How to track process invocation history using audit

How to track process invocation history using audit

[Kohei KaiGai]

Hi,

I tried to track what process launches what other programs using audit
mechanism.
Then, I want to write up a tree diagram using audit logs eventually.

However, the auditctl does not work as I expected.

I tried to track all the fork(2) system call to record relationship
between ppid and pid
on processes with a particular loginuid.

  [root@ls3029v0 ~]# auditctl -a task,always -F arch=b64 -S fork -F auid=1234
  Error: syscall auditing being added to task list

But, it does not works.
I also tried to use 'exit' list, but it seems to me the following rule
is ignored.
(tail -f /var/log/audit/audit.log does not report anything)

  [root@ls3029v0 ~]# auditctl -a exit,always -F arch=b64 -S fork

What is the best way to track process invocation history using audit mechanism?

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

Re: How to track process invocation history using audit

[Steve Grubb]

On Monday, June 20, 2011 11:51:10 AM Kohei KaiGai wrote:
> I tried to track all the fork(2) system call to record relationship
> between ppid and pid
> on processes with a particular loginuid.
> 
>   [root@ls3029v0 ~]# auditctl -a task,always -F arch=b64 -S fork -F
> auid=1234 Error: syscall auditing being added to task list

Maybe you need to use the clone syscall? You can probably strace a program just to 
make sure what its using.

-Steve