socket_events improvements - non-blocking sockets, accept() syscalls #5084
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduction
This PR adds support for the following two things:
Why
When audit emits a syscall record, the
success
parameter is set according to the exit code of the function. The issue with this is that when operating on non-blocking sockets, certain syscalls (connect, bind) will immediately return -1 with an errno value of EINPROGRESS. This causes potentially valid events to be dropped.You can see how common non-blocking sockets are by using strace on tools like curl, wget or netcat.
Note that the bind() syscall is not enough to look for incoming connections, as you can easily fool event collection by setting a socket in listen() without binding. You can then get the port using getsockname().
Changes
socket_events
table is accepting these events.socket_events
table is now able to monitor for accept() and accept4() syscalls.audit_disable_accept_syscalls
has been added, to optionally let the user disable accept() and accept4() syscall handling. By default, it is set to false.Schema
The
success
column is now deprecated, and has been replaced by thestatus
column. Here's how it works:accept(), accept4() events
This event is not affected by the blocking or non-blocking attribute of the sockets. It is only emitted if the syscall has succeeded (the
status
field will always containsucceeded
).bind(), connect() events
This event is affected by the non-blocking attribute of the socket. When the success field in the Audit record is set to yes, then this operation has definitely succeeded, and the socket is blocking. In this case, the
status
field will containsucceeded
.When the success field in the Audit record is set to "
no
" however, we don't know for sure what happened:Since there is no way (without tracking socket states) to determine the outcome, the
status
field will containunknown
.Related issues
By implementing the new tests, this should also address the following issue: #4930 - Create tests for the table socket_events.