Timeline for How to log all system calls made by a process and all its descendants with auditd
Current License: CC BY-SA 3.0
4 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Oct 30, 2014 at 15:29 | comment added | Olivier Dulac | | (my last comment doesn't solve the pb for very short-lived processes... this may need something at the kernel level itself, and I don't know enough to tell you if something exists for that. May be worth a question on the kernel mailing lists) |
| Oct 30, 2014 at 15:28 | comment added | Olivier Dulac | | all valid points... Then I believe that what you want is probably a "most wanted" feature, and therefore could already be present at the auditctl level (but it certainly doesn't appear right now in the manpage): it may have to be proposed (or... written) for a future version. I don't recall some way to "follow a tree" of processes... but you could maybe implement one by 1) having some script do regular "ps -T" equivalents, 2) another script kills the 1st one as soon as the pid dies, 3) each time the list of pids from 1) changes, add/remove the auditctl for those pids? (not too hard to do) |
| Oct 30, 2014 at 15:22 | comment added | Stéphane Chazelas | | Thanks, but that doesn't cover "future" children, and running that in a loop frequently won't cover short-lived processes. And pid re-use would cause a problem as well. |
| Oct 30, 2014 at 15:20 | history answered | Olivier Dulac | CC BY-SA 3.0 | |