Using Audit to create a realtime process creation monitor
Steve Grubb
sgrubb at redhat.com
Wed Oct 29 17:01:57 UTC 2008
On Friday 24 October 2008 18:43:34 Bruno Gustavo Wallauer wrote:
> I'm working on a system that needs a realtime process creation tool
> (using C programming), getting the pid ppid and path of the process.
Should be possible, but it requires a kernel patch to really be right. I think
the patch is landing in the RHEL5.3 kernel and 2.6.28. What it does is give
2 event records on fork/clone.
> I've been trying to use the audit subsystem to do this, but no matter
> which way I tried, so far I hadn't been successful.
>
> I've tried these for task creation:
>
> - auditctl -a entry,always -S fork -S vfork -S clone
> This way I can't know the pid of the new process, just the
> caller;
This rule should do it. That is what the kernel patch fixes. You would get 2
records now. This was fixed under bz#461831.
> And this for task destruction:
>
> - auditctl -a entry,always -S exit -S exit_group
> Works most of the time, but doesn't catch "killall sshd"
> (doesn't get the "sshd is dying" part).
Some tasks exit in a strange way. Have you tried stracing sshd to see how it
exits?
-Steve
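As an added example (not part of the thread, and not code from the audit project), here is the user-space half of the monitor Bruno describes, in Python rather than C so it can be run against sample data offline: it parses SYSCALL records produced by the two rules above, turns a successful fork/vfork/clone into a "create" event whose child pid is taken from the record's exit= field (the syscall return value in the caller), turns exit/exit_group into an "exit" event for the caller, and keeps a live pid -> (ppid, exe) table. The sample records, the syscall-number table (x86_64) and the audit keys proc_create/proc_exit are constructed for this example; the record layout follows what auditd writes, but check field names against your own audit.log.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# x86_64 syscall numbers for the calls the rules in the thread watch
# (constructed table for this example; confirm with `ausyscall` or
# /usr/include/asm/unistd_64.h on the monitored host).
SYSCALL_NAMES = {56: "clone", 57: "fork", 58: "vfork", 60: "exit", 231: "exit_group"}
CREATE_CALLS = {"fork", "vfork", "clone"}

# One key=value token: the value is either double-quoted or runs to whitespace.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SERIAL = re.compile(r'audit\(\d+\.\d+:(\d+)\)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record line into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


@dataclass(frozen=True)
class ProcEvent:
    kind: str            # "create" or "exit"
    pid: int             # the process being created or destroyed
    ppid: int            # its parent
    exe: Optional[str]   # best-known path for it at this point (see feed)
    serial: int          # audit event serial, for correlating related records


class ProcessMonitor:
    """Turn SYSCALL records for fork/vfork/clone and exit/exit_group into
    create/exit events and keep a live pid -> (ppid, exe) table."""

    def __init__(self) -> None:
        self.table: Dict[int, Tuple[int, Optional[str]]] = {}

    def feed(self, line: str) -> Optional[ProcEvent]:
        f = parse_record(line)
        if f.get("type") != "SYSCALL":
            return None            # CWD, PATH, EOE etc. carry nothing needed here
        name = SYSCALL_NAMES.get(int(f.get("syscall", -1)))
        if name is None:
            return None
        caller_pid, caller_ppid = int(f["pid"]), int(f["ppid"])
        serial = int(_SERIAL.search(f["msg"]).group(1))
        exe = f.get("exe")

        if name in CREATE_CALLS:
            # The caller's record reports the syscall return value in exit=,
            # which for a successful fork/clone is the new child's pid.
            if f.get("success") != "yes":
                return None        # failed fork: no new process to track
            child = int(f["exit"])
            # Until the child calls execve it runs the parent's image, so the
            # parent's exe= is the path we have for it at creation time.
            self.table[child] = (caller_pid, exe)
            return ProcEvent("create", child, caller_pid, exe, serial)

        # exit/exit_group never return, so their record carries no usable
        # success=/exit= pair; the dying process is the caller itself.
        self.table.pop(caller_pid, None)
        return ProcEvent("exit", caller_pid, caller_ppid, exe, serial)


# Constructed sample records, in the layout auditd writes for
#   auditctl -a entry,always -S fork -S vfork -S clone -k proc_create
#   auditctl -a entry,always -S exit -S exit_group -k proc_exit
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1225299717.101:2001): arch=c000003e syscall=56 '
    'success=yes exit=4102 a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1 pid=4100 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="proc_create"',
    'type=CWD msg=audit(1225299717.101:2001): cwd="/"',
    # a fork that failed with EAGAIN (-11): there is no child to track
    'type=SYSCALL msg=audit(1225299717.150:2002): arch=c000003e syscall=57 '
    'success=no exit=-11 a0=0 a1=0 a2=0 a3=0 items=0 ppid=4100 pid=4102 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="proc_create"',
    'type=SYSCALL msg=audit(1225299717.900:2003): arch=c000003e syscall=231 '
    'a0=0 a1=0 a2=0 a3=0 items=0 ppid=4100 pid=4102 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="proc_exit"',
]


def run(lines):
    """Feed records through one monitor; return it and the events in order."""
    mon = ProcessMonitor()
    events = [e for e in (mon.feed(ln) for ln in lines) if e is not None]
    return mon, events


if __name__ == "__main__":
    # Realtime use:  tail -f /var/log/audit/audit.log | python3 procmon.py -
    src = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_LOG
    mon = ProcessMonitor()
    for line in src:
        ev = mon.feed(line)
        if ev:
            print(f"{ev.kind:6} pid={ev.pid} ppid={ev.ppid} exe={ev.exe} (serial {ev.serial})")
```

Run without arguments it processes the constructed sample and reports one create (pid 4102, parent 4100) and one exit; with "-" it reads records from stdin, so it can follow audit.log or sit behind an audispd plugin. The path reported at creation time is the parent's, which is all a fork/clone record can give; watching execve as well is what fills in the child's own path later.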