@deb101-x86-0009:~# netcat -v -l -p 4242 &
> > [2] 13481
> > root@deb101-x86-0009:~# listening on [any] 4242 ...
> > root@deb101-x86-0009:~# echo "Test" | nc -q 0 127.0.0.1 4242
> > connect to [127.0.0.1] from localhost [127.0.0.1] 36650
> > Test
> > root@deb101-x86-0009:~# skill -p 13481
> > [2]+  Done                    netcat -v -l -p 4242
> > root@deb101-x86-0009:~# ausearch -p 13481
> > ----
> > time->Fri Oct 20 22:00:42 2023
> > type=PROCTITLE msg=audit(1697828442.603:2697):
> > proctitle=6E6574636174002D76002D6C002D700034323432
> > type=PATH msg=audit(1697828442.603:2697): item=1
> > name="/lib/ld-linux.so.2" inode=655382 dev=fe:00 mode=0100755 ouid=0
> > ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000
> > cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> > type=PATH msg=audit(1697828442.603:2697): item=0
> > name="/usr/bin/netcat" inode=664887 dev=fe:00 mode=0100755 ouid=0
> > ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000
> > cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> > type=CWD msg=audit(1697828442.603:2697): cwd="/root"
> > type=EXECVE msg=audit(1697828442.603:2697): argc=5 a0="netcat" a1="-v"
> > a2="-l" a3="-p" a4="4242"
> > type=SYSCALL msg=audit(1697828442.603:2697): arch=40000003 syscall=11
> > success=yes exit=0 a0=e36400 a1=d9d9e0 a2=e3a310 a3=584988 items=2
> > ppid=12968 pid=13481 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=pts1 ses=4 comm="netcat"
> > exe="/usr/bin/nc.traditional" subj==unconfined key=(null)
> > root@deb101-x86-0009:~# auditctl -l
> > -a always,exit -F arch=b32 -S fork,execve,clone,vfork,execveat
> > -a always,exit -F arch=b32 -S bind,connect,listen,accept4
> > root@deb101-x86-0009:~# auditctl -s
> > enabled 1
> > failure 1
> > pid 13393
> > rate_limit 0
> > backlog_limit 8192
> > lost 0
> > backlog 0
> > backlog_wait_time 0
> > loginuid_immutable 0 unlocked
> > root@deb101-x86-0009:~# uname -a
> > Linux deb101-x86-0009.avp.ru.local 4.19.0-6-686-pae #1 SMP Debian
> > 4.19.67-2+deb10u2 (2019-11-11) i686 GNU/Linux
> > root@deb101-x86-0009:~# cat /etc/debian_version
> > 10.1
> > root@deb101-x86-0009:~#
> > 
> > 
> > Regards
> > Rinat
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://listman.redhat.com/mailman/listinfo/linux-audit

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit