cadets / freebsd-old

FreeBSD src tree http://www.FreeBSD.org/

audit dtrace provider does not always provide file information on close #64

Open amstrnad opened 7 years ago

amstrnad commented 7 years ago

When auditing close syscalls, occasionally the only file information included is the file descriptor.

{"event": "audit:event:aue_close:", "time": 1486423747980216166, "pid": 1305, "ppid": 1032, "tid": 100723, "uid": 1001, "exec": "bash", "subjprocuuid": "0e586fc4-ecc4-11e6-8f0d-ecb1d75f7007", "subjthruuid": "621ecdf2-ecc1-11e6-8f0d-ecb1d75f7007",  "fd": 3, "retval": 0}
rwatson commented 7 years ago

I wonder if this is because we are auditing full information on last close (i.e., when the file-descriptor layer notifies the underlying object of close()) and not on other closes. Close is, of course, a poor indicator of whether I/O might continue on some objects -- e.g., due to mmap(). But we can do better than we are doing without too much trouble. I'll take a pass at improving that and we can see how comfortable we are with the results.

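The distinction rwatson draws above, between close() of one descriptor and the last close of the underlying file object, can be observed from userland. The C program below is an added example, not code from the FreeBSD tree or from this thread; it assumes only POSIX dup(2), fork(2) and fstat(2) and creates a scratch file under /tmp (an assumption about the environment). A descriptor obtained by dup(2), or inherited across fork(2), keeps the file object alive, so the first close() is not the "last close"; if the hypothesis above holds, that is exactly the close for which the audit record would carry nothing beyond the fd number.

```c
/* Added example (not from cadets/freebsd-old): each close(2) drops one
 * descriptor, but the file object behind it, and therefore the path/vnode
 * information a close audit record would want, is only released on the
 * last reference.  dup(2) and fork(2) both create extra references. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd still refers to an open file object, 0 if fstat fails (EBADF). */
static int fd_is_open(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0;
}

/* Scratch file under /tmp (assumed writable); name is unlinked at once so
 * only the open descriptor keeps the object alive. */
static int open_scratch(void) {
    char path[] = "/tmp/closedemo.XXXXXX";
    int fd = mkstemp(path);
    if (fd >= 0) unlink(path);
    return fd;
}

/* dup(2) case: returns the number of close() calls needed before the file
 * object is actually gone (expected 2), or -1 on error.  The first close
 * is not a last close: dupfd still references the object. */
int closes_before_object_released(void) {
    int fd = open_scratch();
    if (fd < 0) return -1;
    int dupfd = dup(fd);
    if (dupfd < 0) { close(fd); return -1; }

    if (close(fd) != 0) return -1;            /* close #1: fd gone */
    int alive_after_first = fd_is_open(dupfd); /* object still open */

    if (close(dupfd) != 0) return -1;         /* close #2: last close */
    int alive_after_second = fd_is_open(dupfd); /* now EBADF */

    if (!alive_after_first || alive_after_second) return -1;
    return 2;
}

/* fork(2) case: returns 1 if the child can still fstat the inherited
 * descriptor after the parent closed its copy, 0 if not, -1 on error. */
int child_keeps_object_after_parent_close(void) {
    int fd = open_scratch();
    if (fd < 0) return -1;
    int sync[2];                               /* parent -> child signal */
    if (pipe(sync) != 0) { close(fd); return -1; }

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char c;
        close(sync[1]);
        if (read(sync[0], &c, 1) != 1) _exit(2); /* wait for parent's close */
        _exit(fd_is_open(fd) ? 0 : 1);
    }
    close(sync[0]);
    close(fd);                                 /* parent's close: not last */
    if (write(sync[1], "x", 1) != 1) return -1;
    close(sync[1]);

    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    printf("closes before object released (dup case): %d\n",
           closes_before_object_released());
    printf("child still holds object after parent close: %d\n",
           child_keeps_object_after_parent_close());
    return 0;
}
```

The practical consequence for a consumer of these records is that a close event is a poor place to learn the path: correlate it with the earlier open record for the same (pid, fd) pair instead, and do not assume the object is gone after any single close.
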
arunthomas commented 7 years ago

@alsz, is this still an issue?