event for exited process
Giang Nguyen
cauthu at gmail.com
Tue Jun 26 15:46:33 UTC 2012
Oh actually if the process is allowed to exit gracefully (e.g., via a
"return;"), even without explicitly calling exit(), I can see the
"syscall=231" event (for exit_group()). So I guess it is just
being killed with a signal that I am trying to catch.
Thanks.
On Tue, Jun 26, 2012 at 11:28 AM, Giang Nguyen <cauthu at gmail.com> wrote:
> Hi,
> I would like to know when a process terminates. So far I can see the
> exit() syscall generates an audit event, but if the process does not
> call exit() or is killed by a signal, then it seems currently there is
> no audit event generated?
> I am using 1.7.18 on Ubuntu 12.04, but I looked at the change logs
> between that and 2.2.1 and did not see anything regarding process
> exit.
> Thanks.
>
> I am using the following test program:
>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <stdlib.h>
> #include <unistd.h>   /* close() */
>
> int main(void)
> {
>     /* unsigned so that the wrap back to 0 is well defined */
>     unsigned int count = 0;
>
>     while (1) {
>         if (!count) {
>             /* trigger syscall events for sanity check */
>             close(socket(AF_INET, SOCK_STREAM, 0));
>         }
>         ++count;
>     }
> }
>
> The following rule
>
> auditctl -a task,always -F pid=`pidof a.out`
>
> will periodically generate in the log events for socket() and close(),
> but nothing is logged when I terminate the process.
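
An added example, not part of the original thread: the two termination paths discussed above, observed from a parent with waitpid(). A child that leaves through _exit() issues the exit syscall itself (the "syscall=231" case), while a child killed by a fatal signal ends without making one. The helper name how_child_ended() and the ENDED_BY_* constants are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define ENDED_BY_EXIT   1   /* child issued the exit syscall itself */
#define ENDED_BY_SIGNAL 2   /* child was terminated by a fatal signal */

/* Hypothetical helper: fork a child and report how it ended.
 * kill_sig == 0: the child leaves through _exit(7).
 * kill_sig != 0: the child sleeps until the parent sends that signal.
 * Returns ENDED_BY_EXIT or ENDED_BY_SIGNAL, -1 on error; *detail receives
 * the exit status or the number of the terminating signal. */
int how_child_ended(int kill_sig, int *detail)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (kill_sig == 0)
            _exit(7);              /* graceful path: an exit syscall is made */
        for (;;)
            pause();               /* wait here until a signal arrives */
    }
    if (kill_sig != 0 && kill(pid, kill_sig) != 0)
        kill(pid, SIGKILL);        /* bad signal number: still reap the child */
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    if (WIFEXITED(status)) {
        *detail = WEXITSTATUS(status);
        return ENDED_BY_EXIT;
    }
    if (WIFSIGNALED(status)) {
        *detail = WTERMSIG(status);
        return ENDED_BY_SIGNAL;
    }
    return -1;
}

int main(void)
{
    int d = 0, how = how_child_ended(SIGKILL, &d);
    printf("how=%d detail=%d\n", how, d);
    return 0;
}
```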