hey I m taking a closer look at audit events process events

Question

hey I m taking a closer look at audit events process events Looking at the raw data from audit for execve syscall I can see multiple record sets with the same pid and ppid So if pid is for the process doing the execve action what is the pid of the resulting new process

packetzero · Answer

Nope the pid is for the new process as we would expect I just didn t expect Linux Ubuntu 20 to be re using the same pid on the very next execve

packetzero · Answer

`arch=c000003e syscall=59 success=yes exit=0 a0=7fd965c54d70 a1=7fd940100040 a2=55a3a2321b70 a3=8 items=2 ppid=49114 pid=68744 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty= none ses=4 comm= cargo exe= home develop cargo bin cargo key= null ` `arch=c000003e syscall=59 success=yes exit=0 a0=5611d8623640 a1=5611d8613fb0 a2=5611d86740b0 a3=8 items=2 ppid=49114 pid=68744 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty= none ses=4 comm= cargo exe= home develop rustup toolchains stable x86 64 unknown linux gnu bin cargo key= null `