public inbox for linux-audit@redhat.com
From: Bruno Gustavo Wallauer <brunogw@terra.com.br>
To: linux-audit@redhat.com
Subject: Using Audit to create a realtime process creation monitor
Date: Fri, 24 Oct 2008 20:43:34 -0200	[thread overview]
Message-ID: <49024F96.9060307@terra.com.br> (raw)

Hi All,

I'm working on a system that needs a realtime process creation tool
(written in C), getting the pid, ppid and path of the process.

I've been trying to use the audit subsystem to do this, but no matter
which way I tried, so far I haven't been successful.

I've tried these for task creation:

    - auditctl -a entry,always -S fork -S vfork -S clone
          This way I can't know the pid of the new process, just the caller;
    - auditctl -a entry,always -S brk -F 'a0=0'
          This way works most of the time, but creates duplicated entries;
    - auditctl -a task,always
          With this I get _a lot_ of garbage, and it's too CPU consuming to
          process the output;


And this for task destruction:

    - auditctl -a entry,always -S exit -S exit_group
          Works most of the time, but doesn't catch "killall sshd" (doesn't
          get the "sshd is dying" part).

    Can anybody help me with these?

    Thanks in advance.

    Cheers,

Bruno Gustavo Wallauer
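
Added example (not part of Bruno's message or of any reply in this thread):
a small C consumer showing one way to get pid, ppid and path out of audit
records. Instead of fork/vfork/clone, where the SYSCALL record belongs to
the caller, it keys on execve: that record is written in the context of the
new process, so pid= is the child, ppid= its parent, and after a successful
execve exe= is the path of the new image. exit_group supplies the
normal-exit side. The companion EXECVE/CWD/PATH records share the event's
serial number and are skipped, and a SYSCALL record that arrives twice with
the same serial is kept once, which is the deduplication a brk-based rule
would also need. Assumptions: x86_64 syscall numbers (execve=59,
exit_group=231, arch=c000003e), rules of the form
"auditctl -a always,exit -F arch=b64 -S execve -S exit_group -k procmon",
and the sample records are constructed for the example, not a real capture.

```c
/* Added example: audit SYSCALL records -> process start/exit events with
 * pid, ppid and exe.  Assumes x86_64 syscall numbers (arch=c000003e) and
 *   auditctl -a always,exit -F arch=b64 -S execve -S exit_group -k procmon
 * The sample records below are constructed, not a real capture. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_EXECVE     59    /* x86_64 */
#define NR_EXIT_GROUP 231   /* x86_64 */
#define MAX_EVENTS    64

enum proc_kind { PROC_START, PROC_EXIT };
struct proc_event { unsigned long serial; enum proc_kind kind; int pid, ppid; char exe[256]; };

/* Copy the value of " key=value" (bare or "quoted") into out; 0 if absent.
 * The leading-space test keeps "pid" from matching inside "ppid=". */
static int get_field(const char *rec, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key), n = 0;
    const char *p = rec, *v;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            v = p + klen + 1;
            if (*v == '"') { v++; while (v[n] && v[n] != '"') n++; }
            else           { while (v[n] && v[n] != ' ') n++; }
            if (n >= outlen) n = outlen - 1;
            memcpy(out, v, n); out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* One record line -> event.  Only SYSCALL records qualify: a successful
 * execve (pid= is the new process, exe= its new image) or an exit_group
 * (which carries no success= field, since the task never returns). */
static int parse_record(const char *rec, struct proc_event *ev)
{
    char buf[32];
    const char *msg = strstr(rec, "msg=audit(");
    if (strncmp(rec, "type=SYSCALL ", 13) != 0 || msg == NULL) return 0;
    if (sscanf(msg, "msg=audit(%*lu.%*lu:%lu)", &ev->serial) != 1) return 0;
    if (!get_field(rec, "syscall", buf, sizeof buf)) return 0;
    int nr = atoi(buf);
    if (nr == NR_EXECVE) {
        if (!get_field(rec, "success", buf, sizeof buf) || strcmp(buf, "yes") != 0) return 0;
        ev->kind = PROC_START;
    } else if (nr == NR_EXIT_GROUP) {
        ev->kind = PROC_EXIT;
    } else return 0;
    if (!get_field(rec, "pid", buf, sizeof buf)) return 0;
    ev->pid = atoi(buf);
    if (!get_field(rec, "ppid", buf, sizeof buf)) return 0;
    ev->ppid = atoi(buf);
    if (!get_field(rec, "exe", ev->exe, sizeof ev->exe)) ev->exe[0] = '\0';
    return 1;
}

/* Parse a newline-separated record stream into out[].  EXECVE/CWD/PATH lines
 * are skipped; a SYSCALL record seen twice with one serial is stored once. */
int parse_events(const char *log, struct proc_event *out, int max)
{
    char rec[1024];
    int n = 0, i;
    while (*log != '\0' && n < max) {
        size_t len = strcspn(log, "\n");
        size_t take = len < sizeof rec ? len : sizeof rec - 1;
        memcpy(rec, log, take); rec[take] = '\0';
        log += len + (log[len] == '\n');
        if (!parse_record(rec, &out[n])) continue;
        for (i = 0; i < n && out[i].serial != out[n].serial; i++) ;
        if (i == n) n++;                 /* new serial: keep; else drop duplicate */
    }
    return n;
}

/* Constructed sample: execve event 1001 delivered twice plus its EXECVE record, a failed execve 1002, exit_group 1003. */
static const char SAMPLE_LOG[] =
"type=SYSCALL msg=audit(1224880000.101:1001): arch=c000003e syscall=59 success=yes exit=0 "
    "ppid=2000 pid=2001 uid=0 comm=\"sshd\" exe=\"/usr/sbin/sshd\" key=\"procmon\"\n"
"type=EXECVE msg=audit(1224880000.101:1001): argc=1 a0=\"/usr/sbin/sshd\"\n"
"type=SYSCALL msg=audit(1224880000.101:1001): arch=c000003e syscall=59 success=yes exit=0 "
    "ppid=2000 pid=2001 uid=0 comm=\"sshd\" exe=\"/usr/sbin/sshd\" key=\"procmon\"\n"
"type=SYSCALL msg=audit(1224880000.105:1002): arch=c000003e syscall=59 success=no exit=-2 "
    "ppid=2001 pid=2002 uid=1000 comm=\"bash\" exe=\"/bin/bash\" key=\"procmon\"\n"
"type=SYSCALL msg=audit(1224880000.200:1003): arch=c000003e syscall=231 a0=0 "
    "ppid=2000 pid=2001 uid=0 comm=\"sshd\" exe=\"/usr/sbin/sshd\" key=\"procmon\"\n";
static struct proc_event sample_events[MAX_EVENTS];
int sample_event_count(void) { return parse_events(SAMPLE_LOG, sample_events, MAX_EVENTS); }
const struct proc_event *sample_event(int i) { return &sample_events[i]; }

int main(void)
{
    for (int i = 0, n = sample_event_count(); i < n; i++)
        printf("%s pid=%d ppid=%d exe=%s\n", sample_events[i].kind == PROC_START ? "START" : "EXIT",
               sample_events[i].pid, sample_events[i].ppid, sample_events[i].exe);
    return 0;
}
```

Fed the constructed sample, this yields two events: START pid=2001
ppid=2000 exe=/usr/sbin/sshd and EXIT pid=2001 ppid=2000. The same parser
can be pointed at the lines auditd writes to its log file or at the record
text a netlink reader receives. One caveat it does not address: a process
killed by a signal (the "killall sshd" case) never enters exit or
exit_group, so no syscall rule produces a record for its death; the parser
only handles records the kernel actually emits.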

Thread overview: 2+ messages
2008-10-24 22:43 Bruno Gustavo Wallauer [this message]
2008-10-29 17:01 ` Using Audit to create a realtime process creation monitor Steve Grubb