On 2023/08/24 22:39, Tetsuo Handa wrote:
>>> (1) Catch _all_ process creations (both via fork()/clone() system calls and
>>> kthread_create() from the kernel), and duplicate the history upon process
>>> creation.
>>
>> Create an audit filter rule to record the syscalls you are interested
>> in logging.
>
> I can't interpret what you are talking about. Please show me using the command
> line.
I'm not interested in logging the syscalls just for maintaining process history information. I want you to explain, using the command line, how we can trace process creation/termination (both via syscalls and via kernel-internal reasons). How can auditd generate logs that are not triggered via syscalls?

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
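As an added example (not part of the thread and not audit-project code), this is the kind of audit filter rule set the quoted "create an audit filter rule" advice refers to, written out as the command line the reply asks for. The key name `proc-lifecycle` and the two arch values are assumptions for an x86_64 box with a 32-bit compat layer; the rules only cover the syscall half of the question, because `kthread_create()` never enters the syscall layer and so cannot match any `-S` rule.

```shell
#!/bin/sh
# Added example: auditctl rules for process creation/termination at the
# syscall layer. Not from the thread; key name and arch list are assumptions.

# Emit, one per line, the auditctl rules that record every syscall that
# creates a task (fork/vfork/clone/clone3 all end in kernel_clone()) and
# every syscall that ends one (exit/exit_group), tagged with a search key.
# Both ABIs are covered so a 32-bit binary on a 64-bit kernel is not missed.
process_lifecycle_rules() {
    key="${1:-proc-lifecycle}"
    for arch in b64 b32; do
        printf -- '-a always,exit -F arch=%s -S fork,vfork,clone,clone3 -k %s\n' "$arch" "$key"
        printf -- '-a always,exit -F arch=%s -S exit,exit_group -k %s\n' "$arch" "$key"
    done
}

# Load the rules into the running kernel. Needs root and auditctl; returns
# non-zero otherwise so the caller can tell nothing was loaded.
# Caveat (certain, not an assumption): kernel threads created through
# kthread_create() make no syscall, so none of these rules ever fire for them;
# a syscall filter cannot see kernel-internal task creation.
apply_process_lifecycle_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v auditctl >/dev/null 2>&1; then
        echo "apply_process_lifecycle_rules: need root and auditctl" >&2
        return 1
    fi
    process_lifecycle_rules "$@" | while read -r rule; do
        # word splitting of $rule is intended: each field is a separate argument
        # shellcheck disable=SC2086
        auditctl $rule || exit 1
    done
}

# Number of rules the set contains; handy for a sanity check against
# `auditctl -l | grep -c proc-lifecycle` after loading.
process_lifecycle_rule_count() {
    process_lifecycle_rules "$@" | grep -c '^-a '
}

# When run directly, just print the rules so they can be reviewed or pasted
# into /etc/audit/rules.d/ before loading; pass --apply to load them.
if [ "${1:-}" = "--apply" ]; then
    apply_process_lifecycle_rules "${2:-proc-lifecycle}"
else
    process_lifecycle_rules "${1:-proc-lifecycle}"
fi
```

After loading, `ausearch -k proc-lifecycle -i` shows the SYSCALL records (with PID, PPID, and exit value) for every fork/clone and exit that went through the syscall entry path; nothing appears for tasks the kernel spawned internally, which is the gap the message above is asking about.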