Suggestions based on my experiences so far

Valdis.Kletnieks at vt.edu
Fri Jan 28 06:59:13 UTC 2005


On Thu, 27 Jan 2005 19:04:26 EST, Avishay Traeger said:

> 2. The name of the process (or command) which invoked the system call is
> not logged (tsk->comm).  I think it would not only be good to know
> exactly what invoked it, but to know if the process associated with a
> particular PID changes (if process P1 has PID N, invokes some system
> calls, exits, and then process P2 gets PID N, invokes other system
> calls, then P1 and P2 will be indistinguishable).

You need to keep track of process exit()s.  Logging tsk->comm doesn't buy
you anything - if I'm having a hard time getting a clean compile of a self-patched
kernel (and thus end up doing rm -r/untar/patch/make oldconfig/make several times),
there's actually a *good* chance that if process 23948 was 'cc1' last time,
that after the 5th or 6th build I'll hit 23948 again and it will be 'cc1' again.
(I'm showing a kernel build as doing a *lot* of 'gcc -c' calls, and those seem
to only generate 3 processes - a 'gcc', a 'cc1', and an 'as' - so you're really
looking at close to 1-in-3 odds)...
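The PID-reuse problem discussed above, shown as an added example that is not part of this thread or of the audit subsystem's own code. It uses a small constructed stream of audit-style records (the field names and the event shape are assumptions, not real audit log output) and contrasts attributing syscalls by PID alone with attributing them per process instance, where an exit event closes the instance and a later reuse of the same PID opens a new one. Both instances carry the same comm ("cc1"), so comm alone does not separate them; only the exit tracking does.

```python
from dataclasses import dataclass, field

# Constructed audit-style events (not real audit output): two distinct 'cc1'
# processes run one after the other and both receive PID 23948, as in the
# repeated-kernel-build scenario. Each record has a timestamp, a type, a pid
# and, for syscalls, the command name and the syscall.
EVENTS = [
    {"ts": 1.00, "type": "SYSCALL", "pid": 23948, "comm": "cc1", "syscall": "open"},
    {"ts": 1.01, "type": "SYSCALL", "pid": 23948, "comm": "cc1", "syscall": "read"},
    {"ts": 1.02, "type": "EXIT",    "pid": 23948},
    {"ts": 2.00, "type": "SYSCALL", "pid": 23948, "comm": "cc1", "syscall": "open"},
    {"ts": 2.01, "type": "SYSCALL", "pid": 23948, "comm": "cc1", "syscall": "write"},
    {"ts": 2.02, "type": "EXIT",    "pid": 23948},
    {"ts": 2.03, "type": "SYSCALL", "pid": 104,   "comm": "as",  "syscall": "write"},
]


@dataclass
class ProcessInstance:
    """One lifetime of a pid: everything between two exits of that pid."""
    pid: int
    generation: int          # number of exits of this pid seen before it started
    comm: str
    syscalls: list = field(default_factory=list)


def attribute_by_pid(events):
    """Naive attribution: key every syscall by pid alone.

    When a pid is reused, the syscalls of the old and the new process land in
    the same bucket and the two processes become indistinguishable.
    """
    by_pid = {}
    for ev in events:
        if ev["type"] == "SYSCALL":
            by_pid.setdefault(ev["pid"], []).append(ev["syscall"])
    return by_pid


def attribute_with_exit_tracking(events):
    """Attribution that uses exit events to split a pid into instances.

    An EXIT record closes the live instance for that pid and bumps its
    generation counter; the next syscall on the same pid starts a fresh
    instance. An EXIT for a pid never seen before is harmless: it only
    advances the counter.
    """
    generation = {}   # pid -> number of exits observed so far
    live = {}         # pid -> ProcessInstance currently running
    instances = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["type"] == "EXIT":
            generation[pid] = generation.get(pid, 0) + 1
            live.pop(pid, None)
            continue
        inst = live.get(pid)
        if inst is None:
            inst = ProcessInstance(pid, generation.get(pid, 0), ev["comm"])
            live[pid] = inst
            instances.append(inst)
        inst.syscalls.append(ev["syscall"])
    return instances


if __name__ == "__main__":
    print("by pid only:", attribute_by_pid(EVENTS))
    for inst in attribute_with_exit_tracking(EVENTS):
        print(f"pid {inst.pid} gen {inst.generation} comm {inst.comm}: {inst.syscalls}")
```

With exit tracking, the stream yields two instances for PID 23948 (generation 0 and generation 1) plus one for PID 104; without it, PID 23948 shows a single merged list of four syscalls. In a real pipeline the generation counter (or the instance start time) is what a log consumer would carry alongside the PID as the process identity.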

