threathunters-io / laurel

Transform Linux Audit logs for SIEM usage
GNU General Public License v3.0

Inherit container id from parent if cgroup info can't be read #192

Closed hillu closed 9 months ago

hillu commented 9 months ago

Short-lived programs such as /bin/true are usually cleaned up before Laurel can read data from their /proc/. In this case, we assume that the process has inherited the container ID from its parent.

Close: #191
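
The fallback described in this pull request, sketched as an added Rust example that is not Laurel's own code: `ProcTable`, `Source` and `container_id_from_cgroup` are hypothetical names, and the 64-hex-digit container ID format is an assumption. It inherits the parent's container ID only when the cgroup read failed, and records that the value was inferred rather than observed.

```rust
use std::collections::HashMap;

// Hypothetical types for illustration; not Laurel's own data structures.
#[derive(Debug, Clone, PartialEq)]
enum Source { Cgroup, InheritedFromParent }

#[derive(Default)]
struct ProcTable {
    // pid -> container ID (None = not in a container, as far as we know)
    container: HashMap<u32, Option<String>>,
}

// Assumption: the ID is a 64-hex-digit run in the path field of a
// "hierarchy:controllers:path" line, e.g. ".../docker-<id>.scope".
fn container_id_from_cgroup(text: &str) -> Option<String> {
    text.lines()
        .filter_map(|line| line.splitn(3, ':').nth(2))
        .flat_map(|path| path.split(|c: char| !c.is_ascii_hexdigit()))
        .find(|run| run.len() == 64)
        .map(str::to_string)
}

impl ProcTable {
    // `cgroup` is the content of /proc/<pid>/cgroup, or None when the
    // process exited before the file could be read.
    fn add(&mut self, pid: u32, ppid: u32, cgroup: Option<&str>) -> (Option<String>, Source) {
        let (id, source) = match cgroup {
            // Read succeeded: trust it, even if it says "no container".
            Some(text) => (container_id_from_cgroup(text), Source::Cgroup),
            // Read failed: assume the child stayed in the parent's container.
            None => (
                self.container.get(&ppid).cloned().flatten(),
                Source::InheritedFromParent,
            ),
        };
        self.container.insert(pid, id.clone());
        (id, source)
    }
}

fn main() {
    // Constructed sample: a container shell (pid 100) spawns /bin/true
    // (pid 101), which is gone before its cgroup file can be read.
    let id = "ab".repeat(32);
    let cgroup = format!("0::/system.slice/docker-{}.scope\n", id);
    let mut t = ProcTable::default();
    println!("{:?}", t.add(100, 1, Some(&cgroup)));
    println!("{:?}", t.add(101, 100, None));
}
```

Carrying the `Source` marker into the emitted event lets a SIEM rule distinguish an observed container ID from an inherited one when attribution matters.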