How to audit socket close system call?

Alexander Viro aviro at redhat.com
Thu Jan 8 22:55:58 UTC 2015


On Fri, Dec 19, 2014 at 02:06:52PM +0800, Jie Cui wrote:
> Hi all~
> How to audit socket close system call?
> I can audit the socket connection by 'connect' system call.
> I can also audit the socket termination by 'shutdown' system call.
> But I can't figure out how to audit when the socket is closed.
> Does the 'close' system call work? However, all the file close events will
> also be audited. That's not what I want.

_Which_ system call?  It may be close().  It may be dup2().  It may be
execve().  It may be exit().  It may be anything that kills a process
(signal delivery from somebody else, segfault, etc.).  It may be anything
that triggers AF_UNIX garbage collection.

And conversely, any of those might very well be _not_ the final close;
e.g. dup() + close() will leave the socket open - under a new file
descriptor number.  fork() + close() will do the same.  So will sticking
that descriptor into SCM_RIGHTS datagram and passing it over AF_UNIX
socket, to be received by somebody at a later time - you can do close()
after having sent that and it won't do a damn thing to the reference that
went into the datagram.

Incidentally, that's a fine example of the reasons why syscall audit is useless
for almost anything other than CYA.  It's not that syscall tracing is useless -
strace can be quite useful, actually.  It's the bogus impression of coverage
in case of watching what a live system does - a whole lot of events simply do
not map on "somebody had done a syscall with such and such arguments".

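Viro's point that close() is not the end of a socket, as an added C example that is not part of the thread: each function closes the descriptor a syscall audit rule would log and then shows bytes still flowing through the surviving reference, either a dup()'d descriptor number or a reference that travelled in an SCM_RIGHTS datagram. Assumes Linux/glibc; the function names are mine.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>
/* dup() + close(): the socket lives on under the duplicated descriptor. */
int socket_survives_close_after_dup(void) {
    int sp[2], d, ok; char r[4];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp)) return -1;
    d = dup(sp[0]); close(sp[0]);            /* the close() an audit rule would log */
    ok = write(d, "ping", 4) == 4 && read(sp[1], r, 4) == 4;
    close(d); close(sp[1]); return ok;
}

/* Send fd over an AF_UNIX channel in an SCM_RIGHTS ancillary message. */
static int send_fd(int chan, int fd) {
    char byte = 'x', buf[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = buf; msg.msg_controllen = sizeof buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

static int recv_fd(int chan) {
    char byte, buf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = buf; msg.msg_controllen = sizeof buf;
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int)); return fd;   /* kernel picked a new number */
}

/* SCM_RIGHTS: close() of the sent fd leaves the reference queued in the datagram. */
int socket_survives_close_after_scm_rights(void) {
    int sp[2], chan[2], got, ok; char r[4];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) || socketpair(AF_UNIX, SOCK_DGRAM, 0, chan)) return -1;
    if (send_fd(chan[0], sp[0])) return -1;
    close(sp[0]);                            /* the close() an audit rule would log */
    got = recv_fd(chan[1]);                  /* the reference that rode in the datagram */
    if (got < 0) return -1;
    ok = write(got, "ping", 4) == 4 && read(sp[1], r, 4) == 4;
    close(got); close(sp[1]); close(chan[0]); close(chan[1]); return ok;
}
```

Both functions return 1 when the peer still receives the bytes after the logged close(), which is exactly the case where a close()-based audit rule would report a socket as gone while it is still in use.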