Hi,
I would like to know when a process terminates. So far I can see the
exit() syscall generates an audit event, but if the process does not
call exit() or is killed by a signal, then it seems currently there is
no audit event generated?
I am using 1.7.18 on Ubuntu 12.04, but I looked at the change logs
between that and 2.2.1 and did not see anything regarding process
exit.
Thanks.
I am using the following test program:
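#include <sys/types.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <unistd.h>   /* close() */

int main(void)
{
    /* unsigned, so wrapping back to 0 is well defined and the
       sanity-check syscalls below repeat periodically */
    unsigned int count = 0;

    /* busy loop: the process never calls exit() itself */
    while (1) {
        if (!count) {
            // trigger syscall events for sanity check
            close(socket(AF_INET, SOCK_STREAM, 0));
        }
        ++count;
    }
}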
The following rule
auditctl -a task,always -F pid=`pidof a.out`
will periodically generate in the log events for socket() and close(),
but nothing is logged when I terminate the process.
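
A small harness for comparing the termination paths the post distinguishes, added here as an example and not part of the original message: it forks children that end via exit(), via _exit(), or by being killed with SIGKILL, and reports each child's PID and wait status so the PIDs can be matched against whatever records the audit log contains. The names run_child and term_mode are made up for this example.

```c
/* Added example: constructed test harness, not from the original post. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum term_mode { TERM_EXIT, TERM_UNDERSCORE_EXIT, TERM_SIGNAL };

/* Fork a child that terminates in the requested way.
 * Returns the exit status (0..255) if the child exited,
 * -(signal number) if a signal killed it, or -256 on error.
 * If out_pid is non-NULL it receives the child's PID. */
int run_child(enum term_mode mode, pid_t *out_pid)
{
    fflush(NULL);                 /* avoid duplicated stdio output in child */
    pid_t pid = fork();
    if (pid < 0)
        return -256;
    if (pid == 0) {
        if (mode == TERM_EXIT)
            exit(3);              /* libc exit(): atexit handlers, then exit */
        if (mode == TERM_UNDERSCORE_EXIT)
            _exit(4);             /* immediate exit, no libc cleanup */
        for (;;)
            pause();              /* never exits; waits to be killed */
    }
    if (out_pid)
        *out_pid = pid;
    if (mode == TERM_SIGNAL && kill(pid, SIGKILL) < 0)
        return -256;
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -256;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return WIFSIGNALED(status) ? -WTERMSIG(status) : -256;
}

int main(void)
{
    static const char *names[] = { "exit()", "_exit()", "SIGKILL" };
    for (int m = TERM_EXIT; m <= TERM_SIGNAL; m++) {
        pid_t pid = 0;
        int r = run_child((enum term_mode)m, &pid);
        printf("pid=%ld via %-7s -> %d\n", (long)pid, names[m], r);
    }
    return 0;
}
```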