From: Steve Grubb <sgrubb@redhat.com>
To: Hassan Sultan <hsultan@thefroid.net>
Cc: linux-audit@redhat.com
Subject: Re: How to audit socket close system call?
Date: Sun, 21 Dec 2014 11:04:11 -0500 [thread overview]
Message-ID: <1930294.5t5XqVLX2d@x2> (raw)
In-Reply-To: <op.xq6l8lgs1jp0b1@content.bigsnout.com>
On Saturday, December 20, 2014 11:39:47 AM Hassan Sultan wrote:
> Are you interested in the syscalls on sockets specifically, or are you
> interested in the network connections underlying these calls instead ?
>
> You could use netfilter/conntrack instead of auditd if your interest
> really is the network connections rather than sockets.
There is also an AUDIT target for netfilter rules so that events you are
interested in are recorded in the audit log.
-Steve
> You'll get notified of the various TCP states, so even if a socket is closed
> rather than shutdown (say when a process dies), you should be able to know
> about it that way.
>
> Thanks,
>
> Hassan
>
> On Fri, 19 Dec 2014 06:37:15 -0800, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Friday, December 19, 2014 02:06:52 PM Jie Cui wrote:
> >> How to audit socket close system call?
> >
> > There's not a good answer on that one.
> >
> >> I can audit the socket connection by 'connect' system call.
> >> I can also audit the socket termination by 'shutdown' system call.
> >> But I can't figure out how to audit when the socket is closed.
> >
> > In the past, the kernel developers said that is an exercise left to post
> > processing in user space. Meaning that we'd have to collect everything
> > and
> > then sort it out after the fact. You have the FD returned from
> > socket(2). So,
> > you can audit closes and then match the FD.
> >
> > Unfortunately, you'll get all closes for all programs unless you had
> > some way
> > to restrict it to the process in question. There is a patch under
> > development
> > for audit by process name. That would at least have allowed restricting
> > closes
> > to a particular program which would be more manageable.
> >
> >> Does the 'close' system call works?
> >
> > Yes.
> >
> >> However all the file close events will also be auditing. That's not
> >> what I
> >> want.
> >
> > I can understand. But, there is nothing in the present kernel except pid,
> > auid, and subj_type to restrict the auditing in a logical way. If you can
> > think of another way, please propose it. But all the kernel has to work
> > with
> > is an fd number and what's in the process struct. Audit by process name
> > holds
> > the most hope for limiting what gets collected.
> >
> > -Steve
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2014-12-21 16:04 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-19 6:06 How to audit socket close system call? Jie Cui
2014-12-19 14:37 ` Steve Grubb
2014-12-20 19:39 ` Hassan Sultan
2014-12-21 16:04 ` Steve Grubb [this message]
2015-01-08 22:55 ` Alexander Viro
2015-01-09 18:22 ` LC Bruzenak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1930294.5t5XqVLX2d@x2 \
--to=sgrubb@redhat.com \
--cc=hsultan@thefroid.net \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).