Steve Grubb <[EMAIL PROTECTED]> writes:

> On Wednesday 11 October 2006 16:06, John D. Ramsdell wrote:
> > I plan to write a version of autrace that follows forks.
>
> This is a problem that requires a kernel side implementation.

Do you mean this is a problem that requires a kernel side implementation to do it well? Ptracing the descendants has the downside of changing the behavior of an application due to all the tracing signals, but until a kernel side implementation is available, the ptracing solution seems to me to be the only way to get the audit data we desire. Or do you mean the idea of using ptrace to follow forks is flawed for some reason, and will not work?

One quick question, I notice autrace.c invokes /sbin/auditctl to change audit rules, but shouldn't it be using audit_add_rule and friends instead? I'll implement this change if you want me to.

John

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
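A sketch of the ptrace approach discussed in this message, added here as an illustration and not taken from autrace or from either poster: a tracer that sets the `PTRACE_O_TRACEFORK` family of options so the kernel attaches it to every descendant automatically. The names `workload` and `count_traced_forks` and the fork-chain workload are hypothetical and constructed for the example.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed workload: a chain of `depth` forks, each child forking the next. */
static void workload(int depth) {
    if (depth > 0) {
        pid_t p = fork();
        if (p == 0) workload(depth - 1);
        if (p > 0) waitpid(p, NULL, 0);
    }
    _exit(0);
}

/* Trace a child and all of its descendants; return the number of
 * fork/vfork/clone events observed, or -1 if tracing could not start. */
int count_traced_forks(int depth) {
    int status, forks = 0;
    pid_t pid, child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(127);
        raise(SIGSTOP);               /* park until the tracer sets options */
        workload(depth);
    }
    if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    long opts = PTRACE_O_TRACEFORK | PTRACE_O_TRACEVFORK | PTRACE_O_TRACECLONE;
    if (ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)opts) < 0) {
        kill(child, SIGKILL);
        return -1;
    }
    ptrace(PTRACE_CONT, child, NULL, NULL);

    /* New children are attached automatically; loop until none are left. */
    while ((pid = waitpid(-1, &status, __WALL)) > 0) {
        if (!WIFSTOPPED(status)) continue;       /* a tracee exited */
        long sig = WSTOPSIG(status);
        int event = (status >> 16) & 0xffff;
        if (sig == SIGTRAP && event != 0) {      /* ptrace event stop */
            unsigned long newpid = 0;
            ptrace(PTRACE_GETEVENTMSG, pid, NULL, &newpid);
            printf("pid %d created pid %lu\n", (int)pid, newpid);
            forks++;
            sig = 0;
        } else if (sig == SIGSTOP) {
            sig = 0;   /* initial stop of an auto-attached child */
        }
        ptrace(PTRACE_CONT, pid, NULL, (void *)sig);  /* re-inject real signals */
    }
    return forks;
}

int main(void) { printf("forks seen: %d\n", count_traced_forks(3)); return 0; }
```

Every stop in the loop is a point where a tracee is halted until the tracer resumes it, which is the behavioural side effect the message mentions.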
