On Wed, Jun 18, 2008 at 02:14:49PM +0300, Dan Shimshoni wrote:
> Hello,
>
> Is there a way to write an application/a kernel module which will
> notice when a process named "xyz" starts ?
>
> For example, I want to be able to notice when a user starts a process
> named "calc" (by running calc, or whatever other unspecified command)
> and print this notification to a file (or to kernel log).
>
> My assumption is that I know **nothing** about that process besides its
> name, "xyz"; I don't know anything about which ports it uses, (if at all),
> I don't know the files it uses, (if at all), etc. All I know is ***just***
> the process name.
>
> And a very important point - I don't know for how long this process
> will run before exiting. It can be less than a second, and I **MUST**
> take this into account and handle such a case.
>
> Can this be done at all?

You might be able to do something with Process Accounting (apt-get acct on
debian). Also by other, "newer" means, such as syscalltrack, perhaps also
selinux/audit/whatever.

Note that a user can link to a binary and run the link, in which case you
won't notice. This might or might not matter, depending on what you try to do.

--
Didi
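
The link caveat above, worked through on execve records in the Linux audit log format; this is an added example, not part of the original message. The records are constructed, and it assumes an audit rule that logs execve is in place, with `comm` following the name the program was invoked by and `exe` holding the resolved path, so a symlink is caught through `exe` while a hard link or copy under another name (pid 4003) is not.

```python
import os
import re

# Constructed sample records (x86_64: syscall 59 = execve).
# pid 4001: calc run directly. pid 4002: run through a symlink named "mycalc".
# pid 4003: a hard link or copy of calc named "tool" (no field says "calc").
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1213787689.101:11): arch=c000003e syscall=59 success=yes exit=0 pid=4001 uid=1000 comm="calc" exe="/usr/bin/calc" key="proc_start"
type=SYSCALL msg=audit(1213787690.202:12): arch=c000003e syscall=59 success=yes exit=0 pid=4002 uid=1000 comm="mycalc" exe="/usr/bin/calc" key="proc_start"
type=SYSCALL msg=audit(1213787691.303:13): arch=c000003e syscall=59 success=yes exit=0 pid=4003 uid=1000 comm="tool" exe="/tmp/tool" key="proc_start"
type=SYSCALL msg=audit(1213787692.404:14): arch=c000003e syscall=59 success=yes exit=0 pid=4004 uid=1000 comm="ls" exe="/bin/ls" key="proc_start"
type=SYSCALL msg=audit(1213787693.505:15): arch=c000003e syscall=2 success=yes exit=3 pid=4001 uid=1000 comm="calc" exe="/usr/bin/calc" key="other"
"""

# key=value pairs; values are either double-quoted or bare tokens.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD.finditer(line)}


def find_starts(log_text, name):
    """Return (pid, matched_by) for successful execve records that ran `name`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != "59":
            continue  # not an execve record
        if rec.get("success") != "yes":
            continue  # the exec failed, so no process image started
        if rec.get("comm") == name:
            hits.append((int(rec["pid"]), "comm"))
        elif os.path.basename(rec.get("exe", "")) == name:
            # Invoked under another name, but the resolved path gives it away.
            hits.append((int(rec["pid"]), "exe"))
    return hits


if __name__ == "__main__":
    for pid, how in find_starts(SAMPLE_LOG, "calc"):
        print(f"calc started: pid={pid} matched_by={how}")
```

Because the record is written at exec time, how long the process lives afterwards does not affect whether it is seen.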