Re: [Announce] Non Invasive Kernel Monitor for threads/processes

From: Rusty Lynch (rusty_at_linux.jf.intel.com)
Date: 06/16/04

    Date:	Tue, 15 Jun 2004 18:01:32 -0700
    To: faith@redhat.com
    
    

    > Andrew Morton wrote:
    > >Atul Sabharwal <atul_sabharwal@linux.jf.intel.com> wrote:
    > >>We have been working with a solution for non-intrusively trapping on
    > >>lifetime of processes/threads.
    > >>
    > >
    > >I expect this functionality can be provided without kernel changes via
    > >auditing of the relevant system calls. See
    > >http://people.redhat.com/faith/audit/.

    If a process segfaults, is there currently a message sent from the auditing
    code?

    > >Maybe there are shortcomings in the current auditing/filtering framework.
    > >If so, perhaps they could be addressed.

    I have worries about both the complexity required from the client for just
    monitoring the lifetime of a process/thread, and the overhead of doing
    this with the auditing/netlink implementation, but do not have any proof.

    We can take a crack at implementing a couple of hello world monitors for
    process/thread creation and exec'ing, and come back with any limitations
    in the existing auditing code that would make this particular type of
    monitoring painful.

        --rustyl
    -
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/
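
The syscall-auditing approach suggested in the quoted text, together with the segfault question raised in the reply, as an added example that is not part of the original thread: a small Python monitor that rebuilds process lifetimes from audit records. It assumes the log format written by present-day auditd, x86_64 syscall numbers, and the `ANOM_ABEND` record type for abnormal termination; the sample lines and the `lifetimes` helper are constructed for illustration.

```python
import re

# Constructed, abbreviated records in the auditd log format (assumption:
# x86_64 syscall numbers; real records carry more fields than shown here).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1087347692.100:101): arch=c000003e syscall=56 success=yes exit=4242 ppid=1 pid=4000 comm="bash" exe="/bin/bash"
type=SYSCALL msg=audit(1087347692.150:102): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4242 comm="worker" exe="/usr/local/bin/worker"
type=SYSCALL msg=audit(1087347692.200:103): arch=c000003e syscall=56 success=yes exit=4243 ppid=1 pid=4000 comm="bash" exe="/bin/bash"
type=SYSCALL msg=audit(1087347692.250:104): arch=c000003e syscall=59 success=no exit=-2 ppid=4000 pid=4243 comm="bash" exe="/bin/bash"
type=SYSCALL msg=audit(1087347692.300:105): arch=c000003e syscall=231 a0=7f ppid=4000 pid=4243 comm="bash" exe="/bin/bash"
type=ANOM_ABEND msg=audit(1087347695.900:106): auid=1000 uid=1000 pid=4242 comm="worker" exe="/usr/local/bin/worker" sig=11 res=1
"""
SYSCALLS = {"56": "clone", "59": "execve", "231": "exit_group"}
RECORD = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):\d+\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def new_proc(ts, exe):
    return {"start": ts, "exe": exe, "end": None, "how": None}

def lifetimes(log):
    """Build {pid: lifetime} from audit records; unparseable lines are skipped."""
    procs = {}
    for line in log.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rtype, ts = m.group(1), float(m.group(2))
        f = {k: v.strip('"') for k, v in FIELD.findall(m.group(3))}
        if "pid" not in f:
            continue
        pid = int(f["pid"])
        if rtype == "SYSCALL":
            name, ok = SYSCALLS.get(f.get("syscall")), f.get("success") == "yes"
            if name == "clone" and ok:
                # In the parent, clone returns the child's pid; the child
                # starts out running the parent's executable.
                procs[int(f["exit"])] = new_proc(ts, f.get("exe"))
            elif name == "execve" and ok:  # a failed exec changes nothing
                procs.setdefault(pid, new_proc(ts, None))["exe"] = f.get("exe")
            elif name == "exit_group":  # never returns, so no success= field
                procs.setdefault(pid, new_proc(None, f.get("exe"))).update(end=ts, how="exit")
        elif rtype == "ANOM_ABEND":  # abnormal end, e.g. sig=11 for a segfault
            procs.setdefault(pid, new_proc(None, f.get("exe"))).update(
                end=ts, how="signal " + f.get("sig", "?"))
    return procs

if __name__ == "__main__":
    for pid, p in sorted(lifetimes(SAMPLE_LOG).items()):
        print(pid, p)
```

Processes that were already running when auditing started appear with `start` set to `None`, since no creation record exists for them.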

