[PATCH v2] TaskTracker : Simplified thread information tracker.

Paul Moore paul at paul-moore.com
Mon Aug 7 20:13:16 UTC 2023


On Mon, Aug 7, 2023 at 3:03 PM Steve Grubb <sgrubb at redhat.com> wrote:
> On Monday, August 7, 2023 2:53:40 PM EDT Paul Moore wrote:
> > On Sun, Aug 6, 2023 at 9:05 AM Tetsuo Handa <penguin-kernel at i-love.sakura.ne.jp> wrote:
> > > When an unexpected system event occurs, the administrator may want to
> > > identify which application triggered the event. For example, unexpected
> > > process termination is still a concern real enough to write articles
> > > like https://access.redhat.com/solutions/165993 . TaskTracker is a
> > > trivial LSM module which emits TOMOYO-like information into the audit
> > > logs for better understanding of unexpected system events.
> >
> > Help me understand why all of this information isn't already available
> > via some combination of Audit and TOMOYO, or simply audit itself?
>
> Usually when you want this kind of information, you are investigating an
> incident. You wouldn't place a syscall audit for every execve and then
> reconstruct the call chain from that. In the case of long running daemons,
> the information could have been rotated away. But typically you want to see
> what the entry point is. A sudden shell from bind would be suspicious while a
> shell from sshd is not.

Once again, why not use the existing audit and/or TOMOYO capabilities.

-- 
paul-moore.com
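For comparison, here is what the audit-only approach that Paul is asking about and Steve is describing looks like in practice: log every execve with a syscall rule, then rebuild the process ancestry from the pid/ppid fields to find the entry point of a shell. This is an added example for this thread, not code from TaskTracker, TOMOYO or the audit user-space. It assumes a rule such as `-a always,exit -F arch=b64 -S execve -k exec` is loaded, that the records are x86_64 (arch=c000003e, syscall=59), and it uses a constructed, trimmed sample log; the shell list and the set of "trusted" entry points are hypothetical policy, not anything from the thread.

```python
"""Reconstruct process ancestry from auditd execve SYSCALL records.

Added example; not part of TaskTracker, TOMOYO or audit user-space.
Assumes an audit rule like
    -a always,exit -F arch=b64 -S execve -k exec
so that every execve yields a SYSCALL record carrying pid, ppid, comm, exe.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EXECVE_X86_64 = 59  # execve syscall number for arch=c000003e (x86_64)

# Hypothetical policy: shells we care about, and top-level services
# (direct children of pid 1) under which a shell is considered normal.
SHELLS = {"bash", "sh", "dash", "zsh"}
TRUSTED_ENTRY_POINTS = {"sshd", "login", "systemd", "cron", "crond"}

# Constructed sample records (not from a real system). Layout mirrors auditd
# SYSCALL records with unneeded fields trimmed. Real sshd/named trees contain
# forked helper processes, so real chains are longer than these.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1691438500.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=700 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="exec"
type=SYSCALL msg=audit(1691438500.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=800 auid=4294967295 uid=25 comm="named" exe="/usr/sbin/named" key="exec"
type=SYSCALL msg=audit(1691438600.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=700 pid=1500 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1691438700.400:104): arch=c000003e syscall=59 success=yes exit=0 ppid=800 pid=1600 auid=4294967295 uid=25 comm="sh" exe="/usr/bin/dash" key="exec"
type=SYSCALL msg=audit(1691438700.500:105): arch=c000003e syscall=59 success=yes exit=0 ppid=1600 pid=1601 auid=4294967295 uid=25 comm="curl" exe="/usr/bin/curl" key="exec"
type=SYSCALL msg=audit(1691438700.600:106): arch=c000003e syscall=2 success=yes exit=3 ppid=1600 pid=1601 auid=4294967295 uid=25 comm="curl" exe="/usr/bin/curl" key="files"
"""

# key=value pairs; values are either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class ExecRecord:
    serial: int
    pid: int
    ppid: int
    comm: str
    exe: str


def parse_fields(line: str) -> Dict[str, str]:
    """Split one audit record into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def parse_execve_records(text: str) -> List[ExecRecord]:
    """Keep only successful execve SYSCALL records, in log order."""
    records: List[ExecRecord] = []
    for line in text.splitlines():
        f = parse_fields(line)
        if f.get("type") != "SYSCALL" or f.get("success") != "yes":
            continue
        if int(f.get("syscall", -1)) != EXECVE_X86_64:
            continue
        # msg looks like audit(1691438500.100:101): ; the serial is after ':'
        serial = int(f["msg"].split(":")[1].rstrip("):"))
        records.append(ExecRecord(serial, int(f["pid"]), int(f["ppid"]),
                                  f["comm"], f["exe"]))
    return records


def build_process_table(records: List[ExecRecord]) -> Dict[int, ExecRecord]:
    """Latest exec wins per pid, since execve replaces the process image.
    Caveat: pids are recycled; a production tool should key on (pid, time)."""
    table: Dict[int, ExecRecord] = {}
    for r in records:
        table[r.pid] = r
    return table


def ancestry(pid: int, table: Dict[int, ExecRecord]) -> List[Tuple[int, str]]:
    """Walk pid -> ppid while an exec record for the parent still exists.
    If the parent's record was rotated away, the chain stops early: that is
    the rotation problem Steve mentions."""
    chain: List[Tuple[int, str]] = []
    seen = set()
    cur = pid
    while cur in table and cur not in seen:
        seen.add(cur)
        chain.append((cur, table[cur].comm))
        cur = table[cur].ppid
    return chain


def entry_point(pid: int, table: Dict[int, ExecRecord]) -> Optional[str]:
    """comm of the outermost known ancestor, i.e. the service the chain entered through."""
    chain = ancestry(pid, table)
    return chain[-1][1] if chain else None


def find_suspicious_shells(records: List[ExecRecord],
                           table: Dict[int, ExecRecord]) -> List[Tuple[int, Optional[str], List[str]]]:
    """Flag shells whose entry point is not a service we expect to spawn shells."""
    flagged = []
    for r in records:
        if r.comm not in SHELLS:
            continue
        entry = entry_point(r.pid, table)
        if entry not in TRUSTED_ENTRY_POINTS:
            flagged.append((r.pid, entry, [c for _, c in ancestry(r.pid, table)]))
    return flagged


if __name__ == "__main__":
    recs = parse_execve_records(SAMPLE_AUDIT_LOG)
    tbl = build_process_table(recs)
    for pid, entry, chain in find_suspicious_shells(recs, tbl):
        print(f"pid {pid}: shell entered via {entry}: {' <- '.join(chain)}")
```

On the constructed sample, the bash under sshd is left alone and the sh under named is reported with its chain, which is the "shell from bind vs. shell from sshd" distinction from the quoted reply. The two weaknesses are visible in the code: the table is keyed on pid alone, and a chain silently stops when an ancestor's execve record is no longer in the log.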
