On Thu, 2005-01-27 at 19:04, Avishay Traeger wrote:
2. The name of the process (or command) which invoked the system call is not logged (tsk->comm).
tsk->comm isn't reliable, but they could include the executable
information, as SELinux does in its audit messages (when possible). See
security/selinux/avc.c:avc_audit, which in turn derived this particular
code from fs/proc/base.c:proc_exe_link (i.e. it shows the same
information you get from ls -l /proc/<pid>/exe).
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
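Why an audit record should carry the executable path and not just tsk->comm: comm is a short, task-owned name that any unprivileged process may overwrite, while /proc/<pid>/exe is resolved by the kernel from the mapped executable. The following is an added demonstration, not code from this thread or from SELinux's avc_audit; it only uses the standard prctl(PR_SET_NAME) interface and the /proc files that the message refers to, and it assumes a Linux host with /proc mounted.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Read the kernel's current tsk->comm for this task via /proc/self/comm. */
int read_comm(char *buf, size_t n)
{
    FILE *f = fopen("/proc/self/comm", "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)n, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Resolve /proc/self/exe: the same information ls -l /proc/<pid>/exe shows
 * and what an audit hook derived from proc_exe_link reports. */
int read_exe(char *buf, size_t n)
{
    ssize_t len = readlink("/proc/self/exe", buf, n - 1);
    if (len < 0)
        return -1;
    buf[len] = '\0';
    return 0;
}

/* Rename the task. comm is a 16-byte field that needs no privilege to change,
 * which is exactly why an audit log keyed on it can be misled. */
int set_comm(const char *name)
{
    return prctl(PR_SET_NAME, name, 0, 0, 0);
}

/* Returns 1 when renaming changed comm but left the exe link untouched,
 * 0 when it did not, and -1 if /proc or prctl is unavailable. */
int comm_is_spoofable(void)
{
    char comm_after[64];
    char exe_before[PATH_MAX], exe_after[PATH_MAX];

    if (read_exe(exe_before, sizeof exe_before) < 0)
        return -1;
    if (set_comm("renamed") < 0) /* constructed sample name */
        return -1;
    if (read_comm(comm_after, sizeof comm_after) < 0)
        return -1;
    if (read_exe(exe_after, sizeof exe_after) < 0)
        return -1;

    return strcmp(comm_after, "renamed") == 0 &&
           strcmp(exe_before, exe_after) == 0;
}

int main(void)
{
    char comm[64], exe[PATH_MAX];

    if (read_comm(comm, sizeof comm) == 0 && read_exe(exe, sizeof exe) == 0)
        printf("before: comm=%s exe=%s\n", comm, exe);

    if (comm_is_spoofable() == 1 &&
        read_comm(comm, sizeof comm) == 0 && read_exe(exe, sizeof exe) == 0)
        printf("after:  comm=%s exe=%s (comm changed, exe did not)\n", comm, exe);

    return 0;
}
```

The executable path is not a complete answer either (the file can be replaced or deleted after exec, in which case the link shows " (deleted)"), which is why the message says SELinux includes it "when possible" alongside the rest of the record rather than relying on any single field.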