[PATCH] audit: add task history record

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Thu Aug 24 13:47:09 UTC 2023


On 2023/08/24 22:39, Tetsuo Handa wrote:
>>>   (1) Catch _all_ process creations (both via fork()/clone() system calls and
>>>       kthread_create() from the kernel), and duplicate the history upon process
>>>       creation.
>>
>> Create an audit filter rule to record the syscalls you are interested
>> in logging.
> 
> I can't interpret what you are talking about. Please show me using command line.

I'm not interested in logging the syscalls just for maintaining process history
information. I want you to explain using command line how we can trace process
creation/termination (both via syscalls and via kernel internal reasons).
How can auditd generate logs that are not triggered via syscalls?



More information about the Linux-security-module-archive mailing list