On Friday 24 October 2008 18:43:34 Bruno Gustavo Wallauer wrote:
> I'm working on a system that needs a realtime process creation tool
> (using C programming), getting the pid ppid and path of the process.

Should be possible, but it requires a kernel patch to really be right. I think the patch is landing in the RHEL5.3 kernel and 2.6.28. What it does is give 2 event records on fork/clone.

> I've been trying to use the audit subsystem to do this, but no matter
> which way I tried, so far I hadn't been successful.
>
> I've tried these for task creation:
>
> - auditctl -a entry,always -S fork -S vfork -S clone
> This way I can't know the pid of the new process, just the
> caller;

This rule should do it. That is what the kernel patch fixes. You would get 2 records now. This was fixed under bz#461831.

> And this for task destruction:
>
> - auditctl -a entry,always -S exit -S exit_group
> Works most of the time, but doesn't catch "killall sshd"
> (doesn't get the "sshd is dying" part).

Some tasks exit in a strange way. Have you tried stracing sshd to see how it exits?

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
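As an added illustration of what the two rules above yield on the consumer side (this is example code written for this page, not anything from the thread or from the audit project), the following Python parses raw audit.log SYSCALL records, classifies them as task creation (fork/vfork/clone) or task exit (exit/exit_group), and pairs a child's creation with its own exit so that tasks whose death was never logged stand out. The sample records are constructed, not captured output. The example assumes x86_64 syscall numbers (arch=c000003e) and the raw audit.log key=value layout, and it treats the `exit=` field (the syscall return value) on a successful fork/clone record as the child's pid; the thread itself does not settle whether that is enough without the kernel patch Steve mentions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample records, shaped like raw audit.log SYSCALL lines from rules such as
#   auditctl -a entry,always -S fork -S vfork -S clone -k procmon
#   auditctl -a entry,always -S exit -S exit_group -k procmon
# Pid values and timestamps are made up for illustration.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1224870000.100:101): arch=c000003e syscall=56 success=yes exit=2001 a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1000 auid=4294967295 uid=0 gid=0 comm="sshd" exe="/usr/sbin/sshd" key="procmon"
type=SYSCALL msg=audit(1224870000.200:102): arch=c000003e syscall=57 success=yes exit=2002 a0=0 a1=0 a2=0 a3=0 items=0 ppid=500 pid=1500 auid=500 uid=500 gid=500 comm="bash" exe="/bin/bash" key="procmon"
type=SYSCALL msg=audit(1224870000.300:103): arch=c000003e syscall=231 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1500 pid=2002 auid=500 uid=500 gid=500 comm="ls" exe="/bin/ls" key="procmon"
type=SYSCALL msg=audit(1224870000.400:104): arch=c000003e syscall=56 success=no exit=-11 a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1000 auid=4294967295 uid=0 gid=0 comm="sshd" exe="/usr/sbin/sshd" key="procmon"
"""

# Assumption: x86_64 syscall numbers (arch=c000003e). Other architectures need their own table.
SYSCALL_NAMES = {56: "clone", 57: "fork", 58: "vfork", 60: "exit", 231: "exit_group"}
CREATE_CALLS = {"clone", "fork", "vfork"}
EXIT_CALLS = {"exit", "exit_group"}

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(<seconds>.<millis>:<serial>)
MSG_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")


@dataclass
class ProcEvent:
    kind: str                        # "create" or "exit"
    ts: float                        # audit timestamp (seconds)
    pid: int                         # task that issued the syscall
    ppid: int
    exe: str                         # path of the calling task's executable
    child_pid: Optional[int] = None  # "create" only: fork/clone return value in the parent


def parse_fields(line: str) -> Dict[str, str]:
    """Split one raw audit line into its key=value fields, unquoting values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def parse_event(line: str) -> Optional[ProcEvent]:
    """Turn a SYSCALL record for one of the watched calls into a ProcEvent, else None."""
    f = parse_fields(line)
    if f.get("type") != "SYSCALL":
        return None
    name = SYSCALL_NAMES.get(int(f["syscall"]))
    if name is None:
        return None
    ts = float(MSG_RE.search(f["msg"]).group(1))
    pid, ppid, exe = int(f["pid"]), int(f["ppid"]), f["exe"]
    if name in CREATE_CALLS:
        # Only a successful fork/clone creates a task; the parent's return value (exit=)
        # is the new child's pid. A failed call (success=no, exit=-errno) is skipped.
        if f.get("success") != "yes":
            return None
        return ProcEvent("create", ts, pid, ppid, exe, child_pid=int(f["exit"]))
    return ProcEvent("exit", ts, pid, ppid, exe)


def parse_events(log: str) -> List[ProcEvent]:
    return [ev for ev in map(parse_event, log.splitlines()) if ev is not None]


def lifetimes(events: List[ProcEvent]) -> Dict[int, Tuple[Optional[float], Optional[float]]]:
    """Map pid -> (creation time seen in the parent's record, the task's own exit time)."""
    life: Dict[int, Tuple[Optional[float], Optional[float]]] = {}
    for ev in events:
        if ev.kind == "create":
            _, end = life.get(ev.child_pid, (None, None))
            life[ev.child_pid] = (ev.ts, end)
        else:
            start, _ = life.get(ev.pid, (None, None))
            life[ev.pid] = (start, ev.ts)
    return life


def unreaped(events: List[ProcEvent]) -> Set[int]:
    """Pids whose creation was logged but whose exit never was.

    A task that dies from a signal never calls exit()/exit_group(), so an exit-syscall
    rule produces no record for it; that is one way a "killall" can go unseen by the
    second rule in the thread."""
    return {pid for pid, (start, end) in lifetimes(events).items()
            if start is not None and end is None}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for pid, (start, end) in sorted(lifetimes(evs).items()):
        print(f"pid {pid}: created={start} exited={end}")
    print("created but no exit record:", sorted(unreaped(evs)))
```

Run against a real log, the tool would read `/var/log/audit/audit.log` (or `ausearch -k procmon --raw` output) instead of SAMPLE_LOG; the parsing is the same. Pids that reappear after a wrap need the timestamp to disambiguate, which is why `lifetimes` keys on pid but carries the creation time alongside.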
