Oh actually if the process is allowed to exit gracefully (e.g., via a "return;"), even without explicitly calling exit(), I can see the "syscall=231" event (for exit_group()). So I guess it is just the being killed with a signal that I am trying to catch. Thanks.
On Tue, Jun 26, 2012 at 11:28 AM, Giang Nguyen <[email protected]> wrote:
> Hi,
> I would like to know when a process terminates. So far I can see the
> exit() syscall generates an audit event, but if the process does not
> call exit() or is killed by a signal, then it seems currently there is
> no audit event generated?
> I am using 1.7.18 on Ubuntu 12.04, but I looked at the change logs
> between that and 2.2.1 and did not see anything regarding process
> exit.
> Thanks.
>
> I am using the following test program:
>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <stdlib.h>
> #include <unistd.h>   // close()
> int main(void)
> {
>     // unsigned: wraps to 0, so the block below runs periodically
>     unsigned int count = 0;
>     while (1) {
>         if (!count) {
>             // trigger syscall events for sanity check
>             close(socket(AF_INET, SOCK_STREAM, 0));
>         }
>         ++count;
>     }
> }
>
> The following rule
>
> auditctl -a task,always -F pid=`pidof a.out`
>
> will periodically generate in the log events for socket() and close(),
> but nothing is logged when I terminate the process.
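Added example, not part of the original thread: a small Python parser over audit SYSCALL records that lists PIDs with logged activity but no exit()/exit_group() record, which is how the signal-kill case described above appears in the log. The log lines are constructed, and the function names and the x86_64 syscall numbers (60 for exit, 231 for exit_group) are this example's assumptions.

```python
import re

# x86_64 syscall numbers: 60 = exit, 231 = exit_group (the "syscall=231" event).
EXIT_SYSCALLS = {60, 231}
X86_64_ARCH = "c000003e"  # syscall numbers are per-architecture
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records, trimmed to the fields this example reads.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1340735280.101:101): arch=c000003e syscall=41 success=yes exit=3 pid=2345 comm="a.out"
type=SYSCALL msg=audit(1340735280.102:102): arch=c000003e syscall=3 success=yes exit=0 pid=2345 comm="a.out"
type=SYSCALL msg=audit(1340735291.201:110): arch=c000003e syscall=41 success=yes exit=3 pid=2350 comm="a.out"
type=SYSCALL msg=audit(1340735291.202:111): arch=c000003e syscall=3 success=yes exit=0 pid=2350 comm="a.out"
type=SYSCALL msg=audit(1340735291.203:112): arch=c000003e syscall=231 pid=2350 comm="a.out"
type=SYSCALL msg=audit(1340735295.301:120): arch=40000003 syscall=60 success=yes exit=18 pid=2360 comm="other"
type=CWD msg=audit(1340735295.301:120): cwd="/tmp"
truncated line without fields
"""

def parse_record(line):
    """Return (pid, syscall_nr, comm) for an x86_64 SYSCALL record, else None."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if fields.get("type") != "SYSCALL" or fields.get("arch") != X86_64_ARCH:
        return None
    try:
        # "exit=" is the syscall's return value, not the exit() syscall.
        return int(fields["pid"]), int(fields["syscall"]), fields.get("comm", "?")
    except (KeyError, ValueError):
        return None

def classify(log_text):
    """Map pid -> {comm, events, exit_seen} over all parsed records."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        pid, nr, comm = rec
        state = seen.setdefault(pid, {"comm": comm, "events": 0, "exit_seen": False})
        state["events"] += 1
        state["exit_seen"] |= nr in EXIT_SYSCALLS
    return seen

def pids_without_exit(log_text):
    """PIDs with audited activity but no exit record: killed by a signal,
    or still running; confirm against the process table."""
    return sorted(p for p, s in classify(log_text).items() if not s["exit_seen"])
```

On the constructed sample, `pids_without_exit(SAMPLE_LOG)` reports PID 2345, the looping process, while PID 2350 is accounted for by its exit_group record.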
