From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Using Audit to create a realtime process creation monitor
Date: Wed, 29 Oct 2008 13:01:57 -0400
Message-ID: <200810291301.57623.sgrubb@redhat.com>
In-Reply-To: <49024F96.9060307@terra.com.br>
On Friday 24 October 2008 18:43:34 Bruno Gustavo Wallauer wrote:
> I'm working on a system that needs a realtime process creation tool
> (using C programming), getting the pid, ppid and path of the process.
Should be possible, but it requires a kernel patch to really be right. I think
the patch is landing in the RHEL5.3 kernel and 2.6.28. What it does is give
2 event records on fork/clone.
> I've been trying to use the audit subsystem to do this, but no matter
> which way I tried, so far I hadn't been successful.
>
> I've tried these for task creation:
>
> - auditctl -a entry,always -S fork -S vfork -S clone
> This way I can't know the pid of the new process, just the
> caller;
This rule should do it. That is what the kernel patch fixes. You would get 2
records now. This was fixed under bz#461831.
> And this for task destruction:
>
> - auditctl -a entry,always -S exit -S exit_group
> Works most of the time, but doesn't catch "killall sshd"
> (doesn't get the "sshd is dying" part).
Some tasks exit in a strange way. Have you tried stracing sshd to see how it
exits?
-Steve
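As an added example, not code from the thread and not the kernel patch Steve refers to, the following Python script turns the SYSCALL records that the two rules quoted above produce into process creation and exit events carrying pid, ppid and executable path. It assumes x86_64 syscall numbers (the thread does not name an architecture) and assumes that the "2 event records" from the fixed kernel are the parent's return from fork/clone (exit= is the new pid) plus the child's own return (exit=0, with pid= and ppid= already naming child and parent); the audit lines it parses are constructed samples, not real log data.

```python
"""Process creation/exit monitor over audit SYSCALL records (added example).

Intended input is the output of rules like
    auditctl -a entry,always -S fork -S vfork -S clone -S exit -S exit_group
Syscall numbers are x86_64 (arch=c000003e); this is an assumption.
"""
import re
import shlex

# x86_64 syscall numbers (assumption: the thread does not say which arch).
CLONE, FORK, VFORK, EXECVE, EXIT, EXIT_GROUP = 56, 57, 58, 59, 60, 231
CREATORS = {CLONE, FORK, VFORK}
TERMINATORS = {EXIT, EXIT_GROUP}

_MSG = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')


def parse_record(line):
    """Split one audit line into a dict of its key=value fields.

    shlex handles the quoted values (comm="sshd", exe="/usr/sbin/sshd").
    Returns None for lines that do not look like audit records.
    """
    m = _MSG.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for tok in shlex.split(m.group(4)):
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec


def _exit_value(rec):
    """Numeric syscall return value; failures look like exit=-11(EAGAIN)."""
    m = re.match(r'-?\d+', rec.get("exit", ""))
    return int(m.group()) if m else None


class ProcessMonitor:
    def __init__(self):
        self.procs = {}    # pid -> {"ppid": int, "exe": str} for live processes
        self.events = []   # ("created" | "exec" | "exited", pid, ppid, exe)

    def feed(self, line):
        """Consume one audit line; return the event it produced, if any."""
        rec = parse_record(line)
        if rec is None or rec["type"] != "SYSCALL":
            return None
        nr = int(rec["syscall"])
        pid, ppid, exe = int(rec["pid"]), int(rec["ppid"]), rec.get("exe", "?")
        if nr in CREATORS and rec.get("success") == "yes":
            ret = _exit_value(rec)
            if ret is None:
                return None
            # Parent's record: return value is the new pid. Child's record
            # (the second one a fixed kernel emits, assumption): exit=0 and
            # pid=/ppid= already name the child and its parent.
            child, parent = (ret, pid) if ret > 0 else (pid, ppid)
            if child in self.procs:
                return None            # other half of the pair already seen
            self.procs[child] = {"ppid": parent, "exe": exe}  # image inherited until exec
            ev = ("created", child, parent, exe)
        elif nr == EXECVE and rec.get("success") == "yes":
            # At syscall exit the exe= field already shows the new image.
            self.procs.setdefault(pid, {"ppid": ppid})["exe"] = exe
            ev = ("exec", pid, ppid, exe)
        elif nr in TERMINATORS:
            # exit/exit_group never return, so the record normally carries no
            # success=/exit= fields; do not require them here.
            info = self.procs.pop(pid, {"ppid": ppid, "exe": exe})
            ev = ("exited", pid, info["ppid"], info["exe"])
        else:
            return None
        self.events.append(ev)
        return ev


# Constructed sample records: sshd (pid 1234) clones a child 4321, the fixed
# kernel emits the child's half too, the child execs bash, one clone fails,
# a CWD record is noise, and finally the child calls exit_group.
SAMPLE = [
    'type=SYSCALL msg=audit(1225220480.101:201): arch=c000003e syscall=56 success=yes exit=4321 a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1234 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="proc"',
    'type=SYSCALL msg=audit(1225220480.101:202): arch=c000003e syscall=56 success=yes exit=0 a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1234 pid=4321 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="proc"',
    'type=CWD msg=audit(1225220480.105:203):  cwd="/"',
    'type=SYSCALL msg=audit(1225220480.105:203): arch=c000003e syscall=59 success=yes exit=0 a0=8ee4f0 a1=8ee640 a2=8ed1e0 a3=0 items=2 ppid=1234 pid=4321 auid=500 uid=500 comm="bash" exe="/bin/bash" key=(null)',
    'type=SYSCALL msg=audit(1225220481.000:204): arch=c000003e syscall=56 success=no exit=-11(EAGAIN) a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1234 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="proc"',
    'type=SYSCALL msg=audit(1225220483.500:205): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=0 items=0 ppid=1234 pid=4321 auid=500 uid=500 comm="bash" exe="/bin/bash" key="proc"',
]


def run_sample(lines=SAMPLE):
    """Feed the sample through a monitor; return (events, still-live table)."""
    mon = ProcessMonitor()
    for line in lines:
        mon.feed(line)
    return mon.events, mon.procs


if __name__ == "__main__":
    for ev in run_sample()[0]:
        print("%-8s pid=%d ppid=%d exe=%s" % ev)
```

The dedupe on `child in self.procs` is what makes the two-record behaviour harmless: whichever half of the fork pair arrives first creates the entry and the other is dropped. One caveat the monitor cannot fix: a task killed by an uncaught signal never enters exit or exit_group, so no record is produced and its entry in `procs` goes stale; reconciling against /proc, or against the parent's later wait4 record, is needed to notice that.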
Thread overview:
2008-10-24 22:43 Using Audit to create a realtime process creation monitor  Bruno Gustavo Wallauer
2008-10-29 17:01 ` Steve Grubb [this message]