From: Rinat Gadelshin <rgadelsh@gmail.com>
To: linux-audit@redhat.com
Subject: Couldn't get audit messages for 'listen' on kernel 4.19.0-6-686-pae
Date: Sun, 22 Oct 2023 08:27:18 +0300 [thread overview]
Message-ID: <d1d9dd09-3c95-4488-ba05-f2d655895a2c@gmail.com> (raw)
In-Reply-To: <0c22c924-2c1d-4a4f-a4f2-ea477999c8a4@kaspersky.com>
Hello there!
I'm facing a strange problem.
I have not been able to get audit reports for any "network" syscall
on one of the computers from my test bench.
I mean 'connect', 'accept4', 'listen', 'bind', 'socket'.
The following example shows that auditd couldn't get them too ('listen'
at least).
But I've received a report about 'execve' called by the same process.
Could you tell me what can I do in order to receive audit messages for
the syscalls.
from this version of the kernel?
Any help will be will be appreciated.
root@deb101-x86-0009:~# netcat -v -l -p 4242 &
[2] 13481
root@deb101-x86-0009:~# listening on [any] 4242 ...
root@deb101-x86-0009:~# echo "Test" | nc -q 0 127.0.0.1 4242
connect to [127.0.0.1] from localhost [127.0.0.1] 36650
Test
root@deb101-x86-0009:~# skill -p 13481
[2]+ Done netcat -v -l -p 4242
root@deb101-x86-0009:~# ausearch -p 13481
----
time->Fri Oct 20 22:00:42 2023
type=PROCTITLE msg=audit(1697828442.603:2697):
proctitle=6E6574636174002D76002D6C002D700034323432
type=PATH msg=audit(1697828442.603:2697): item=1
name="/lib/ld-linux.so.2" inode=655382 dev=fe:00 mode=0100755 ouid=0
ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000
cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1697828442.603:2697): item=0 name="/usr/bin/netcat"
inode=664887 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0
cap_fver=0
type=CWD msg=audit(1697828442.603:2697): cwd="/root"
type=EXECVE msg=audit(1697828442.603:2697): argc=5 a0="netcat" a1="-v"
a2="-l" a3="-p" a4="4242"
type=SYSCALL msg=audit(1697828442.603:2697): arch=40000003 syscall=11
success=yes exit=0 a0=e36400 a1=d9d9e0 a2=e3a310 a3=584988 items=2
ppid=12968 pid=13481 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=4 comm="netcat"
exe="/usr/bin/nc.traditional" subj==unconfined key=(null)
root@deb101-x86-0009:~# auditctl -l
-a always,exit -F arch=b32 -S fork,execve,clone,vfork,execveat
-a always,exit -F arch=b32 -S bind,connect,listen,accept4
root@deb101-x86-0009:~# auditctl -s
enabled 1
failure 1
pid 13393
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 0
loginuid_immutable 0 unlocked
root@deb101-x86-0009:~# uname -a
Linux deb101-x86-0009.avp.ru.local 4.19.0-6-686-pae #1 SMP Debian
4.19.67-2+deb10u2 (2019-11-11) i686 GNU/Linux
root@deb101-x86-0009:~# cat /etc/debian_version
10.1
root@deb101-x86-0009:~#
Regards
Rinat
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2023-10-22 5:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-20 19:14 Couldn't get audit messages for 'listen' on kernel 4.19.0-6-686-pae Rinat Gadelshin
2023-10-22 5:27 ` Rinat Gadelshin [this message]
2023-10-23 13:06 ` Rinat Gadelshin
2023-10-23 16:19 ` Steve Grubb
2023-10-23 17:37 ` Rinat Gadelshin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d1d9dd09-3c95-4488-ba05-f2d655895a2c@gmail.com \
--to=rgadelsh@gmail.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).