Peter
08/05/2021, 2:57 PM
socket_events may be disappearing too. On a low load development machine I've been finding that I don't appear to be getting entries in the socket_events table for some connections, whereas others are just fine.
I was wondering if someone could point me in the right direction of how to debug this a bit further? 🧵

socket_events, and not eBPF, and there's no auditd installed on the machine. audit_allow_sockets and audit_allow_config set to true. disable_events and disable_audit are set to false. I've used auditctl -l to get the installed rules when osquery is running and I'm able to see the osquery installed rule(s) for connect,bind,execve,execveat at syscall exit. events_max temporarily on this machine to 500000 as a "just in case".

curl <https://www.google.com> I correctly see an entry in the socket_events a few moments later:

osquery> select path,remote_address from socket_events where remote_port = '443';
+---------------+----------------+
| path          | remote_address |
+---------------+----------------+
| /usr/bin/curl | 142.250.69.206 |
+---------------+----------------+

socket_events table. strace osquery and look for all recvfrom events, I can see an audit event for the associated connect syscall being sent over the audit socket to osquery. Apologies for the screen grab but it's a bit easier to visualise. curl to Google shows up in the socket_events table shortly before, but the outbound connection for TCP/1234 doesn't appear to ever appear in the socket_events table. --verbose - which might assist here or am I in "attach a debugger" territory?

Stefano Bonicatti
08/05/2021, 3:35 PM
--audit_debug=true

Peter
08/05/2021, 3:48 PM
socket_events table:
I0805 15:45:11.034433 9994 auditdnetlink.cpp:778] 1300, audit(1628178308.957:370181): arch=c000003e syscall=42 success=no exit=-115 a0=3 a1=c00008402c a2=10 a3=0 items=0 ppid=10035 pid=10064 auid=4294967295 uid=998 gid=1002 euid=998 suid=998 fsuid=998 egid=1002 sgid=1002 fsgid=1002 tty=pts6 ses=4294967295 comm="shell" exe="/home/ssm-user/shell/shell" key=(null)

Stefano Bonicatti
08/05/2021, 3:52 PM

Peter
08/05/2021, 4:32 PM
connect.
Looking at the fields in the audit message it appears that it may be non-blocking as result seems to indicate the exit code as -115. Looking at errno.h for Kernel 5.4 it appears this is EINPROGRESS?

Stefano Bonicatti
08/05/2021, 4:42 PM

Peter
08/05/2021, 4:44 PM
connect calls are "invisible" to osquery due to the issue mentioned above, at least for the time being?

Stefano Bonicatti
08/05/2021, 5:25 PM

Peter
08/05/2021, 5:26 PM

Stefano Bonicatti
08/05/2021, 6:30 PM

alessandrogario
08/19/2021, 3:53 PM

Peter
08/20/2021, 9:28 AM