Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
p
packetzero
05/08/2020, 6:42 PMhey, I'm taking a closer look at audit-events (process_events). Looking at the raw data from audit for execve syscall, I can see multiple record-sets with the same pid and ppid. So if 'pid' is for the process doing the execve action, what is the pid of the resulting new process?
Nope, the pid is for the new process as we would expect. I just didn't expect Linux (Ubuntu 20) to be re-using the same pid on the very next execve.
arch=c000003e syscall=59 success=yes exit=0 a0=7fd965c54d70 a1=7fd940100040 a2=55a3a2321b70 a3=8 items=2 ppid=49114 pid=68744 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm=\"cargo\" exe=\"/home/develop/.cargo/bin/cargo\" key=(null)arch=c000003e syscall=59 success=yes exit=0 a0=5611d8623640 a1=5611d8613fb0 a2=5611d86740b0 a3=8 items=2 ppid=49114 pid=68744 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm=\"cargo\" exe=\"/home/develop/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo\" key=(null)