
I have my original problem described here: https://serverfault.com/questions/958571/what-these-dns-queries-means. It's about UDP packets, the origin of which I cannot determine. To solve the problem I have followed the advice of user @A.B, namely here: https://serverfault.com/questions/192893/how-i-can-identify-which-process-is-making-udp-traffic-on-linux/193088#193088. According to this advice I have installed auditd, apparently with success:

auditctl -l
No rules

But when I run an auditctl command, I get an error:

auditctl -a exit,always -F arch=b32 -F a0=2 -F a1\&=2 -S socket -k SOCKET
Syscall name unknown: socket

Can you help me in my issue?

klpu39
  • 23

1 Answer


Certain architectures, mainly 32-bit Intel x86, did not use individual syscalls for socket operations – instead they had a single multiplexed socketcall(2) entry point.

So when a program called socket(...), libc would translate it to socketcall(SYS_SOCKET, ...).

Individual socket syscalls, including socket(2), were added in kernel 4.3.0 – but your auditctl is too old to know about that (its own syscall list was only updated in auditd v2.5.0), and likewise, your libc is probably too old to use the individual syscalls anyway (this support was added in glibc v2.23).

To match socket() calls, you'll probably need -S socketcall -F a0=1 -F a1=2 ..., as the 0th argument is actually the called function (SYS_SOCKET=1) and the real arguments start from a1 instead.

grawity
  • 501,077
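As an added worked example (not part of the answer above or the auditd project), the script below builds the rule for the multiplexed case and decodes the records auditd writes for it. It assumes the i386 syscall numbers socketcall=102 and socket=359 (the latter only on 4.3+ kernels), x86_64 socket=41, and the socketcall function numbers from include/uapi/linux/net.h. One caveat the decoder makes visible: the kernel receives socketcall's real arguments through a pointer in a1, so the SYSCALL record's a1 holds a user-space address; auditd logs the unpacked values (domain, type, protocol) in a companion SOCKETCALL record of the same event, which is where the address family should be read from. The rule emitted here therefore filters on a0 (the function selector) only. The sample records are constructed to follow the audit.log shape; the addresses and pids are made up.

```shell
#!/bin/sh
# Added example (not from the original question or answer): build the audit
# rule for socket() creation on an i386 system that still goes through the
# socketcall(2) multiplexer, and decode the records auditd writes for it.
# Assumed syscall numbers: i386 socketcall=102, i386 socket=359 (Linux 4.3+),
# x86_64 socket=41. Audit arch values: i386=40000003, x86_64=c000003e.

AF_INET=2
SYS_SOCKET=1          # socketcall(2) function number for socket()

# Emit the auditctl arguments for the given ABI. For b32 the kernel or the
# auditctl in use is assumed not to know the native socket syscall, so the
# multiplexer is matched instead. Only a0 (the function selector) is filtered:
# socketcall's a1 is the user-space address of the argument array, so the
# address family cannot be matched there.
socket_rule() {
    case "$1" in
        b32) echo "-a exit,always -F arch=b32 -S socketcall -F a0=$SYS_SOCKET -k SOCKET" ;;
        b64) echo "-a exit,always -F arch=b64 -S socket -F a0=$AF_INET -k SOCKET" ;;
        *)   echo "unsupported abi: $1" >&2; return 1 ;;
    esac
}

# Map a socketcall(2) function number (include/uapi/linux/net.h) to its name.
socketcall_name() {
    case "$1" in
        1) echo socket ;;      2) echo bind ;;        3) echo connect ;;
        4) echo listen ;;      5) echo accept ;;      6) echo getsockname ;;
        7) echo getpeername ;; 8) echo socketpair ;;  9) echo send ;;
        10) echo recv ;;       11) echo sendto ;;     12) echo recvfrom ;;
        13) echo shutdown ;;   14) echo setsockopt ;; 15) echo getsockopt ;;
        16) echo sendmsg ;;    17) echo recvmsg ;;    18) echo accept4 ;;
        19) echo recvmmsg ;;   20) echo sendmmsg ;;
        *) echo "unknown($1)" ;;
    esac
}

# Extract key=value fields of one raw audit record into the shell variables
# r_arch, r_syscall, r_nargs, r_a0..r_a2 (argument values converted from hex).
parse_record() {
    r_arch=; r_syscall=; r_nargs=; r_a0=; r_a1=; r_a2=
    set -f                      # no pathname expansion while splitting the record
    for kv in $1; do
        case "$kv" in
            arch=*)    r_arch=${kv#arch=} ;;
            syscall=*) r_syscall=${kv#syscall=} ;;
            nargs=*)   r_nargs=${kv#nargs=} ;;
            a0=*)      r_a0=$((0x${kv#a0=})) ;;
            a1=*)      r_a1=$((0x${kv#a1=})) ;;
            a2=*)      r_a2=$((0x${kv#a2=})) ;;
        esac
    done
    set +f
}

# Decode a socket() creation event. $1 is the SYSCALL record; $2 is the
# SOCKETCALL record that accompanies it on the multiplexed path (empty
# otherwise). Prints "socket(domain=D type=T protocol=P)" when the arguments
# are recoverable, or a description of what was seen.
decode_socket_event() {
    parse_record "$1"
    case "$r_arch:$r_syscall" in
        40000003:102)
            fn=$(socketcall_name "$r_a0")
            [ "$fn" = socket ] || { echo "socketcall($fn, ...)"; return 0; }
            # Without the companion record only the pointer to the args is known.
            [ -n "${2:-}" ] || { echo "socketcall(socket, args at 0x$(printf %x "$r_a1"))"; return 0; }
            parse_record "$2"
            echo "socket(domain=$r_a0 type=$r_a1 protocol=$r_a2)" ;;
        40000003:359|c000003e:41)
            echo "socket(domain=$r_a0 type=$r_a1 protocol=$r_a2)" ;;
        *)
            echo "syscall $r_syscall on arch $r_arch" ;;
    esac
}

# Constructed sample records (shape follows audit.log, values are made up):
# the same socket(AF_INET, SOCK_DGRAM, 0) call on i386 via socketcall, on i386
# via the native syscall, and on x86_64.
REC_I386_MUX='type=SYSCALL msg=audit(1553000000.001:100): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bffe0a10 a2=0 a3=0 pid=1234 comm="ntpdate" key="SOCKET"'
REC_I386_MUX_ARGS='type=SOCKETCALL msg=audit(1553000000.001:100): nargs=3 a0=2 a1=2 a2=0'
REC_I386_NATIVE='type=SYSCALL msg=audit(1553000000.002:101): arch=40000003 syscall=359 success=yes exit=3 a0=2 a1=2 a2=0 a3=0 pid=1235 comm="ntpdate" key="SOCKET"'
REC_X86_64='type=SYSCALL msg=audit(1553000000.003:102): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=2 a2=0 a3=0 pid=1236 comm="ntpdate" key="SOCKET"'

if [ "${1:-}" = demo ]; then
    socket_rule b32
    decode_socket_event "$REC_I386_MUX" "$REC_I386_MUX_ARGS"
    decode_socket_event "$REC_I386_MUX" ""
    decode_socket_event "$REC_I386_NATIVE" ""
    decode_socket_event "$REC_X86_64" ""
fi
```

Run it with `sh script.sh demo` to see the rule and the three decoded events. When reading a real audit.log, pair the SYSCALL and SOCKETCALL lines by the `msg=audit(timestamp:serial)` value, which is identical for all records of one event; `ausearch -k SOCKET` prints them grouped for you.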