
Using Audit to create a realtime process creation monitor



Hi All,

I'm working on a system that needs a realtime process creation tool
(using C programming), getting the pid, ppid and path of the process.

I've been trying to use the audit subsystem to do this, but no matter
which way I tried, so far I haven't been successful.

I've tried these for task creation:

    - auditctl -a entry,always -S fork -S vfork -S clone
            This way I can't know the pid of the new process, just the caller;
    - auditctl -a entry,always -S brk -F 'a0=0'
            This way works most of the time, but creates duplicated entries;
    - auditctl -a task,always
            With this I get _a lot_ of garbage, and it's too CPU-consuming to process the output;


And this for task destruction:

    - auditctl -a entry,always -S exit -S exit_group
            Works most of the time, but doesn't catch "killall sshd" (doesn't get the "sshd is dying" part).

    Can anybody help me with these?

    Thanks in advance.

    Cheers,

Bruno Gustavo Wallauer
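As an added example (not from the poster or the audit project), the C below shows the consumer side of one common approach to the pid/ppid/path problem: parse the SYSCALL records that auditd writes for execve, which carry the new process's own pid, ppid and exe, and drop a record whose audit serial repeats the previous one, which handles the duplicated-entries case above. It assumes x86_64 (execve is syscall 59 there), the `type=SYSCALL msg=audit(ts:serial): ...` line format, and the constructed, abbreviated sample records embedded in SAMPLE.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One process-creation event recovered from an audit SYSCALL record. */
struct proc_event { unsigned long serial; long pid, ppid; char exe[256]; };

/* Integer following key (e.g. " pid="); -1 if the key is absent. */
static long field_long(const char *rec, const char *key) {
    const char *p = strstr(rec, key);
    return p ? strtol(p + strlen(key), NULL, 10) : -1;
}

/* Returns 1 and fills *ev if line is a successful execve SYSCALL record
 * (syscall number 59 assumes x86_64), 0 for any other line. */
int parse_exec_event(const char *line, struct proc_event *ev) {
    const char *p;
    if (strncmp(line, "type=SYSCALL ", 13) != 0) return 0;
    if (field_long(line, " syscall=") != 59 || !strstr(line, " success=yes")) return 0;
    p = strstr(line, "msg=audit(");                 /* msg=audit(ts:serial) */
    if (!p || !(p = strchr(p, ':'))) return 0;
    ev->serial = strtoul(p + 1, NULL, 10);
    /* the leading space in " pid=" keeps strstr from matching "ppid=" */
    ev->pid = field_long(line, " pid="); ev->ppid = field_long(line, " ppid=");
    p = strstr(line, " exe=\"");                    /* path of the new image */
    if (!p || sscanf(p + 6, "%255[^\"]", ev->exe) != 1) return 0;
    return 1;
}

/* Constructed, abbreviated sample: one execve record delivered twice, then a
 * clone record, which only names the parent and is therefore ignored. */
const char *SAMPLE[] = {
    "type=SYSCALL msg=audit(1700000000.101:4201): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1234 uid=1000 comm=\"ls\" exe=\"/usr/bin/ls\" key=\"exec\"",
    "type=SYSCALL msg=audit(1700000000.101:4201): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1234 uid=1000 comm=\"ls\" exe=\"/usr/bin/ls\" key=\"exec\"",
    "type=SYSCALL msg=audit(1700000000.102:4202): arch=c000003e syscall=56 success=yes exit=1235 ppid=1 pid=1000 uid=1000 comm=\"bash\" exe=\"/usr/bin/bash\" key=\"exec\"",
};

/* Feed lines through the parser, skipping a record whose serial repeats the
 * previous one. Stores up to max events in out; returns the distinct count. */
int collect_execs(const char **lines, int n, struct proc_event *out, int max) {
    int count = 0; unsigned long last = 0;
    for (int i = 0; i < n; i++) {
        struct proc_event ev;
        if (!parse_exec_event(lines[i], &ev)) continue;
        if (count > 0 && ev.serial == last) continue;  /* duplicate delivery */
        if (count < max) out[count] = ev;
        last = ev.serial;
        count++;
    }
    return count;
}
```

On a live system the same parser can be fed from the audit dispatcher or from the netlink socket that auditd reads, instead of from the SAMPLE array.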


