On Fri, Dec 19, 2014 at 02:06:52PM +0800, Jie Cui wrote:
> Hi all~
> How do I audit the socket close system call?
> I can audit the socket connection by the 'connect' system call.
> I can also audit the socket termination by the 'shutdown' system call.
> But I can't figure out how to audit when the socket is closed.
> Does the 'close' system call work? However, all the file close events will
> also be audited. That's not what I want.
_Which_ system call? It may be close(). It may be dup2(). It may be
execve(). It may be exit(). It may be anything that kills a process
(signal delivery from somebody else, segfault, etc.). It may be anything
that triggers AF_UNIX garbage collection.
And conversely, any of those might very well be _not_ the final close;
e.g. dup() + close() will leave the socket open - under a new file
descriptor number. fork() + close() will do the same. So will sticking
that descriptor into an SCM_RIGHTS datagram and passing it over an AF_UNIX
socket, to be received by somebody at a later time - you can do close()
after having sent that and it won't do a damn thing to the reference that
went into the datagram.
Incidentally, that's a fine example of the reasons why syscall audit is useless
for almost anything other than CYA. It's not that syscall tracing is useless -
strace can be quite useful, actually. It's the bogus impression of coverage
in the case of watching what a live system does - a whole lot of events simply do
not map onto "somebody had done a syscall with such and such arguments".
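The two cases the reply names, as an added illustration that is not part of the thread: each function builds a socketpair, close()s the original descriptor, and returns 1 if the socket still passes data afterwards, i.e. an audit rule on close() would have fired without the socket going away.

```c
/* Added example, not from the thread: close() on a socket fd is not the same
 * as the socket going away, because other references to it may still exist. */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Returns 1 if a byte written on fd is still delivered to its peer. */
static int still_open(int fd, int peer) {
    char c = 0;
    if (write(fd, "x", 1) != 1) return 0;
    if (read(peer, &c, 1) != 1) return 0;
    return c == 'x';
}
/* Case 1: dup() + close(). The socket lives on under the duplicate fd. */
int socket_survives_dup_close(void) {
    int sv[2], copy, alive;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    copy = dup(sv[0]);
    close(sv[0]);  /* an audit rule on close() fires here, but nothing was closed */
    alive = still_open(copy, sv[1]);
    close(copy); close(sv[1]);
    return alive;
}

/* Case 2: SCM_RIGHTS. The fd is sent in a datagram over an AF_UNIX socket, the
 * sender close()s it, and the receiver later picks up a still-live reference. */
int socket_survives_scm_rights(void) {
    int sv[2], chan[2], received = -1, alive;
    char buf = 'f';
    struct iovec iov = { &buf, 1 };
    union { struct cmsghdr h; char b[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, chan) < 0) return -1;
    memset(&u, 0, sizeof u); memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.b; msg.msg_controllen = sizeof u.b;
    u.h.cmsg_level = SOL_SOCKET; u.h.cmsg_type = SCM_RIGHTS;
    u.h.cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(&u.h), &sv[0], sizeof(int));
    if (sendmsg(chan[0], &msg, 0) != 1) return -1;
    close(sv[0]);  /* sender's reference is gone; the in-flight datagram keeps one */
    if (recvmsg(chan[1], &msg, 0) != 1 || u.h.cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&received, CMSG_DATA(&u.h), sizeof(int));
    alive = still_open(received, sv[1]);
    close(received); close(sv[1]); close(chan[0]); close(chan[1]);
    return alive;
}
```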