Hi, I tried to track which process launches which other programs using the audit mechanism. Eventually I want to write up a tree diagram from the audit logs.

However, auditctl does not work as I expected. I tried to track all fork(2) system calls to record the relationship between ppid and pid for processes with a particular loginuid:

[root@ls3029v0 ~]# auditctl -a task,always -F arch=b64 -S fork -F auid=1234
Error: syscall auditing being added to task list

But it does not work. I also tried to use the 'exit' list, but it seems to me the following rule is ignored (tail -f /var/log/audit/audit.log does not report anything):

[root@ls3029v0 ~]# auditctl -a exit,always -F arch=b64 -S fork

What is the best way to track process invocation history using the audit mechanism?

Thanks,
-- 
KaiGai Kohei <[email protected]>

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit

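Once fork/execve records do land in audit.log, the second half of the task (turning them into a ppid/pid tree) is a small parsing job. The script below is an added example written for this page; it is not code from the original post or from any reply on the list. The sample records are constructed in the standard `type=SYSCALL` layout with invented pids and timestamps, and the syscall numbers (56/57/58 for clone/fork/vfork, 59 for execve) are the x86_64 values that `arch=c000003e` implies. One detail worth building in: a fork record is emitted by the parent, so its `pid=` is the parent and the child's pid is the syscall return value in `exit=`; the child's own `ppid=`/`pid=` pair only shows up on the records it produces later (for example its execve), and `comm=`/`exe=` on a successful execve record already name the new image.

```python
"""Build a parent/child process tree from Linux audit SYSCALL records."""
import re
from collections import defaultdict

# Constructed sample records (not taken from the original post). Layout follows the
# SYSCALL record format; field values are invented for the example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1300000000.101:201): arch=c000003e syscall=57 success=yes exit=4242 a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1 pid=4000 auid=1234 uid=1234 gid=1234 euid=1234 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="proc"
type=SYSCALL msg=audit(1300000000.102:202): arch=c000003e syscall=59 success=yes exit=0 a0=7f0 a1=7f1 a2=7f2 a3=0 items=2 ppid=4000 pid=4242 auid=1234 uid=1234 gid=1234 euid=1234 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="proc"
type=SYSCALL msg=audit(1300000000.103:203): arch=c000003e syscall=57 success=yes exit=4243 a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1 pid=4000 auid=1234 uid=1234 gid=1234 euid=1234 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="proc"
type=SYSCALL msg=audit(1300000000.104:204): arch=c000003e syscall=59 success=yes exit=0 a0=7f0 a1=7f1 a2=7f2 a3=0 items=2 ppid=4000 pid=4243 auid=1234 uid=1234 gid=1234 euid=1234 tty=pts0 ses=3 comm="sleep" exe="/bin/sleep" key="proc"
type=SYSCALL msg=audit(1300000000.105:205): arch=c000003e syscall=59 success=yes exit=0 a0=7f0 a1=7f1 a2=7f2 a3=0 items=2 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="proc"
type=SYSCALL msg=audit(1300000000.106:206): arch=c000003e syscall=57 success=no exit=-11 a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1 pid=4000 auid=1234 uid=1234 gid=1234 euid=1234 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="proc"
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 syscall numbers (arch=c000003e): clone, fork, vfork create a child; execve loads a new image.
FORK_SYSCALLS = {56, 57, 58}
EXECVE_SYSCALL = 59


def parse_record(line):
    """Parse one audit record into a dict of field -> value with quotes stripped."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def build_process_tree(log_text, auid=None):
    """Return (children, info).

    children maps ppid -> sorted list of child pids; info maps pid -> (comm, exe).
    Only successful SYSCALL records are used; auid filters on loginuid when given.
    """
    children = defaultdict(set)
    info = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("success") != "yes":
            continue
        if auid is not None and rec.get("auid") != str(auid):
            continue
        pid, ppid = int(rec["pid"]), int(rec["ppid"])
        syscall = int(rec["syscall"])
        children[ppid].add(pid)
        info.setdefault(pid, (rec.get("comm", "?"), rec.get("exe", "?")))
        if syscall in FORK_SYSCALLS:
            # The record belongs to the parent; the new child's pid is fork's return value.
            child = int(rec["exit"])
            children[pid].add(child)
            # Until it execs, the child runs the same image as its parent.
            info.setdefault(child, info[pid])
        elif syscall == EXECVE_SYSCALL:
            # On a successful execve the record already names the new image.
            info[pid] = (rec.get("comm", "?"), rec.get("exe", "?"))
    return {p: sorted(c) for p, c in children.items()}, info


def render_tree(children, info, root, depth=0):
    """Return indented text lines ('pid comm (exe)') for root and all its descendants."""
    comm, exe = info.get(root, ("?", "?"))
    lines = ["  " * depth + f"{root} {comm} ({exe})"]
    for child in children.get(root, []):
        lines.extend(render_tree(children, info, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree, procs = build_process_tree(SAMPLE_AUDIT_LOG, auid=1234)
    print("\n".join(render_tree(tree, procs, 4000)))
```

Run against a real log, the same functions take `open("/var/log/audit/audit.log").read()` and the `auid` of interest; records from the cron job (auid 4294967295, the unset loginuid) and the failed fork (`success=no`) in the sample are dropped by the filters, which is what keeps the tree limited to one login session.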