Bug 175856

Summary: kernel - audit child processes
Product: Red Hat Enterprise Linux 4 Reporter: Steve Grubb <sgrubb>
Component: kernelAssignee: Red Hat Kernel Manager <kernel-mgr>
Status: CLOSED WONTFIX QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0CC: jbaron
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 13:33:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 176155    

Description Steve Grubb 2005-12-15 19:42:31 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
Ability to track child processes. There is a need to be able to audit the actions of a child process. For example, maybe we add a rule to audit a specific pid like apache's. We may need to collect all syscall data for any child it spawns. This can be done by matching on session id, process group, and/or another mechanism. I leave this as an "and" since all 3 things may need to be implemented. Process group and session ID are not fool proof, but work for any non-malicious program. If we want to consider tracking possibly untrusted apps - we need to implement another mechanism.

Version-Release number of selected component (if applicable):
kernel-2.6.9-25

How reproducible:
Didn't try

Steps to Reproduce:
1. New Feature Request

Additional info:
Comment 1 Jiri Pallich 2012-06-20 13:33:18 UTC 
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. 
Please See https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.