From mboxrd@z Thu Jan  1 00:00:00 1970
From: Bruno Gustavo Wallauer <brunogw@terra.com.br>
Subject: Using Audit to create a realtime process creation monitor
Date: Fri, 24 Oct 2008 20:43:34 -0200
Message-ID: <49024F96.9060307@terra.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m9OMho68022490
	for <linux-audit@redhat.com>; Fri, 24 Oct 2008 18:43:50 -0400
Received: from sr05-10.mta.terra.com.br (sr05-10.mta.terra.com.br
	[200.154.152.69])
	by mx3.redhat.com (8.13.8/8.13.8) with ESMTP id m9OMhmv0004164
	for <linux-audit@redhat.com>; Fri, 24 Oct 2008 18:43:48 -0400
Received: from quebec.hst.terra.com.br (quebec.hst.terra.com.br
	[200.176.10.31])
	by buraja.hst.terra.com.br (Postfix) with ESMTP id 698C9C0001E8
	for <linux-audit@redhat.com>; Fri, 24 Oct 2008 22:43:46 +0000 (UTC)
Received: from [10.0.0.200] (unknown [201.37.81.28])
	(authenticated user brunogw)
	by quebec.hst.terra.com.br (Postfix) with ESMTP id 608AA10000AD
	for <linux-audit@redhat.com>; Fri, 24 Oct 2008 22:43:46 +0000 (UTC)
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi All,

I'm working on a system that needs a realtime process creation tool
(using C programming), getting the pid ppid and path of the process.

I've been trying to use the audit subsystem to do this, but no matter
which way I tried, so far I hadn't been successful.

I've tried these for task creation:

    - auditctl -a entry,always -S fork -S vfork -S clone
            This way I can't know the pid of the new process, just the
caller;
    - auditctl -a entry,always -S brk -F 'a0=0'
             This way works most of the time, but creates duplicated
entries;
    - auditctl -a task,always
             With this I get _a lot_ of garbage, and it's too CPU
consuming to process the output;


And this for task destruction:

    - auditctl -a entry,always -S exit -S exit_group
             Works most of the time, but doesn't catch "killall sshd"
(doesn't get the "sshd is dying" part).

    Can anybody help me with these?

    Thanks in advance.

    Cheers,

Bruno Gustavo Wallauer