On 10/7/20 7:27 PM, Paul Moore wrote:
Almost everywhere in the kernel we record the TGID for the "pid="
values and not the actual task/thread ID. That decision was made
before my heavy involvement with audit, but my guess is that most
audit users are focused more on security relevant events at the
process level, not the thread level. After all, there isn't really
much in the way of significant boundaries between threads.
That's right, Paul. The process (exe/comm) is the discriminator from a
security perspective.
LCB
--
Lenny Bruzenak
MagitekLTD
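The distinction the thread turns on (audit pid= carries the thread group id, not the id of the individual task that triggered the event) can be seen from user space without touching auditd. The following is an added example, not code from the linux-audit list or either poster: it assumes Linux with pthreads, reads the TGID via getpid() and the task id via the gettid syscall, and checks from inside a worker thread that the TGID is shared while the task id is not. For a defender reading audit records it illustrates why a multithreaded daemon's threads all appear under one pid= value and why exe/comm, not the thread, is the unit you correlate on.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Ids observed from inside a worker thread (constructed example). */
struct ids {
    pid_t tgid; /* getpid(): thread group id, the value audit reports as pid= */
    pid_t tid;  /* gettid(): the individual task id of this thread */
};

static void *worker(void *arg)
{
    struct ids *out = arg;
    out->tgid = getpid();
    out->tid = (pid_t)syscall(SYS_gettid);
    return NULL;
}

/*
 * Returns 1 when a worker thread reports the same TGID as the main thread
 * but a different task id, 0 if the observation does not hold, and -1 if
 * the thread could not be created.  On Linux the main thread's task id
 * equals the TGID, so the last clause documents that as well.
 */
int worker_shares_tgid_but_not_tid(void)
{
    struct ids w = {0, 0};
    pthread_t t;

    if (pthread_create(&t, NULL, worker, &w) != 0)
        return -1;
    pthread_join(t, NULL);

    pid_t main_tgid = getpid();
    pid_t main_tid = (pid_t)syscall(SYS_gettid);

    return (w.tgid == main_tgid && w.tid != main_tid && main_tgid == main_tid) ? 1 : 0;
}

int main(void)
{
    struct ids w = {0, 0};
    pthread_t t;

    if (pthread_create(&t, NULL, worker, &w) != 0) {
        perror("pthread_create");
        return 1;
    }
    pthread_join(t, NULL);

    /* An audit record for a syscall made by the worker would carry the
     * TGID (the first number), not the worker's own task id. */
    printf("main:   tgid=%ld tid=%ld\n", (long)getpid(), (long)syscall(SYS_gettid));
    printf("worker: tgid=%ld tid=%ld\n", (long)w.tgid, (long)w.tid);
    return worker_shares_tgid_but_not_tid() == 1 ? 0 : 1;
}
```

Compile with `cc -pthread` on a Linux host; the two printed lines share the tgid value and differ in tid, which is the same view the kernel audit code takes when it fills in pid=.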