Hello,
On Monday, October 5, 2020 3:07:12 PM EDT Natan Yellin wrote:
> I've been tracking all process terminations using a rule for the exit and
> exit_group syscalls. However, by looking at the audit events for exit it is
> impossible to differentiate between the death of different threads in the
> same thread group. Is there an alternative way to track this?
I don't think the audit system was ever designed to distinguish between
threads. But there is a general need to determine the exit of a process
rather than a thread.
Paul, Richard, do you have any thoughts?
-Steve
> For my use case, I would like to know when either processes or individual
> threads execute and terminate. (I'm fine tracking at either granularity.)
> Right now I can track the creation properly using fork/clone/etc but for
> termination I receive multiple exit events with identical information that
> doesn't let me know which thread died.