Known-exploit detection for the kernel
Posted Dec 29, 2013 8:06 UTC (Sun) by lamawithonel (subscriber, #86149)
In reply to: Known-exploit detection for the kernel by tshow
Parent article: Known-exploit detection for the kernel
This patch set uses the audit framework without any rate limiting, and in the somewhat more structured audit format. That sounds like what you want.
+ audit_log_format(ab, "exploit id=%s pid=%u uid=%u auid=%u ses=%u comm=", + id, pid, uid, + from_kuid(&init_user_ns, audit_get_loginuid(task)), + audit_get_sessionid(task));
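Review bot: the format string ends at `comm=` with no value in the quoted lines, and comm is set by the process itself, so the value should be appended with audit_log_untrustedstring() rather than a plain %s; otherwise spaces or quotes in the name could forge extra key=value fields in the record. The same applies to `id=%s`: keep `id` a constant with no whitespace, or escape it the same way. Also, `auid` goes through from_kuid(&init_user_ns, ...) while `uid` is passed directly to %u; confirm that `uid` has already been converted to the initial user namespace so the two fields are comparable.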