Using auditd to trace every boot process

by Wallboy, from LinuxQuestions.org (#5A16B)
Hey all,

I'm trying to figure out how to view every single process that gets run since boot, everything from PID 1 onwards, even short-lived transient processes. After googling around, I discovered auditd would be the tool for the job.

I have the following line in my auditd rules file:

Code:
-a exit,always -S execve

I've also added the audit=1 kernel parameter to get early audit support before the auditd daemon has started.

However, after looking at the audit.log file, I can only see the processes that have launched AFTER the auditd daemon has started. I was under the impression the point of the audit=1 kernel parameter was to be able to capture the SYSCALLs before the userspace daemon is run.

Anyone have any ideas what I'm doing wrong, or if there is another way to go about seeing every single process (and the arguments passed to it) that was run during the entire boot sequence?
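An `-S execve` rule like the one above writes at least two records per exec into audit.log, a SYSCALL record (pid, ppid, uid, exe, success) and an EXECVE record (the argv), tied together only by the serial number in `msg=audit(timestamp:serial)`. The script below is an added example, not code from the post or from the audit tooling; it joins those records into one line per process and decodes the hex-encoded arguments auditd emits for any value containing spaces or quotes. The log excerpt in it is constructed, the field names are the standard auditd ones, and it can of course only report processes that were logged: anything that executed before the rule was loaded into the kernel will simply not appear.

```python
"""Correlate auditd SYSCALL and EXECVE records into one entry per exec."""
import re
import shlex

# Constructed sample audit.log excerpt (not real captured output): each execve
# yields a SYSCALL record plus an EXECVE record sharing one serial number.
# The argument "echo hello" is hex-encoded because it contains a space, and
# the long argument of the third event is split into a1[0], a1[1] chunks.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:41): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1 pid=287 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1700000000.101:41): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F
type=CWD msg=audit(1700000000.101:41): cwd="/"
type=SYSCALL msg=audit(1700000000.250:42): arch=c000003e syscall=59 success=no exit=-2 a0=0 a1=0 a2=0 a3=0 items=0 ppid=287 pid=288 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1700000000.250:42): argc=1 a0="/nonexistent"
type=SYSCALL msg=audit(1700000000.400:43): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=1 pid=301 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="python3" exe="/usr/bin/python3" key=(null)
type=EXECVE msg=audit(1700000000.400:43): argc=2 a0="python3" a1_len=8 a1[0]=41414141 a1[1]=42424242
"""

_HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
_FIELD = re.compile(r'(?P<key>[\w\[\]]+)=(?P<val>"[^"]*"|\S*)')
_ARG = re.compile(r"^a(?P<idx>\d+)(?:\[(?P<chunk>\d+)\])?$")


def decode_value(raw):
    """Unquote a quoted value, or hex-decode an unquoted one (auditd hex-encodes
    values that contain spaces, quotes or control bytes). Returns None for (null)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw == "(null)":
        return None
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw  # plain token such as "yes" or "pts0"


def parse_exec_events(log_text):
    """Group records by serial and return one dict per exec, in log order.
    Only serials that carry both a SYSCALL and an EXECVE record are returned."""
    events = {}
    for line in log_text.splitlines():
        m = _HEADER.match(line)
        if not m:
            continue
        serial = int(m["serial"])
        ev = events.setdefault(serial, {"serial": serial, "time": float(m["ts"]), "_argv": {}})
        fields = dict(_FIELD.findall(m["body"]))
        if m["type"] == "SYSCALL":
            # a0..a3 here are raw register values, so they are deliberately not decoded.
            ev.update(
                pid=int(fields["pid"]), ppid=int(fields["ppid"]), uid=int(fields["uid"]),
                success=fields.get("success") == "yes", exit=int(fields.get("exit", "0")),
                comm=decode_value(fields.get("comm", "")), exe=decode_value(fields.get("exe", "")),
            )
        elif m["type"] == "EXECVE":
            for key, val in fields.items():
                a = _ARG.match(key)
                if a:  # aN or aN[chunk]; aN_len does not match and is skipped
                    idx, chunk = int(a["idx"]), int(a["chunk"] or 0)
                    ev["_argv"].setdefault(idx, {})[chunk] = decode_value(val) or ""
    result = []
    for ev in events.values():
        if "pid" not in ev or not ev["_argv"]:
            continue
        # Reassemble chunked arguments in order, then order the arguments themselves.
        ev["argv"] = ["".join(chunks[c] for c in sorted(chunks))
                      for _, chunks in sorted(ev.pop("_argv").items())]
        result.append(ev)
    return result


def format_event(ev):
    """One human-readable line per exec, with argv re-quoted for the shell."""
    status = "ok" if ev["success"] else f"failed(exit={ev['exit']})"
    return (f"{ev['time']:.3f} [{ev['serial']}] pid={ev['pid']} ppid={ev['ppid']} "
            f"uid={ev['uid']} exe={ev['exe']} {status}: {shlex.join(ev['argv'])}")


if __name__ == "__main__":
    for event in parse_exec_events(SAMPLE_LOG):
        print(format_event(event))
```

Point `parse_exec_events` at the contents of /var/log/audit/audit.log to get the same one-line-per-exec view for a real boot; `ausearch -i -sc execve` and `aureport -x` perform the same hex decoding and record joining, but seeing it done by hand makes it clear why a process can only show up if its SYSCALL and EXECVE records were written in the first place.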