Suggestions based on my experiences so far
Stephen Smalley
sds at epoch.ncsc.mil
Fri Jan 28 12:20:55 UTC 2005
On Thu, 2005-01-27 at 19:04, Avishay Traeger wrote:
> 2. The name of the process (or command) which invoked the system call is
> not logged (tsk->comm).
tsk->comm isn't reliable, but they could include the executable
information, as SELinux does in its audit messages (when possible). See
security/selinux/avc.c:avc_audit, which in turn derived this particular
code from fs/proc/base.c:proc_exe_link (i.e. it shows the same
information you get from ls -l /proc/<pid>/exe).
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
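The point above, that tsk->comm is self-reported while /proc/&lt;pid&gt;/exe is resolved by the kernel from the mapped executable, can be checked from userspace. The following C program is an added example, not code from this thread or from the SELinux or audit subsystems; it assumes a Linux host with procfs mounted, and the name "constructed-nm" is a constructed sample value. It reads both fields for a process, shows that a process can rewrite its own comm (prctl PR_SET_NAME) without /proc/&lt;pid&gt;/exe following, and offers a small mismatch check of the kind an audit consumer might apply when a record carries both fields.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/types.h>

/* Read /proc/<pid>/comm (the kernel's tsk->comm) into buf, stripping the
 * trailing newline. Returns 0 on success, -1 on failure. */
int read_comm(pid_t pid, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/comm", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(buf, (int)len, f)) { fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Resolve /proc/<pid>/exe, the same path proc_exe_link exposes to
 * "ls -l /proc/<pid>/exe". Returns 0 on success, -1 on failure. */
int read_exe(pid_t pid, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
    ssize_t n = readlink(path, buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Last path component of the executable, for comparison against comm. */
static const char *exe_basename(const char *exe)
{
    const char *s = strrchr(exe, '/');
    return s ? s + 1 : exe;
}

/* The kernel initialises comm from the basename of the exec'd filename,
 * truncated to 15 bytes, so a disagreement between comm and the exe's
 * basename is a signal worth recording (a symlinked interpreter also
 * produces one, so it is a signal, not proof). Returns 1 on mismatch,
 * 0 on agreement, -1 if either field could not be read. */
int comm_exe_mismatch(pid_t pid)
{
    char comm[64], exe[4096];
    if (read_comm(pid, comm, sizeof comm) < 0) return -1;
    if (read_exe(pid, exe, sizeof exe) < 0) return -1;
    return strncmp(comm, exe_basename(exe), 15) != 0;
}

/* Shows why an audit record should carry the exe path rather than comm
 * alone: the process rewrites its own comm, but /proc/<pid>/exe, which the
 * kernel derives from the mapped executable, stays the same.
 * Returns 1 if comm changed while exe did not, 0 otherwise, -1 on error.
 * "constructed-nm" is a constructed sample name (PR_SET_NAME allows 15 bytes). */
int demo_comm_is_self_reported(void)
{
    char exe_before[4096], exe_after[4096], comm[64];
    if (read_exe(getpid(), exe_before, sizeof exe_before) < 0) return -1;
    if (prctl(PR_SET_NAME, "constructed-nm", 0, 0, 0) != 0) return -1;
    if (read_comm(getpid(), comm, sizeof comm) < 0) return -1;
    if (read_exe(getpid(), exe_after, sizeof exe_after) < 0) return -1;
    return strcmp(comm, "constructed-nm") == 0 &&
           strcmp(exe_before, exe_after) == 0;
}

int main(void)
{
    char comm[64], exe[4096];
    printf("comm rewritable while exe fixed: %d\n", demo_comm_is_self_reported());
    if (read_comm(getpid(), comm, sizeof comm) == 0 &&
        read_exe(getpid(), exe, sizeof exe) == 0)
        printf("comm=%s exe=%s mismatch=%d\n", comm, exe,
               comm_exe_mismatch(getpid()));
    return 0;
}
```

Run stand-alone, the program prints its own comm and exe after the rename and flags the mismatch. For an audit consumer the practical reading is the one in the reply above: log the exe path (the information behind /proc/&lt;pid&gt;/exe) alongside comm, treat comm as informational, and key any correlation on the executable path, not the name.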