Identifying thread/process termination
Lenny Bruzenak
lenny at magitekltd.com
Thu Oct 8 15:33:08 UTC 2020
On 10/7/20 7:27 PM, Paul Moore wrote:
> Almost everywhere in the kernel we record the TGID for the "pid="
> values and not the actual task/thread ID. That decision was made
> before my heavy involvement with audit, but my guess is that most
> audit users are focused more on security relevant events at the
> process level, not the thread level. After all, there isn't really
> much in the way of significant boundaries between threads.
That's right, Paul. The process (exe/comm) is the discriminator from a
security perspective.
LCB
--
Lenny Bruzenak
MagitekLTD
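A small added example (not part of this thread or of the audit project) that makes Paul's point concrete: the pid= field of a SYSCALL record carries the thread-group ID, the value getpid() returns in every thread, so correlating a record with a thread requires its TGID rather than its gettid() value. The audit record below is constructed for the example, not a real capture (syscall=231 is exit_group on x86_64, a process-termination event); the helper names and the use of /proc/<tid>/status to map a thread ID back to its TGID are this example's own choices.

```python
import os
import re
import threading

# Constructed sample record (not a real capture). In an audit SYSCALL record
# the pid= field holds the thread-group ID (TGID), the value getpid() returns,
# not the ID of the individual thread that made the system call.
SAMPLE_RECORD = (
    "type=SYSCALL msg=audit(1602170000.123:456): arch=c000003e syscall=231 "
    "success=yes exit=0 a0=0 ppid=1 pid=4242 auid=1000 uid=1000 "
    "comm=\"worker\" exe=\"/usr/bin/worker\" key=(null)"
)

# Matches "pid=" but not the "pid=" inside "ppid=".
PID_FIELD = re.compile(r"(?<![a-z])pid=(\d+)")


def audit_pid(record):
    """Return the pid= value (the TGID) of a SYSCALL record, or None."""
    m = PID_FIELD.search(record)
    return int(m.group(1)) if m else None


def tgid_of(tid):
    """Resolve a kernel thread ID to its TGID via /proc/<tid>/status.

    Linux only; /proc/<tid> exists for any live thread even though only
    thread-group leaders are listed in /proc. Returns None elsewhere.
    """
    try:
        with open(f"/proc/{tid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def observe_thread_ids():
    """Spawn a worker thread and collect the identifiers it sees while alive."""
    seen = {}

    def worker():
        seen["tid"] = threading.get_native_id()   # kernel thread ID (gettid())
        seen["getpid"] = os.getpid()              # TGID, identical in every thread
        seen["proc_tgid"] = tgid_of(seen["tid"])  # None off Linux

    t = threading.Thread(target=worker)
    t.start()
    t.join()
    seen["tgid"] = os.getpid()  # main thread: its thread ID is the TGID
    return seen


def make_record(tgid):
    """Build a constructed record whose pid= is the given TGID."""
    return SAMPLE_RECORD.replace("pid=4242", f"pid={tgid}")


def record_refers_to(record, ids):
    """Report which identifier of the observed worker thread pid= agrees with."""
    pid = audit_pid(record)
    return {"matches_tgid": pid == ids["tgid"], "matches_tid": pid == ids["tid"]}


if __name__ == "__main__":
    ids = observe_thread_ids()
    rec = make_record(ids["tgid"])
    print(ids)
    print(record_refers_to(rec, ids))
```

The practical consequence for log consumers: a thread ID obtained from another source (a crash dump, ps -L, a tracer) will not match pid= directly; map it to its TGID first, as tgid_of does, and compare that.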