event for exited process

Giang Nguyen cauthu at gmail.com
Tue Jun 26 15:28:49 UTC 2012


Hi,
I would like to know when a process terminates. So far I can see the
exit() syscall generates an audit event, but if the process does not
call exit() or is killed by a signal, then it seems currently there is
no audit event generated?
I am using 1.7.18 on Ubuntu 12.04, but I looked at the change logs
between that and 2.2.1 and did not see anything regarding process
exit.
Thanks.

I am using the following test program:

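#include <sys/types.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <unistd.h>   /* close() */

int main(void)
{
    /* unsigned, so wrapping back to 0 is well defined */
    unsigned int count = 0;

    /* busy loop that never calls exit(); runs until the process is killed */
    while (1) {
        if (!count) {
            // trigger syscall events for sanity check
            close(socket(AF_INET, SOCK_STREAM, 0));
        }
        ++count;
    }
}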

The following rule

auditctl -a task,always -F pid=`pidof a.out`

will periodically generate in the log events for socket() and close(),
but nothing is logged when I terminate the process.
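
The two termination paths the post distinguishes, as an added example that is not part of the original post: a child that makes the exit call itself, and a child that is killed by a signal and so never executes an exit syscall of its own. The parent classifies each case with waitpid(); the names run_child and struct outcome are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum how { HOW_ERROR, HOW_EXIT_CALL, HOW_SIGNAL };
struct outcome { enum how how; int detail; /* exit status or signal number */ };

/* Hypothetical helper: fork a child and report how it terminated.
 * sig == 0: the child calls _exit(code) itself.
 * sig != 0: the child blocks in pause() and the parent sends it sig. */
struct outcome run_child(int code, int sig)
{
    struct outcome o = { HOW_ERROR, 0 };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return o;
    if (pid == 0) {
        if (sig == 0)
            _exit(code);    /* glibc implements this with exit_group() */
        for (;;)
            pause();        /* never reaches an exit call */
    }
    if (sig != 0 && kill(pid, sig) < 0)
        return o;
    if (waitpid(pid, &status, 0) != pid)
        return o;
    if (WIFEXITED(status)) {            /* child made the exit call */
        o.how = HOW_EXIT_CALL;
        o.detail = WEXITSTATUS(status);
    } else if (WIFSIGNALED(status)) {   /* kernel tore the child down */
        o.how = HOW_SIGNAL;
        o.detail = WTERMSIG(status);
    }
    return o;
}

int main(void)
{
    struct outcome a = run_child(3, 0);
    struct outcome b = run_child(0, SIGKILL);

    printf("exit call:   how=%d detail=%d\n", a.how, a.detail);
    printf("signal kill: how=%d detail=%d\n", b.how, b.detail);
    return 0;
}
```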



