Re: [PATCH] audit: add task history record

On Wed, Aug 16, 2023 at 6:10 AM Tetsuo Handa <penguin-kernel(a)i-love.sakura.ne.jp&gt; wrote: > On 2023/08/16 3:44, Paul Moore wrote: > > On Fri, Aug 11, 2023 at 6:58 AM Tetsuo Handa > > <penguin-kernel(a)i-love.sakura.ne.jp&gt; wrote: > >> When an unexpected system event occurs, the administrator may want to > >> identify which application triggered the event. For example, > >> unexpected process termination is still a real concern enough to write > >> articles like https://access.redhat.com/solutions/165993 . > >> > >> This patch adds a record which emits TOMOYO-like task history > >> information into the audit logs for better understanding of unexpected > >> system events. > >> > >> type=UNKNOWN[1340] msg=audit(1691750738.271:108): > >> history="name=swapper/0;pid=1;start=20230811194329=>name=init;pid=1;s > >> tart=20230811194343=>name=systemd;pid=1;start=20230811194439=>name=ssh > >> d;pid=3660;start=20230811104504=>name=sshd;pid=3767;start=202308111045 > >> 35" > > > > While I respect your persistence, we've talked about this quite a bit > > already in other threads. What you are trying to do is already > > possible with audit > > How? If you configure audit to record exec() and friends you should have a proper history of the processes started on the system.