On 10/7/20 7:27 PM, Paul Moore wrote:
Almost everywhere in the kernel we record the TGID for the "pid=" values and not the actual task/thread ID. That decision was made before my heavy involvement with audit, but my guess is that most audit users are focused more on security relevant events at the process level, not the thread level. After all, there isn't really much in the way of significant boundaries between threads.
That's right, Paul. The process (exe/comm) is the discriminator from a security perspective.
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
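The point in the exchange above is that the "pid=" an audit record carries is the thread group ID (what getpid() returns in every thread of a process), not the per-thread task ID the kernel uses internally. The following is an added example, not code from the thread or from the audit project, that makes the distinction concrete on Linux: it creates one extra thread and checks that the thread reports the same TGID as the main thread but a different TID. The helper name thread_ids_differ and the struct ids are my own; the program assumes a Linux system with pthreads and the gettid system call available through syscall(2).

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* The two identifiers the kernel keeps for every task (thread). */
struct ids {
    pid_t tgid; /* thread group id: the value audit records as pid= */
    pid_t tid;  /* task id of this particular thread */
};

/* Read both identifiers from the calling thread (hypothetical helper). */
static void read_ids(struct ids *out)
{
    out->tgid = getpid();                   /* same for every thread of the process */
    out->tid = (pid_t)syscall(SYS_gettid);  /* unique per thread */
}

static void *worker(void *arg)
{
    read_ids((struct ids *)arg);
    return NULL;
}

/*
 * Returns 1 when a second thread shares the caller's TGID but has its own
 * TID, 0 when that is not the case, and -1 when the thread could not be
 * created. A 1 means an audit record with pid= alone cannot tell the two
 * threads apart, which is the behaviour described in the thread above.
 */
int thread_ids_differ(void)
{
    struct ids main_ids, thr_ids;
    pthread_t t;

    read_ids(&main_ids);
    if (pthread_create(&t, NULL, worker, &thr_ids) != 0)
        return -1;
    pthread_join(t, NULL);

    return (thr_ids.tgid == main_ids.tgid && thr_ids.tid != main_ids.tid) ? 1 : 0;
}

int main(void)
{
    struct ids main_ids;
    read_ids(&main_ids);
    /* In the main thread the TID equals the TGID; in any other thread it does not. */
    printf("main thread: tgid=%d tid=%d\n", (int)main_ids.tgid, (int)main_ids.tid);
    printf("second thread shares tgid but has its own tid: %s\n",
           thread_ids_differ() == 1 ? "yes" : "no");
    return 0;
}
```

When the process issues a syscall from the worker thread, the SYSCALL record's pid= field shows the TGID printed for the main thread, so anyone correlating audit events with a specific thread has to rely on other fields or on the process-level context; the code makes that limit visible without needing auditd running.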
