On 2023/08/24 22:39, Tetsuo Handa wrote:
>> (1) Catch _all_ process creations (both via fork()/clone() system calls and
>> kthread_create() from the kernel), and duplicate the history upon process
>> creation.
>
> Create an audit filter rule to record the syscalls you are interested
> in logging.
I can't interpret what you are talking about. Please show me using the command line.
I'm not interested in logging the syscalls just for maintaining process history
information. I want you to explain using the command line how we can trace process
creation/termination (both via syscalls and via kernel internal reasons).
How can auditd generate logs that are not triggered via syscalls?
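To make the syscall-based approach from the quoted suggestion concrete, here is an added example (not code from anyone in this thread) that reconstructs a process creation/termination history from auditd SYSCALL records. It assumes an x86_64 system with an auditctl rule like the one in `AUDIT_RULE`, and the sample records are constructed, not captured from a real system. It also shows the limitation the reply raises: the history is only as complete as the syscalls audited, so a kernel thread created via kthread_create() never appears, because it never passes through a syscall.

```python
"""Rebuild a process lifecycle history from auditd SYSCALL records.

Added example for illustration; the audit rule below is an assumption about
how such logging would be configured, and the sample records are constructed.
Only syscall-driven events are visible: kernel-internal creation such as
kthread_create() produces no SYSCALL record at all.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed auditctl rule (x86_64) that would produce records like the samples.
AUDIT_RULE = "-a always,exit -F arch=b64 -S clone,fork,vfork,execve,exit_group -k proc_lifecycle"

# x86_64 syscall numbers for the syscalls the rule above audits.
SYSCALL_NAMES = {56: "clone", 57: "fork", 58: "vfork", 59: "execve", 231: "exit_group"}

# key=value pairs; values may be quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: bash (pid 1234) clones pid 1235, which execs /usr/bin/id and exits.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1692880000.101:501): arch=c000003e syscall=56 success=yes exit=1235 '
    'a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 '
    'comm="bash" exe="/usr/bin/bash" key="proc_lifecycle"',
    'type=SYSCALL msg=audit(1692880000.102:502): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=55d0 a1=55e0 a2=55f0 a3=0 items=2 ppid=1234 pid=1235 auid=1000 uid=1000 '
    'comm="id" exe="/usr/bin/id" key="proc_lifecycle"',
    'type=SYSCALL msg=audit(1692880000.103:503): arch=c000003e syscall=231 '
    'a0=0 a1=0 a2=0 a3=0 items=0 ppid=1234 pid=1235 auid=1000 uid=1000 '
    'comm="id" exe="/usr/bin/id" key="proc_lifecycle"',
    # Unrelated record types are ignored by the builder.
    'type=PROCTITLE msg=audit(1692880000.102:502): proctitle="id"',
]


@dataclass
class ProcInfo:
    ppid: Optional[int] = None
    exe: Optional[str] = None
    children: List[int] = field(default_factory=list)
    exited: bool = False


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def build_history(lines) -> Dict[int, ProcInfo]:
    """Fold SYSCALL records into a pid -> ProcInfo map (parent, image, children, exit)."""
    history: Dict[int, ProcInfo] = {}
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        name = SYSCALL_NAMES.get(int(rec["syscall"]))
        pid = int(rec["pid"])
        proc = history.setdefault(pid, ProcInfo())
        if proc.ppid is None:
            proc.ppid = int(rec["ppid"])
        if proc.exe is None:
            proc.exe = rec.get("exe")
        if name in ("clone", "fork", "vfork") and rec.get("success") == "yes":
            # On success the parent's return value (exit=) is the new child's pid.
            child = int(rec["exit"])
            history.setdefault(child, ProcInfo(ppid=pid, exe=proc.exe))
            proc.children.append(child)
        elif name == "execve" and rec.get("success") == "yes":
            # The exit-time record already reflects the newly loaded image.
            proc.exe = rec.get("exe")
        elif name == "exit_group":
            proc.exited = True
    return history


def ancestry(history: Dict[int, ProcInfo], pid: int) -> List[int]:
    """Walk parent links from pid upward; stops at the first pid with no known parent."""
    chain: List[int] = []
    current: Optional[int] = pid
    while current is not None:
        chain.append(current)
        current = history[current].ppid if current in history else None
    return chain


if __name__ == "__main__":
    hist = build_history(SAMPLE_RECORDS)
    for p, info in sorted(hist.items()):
        print(p, info)
    print("ancestry of 1235:", ancestry(hist, 1235))
```

The parent pid 1000 appears only as a ppid value, never as a record of its own, which is what a gap in the history looks like when a process was created outside the audited syscalls or before the rule was loaded.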