Oh, actually, if the process is allowed to exit gracefully (e.g., via a
"return;"), even without explicitly calling exit(), I can see the
"syscall=231" event (for exit_group()). So I guess it is just
being killed with a signal that I am trying to catch.
Thanks.
On Tue, Jun 26, 2012 at 11:28 AM, Giang Nguyen <cauthu(a)gmail.com> wrote:
Hi,
I would like to know when a process terminates. So far I can see the
exit() syscall generates an audit event, but if the process does not
call exit() or is killed by a signal, then it seems currently there is
no audit event generated?
I am using 1.7.18 on Ubuntu 12.04, but I looked at the change logs
between that and 2.2.1 and did not see anything regarding process
exit.
Thanks.
I am using the following test program:
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <stdlib.h>
    #include <unistd.h>   /* close() */
    int main(void)
    {
        /* unsigned, so the wrap back to 0 is well defined */
        unsigned int count = 0;
        while (1) {
            if (!count) {
                // trigger syscall events for sanity check
                close(socket(AF_INET, SOCK_STREAM, 0));
            }
            ++count;
        }
    }
The following rule
    auditctl -a task,always -F pid=`pidof a.out`
will periodically generate in the log events for socket() and close(),
but nothing is logged when I terminate the process.
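
The difference observed in this thread, as an added example that is not part of the original messages: a process that returns or calls exit() issues the exit_group() syscall itself, while a process killed by a signal is ended by the kernel without making any exit syscall, so a parent has to read the wait status to tell the two apart. The names `term_info` and `run_child` are hypothetical, and the signal passed in is assumed to be one whose default action terminates the process.

```c
/* Added example: exit-by-syscall versus termination-by-signal. */
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* How a child ended, as the kernel reports it to the parent (hypothetical type). */
struct term_info {
    int exited;   /* 1: the child itself issued the exit syscall */
    int signaled; /* 1: the kernel ended it for a signal; no exit syscall was made */
    int code;     /* exit status, or the terminating signal number */
};

/* sig == 0: the child leaves via _exit(7) (exit_group on Linux).
 * sig != 0: the child blocks in pause() and the parent sends sig. */
struct term_info run_child(int sig)
{
    struct term_info t = {0, 0, -1};
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return t;                     /* fork failed: both flags stay 0 */
    if (pid == 0) {
        if (sig == 0)
            _exit(7);
        for (;;)
            pause();                  /* wait to be killed */
    }
    if (sig != 0 && kill(pid, sig) != 0)
        kill(pid, SIGKILL);           /* invalid sig: do not leave the child running */
    if (waitpid(pid, &status, 0) != pid)
        return t;
    if (WIFEXITED(status)) {
        t.exited = 1;
        t.code = WEXITSTATUS(status);
    } else if (WIFSIGNALED(status)) {
        t.signaled = 1;
        t.code = WTERMSIG(status);
    }
    return t;
}

int main(void)
{
    struct term_info a = run_child(0), b = run_child(SIGKILL);
    printf("graceful: exited=%d code=%d\n", a.exited, a.code);
    printf("killed:   signaled=%d signal=%d\n", b.signaled, b.code);
    return 0;
}
```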