auditctl: Syscall name unknown: socket

1

I have described my original problem here: https://serverfault.com/questions/958571/what-these-dns-queries-means. It's about UDP packets, the origin of which I cannot determine. To solve the problem I have followed the advice of user @A.B, namely here: https://serverfault.com/questions/192893/how-i-can-identify-which-process-is-making-udp-traffic-on-linux/193088#193088. According to this advice I have installed auditd, apparently with success:

auditctl -l
No rules

But when I run an auditctl command, I get an error:

auditctl -a exit,always -F arch=b32 -F a0=2 -F a1\&=2 -S socket -k SOCKET
Syscall name unknown: socket

Can you help me with my issue?

klpu39

Posted 2019-03-17T08:37:01.510

Reputation: 11

What CPU architecture are you running on? What kernel and auditctl versions do you run? – user1686 – 2019-03-17T09:41:50.527

I run a 32-bit OS. uname -a: Linux hp 4.4.0-143-generic #169-Ubuntu SMP Thu Feb 7 07:56:51 UTC 2019 i686 i686 i686 GNU/Linux. dpkg -l | grep auditd: ii auditd 1:2.4.5-1ubuntu2.1 i386 User space tools for security auditing. – klpu39 – 2019-03-17T10:03:43.930

Answers

0

Certain architectures, mainly 32-bit Intel x86, did not use individual syscalls for socket operations – instead they had a single multiplexed socketcall(2) entry point.

So when a program called socket(...), libc would translate it to socketcall(SYS_SOCKET, ...).

Individual socket syscalls, including socket(2), were added in kernel 4.3.0 – but your auditctl is too old to know about that (its own syscall list was only updated in auditd v2.5.0), and likewise, your libc is probably too old to use the individual syscalls anyway (this support was added in glibc v2.23).

To match socket() calls, you'll probably need -S socketcall -F a0=1 -F a1=2 ..., as the 0th argument is actually the called function (SYS_SOCKET=1) and the real arguments start from a1 instead.

user1686

Posted 2019-03-17T08:37:01.510

Reputation: 283 655

Unfortunately that is not my level. I have a "Bash-script" level. I can only be straightforward. For example: auditctl -a exit,always -F arch=b32 -S socketcall -F a0=1 -F a1=2 -k SOCKET: started without errors. Then I have produced DNS traffic. Then: ausearch -i -ts today -k SOCKET, which produces one line: type=CONFIG_CHANGE msg=audit(17.03.2019 11:33:03.919:964) : auid=kol ses=1 op="add_rule" key=SOCKET list=exit res=yes. – klpu39 – 2019-03-17T10:51:09.733
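As an added example (not part of the thread), a small Python decoder for raw ausearch records that applies the answer's point: on i386 a socket() call arrives as socketcall, where a0 names the multiplexed operation, while on x86_64 the socket syscall's a0 is the address family. Only the i386 and x86_64 arch and syscall numbers are included, and the sample records are constructed, not taken from the question.

```python
import re

# Audit arch values as printed in raw records (AUDIT_ARCH_I386, AUDIT_ARCH_X86_64).
ARCH_I386, ARCH_X86_64 = "40000003", "c000003e"
# Syscall numbers relevant here: socketcall is 102 on i386, socket is 41 on x86_64.
SYSCALL_NAMES = {ARCH_I386: {102: "socketcall"}, ARCH_X86_64: {41: "socket"}}
# socketcall(2) multiplexer numbers from <linux/net.h>; SYS_SOCKET is 1.
SOCKETCALL_OPS = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept",
                  11: "sendto", 12: "recvfrom", 16: "sendmsg", 17: "recvmsg"}
AF_NAMES = {1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6", 16: "AF_NETLINK"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not from the question), one per architecture.
SAMPLE_I386 = ('type=SYSCALL msg=audit(1552822383.919:965): arch=40000003 syscall=102 '
               'success=yes exit=3 a0=1 a1=bfd0a0c0 a2=0 a3=0 items=0 ppid=1 pid=4242 '
               'auid=1000 uid=1000 comm="dig" exe="/usr/bin/dig" key="SOCKET"')
SAMPLE_X86_64 = ('type=SYSCALL msg=audit(1552822383.919:966): arch=c000003e syscall=41 '
                 'success=yes exit=3 a0=2 a1=2 a2=11 a3=0 items=0 ppid=1 pid=4243 '
                 'auid=1000 uid=1000 comm="dig" exe="/usr/bin/dig" key="SOCKET"')


def parse_record(line):
    """Split a raw audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def describe_syscall(line):
    """Return (syscall name, operation, address family or None, comm) for a
    SYSCALL record, or None for other record types such as CONFIG_CHANGE."""
    rec = parse_record(line)
    if rec.get("type") != "SYSCALL":
        return None
    arch, nr = rec["arch"], int(rec["syscall"])
    name = SYSCALL_NAMES.get(arch, {}).get(nr, f"syscall#{nr}")
    a0 = int(rec["a0"], 16)  # audit prints syscall arguments in hex
    if name == "socketcall":
        # a0 is the socketcall number; a1 is the user-space address of the
        # argument array (see socketcall(2)), so the family is not in this record.
        return name, SOCKETCALL_OPS.get(a0, f"op#{a0}"), None, rec.get("comm")
    if name == "socket":
        return name, "socket", AF_NAMES.get(a0, f"AF#{a0}"), rec.get("comm")
    return name, None, None, rec.get("comm")


if __name__ == "__main__":
    for sample in (SAMPLE_I386, SAMPLE_X86_64):
        print(describe_syscall(sample))
```

Feed it the output of ausearch --raw (not the -i interpreted form, whose fields differ) to see which operation each audited socketcall record actually carries.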