[PATCH] audit: add task history record
Tetsuo Handa
penguin-kernel at I-love.SAKURA.ne.jp
Thu Aug 24 13:47:09 UTC 2023
On 2023/08/24 22:39, Tetsuo Handa wrote:
>>> (1) Catch _all_ process creations (both via fork()/clone() system calls and
>>> kthread_create() from the kernel), and duplicate the history upon process
>>> creation.
>>
>> Create an audit filter rule to record the syscalls you are interested
>> in logging.
>
> I can't interpret what you are talking about. Please show me using command line.
I'm not interested in logging the syscalls just for maintaining process history
information. I want you to explain, using the command line, how we can trace process
creation/termination (both via syscalls and via kernel-internal reasons).
How can auditd generate logs that are not triggered via syscalls?
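As an added example that is not part of the thread (it is neither Tetsuo Handa's nor the audit project's code): the kind of auditctl rule the quoted reply alludes to, together with a parser for the SYSCALL records such a rule produces, pulling the parent/child relationship out of each successful clone/fork. It covers only creations made through a syscall; a kthread created from inside the kernel emits no SYSCALL record at all, which is exactly the gap the message above points out. Assumptions: x86_64 syscall numbers (arch=c000003e), an audit userspace whose syscall table resolves the name clone3, and the audit log lines below are constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Audit can record process creation only when it happens via a syscall;
# kthread_create() inside the kernel produces no SYSCALL record.

# Rule as it would be loaded (needs root and auditd; not executed here):
#   sudo auditctl $AUDIT_RULE
#   sudo ausearch -k proc_create
# Assumption: the installed auditctl knows the name clone3; older ones need
# the raw number (435 on x86_64) instead.
AUDIT_RULE='-a always,exit -F arch=b64 -S clone,clone3,fork,vfork -k proc_create'

# Constructed sample records modelled on auditd's SYSCALL layout. For the
# creation syscalls, pid= is the caller (parent) and exit= is the child pid
# returned on success. Record 2 hit an unrelated (hypothetical) rule, record 3
# failed, record 4 is a non-SYSCALL type; only record 1 is a real creation.
SAMPLE_RECORDS='type=SYSCALL msg=audit(1692884829.123:456): arch=c000003e syscall=56 success=yes exit=1234 a0=1200011 a1=0 a2=0 a3=7f0c5e8e2a10 items=0 ppid=1 pid=1000 auid=1000 uid=1000 gid=1000 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" key="proc_create"
type=SYSCALL msg=audit(1692884830.001:457): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d2a0 a2=55d3f0 a3=0 items=2 ppid=1000 pid=1234 auid=1000 uid=1000 gid=1000 tty=pts0 ses=1 comm="ls" exe="/usr/bin/ls" key="exec_watch"
type=SYSCALL msg=audit(1692884831.500:458): arch=c000003e syscall=435 success=no exit=-11 a0=7ffd1e3c a1=58 a2=0 a3=0 items=0 ppid=1 pid=1000 auid=1000 uid=1000 gid=1000 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" key="proc_create"
type=PROCTITLE msg=audit(1692884829.123:456): proctitle="bash"'

# Read audit records on stdin; print one "parent=<pid> child=<pid> comm=<name>"
# line per successful clone/clone3/fork/vfork tagged by the proc_create rule.
process_creations() {
    awk '
    $1 == "type=SYSCALL" {
        split("", f)                      # portable way to clear the array
        for (i = 2; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        if (f["key"] != "\"proc_create\"") next
        if (f["arch"] != "c000003e") next  # numbers below are x86_64 only
        # 56 clone, 57 fork, 58 vfork, 435 clone3 on x86_64
        if (f["syscall"] !~ /^(56|57|58|435)$/) next
        if (f["success"] != "yes") next    # a failed clone created nothing
        gsub(/"/, "", f["comm"])
        print "parent=" f["pid"] " child=" f["exit"] " comm=" f["comm"]
    }'
}

# Stand-alone demonstration on the constructed records.
printf '%s\n' "$SAMPLE_RECORDS" | process_creations
```

The rule string and ausearch call are shown for orientation; the script itself does not touch the audit subsystem, so it runs as an unprivileged user over the embedded records.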