audit a process that disappears
ESGLinux
esggrupos at gmail.com
Wed Nov 10 12:10:07 UTC 2010
Thanks Steve,
I´m going to try it,
Greetings,
ESG
2010/11/9 Steve Grubb <sgrubb at redhat.com>
> On Tuesday, November 09, 2010 08:25:07 am ESGLinux wrote:
> > it´s like anybody outside the process gives a kill to it.
>
> There are 2 other possibilities and that is that it terminates abnormally
> or that it
> "ends".
>
>
> > My question is with audit rules I can get any information about what is
> > happening with this process.
> >
> > something like this:
> >
> > -a entry,always -F pid=32179 -S all -k TOMCAT_JAVA
> >
> > (pid=32179 is the pid of the process)
>
> You should be able to get something. You would probably just need the
> "kill", "exit",
> and "exit_group" syscalls.
>
> -Steve
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20101110/9188d828/attachment.htm>
More information about the Linux-audit
mailing list