On Fri, Dec 19, 2014 at 02:06:52PM +0800, Jie Cui wrote:
> Hi all~
> How to audit socket close system call?
> I can audit the socket connection by 'connect' system call.
> I can also audit the socket termination by 'shutdown' system call.
> But I can't figure out how to audit when the socket is closed.
> Does the 'close' system call work? However, all the file close events will
> also be audited. That's not what I want.
_Which_ system call? It may be close(). It may be dup2(). It may be execve(). It may be exit(). It may be anything that kills a process (signal delivery from somebody else, segfault, etc.). It may be anything that triggers AF_UNIX garbage collection.

And conversely, any of those might very well be _not_ the final close; e.g. dup() + close() will leave the socket open - under a new file descriptor number. fork() + close() will do the same. So will sticking that descriptor into an SCM_RIGHTS datagram and passing it over an AF_UNIX socket, to be received by somebody at a later time - you can do close() after having sent that and it won't do a damn thing to the reference that went into the datagram.

Incidentally, that's a fine example of the reasons why syscall audit is useless for almost anything other than CYA. It's not that syscall tracing is useless - strace can be quite useful, actually. It's the bogus impression of coverage in case of watching what a live system does - a whole lot of events simply do not map onto "somebody had done a syscall with such and such arguments".

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
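The three cases the reply lists, as an added example that is not code from the thread or from the audit project: a C program that does dup() + close(), fork() + close(), and SCM_RIGHTS passing followed by close(), then asks the kernel with getsockopt(SO_TYPE) whether the surviving descriptor is still an open socket. It assumes Linux with AF_UNIX sockets available, and the function names are the example's own.

```c
/* Added example, not from the thread: the ways the reply lists for a socket to outlive
 * the close() audit records. Assumes Linux/AF_UNIX; helper names are the example's own. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* 1 if fd is an open socket, 0 if it is closed (EBADF) or not a socket. */
static int fd_is_open_socket(int fd)
{
    int type; socklen_t len = sizeof type;
    return getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) == 0;
}

/* dup() + close(): audit sees close(s); the socket lives on under `copy`. */
int survives_dup_then_close(void)
{
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s < 0) return -1;
    int copy = dup(s);
    if (copy < 0) { close(s); return -1; }
    close(s);
    int alive = fd_is_open_socket(copy);
    close(copy);
    return alive;
}

/* fork() + close(): the parent's close() cannot touch the child's copy of the table. */
int survives_fork_then_close(void)
{
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(s); return -1; }
    if (pid == 0) _exit(fd_is_open_socket(s) ? 0 : 1);  /* child reports via exit status */
    close(s);                                            /* parent's audited close() */
    int status; if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Ancillary-data buffer for one descriptor, plus the msghdr setup both sides share. */
union fdbuf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };
static void init_msg(struct msghdr *m, struct iovec *iov, union fdbuf *u)
{
    memset(m, 0, sizeof *m); memset(u, 0, sizeof *u);
    m->msg_iov = iov; m->msg_iovlen = 1;
    m->msg_control = u->buf; m->msg_controllen = sizeof u->buf;
}

/* Send fd over an AF_UNIX socket as SCM_RIGHTS; the queued datagram takes its own reference. */
static int send_fd(int via, int fd)
{
    char byte = 'x';
    struct iovec iov = { &byte, 1 };
    union fdbuf u; struct msghdr m;
    init_msg(&m, &iov, &u);
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(via, &m, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the (new) fd number or -1. */
static int recv_fd(int via)
{
    char byte;
    struct iovec iov = { &byte, 1 };
    union fdbuf u; struct msghdr m;
    init_msg(&m, &iov, &u);
    if (recvmsg(via, &m, 0) < 0) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* SCM_RIGHTS + close(): the sender closes before anyone receives, and the socket survives. */
int survives_scm_rights_then_close(void)
{
    int pair[2], alive = -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, pair) < 0) return -1;
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s >= 0 && send_fd(pair[0], s) == 0) {
        close(s);                    /* audited; the reference in the queue is untouched */
        int got = recv_fd(pair[1]);  /* different descriptor number, same socket */
        if (got >= 0) { alive = fd_is_open_socket(got); close(got); }
    }
    close(pair[0]); close(pair[1]);
    return alive;
}

int main(void)
{
    printf("dup %d  fork %d  SCM_RIGHTS %d\n", survives_dup_then_close(),
           survives_fork_then_close(), survives_scm_rights_then_close());
}
```

All three functions return 1: in each case a close() on the original descriptor number was made, and would show up in a syscall audit log, while the socket itself stayed open. Nothing in those records (a close(), a dup(), a fork(), a sendmsg()) tells an auditor when the socket actually went away, which is the reply's point about coverage.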
