Identifying thread/process termination
Steve Grubb
sgrubb at redhat.com
Tue Oct 6 20:20:32 UTC 2020
Hello,
On Monday, October 5, 2020 3:07:12 PM EDT Natan Yellin wrote:
> I've been tracking all process terminations using a rule for the exit and
> exit_group syscalls. However, by looking at the audit events for exit it is
> impossible to differentiate between the death of different threads in the
> same thread group. Is there an alternative way to track this?
I don't think the audit system was ever designed to distinguish between
threads. But there is a general need to determine the exit of a process
rather than a thread.
Paul, Richard, do you have any thoughts?
-Steve
> For my use case, I would like to know when either processes or individual
> threads execute and terminate. (I'm fine tracking at either granularity.)
> Right now I can track the creation properly using fork/clone/etc but for
> termination I receive multiple exit events with identical information that
> doesn't let me know which thread died.