From: Steve Grubb <sgrubb@redhat.com>
To: Hassan Sultan <hsultan@thefroid.net>
Cc: linux-audit@redhat.com
Subject: Re: How to audit socket close system call?
Date: Sun, 21 Dec 2014 11:04:11 -0500
Message-ID: <1930294.5t5XqVLX2d@x2>
In-Reply-To: <op.xq6l8lgs1jp0b1@content.bigsnout.com>

On Saturday, December 20, 2014 11:39:47 AM Hassan Sultan wrote:
> Are you interested in the syscalls on sockets specifically, or are you
> interested in the network connections underlying these calls instead ?
> 
> You could use netfilter/conntrack instead of auditd if your interest
> really is the network connections rather than sockets.

There is also an AUDIT target for netfilter rules so that events you are 
interested in are recorded in the audit log.

-Steve

> You'll get notified of the various TCP states, so even if a socket is closed
> rather than shutdown (say when a process dies), you should be able to know
> about it that way.
> 
> Thanks,
> 
> Hassan
> 
> On Fri, 19 Dec 2014 06:37:15 -0800, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Friday, December 19, 2014 02:06:52 PM Jie Cui wrote:
> >> How to audit socket close system call?
> > 
> > There's not a good answer on that one.
> > 
> >> I can audit the socket connection by 'connect' system call.
> >> I can also audit the socket termination by 'shutdown' system call.
> >> But I can't figure out how to audit when the socket is closed.
> > 
> > In the past, the kernel developers said that is an exercise left to post
> > processing in user space. Meaning that we'd have to collect everything and
> > then sort it out after the fact. You have the FD returned from socket(2). So,
> > you can audit closes and then match the FD.
> > 
> > Unfortunately, you'll get all closes for all programs unless you had some way
> > to restrict it to the process in question. There is a patch under development
> > for audit by process name. That would at least have allowed restricting closes
> > to a particular program which would be more manageable.
> > 
> >> Does the 'close' system call work?
> > 
> > Yes.
> > 
> >> However all the file close events will also be audited. That's not what I
> >> want.
> > 
> > I can understand. But, there is nothing in the present kernel except pid,
> > auid, and subj_type to restrict the auditing in a logical way. If you can
> > think of another way, please propose it. But all the kernel has to work with
> > is an fd number and what's in the process struct. Audit by process name holds
> > the most hope for limiting what gets collected.
> > 
> > -Steve
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
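The post-processing approach described in the quoted reply (record socket()/close() for everything, then match the FD returned by socket(2) against later close(2) calls for the same pid) can be shown as a small correlator. The script below is an added example written for this page, not code from the thread or from the audit project. It assumes x86_64 records (arch=c000003e, so syscall numbers 3=close, 41=socket, 43=accept, 288=accept4, 231=exit_group), a rule set along the lines of `-a always,exit -F arch=b64 -S socket,accept,accept4,connect,close,exit_group -F auid=1000 -k net`, and the sample log lines inside it are constructed, not captured. It also handles the case Hassan raised: a process that dies without calling close(), whose exit_group record is used to retire its remaining sockets.

```python
#!/usr/bin/env python3
"""Correlate audit SYSCALL records so that close(2) of a socket can be told
apart from close(2) of an ordinary file.

Added example for the linux-audit thread on auditing socket close; not code
from the thread. Assumes x86_64 syscall numbers and audit's key=value record
format. The sample log below is constructed, not a real capture.
"""
import re
from dataclasses import dataclass, field

# x86_64 syscall numbers (asm/unistd_64.h). The audit record carries the number, not the name.
SYS_CLOSE, SYS_SOCKET, SYS_CONNECT = 3, 41, 42
SYS_ACCEPT, SYS_ACCEPT4, SYS_EXIT_GROUP = 43, 288, 231

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one audit record into its key=value fields; ints for syscall/pid/exit."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec["ts"], rec["serial"] = float(m.group(1)), int(m.group(2))
    for k in ("syscall", "pid", "exit"):
        if k in rec:
            rec[k] = int(rec[k])
    return rec


@dataclass
class Result:
    closed: list = field(default_factory=list)      # (pid, fd, comm, how, open_serial, close_serial)
    still_open: list = field(default_factory=list)  # (pid, fd, comm): never seen closed
    noise_closes: int = 0                           # close() of fds no socket()/accept() returned


def correlate(lines) -> Result:
    """Match each close(2) to the socket()/accept() that created the same (pid, fd)."""
    open_socks = {}  # (pid, fd) -> record that returned the fd
    res = Result()
    for line in lines:
        if not line.startswith("type=SYSCALL"):
            continue  # skips e.g. SOCKADDR and NETFILTER_PKT records
        r = parse_record(line)
        pid, sc = r["pid"], r["syscall"]
        if sc in (SYS_SOCKET, SYS_ACCEPT, SYS_ACCEPT4) and r.get("success") == "yes":
            # exit= is the new descriptor. Overwriting an existing key copes with
            # fd-number reuse when the earlier close() was not captured.
            open_socks[(pid, r["exit"])] = r
        elif sc == SYS_CLOSE and r.get("success") == "yes":
            fd = int(r["a0"], 16)  # syscall arguments are logged in hex
            sock = open_socks.pop((pid, fd), None)
            if sock is None:
                res.noise_closes += 1  # a file, pipe, etc.: the noise the thread complains about
            else:
                res.closed.append((pid, fd, r.get("comm"), "close", sock["serial"], r["serial"]))
        elif sc == SYS_EXIT_GROUP:
            # Process death closes every fd implicitly; no close() record will follow.
            for key in [k for k in open_socks if k[0] == pid]:
                sock = open_socks.pop(key)
                res.closed.append((key[0], key[1], sock.get("comm"), "exit", sock["serial"], r["serial"]))
    res.still_open = [(p, fd, s.get("comm")) for (p, fd), s in open_socks.items()]
    return res


# Constructed sample records (field lists shortened). pid 1234 opens a socket,
# connects, closes an unrelated fd 4, then closes the socket; pid 1300 opens a
# socket and exits without closing it; pid 2000 closes a non-socket fd 10 (hex a).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1419007471.101:200): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 items=0 ppid=900 pid=1234 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="net"
type=SYSCALL msg=audit(1419007471.102:201): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd5c3e10 a2=10 a3=0 items=0 ppid=900 pid=1234 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="net"
type=SYSCALL msg=audit(1419007471.103:202): arch=c000003e syscall=3 success=yes exit=0 a0=4 a1=0 a2=0 a3=0 items=0 ppid=900 pid=1234 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="net"
type=SYSCALL msg=audit(1419007471.104:203): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 ppid=900 pid=1234 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="net"
type=SYSCALL msg=audit(1419007471.105:204): arch=c000003e syscall=41 success=yes exit=10 a0=2 a1=1 a2=6 a3=0 items=0 ppid=900 pid=1300 auid=1000 uid=1000 comm="nc" exe="/usr/bin/nc" key="net"
type=SYSCALL msg=audit(1419007471.106:205): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=0 items=0 ppid=900 pid=1300 auid=1000 uid=1000 comm="nc" exe="/usr/bin/nc" key="net"
type=SYSCALL msg=audit(1419007471.107:206): arch=c000003e syscall=3 success=yes exit=0 a0=a a1=0 a2=0 a3=0 items=0 ppid=1 pid=2000 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="net"
type=SYSCALL msg=audit(1419007471.108:207): arch=c000003e syscall=41 success=yes exit=6 a0=2 a1=1 a2=6 a3=0 items=0 ppid=900 pid=1234 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="net"
"""

if __name__ == "__main__":
    res = correlate(SAMPLE_LOG.splitlines())
    for pid, fd, comm, how, opened, closed in res.closed:
        print(f"pid={pid} fd={fd} comm={comm} socket opened in #{opened}, closed by {how} in #{closed}")
    print("still open:", res.still_open)
    print("closes of non-socket fds (noise):", res.noise_closes)
```

On the sample input the two socket closes are recovered (one by close(), one by process exit), one socket is still open when the log ends, and two close() records are discarded as noise. In production the noise count is the real cost the quoted reply warns about: every close() in the filtered set is logged and only discarded here, after the fact. Records emitted by the netfilter AUDIT target (type=NETFILTER_PKT) are ignored by the type check, since they describe packets rather than descriptors.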


Thread overview: 6+ messages
2014-12-19  6:06 How to audit socket close system call? Jie Cui
2014-12-19 14:37 ` Steve Grubb
2014-12-20 19:39   ` Hassan Sultan
2014-12-21 16:04     ` Steve Grubb [this message]
2015-01-08 22:55 ` Alexander Viro
2015-01-09 18:22   ` LC Bruzenak
