public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed
* Using Audit to create a realtime process creation monitor
@ 2008-10-24 22:43 Bruno Gustavo Wallauer
  2008-10-29 17:01 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Bruno Gustavo Wallauer @ 2008-10-24 22:43 UTC (permalink / raw)
  To: linux-audit

Hi All,

I'm working on a system that needs a realtime process creation tool
(using C programming), getting the pid ppid and path of the process.

I've been trying to use the audit subsystem to do this, but no matter
which way I tried, so far I hadn't been successful.

I've tried these for task creation:

    - auditctl -a entry,always -S fork -S vfork -S clone
            This way I can't know the pid of the new process, just the
caller;
    - auditctl -a entry,always -S brk -F 'a0=0'
             This way works most of the time, but creates duplicated
entries;
    - auditctl -a task,always
             With this I get _a lot_ of garbage, and it's too CPU
consuming to process the output;


And this for task destruction:

    - auditctl -a entry,always -S exit -S exit_group
             Works most of the time, but doesn't catch "killall sshd"
(doesn't get the "sshd is dying" part).

    Can anybody help me with these?

    Thanks in advance.

    Cheers,

Bruno Gustavo Wallauer

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2008-10-29 17:01 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-10-24 22:43 Using Audit to create a realtime process creation monitor Bruno Gustavo Wallauer
2008-10-29 17:01 ` Steve Grubb

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox