An autrace that follows forks

John D. Ramsdell ramsdell at mitre.org
Thu Oct 12 10:51:38 UTC 2006


Steve Grubb <sgrubb at redhat.com> writes:

> On Wednesday 11 October 2006 16:06, John D. Ramsdell wrote:
> > I plan to write a version of autrace that follows forks.
> 
> This is a problem that requires a kernel side implementation.

Do you mean this is a problem that requires a kernel side
implementation to do it well?  Ptracing the descendants has the down
side of changing the behavior of an application due to all the tracing
signals, but until a kernel side implementation is available, the
ptracing solution seems to me to be the only way to get the audit data
we desire.  Or do you mean the idea of using ptrace to follow forks is
flawed for some reason, and will not work?

One quick question, I notice autrace.c invokes /sbin/auditctl to
change audit rules, but shouldn't it be using audit_add_rule and
friends instead?  I'll implement this change if you want me to.

John
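The ptrace-based approach the reply describes, following fork descendants from user space while absorbing the tracing stops that would otherwise change the application's behaviour, as an added example that is not part of the original message or of autrace; the fork-chain workload and the tracee cap are constructed for the demo:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>
#define MAX_TRACEES 64
/* Record pid if unseen; returns 1 when it is a newly seen process. */
static int note_pid(pid_t *pids, int *n, pid_t pid)
{
    for (int i = 0; i < *n; i++) if (pids[i] == pid) return 0;
    if (*n < MAX_TRACEES) pids[(*n)++] = pid;
    return 1;
}
/* Trace a child that forks a chain of `depth` descendants; PTRACE_O_TRACEFORK and
 * friends make the kernel attach each new process to this tracer automatically.
 * Returns the number of distinct processes traced (depth + 1), or -1 on error. */
int trace_process_tree(int depth)
{
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(127);
        raise(SIGSTOP);                         /* wait until the tracer has set options */
        for (int i = 0; i < depth; i++) {       /* constructed workload: a fork chain */
            pid_t p = fork();
            if (p > 0) { waitpid(p, NULL, 0); break; }
        }
        _exit(0);
    }
    int status;
    if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    long opts = PTRACE_O_TRACEFORK | PTRACE_O_TRACEVFORK | PTRACE_O_TRACECLONE;
    if (ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)opts) < 0) return -1;
    pid_t pids[MAX_TRACEES]; int seen = 0, live = 1;
    note_pid(pids, &seen, child);
    if (ptrace(PTRACE_CONT, child, NULL, NULL) < 0) return -1;
    while (live > 0) {
        pid_t pid = waitpid(-1, &status, __WALL);    /* __WALL: clone children too */
        if (pid < 0) { if (errno == EINTR) continue; return -1; }
        if (note_pid(pids, &seen, pid)) live++;      /* a kernel-attached descendant */
        if (WIFEXITED(status) || WIFSIGNALED(status)) { live--; continue; }
        /* Fork/clone event stops (SIGTRAP) and a descendant's initial SIGSTOP are
         * tracing artifacts: resume without delivering them to the workload. */
        int sig = WSTOPSIG(status);
        if (sig == SIGTRAP || sig == SIGSTOP) sig = 0;
        if (ptrace(PTRACE_CONT, pid, NULL, (void *)(long)sig) < 0 && errno != ESRCH) return -1;
    }
    return seen;
}
```

A production tracer would read the new pid with PTRACE_GETEVENTMSG at the fork event instead of waiting for the descendant's first stop, so a descendant that has not yet stopped when its parent exits is never lost.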
