On 2023/08/08 3:54, Steve Grubb wrote:
>>> What I would suggest is to make a separate record: AUDIT_PROC_TREE that
>>> describes process tree from the one killed up to the last known parent.
>>> This way you can define your own format and SYSCALL can stay as everyone
>>> expects it to look. In the EXECVE audit record, there is a precedent of
>>> using argv[0]=xx argv[1]=xx argv[2]=yy and so on. If you want to make
>>> these generally parsable without special knowledge of the record format,
>>> I'd suggest something like it.
>>
>> Yes,
>> https://lkml.kernel.org/r/201501202220.DJJ34834.OLJOHFMQOFtSVF@I-love.SAKURA.ne.jp
>> used AUDIT_PROCHISTORY instead of LSM hooks, but that thread died there.
>
> I do not read that mail list. AUDIT_PROC_HIST or AUDIT_PROC_CHAIN or
> something like that would be the better way to go. If someone wanted to see if
> they have process history for a segfault, how would they do it with the
> proposed record?

Avoiding bloat of the audit log files could be done when saving into audit log
files, but avoiding the overhead of tracking/recording this history information
would need to be done using kernel command line options.
Is there a kernel command line option that can configure whether to include
this history information (and what to include in it)?
If an LSM is used, a kernel command line option like lsm=tt can be used for
telling the kernel to include this history information, and kernel command
line options like tt.size=512 tt.fields=name,stamp for telling the kernel the
maximum history length and the fields to include.
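The point of the indexed-key convention discussed in the thread (argv[0]=, argv[1]=, ...) is that a consumer can read a process-history record with no special knowledge of its layout: it only needs to know that a key ending in an index belongs to a list. The parser below is an added example, not code from this thread, from the kernel or from the audit userspace. It accepts both the kernel's existing EXECVE layout (argc=, a0=, a1=, ...) and the argv[0]= style, and it reads a hypothetical PROC_TREE record whose pid[n]=/comm[n]= keys are an assumption made here to illustrate the proposal; all sample lines are constructed.

```python
"""Parse audit records whose repeated fields use index-suffixed keys.

Added example for the thread above; not kernel or audit-userspace code.
The PROC_TREE record layout (depth=, pid[n]=, comm[n]=) is hypothetical.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample records (timestamps, pids and names are made up).
SAMPLE_RECORDS = [
    # Laid out like the kernel's real EXECVE record: argc= plus a0=, a1=, ...
    'type=EXECVE msg=audit(1691452800.123:42): argc=3 a0="ls" a1="-l" a2="/tmp"',
    # Same record in the argv[n]= style the thread describes
    'type=EXECVE msg=audit(1691452800.124:43): argc=2 argv[0]="cat" argv[1]="/etc/hostname"',
    # Hypothetical process-tree record: killed process first, parents after it
    'type=PROC_TREE msg=audit(1691452800.125:44): depth=3 '
    'pid[0]=4242 comm[0]="victim" pid[1]=4200 comm[1]="bash" pid[2]=1 comm[2]="systemd"',
]

# key=value tokens; the value is either a double-quoted string or a bare word
_TOKEN = re.compile(r'([A-Za-z_][\w\[\].]*)=("(?:[^"\\]|\\.)*"|\S*)')
# argv[3] style and a3 style both count as an indexed key: (name, index)
_INDEXED = re.compile(r'^([A-Za-z_][\w.]*?)\[?(\d+)\]?$')


def parse_audit_record(line: str) -> Dict[str, object]:
    """Split one record into scalar fields and index-ordered lists."""
    fields: Dict[str, str] = {}
    lists: Dict[str, Dict[int, str]] = {}
    for key, raw in _TOKEN.findall(line):
        quoted = len(raw) >= 2 and raw.startswith('"') and raw.endswith('"')
        value = raw[1:-1] if quoted else raw
        m = _INDEXED.match(key)
        if m:
            # Generic handling: any key with a trailing index joins a list,
            # so a new record type needs no parser change.
            lists.setdefault(m.group(1), {})[int(m.group(2))] = value
        else:
            fields[key] = value
    ordered = {name: [v for _, v in sorted(items.items())]
               for name, items in lists.items()}
    return {"type": fields.get("type"), "fields": fields, "lists": ordered}


def argv_of(record: Dict[str, object]) -> List[str]:
    """Command line of an EXECVE record in either indexed-key style."""
    lists = record["lists"]
    args = lists.get("argv") or lists.get("a") or []
    argc = record["fields"].get("argc")
    if argc is not None and int(argc) != len(args):
        raise ValueError("argc=%s but %d arguments parsed" % (argc, len(args)))
    return args


def process_chain(record: Dict[str, object]) -> List[Tuple[int, str]]:
    """(pid, comm) pairs from the killed process up to its last known parent."""
    lists = record["lists"]
    pids, comms = lists.get("pid", []), lists.get("comm", [])
    if len(pids) != len(comms):
        raise ValueError("pid/comm index counts differ")
    depth = record["fields"].get("depth")
    if depth is not None and int(depth) != len(pids):
        raise ValueError("depth=%s but %d entries parsed" % (depth, len(pids)))
    return [(int(p), c) for p, c in zip(pids, comms)]


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_audit_record(line)
        if rec["type"] == "EXECVE":
            print("EXECVE", argv_of(rec))
        elif rec["type"] == "PROC_TREE":
            print("PROC_TREE", " -> ".join("%d(%s)" % pc for pc in process_chain(rec)))
```

Because list membership is derived from the key shape alone, a consumer that already handles EXECVE this way would pick up a new chain record without code changes; the argc=/depth= cross-checks catch truncated records, which matters when a record is assembled from a long ancestry chain under a size cap such as the tt.size=512 option mentioned above.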