From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Hassan Sultan" <hsultan@thefroid.net>
Subject: Re: How to audit socket close system call?
Date: Sat, 20 Dec 2014 11:39:47 -0800
Message-ID: <op.xq6l8lgs1jp0b1@content.bigsnout.com>
References: <CAC6KHBem2dx1ep+Xo_zPHuBe_w0pD6z76KndAv7kfbMttyeGDQ@mail.gmail.com>
	<1466007.JfWioEVIc5@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1466007.JfWioEVIc5@x2>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com, Steve Grubb <sgrubb@redhat.com>
List-Id: linux-audit@redhat.com

Are you interested in the syscalls on sockets specifically, or are you  
interested in the network connections underlying these calls instead ?

You could use netfilter/conntrack instead of auditd if your interest  
really is the network connections rather than sockets. You'll get notified  
of the various TCP states, so even if a socket is closed rather than  
shutdown (say when a process dies), you should be able to know about it  
that way.

Thanks,

Hassan

On Fri, 19 Dec 2014 06:37:15 -0800, Steve Grubb <sgrubb@redhat.com> wrote:

> On Friday, December 19, 2014 02:06:52 PM Jie Cui wrote:
>> How to audit socket close system call?
>
> There's not a good answer on that one.
>
>> I can audit the socket connection by 'connect' system call.
>> I can also audit the socket termination by 'shutdown' system call.
>> But I can't figure out how to audit when the socket is closed.
>
> In the past, the kernel developers said that is an exercise left to post
> processing in user space. Meaning that we'd have to collect everything  
> and
> then sort it out after the fact. You have the FD returned from  
> socket(2). So,
> you can audit closes and then match the FD.
>
> Unfortunately, you'll get all closes for all programs unless you had  
> some way
> to restrict it to the process in question. There is a patch under  
> development
> for audit by process name. That would at least have allowed restricting  
> closes
> to a particular program which would be more manageable.
>
>
>> Does the 'close' system call works?
>
> Yes.
>
>> However all the file close events will also be auditing. That's not  
>> what I
>> want.
>
> I can understand. But, there is nothing in the present kernel except pid,
> auid, and subj_type to restrict the auditing in a logical way. If you can
> think of another way, please propose it. But all the kernel has to work  
> with
> is an fd number and what's in the process struct. Audit by process name  
> holds
> the most hope for limiting what gets collected.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit