On Sun, Aug 6, 2023 at 9:05 AM Tetsuo Handa
<penguin-kernel(a)i-love.sakura.ne.jp> wrote:
When an unexpected system event occurs, the administrator may want to
identify which application triggered the event. For example, unexpected
process termination is still a real concern enough to write articles
like
https://access.redhat.com/solutions/165993 . TaskTracker is a
trivial LSM module which emits TOMOYO-like information into the audit
logs for better understanding of unexpected system events.
Help me understand why all of this information isn't already available
via some combination of Audit and TOMOYO, or simply audit itself?
In the case of an audit-only design you would likely need to do some
processing of the audit log to determine the full historical process
tree of the process being killed, but all of the information should be
there if you configure audit properly. I'm less familiar with TOMOYO,
but your comment about this LSM recording "TOMOYO-like" information
makes me believe that TOMOYO already records this information.
--
paul-moore.com