Linux-audit Archive mirror
From: Rinat Gadelshin <rgadelsh@gmail.com>
To: linux-audit@redhat.com
Subject: Couldn't get audit messages for 'listen' on kernel 4.19.0-6-686-pae
Date: Sun, 22 Oct 2023 08:27:18 +0300	[thread overview]
Message-ID: <d1d9dd09-3c95-4488-ba05-f2d655895a2c@gmail.com> (raw)
In-Reply-To: <0c22c924-2c1d-4a4f-a4f2-ea477999c8a4@kaspersky.com>

Hello there!

I'm facing a strange problem.
I have not been able to get audit reports for any "network" syscall
on one of the computers from my test bench.
I mean 'connect', 'accept4', 'listen', 'bind', 'socket'.
The following example shows that auditd couldn't get them too ('listen' 
at least).
But I've received a report about 'execve' called by the same process.

Could you tell me what I can do in order to receive audit messages for 
the syscalls from this version of the kernel?

Any help will be appreciated.


root@deb101-x86-0009:~# netcat -v -l -p 4242 &
[2] 13481
root@deb101-x86-0009:~# listening on [any] 4242 ...
root@deb101-x86-0009:~# echo "Test" | nc -q 0 127.0.0.1 4242
connect to [127.0.0.1] from localhost [127.0.0.1] 36650
Test
root@deb101-x86-0009:~# skill -p 13481
[2]+  Done                    netcat -v -l -p 4242
root@deb101-x86-0009:~# ausearch -p 13481
----
time->Fri Oct 20 22:00:42 2023
type=PROCTITLE msg=audit(1697828442.603:2697): 
proctitle=6E6574636174002D76002D6C002D700034323432
type=PATH msg=audit(1697828442.603:2697): item=1 
name="/lib/ld-linux.so.2" inode=655382 dev=fe:00 mode=0100755 ouid=0 
ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 
cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1697828442.603:2697): item=0 name="/usr/bin/netcat" 
inode=664887 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 
nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 
cap_fver=0
type=CWD msg=audit(1697828442.603:2697): cwd="/root"
type=EXECVE msg=audit(1697828442.603:2697): argc=5 a0="netcat" a1="-v" 
a2="-l" a3="-p" a4="4242"
type=SYSCALL msg=audit(1697828442.603:2697): arch=40000003 syscall=11 
success=yes exit=0 a0=e36400 a1=d9d9e0 a2=e3a310 a3=584988 items=2 
ppid=12968 pid=13481 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=pts1 ses=4 comm="netcat" 
exe="/usr/bin/nc.traditional" subj==unconfined key=(null)
root@deb101-x86-0009:~# auditctl -l
-a always,exit -F arch=b32 -S fork,execve,clone,vfork,execveat
-a always,exit -F arch=b32 -S bind,connect,listen,accept4
root@deb101-x86-0009:~# auditctl -s
enabled 1
failure 1
pid 13393
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 0
loginuid_immutable 0 unlocked
root@deb101-x86-0009:~# uname -a
Linux deb101-x86-0009.avp.ru.local 4.19.0-6-686-pae #1 SMP Debian 
4.19.67-2+deb10u2 (2019-11-11) i686 GNU/Linux
root@deb101-x86-0009:~# cat /etc/debian_version
10.1
root@deb101-x86-0009:~#


Regards
Rinat

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
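As an added example (not part of the post above, nor of audit-userspace), here is a small Python decoder for records like the ones in the transcript. It turns the `arch=` and `syscall=` numbers of a SYSCALL record into names, decodes the hex PROCTITLE, and, when the i386 `socketcall(2)` multiplexer (syscall 102) appears, reads the sub-call from `a0`. The point for the rules shown in the post: `-S listen` with `arch=b32` matches only the direct `listen` syscall number, so a process that reaches `listen()` through `socketcall(2)` generates no event for that rule, and a coverage summary over the log makes that gap visible. The SYSCALL record with `syscall=102` at the end of the sample is constructed; the other sample lines are the post's own records re-joined after mail wrapping. The syscall tables are partial and the function names are mine.

```python
"""Decode Linux audit SYSCALL/PROCTITLE records and summarise which
network syscalls, per architecture, actually reached the log."""
import re

# AUDIT_ARCH_* values as they appear in a SYSCALL record's arch= field.
AUDIT_ARCH = {0x40000003: "i386", 0xC000003E: "x86_64"}

# Partial syscall tables: only the numbers relevant to this check are listed.
SYSCALL_NAMES = {
    "i386": {11: "execve", 102: "socketcall", 359: "socket", 361: "bind",
             362: "connect", 363: "listen", 364: "accept4"},
    "x86_64": {41: "socket", 42: "connect", 43: "accept", 49: "bind",
               50: "listen", 59: "execve", 288: "accept4"},
}
# socketcall(2) multiplexes the socket API on i386; a0 selects the sub-call.
SOCKETCALL_SUBCALLS = {1: "socket", 2: "bind", 3: "connect", 4: "listen",
                       5: "accept", 18: "accept4"}

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): ?(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_record(line):
    """Return (type, event_id, fields) for one raw audit record line."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, event_id, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, int(event_id), fields


def decode_proctitle(hexstr):
    """PROCTITLE carries argv NUL-separated and hex-encoded."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\x00")


def describe_syscall(fields):
    """Map arch/syscall (and a socketcall sub-call) to 'arch/name'."""
    arch = AUDIT_ARCH.get(int(fields["arch"], 16), fields["arch"])
    nr = int(fields["syscall"])
    name = SYSCALL_NAMES.get(arch, {}).get(nr, str(nr))
    if name == "socketcall":
        sub = int(fields.get("a0", "0"), 16)   # a0..a3 are printed in hex
        name = "socketcall(%s)" % SOCKETCALL_SUBCALLS.get(sub, sub)
    return "%s/%s" % (arch, name)


def syscall_coverage(lines, wanted=("bind", "connect", "listen", "accept4")):
    """For each wanted syscall, list how it showed up (direct or via socketcall).

    An empty list for a name the rules claim to cover means either the call
    never happened or it was reached through a syscall the rule does not name.
    """
    seen = {w: [] for w in wanted}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec[0] != "SYSCALL":
            continue
        desc = describe_syscall(rec[2])
        for w in wanted:
            if desc.endswith("/" + w) or desc.endswith("(%s)" % w):
                seen[w].append(desc)
    return seen


# Records from the post, re-joined onto one line each (mail wrapping removed),
# plus one constructed socketcall(2) record to show the multiplexed case.
SAMPLE = [
    'type=PROCTITLE msg=audit(1697828442.603:2697): proctitle=6E6574636174002D76002D6C002D700034323432',
    'type=EXECVE msg=audit(1697828442.603:2697): argc=5 a0="netcat" a1="-v" a2="-l" a3="-p" a4="4242"',
    'type=SYSCALL msg=audit(1697828442.603:2697): arch=40000003 syscall=11 success=yes exit=0 '
    'a0=e36400 a1=d9d9e0 a2=e3a310 a3=584988 items=2 ppid=12968 pid=13481 auid=0 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="netcat" '
    'exe="/usr/bin/nc.traditional" subj==unconfined key=(null)',
    # constructed: what listen() issued through socketcall(2) looks like on i386
    'type=SYSCALL msg=audit(1697828443.100:2698): arch=40000003 syscall=102 success=yes exit=0 '
    'a0=4 a1=bfb8c0 a2=0 a3=0 items=0 ppid=12968 pid=13481 auid=0 uid=0 gid=0 '
    'comm="netcat" exe="/usr/bin/nc.traditional" key=(null)',
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_record(line)
        if rec[0] == "PROCTITLE":
            print("event %d argv: %s" % (rec[1], decode_proctitle(rec[2]["proctitle"])))
        elif rec[0] == "SYSCALL":
            print("event %d syscall: %s" % (rec[1], describe_syscall(rec[2])))
    for name, hits in syscall_coverage(SAMPLE).items():
        print("%-8s %s" % (name, hits or "not seen"))
```

To feed it real data, pipe raw (non-`-i`) `ausearch` output through `parse_record` line by line. A quick way to confirm which path a binary takes is `strace -e trace=network` on it: if the trace shows `socketcall(SYS_LISTEN, ...)`, the rule set needs `-S socketcall` (optionally narrowed with `-F a0=4` for listen) alongside the direct names, because the direct-name rule alone never fires for that process.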
