From: Steve Grubb
Subject: Re: How to audit socket close system call?
Date: Fri, 19 Dec 2014 09:37:15 -0500
Message-ID: <1466007.JfWioEVIc5@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, December 19, 2014 02:06:52 PM Jie Cui wrote:
> How to audit socket close system call?

There's not a good answer on that one.

> I can audit the socket connection by 'connect' system call.
> I can also audit the socket termination by 'shutdown' system call.
> But I can't figure out how to audit when the socket is closed.

In the past, the kernel developers said that is an exercise left to post
processing in user space. Meaning that we'd have to collect everything and
then sort it out after the fact. You have the FD returned from socket(2).
So, you can audit closes and then match the FD. Unfortunately, you'll get
all closes for all programs unless you had some way to restrict it to the
process in question. There is a patch under development for audit by
process name. That would at least have allowed restricting closes to a
particular program, which would be more manageable.

> Does the 'close' system call work?

Yes.

> However, all the file close events will also be audited. That's not what
> I want.

I can understand. But there is nothing in the present kernel except pid,
auid, and subj_type to restrict the auditing in a logical way. If you can
think of another way, please propose it. But all the kernel has to work
with is an fd number and what's in the process struct. Audit by process
name holds the most hope for limiting what gets collected.

-Steve
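The post-processing Steve describes, as an added example that is not part of the original thread or of the audit project: audit socket(2) and close(2) for one auid (one of the filters the kernel does support), then match each close() in user space against the fd that socket() returned in the same pid, so plain file closes drop out. The auditctl rule, the key name "sockwatch", auid 1000, and the sample records are all assumptions; the records are constructed in the shape of x86_64 SYSCALL lines from audit.log, not real captures.

```python
"""
Match close(2) records against the fds returned by socket(2) in the same pid.

Rule assumed to be loaded beforehand (x86_64; key name and auid are assumptions):

    auditctl -a always,exit -F arch=b64 -S socket,connect,shutdown,close \
             -F auid=1000 -k sockwatch

Only SYSCALL records are used; SOCKADDR/PROCTITLE/EOE records of the same
event are skipped. Syscall arguments (a0..a3) are logged in hex, exit in decimal.
"""
import re

# x86_64 syscall numbers (arch/x86/entry/syscalls/syscall_64.tbl)
SYS_CLOSE, SYS_SOCKET, SYS_CONNECT, SYS_SHUTDOWN = 3, 41, 42, 48

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Return the key=value fields of one SYSCALL record as a dict, else None."""
    if not line.startswith("type=SYSCALL"):
        return None
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["ts"], fields["serial"] = m.group(1), int(m.group(2))
    return fields


def socket_closes(lines):
    """Return [(pid, fd, serial, comm)] for every close() of an fd that socket()
    returned in the same pid. Failed calls, closes of non-socket fds and closes
    in other pids are ignored; fd numbers reused after a close are tracked again."""
    open_socks = {}  # pid -> set of fds handed out by socket(2) and not yet closed
    events = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.get("success") != "yes":
            continue
        pid, nr = int(rec["pid"]), int(rec["syscall"])
        if nr == SYS_SOCKET:
            open_socks.setdefault(pid, set()).add(int(rec["exit"]))
        elif nr == SYS_CLOSE:
            fd = int(rec["a0"], 16)  # a0 is the fd, logged in hex
            if fd in open_socks.get(pid, ()):
                open_socks[pid].discard(fd)
                events.append((pid, fd, rec["serial"], rec.get("comm")))
    return events


def _rec(serial, pid, syscall, success="yes", exit="0", a0="0", comm="curl"):
    """Build a constructed SYSCALL record in audit.log layout (sample data only)."""
    return (f'type=SYSCALL msg=audit(1418999835.123:{serial}): arch=c000003e '
            f'syscall={syscall} success={success} exit={exit} a0={a0} a1=1 a2=6 a3=0 '
            f'items=0 ppid=1 pid={pid} auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 '
            f'fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="{comm}" '
            f'exe="/usr/bin/{comm}" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="sockwatch"')


# Constructed sample log: one curl process plus an unrelated sshd close.
SAMPLE_LOG = [
    _rec(100, 1234, SYS_SOCKET, exit="3", a0="2"),                       # socket() -> fd 3
    _rec(101, 1234, SYS_CLOSE, a0="4"),                                   # close(4): a file, ignored
    _rec(102, 5678, SYS_CLOSE, a0="3", comm="sshd"),                      # close(3) in another pid
    "type=SOCKADDR msg=audit(1418999835.123:103): saddr=02000050C0A8010A0000000000000000",
    _rec(103, 1234, SYS_CONNECT, a0="3"),                                 # connect(3, ...)
    _rec(104, 1234, SYS_CLOSE, a0="3"),                                   # close(3): the socket
    _rec(105, 1234, SYS_CLOSE, success="no", exit="-9(EBADF)", a0="3"),   # failed close, ignored
    _rec(106, 1234, SYS_SOCKET, exit="3", a0="2"),                        # fd 3 reused for a new socket
    _rec(107, 1234, SYS_CLOSE, a0="3"),                                   # close(3): the new socket
]

if __name__ == "__main__":
    for pid, fd, serial, comm in socket_closes(SAMPLE_LOG):
        print(f"socket fd {fd} closed by pid {pid} ({comm}) at audit serial {serial}")
```

On a live system feed it `ausearch -k sockwatch --raw` output (one record per line) instead of SAMPLE_LOG. The match is only as good as the audit coverage: a socket fd obtained through accept(2), socketpair(2), dup(2) or passed over SCM_RIGHTS is not in the tracked set unless those calls are audited and handled too, and pid reuse across a long log should be bounded by the timestamp.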