#linux
packetzero

05/08/2020, 6:42 PM
hey, I'm taking a closer look at audit-events (process_events). Looking at the raw data from audit for execve syscall, I can see multiple record-sets with the same pid and ppid. So if 'pid' is for the process doing the execve action, what is the pid of the resulting new process?
7:03 PM
Nope, the pid is for the new process as we would expect. I just didn't expect Linux (Ubuntu 20) to be re-using the same pid on the very next execve.
7:06 PM
arch=c000003e syscall=59 success=yes exit=0 a0=7fd965c54d70 a1=7fd940100040 a2=55a3a2321b70 a3=8 items=2 ppid=49114 pid=68744 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="cargo" exe="/home/develop/.cargo/bin/cargo" key=(null)
arch=c000003e syscall=59 success=yes exit=0 a0=5611d8623640 a1=5611d8613fb0 a2=5611d86740b0 a3=8 items=2 ppid=49114 pid=68744 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="cargo" exe="/home/develop/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo" key=(null)