18 events
when toggle format what by license comment
Jul 9, 2018 at 19:37 history bumped CommunityBot This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
Jun 9, 2018 at 5:19 history bumped CommunityBot This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
May 1, 2018 at 6:46 history bumped CommunityBot This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
Mar 31, 2018 at 23:59 history bumped CommunityBot This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
Feb 28, 2018 at 18:31 history bumped CommunityBot This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
Jan 27, 2018 at 9:35 history bumped CommunityBot This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
Oct 31, 2014 at 10:39 comment added Stéphane Chazelas @Gilles, sounds promising, a POC would be welcome.
Oct 31, 2014 at 0:31 comment added Gilles 'SO- stop being evil' I thought maybe run your program in a specific container, if that's an option for you. If I understand this bug thread correctly, that should work with a kernel ≥3.13. Other than that, I don't see any method other than SELinux and the audit UID. Would the AUID be applicable to your use case?
Oct 30, 2014 at 23:06 history tweeted twitter.com/#!/StackUnix/status/527959673178046464
Oct 30, 2014 at 16:06 comment added Olivier Dulac oops ^^ sorry. But it seems to me you are trying to do what strace does, without using strace? What is your exact need? Why do you need all system calls of all children? (Maybe you are just trying to find out what calls something specific?) And why can't you use strace or a variant thereof? (Apart from the sheer slowdown it induces on the processes.)
Oct 30, 2014 at 16:01 comment added Stéphane Chazelas @OlivierDulac, as I said, it doesn't seem you can match on pgid (or sid).
Oct 30, 2014 at 15:55 comment added Olivier Dulac maybe the topmost parent can be in its own process group ? ( en.wikipedia.org/wiki/Process_group )
Oct 30, 2014 at 15:25 comment added Stéphane Chazelas @OlivierDulac, marking the process in some way (that is inherited by children) is one thing I have in mind. But the list of things audit rules can match on is quite thin (not even sid, pgid...). Maybe the SELinux ones, but I don't know the first thing about SELinux. Maybe process name spaces?
Oct 30, 2014 at 15:20 answer added Olivier Dulac timeline score: 1
Oct 30, 2014 at 15:12 comment added Olivier Dulac a trick you could maybe use (once again, I don't know the specifics of auditd, nor can I try at the moment): specify a specific environment variable when launching the topmost parent, and auditctl all processes having this variable set?
Oct 30, 2014 at 15:09 history edited Stéphane Chazelas CC BY-SA 3.0 added 21 characters in body
Oct 30, 2014 at 15:00 comment added Olivier Dulac omg, omg, omg, Stephane asking a question... (I came here just from the title, thinking strace -s ^^ but then I saw who was asking and immediately knew "he knows that already!")... Stephane, can you maybe: 1) build the list of pids using the "tree" option of ps, 2) launch auditctl(s) on all the pids listed in the tree? (i.e., can you have multiple "pid=...."? or multiple auditctl, each on one?) or the "dumb" way: auditctl everything, and some kind of egrep on the "pid|pid|pid" if they appear on each line?) (caveat: I don't have access to linux atm, so I have no idea how the info appears)
Oct 30, 2014 at 12:35 history asked Stéphane Chazelas CC BY-SA 3.0
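The comments above circle around two routes: make the audit subsystem recognise the tree (pid, auid, SELinux, containers), or do "what strace does" and let a tracer follow every fork itself. The block below is an added example and is not code from the question, the answer or any commenter: a minimal ptrace(2) tracer that runs one command, auto-attaches to every task the tree creates via fork, vfork or clone, and counts system calls per task, which is the core of `strace -f`. The helper names (`is_syscall_stop`, `ptrace_event_of`, `is_new_task_event`, `trace_tree`) and the 1024-task limit are this example's own choices. It is Linux-only and needs ptrace to be permitted (Yama ptrace_scope, container seccomp profiles and the like can refuse it, in which case `trace_tree` returns -1).

```c
/* Added example (not from the question or any commenter): follow a whole
 * process tree with ptrace and count syscalls per task, like `strace -f`. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_TASKS 1024   /* example's own bound on tracked tasks */

struct task { pid_t pid; long syscalls; int in_syscall; int started; };

/* Pure decoders for wait(2) status words, testable without tracing. */

/* With PTRACE_O_TRACESYSGOOD a syscall stop reports SIGTRAP|0x80. */
int is_syscall_stop(int status)
{
    return WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80);
}

/* PTRACE_EVENT_* stops carry the event number in bits 16..23; 0 = none. */
int ptrace_event_of(int status)
{
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP)
        return 0;
    return (status >> 16) & 0xff;
}

int is_new_task_event(int status)
{
    int ev = ptrace_event_of(status);
    return ev == PTRACE_EVENT_FORK || ev == PTRACE_EVENT_VFORK ||
           ev == PTRACE_EVENT_CLONE;
}

static struct task *lookup(struct task *tasks, int *n, pid_t pid)
{
    for (int i = 0; i < *n; i++)
        if (tasks[i].pid == pid)
            return &tasks[i];
    if (*n >= MAX_TASKS)
        return NULL;
    tasks[*n] = (struct task){ .pid = pid };
    return &tasks[(*n)++];
}

/* Run argv under ptrace; return the syscall total for the whole tree, or -1
 * if tracing could not be set up.  Per-task counts go to stderr. */
long trace_tree(char *const argv[])
{
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(127);
        raise(SIGSTOP);              /* let the parent set options first */
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(child, &status, __WALL) < 0 || !WIFSTOPPED(status))
        return -1;
    /* TRACEFORK/VFORK/CLONE auto-attach every new task with the same options,
     * so no descendant escapes; TRACEEXEC avoids the legacy post-execve
     * SIGTRAP; EXITKILL takes the tree down if the tracer dies. */
    long opts = PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEFORK | PTRACE_O_TRACEVFORK |
                PTRACE_O_TRACECLONE | PTRACE_O_TRACEEXEC | PTRACE_O_EXITKILL;
    if (ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)opts) < 0)
        return -1;
    struct task tasks[MAX_TASKS];
    int ntasks = 0;
    lookup(tasks, &ntasks, child)->started = 1;   /* its SIGSTOP is consumed */
    if (ptrace(PTRACE_SYSCALL, child, NULL, NULL) < 0)
        return -1;
    long total = 0;
    for (;;) {
        pid_t pid = waitpid(-1, &status, __WALL);   /* __WALL: threads too */
        if (pid < 0) {
            if (errno == EINTR) continue;
            break;                   /* ECHILD: every task has been reaped */
        }
        struct task *t = lookup(tasks, &ntasks, pid);
        if (!t)
            return -1;
        if (!WIFSTOPPED(status))
            continue;                /* task exited or was killed */
        int sig = 0;
        if (is_syscall_stop(status)) {
            /* enter and exit stops alternate per task; count on entry only */
            if (!t->in_syscall) { t->syscalls++; total++; }
            t->in_syscall = !t->in_syscall;
        } else if (is_new_task_event(status)) {
            unsigned long newpid;    /* child is already attached; just record it */
            if (ptrace(PTRACE_GETEVENTMSG, pid, NULL, &newpid) == 0)
                lookup(tasks, &ntasks, (pid_t)newpid);
        } else if (ptrace_event_of(status) == 0) {
            sig = WSTOPSIG(status);  /* real signal: pass it through ... */
            if (!t->started && sig == SIGSTOP)
                sig = 0;             /* ... except the auto-attach SIGSTOP */
        }
        t->started = 1;
        ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig);
    }
    for (int i = 0; i < ntasks; i++)
        fprintf(stderr, "pid %d: %ld syscalls\n", (int)tasks[i].pid, tasks[i].syscalls);
    return total;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    long n = trace_tree(&argv[1]);
    if (n < 0) { perror("trace_tree"); return 1; }
    printf("total syscalls across the tree: %ld\n", n);
    return 0;
}
```

Build with `cc -O2 -o tracetree tracetree.c` and run `./tracetree sh -c 'ls | wc -l'`; every task the shell forks shows up in the per-pid summary without any rule matching on pid, pgid or sid, because attachment is inherited through the ptrace options rather than looked up afterwards. The price is the one Olivier mentions: every syscall entry and exit becomes two context switches into the tracer, so this is a debugging tool, not a low-overhead audit source.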