From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Using Audit to create a realtime process creation monitor
Date: Wed, 29 Oct 2008 13:01:57 -0400
Message-ID: <200810291301.57623.sgrubb@redhat.com>
References: <49024F96.9060307@terra.com.br>
In-Reply-To: <49024F96.9060307@terra.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday 24 October 2008 18:43:34 Bruno Gustavo Wallauer wrote:
> I'm working on a system that needs a realtime process creation tool
> (using C programming), getting the pid, ppid and path of the process.

Should be possible, but it requires a kernel patch to really be right. I think
the patch is landing in the RHEL5.3 kernel and 2.6.28. What it does is give 2
event records on fork/clone.

> I've been trying to use the audit subsystem to do this, but no matter
> which way I tried, so far I haven't been successful.
>
> I've tried these for task creation:
>
> - auditctl -a entry,always -S fork -S vfork -S clone
> This way I can't know the pid of the new process, just the
> caller;

This rule should do it. That is what the kernel patch fixes. You would get 2
records now. This was fixed under bz#461831.

> And this for task destruction:
>
> - auditctl -a entry,always -S exit -S exit_group
> Works most of the time, but doesn't catch "killall sshd"
> (doesn't get the "sshd is dying" part).

Some tasks exit in a strange way. Have you tried stracing sshd to see how it
exits?

-Steve