How to track process invocation history using audit

Kohei KaiGai kaigai at kaigai.gr.jp
Mon Jun 20 15:51:10 UTC 2011


Hi,

I tried to track what process launches what other programs using the audit
mechanism.
Then I want to write up a tree diagram from the audit logs eventually.

However, auditctl does not work as I expected.

I tried to track all fork(2) system calls to record the relationship
between ppid and pid
on processes with a particular loginuid.

  [root at ls3029v0 ~]# auditctl -a task,always -F arch=b64 -S fork -F auid=1234
  Error: syscall auditing being added to task list

But it does not work.
I also tried to use the 'exit' list, but it seems to me the following rule
is ignored.
(tail -f /var/log/audit/audit.log does not report anything.)

  [root at ls3029v0 ~]# auditctl -a exit,always -F arch=b64 -S fork

What is the best way to track process invocation history using the audit mechanism?

Thanks,
-- 
KaiGai Kohei <kaigai at kaigai.gr.jp>
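Added example, not part of the original post or of the audit project. Two things explain the observed behaviour: the `task` list accepts only field filters (uid, gid, auid, ...), which is what the "syscall auditing being added to task list" error is saying, so syscall rules belong on the `exit` list; and on x86_64 glibc implements fork(3) on top of clone(2), so a rule that matches only `-S fork` sees nothing from ordinary programs. Auditing `clone,fork,vfork` plus `execve` on the `exit` list, keyed so the records can be pulled back with `ausearch -k procs --raw`, gives enough to rebuild the parent/child tree: an execve record carries `pid`/`ppid`/`exe` of the new image, and a successful clone record carries the parent in `pid` and the child in `exit`. The script below parses such records and renders the tree. The log lines are constructed to match the audit.log wire format (the `_rec` helper, the key name `procs`, and auid 1234 are assumptions for the example).

```python
"""Rebuild a process invocation tree from Linux audit SYSCALL records.

Rules assumed to be loaded (auditctl syntax, x86_64), keyed "procs":
  auditctl -a always,exit -F arch=b64 -S execve -F auid=1234 -k procs
  auditctl -a always,exit -F arch=b64 -S clone,fork,vfork -F auid=1234 -k procs
Feed this script the output of:  ausearch -k procs --raw
"""
import re

# x86_64 syscall numbers for the calls the rules above record.
X86_64_SYSCALLS = {56: "clone", 57: "fork", 58: "vfork", 59: "execve"}
X86_64_ARCH = "c000003e"

# key=value pairs; values may be double-quoted (comm, exe, key).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict; return None unless it is a SYSCALL record."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return fields if fields.get("type") == "SYSCALL" else None


def build_tree(lines):
    """Return (parent_of, image): pid -> parent pid, and pid -> exec'd path or None."""
    parent_of, image = {}, {}
    for line in lines:
        rec = parse_record(line)
        # Skip non-syscall records, failed calls, and foreign arch (numbers differ).
        if rec is None or rec.get("success") != "yes" or rec.get("arch") != X86_64_ARCH:
            continue
        name = X86_64_SYSCALLS.get(int(rec["syscall"]))
        pid = int(rec["pid"])
        if name == "execve":
            # The record describes the process that just replaced its image.
            parent_of[pid] = int(rec["ppid"])
            image[pid] = rec.get("exe") or rec.get("comm", "?")
        elif name in ("clone", "fork", "vfork"):
            # In the parent's record, exit= is the new child's pid.
            child = int(rec["exit"])
            parent_of[child] = pid
            image.setdefault(child, None)   # may later be filled by its execve
    return parent_of, image


def roots(parent_of):
    """Pids whose parent was never recorded (e.g. the login shell's parent)."""
    return sorted(pid for pid, pp in parent_of.items() if pp not in parent_of)


def render_tree(parent_of, image, root, depth=0):
    """Indented text tree, children ordered by pid."""
    label = image.get(root) or "(forked, no execve seen)"
    out = ["  " * depth + f"{root} {label}"]
    for child in sorted(p for p, pp in parent_of.items() if pp == root):
        out.extend(render_tree(parent_of, image, child, depth + 1))
    return out


def _rec(seq, nr, ret, ppid, pid, comm, exe, ok="yes"):
    """Constructed x86_64 SYSCALL record in audit.log format (sample data, not a real log)."""
    return (f"type=SYSCALL msg=audit(1308584000.{seq:03d}:{500 + seq}): arch={X86_64_ARCH} "
            f"syscall={nr} success={ok} exit={ret} a0=0 a1=0 a2=0 a3=0 items=0 "
            f"ppid={ppid} pid={pid} auid=1234 uid=1234 gid=1234 euid=1234 suid=1234 "
            f"fsuid=1234 egid=1234 sgid=1234 fsgid=1234 tty=pts0 ses=1 "
            f'comm="{comm}" exe="{exe}" key="procs"')


# Constructed sample: bash(1300) runs make(1301), which runs gcc(1302); bash also
# forks a subshell (1303) that never execs, and one fork fails with EAGAIN.
SAMPLE_LOG = [
    _rec(1, 59, 0, 1200, 1300, "bash", "/bin/bash"),           # login shell execve
    'type=PATH msg=audit(1308584000.001:501): item=0 name="/bin/bash" inode=1 dev=fd:01',
    _rec(2, 56, 1301, 1200, 1300, "bash", "/bin/bash"),        # bash clone -> 1301
    _rec(3, 59, 0, 1300, 1301, "make", "/usr/bin/make"),       # 1301 execve make
    _rec(4, 56, 1302, 1300, 1301, "make", "/usr/bin/make"),    # make clone -> 1302
    _rec(5, 59, 0, 1301, 1302, "gcc", "/usr/bin/gcc"),         # 1302 execve gcc
    _rec(6, 56, 1303, 1200, 1300, "bash", "/bin/bash"),        # subshell, no execve
    _rec(7, 56, -11, 1200, 1300, "bash", "/bin/bash", ok="no"),  # failed fork, ignored
]

if __name__ == "__main__":
    parents, images = build_tree(SAMPLE_LOG)
    for r in roots(parents):
        print("\n".join(render_tree(parents, images, r)))
```

Run against real data, replace `SAMPLE_LOG` with `sys.stdin` fed by `ausearch -k procs --raw`. Pids are reused over time, so on a long-lived system key nodes by (pid, first-seen timestamp) rather than bare pid; the sample keeps bare pids for readability. Threads created with CLONE_THREAD also show up as clone records and will appear as children unless filtered on the clone flags in `a0`.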
