Re: [PATCH] audit: add task history record

[PATCH] audit: add task history record · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2023-08-11
Re: [PATCH] audit: add task history record · Richard Guy Briggs <hidden> · 2023-08-11
Re: [PATCH] audit: add task history record · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2023-08-12
Re: [PATCH] audit: add task history record · Paul Moore <paul@paul-moore.com> · 2023-08-15
Re: [PATCH] audit: add task history record · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2023-08-16
Re: [PATCH] audit: add task history record · Paul Moore <paul@paul-moore.com> · 2023-08-16
Re: [PATCH] audit: add task history record · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2023-08-18
Re: [PATCH] audit: add task history record · Paul Moore <paul@paul-moore.com> · 2023-08-18
Re: [PATCH] audit: add task history record · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2023-08-19
Re: [PATCH] audit: add task history record · "Serge E. Hallyn" <serge@hallyn.com> · 2023-08-21
Re: [PATCH] audit: add task history record · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2023-08-21
Re: [PATCH] audit: add task history record · Paul Moore <paul@paul-moore.com> · 2023-08-21
Re: [PATCH] audit: add task history record · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2023-08-23
Re: [PATCH] audit: add task history record · Paul Moore <paul@paul-moore.com> · 2023-08-23
Re: [PATCH] audit: add task history record · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2023-08-24
Re: [PATCH] audit: add task history record · Paul Moore <paul@paul-moore.com> · 2023-08-24
Re: [PATCH] audit: add task history record · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2023-08-24
Re: [PATCH] audit: add task history record · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2023-08-24
Re: [PATCH] audit: add task history record · Paul Moore <paul@paul-moore.com> · 2023-08-24
Re: [PATCH] audit: add task history record · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2023-08-24
Re: [PATCH] audit: add task history record · Paul Moore <paul@paul-moore.com> · 2023-08-25
Re: [PATCH] audit: add task history record · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2023-08-26
Re: [PATCH] audit: add task history record · Paul Moore <paul@paul-moore.com> · 2023-08-26
Re: [PATCH] audit: add task history record · Paul Moore <paul@paul-moore.com> · 2023-08-24
Re: [PATCH] audit: add task history record · Steve Grubb <hidden> · 2023-08-24
Re: [PATCH] audit: add task history record · Paul Moore <paul@paul-moore.com> · 2023-08-24
Re: [PATCH] audit: add task history record · Steve Grubb <hidden> · 2023-08-22
Re: [PATCH] audit: add task history record · Paul Moore <paul@paul-moore.com> · 2023-08-22
Re: [PATCH] audit: add task history record · Serge Hallyn <serge@hallyn.com> · 2023-08-21

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: 2023-08-24 13:48:06

On 2023/08/24 22:39, Tetsuo Handa wrote:

quoted

  (1) Catch _all_ process creations (both via fork()/clone() system calls and
      kthread_create() from the kernel), and duplicate the history upon process
      creation.

Create an audit filter rule to record the syscalls you are interested
in logging.

I can't interpret what you are talking about. Please show me using command line.

I'm not interested in logging the syscalls just for maintaining process history
information. I want you to explain using command line how we can trace process
creation/termination (both via syscalls and via kernel internal reasons).
How can auditd generate logs that are not triggered via syscalls?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help