Hello,

On Monday, October 5, 2020 3:07:12 PM EDT Natan Yellin wrote:
> I've been tracking all process terminations using a rule for the exit and
> exit_group syscalls. However, by looking at the audit events for exit it is
> impossible to differentiate between the death of different threads in the
> same thread group. Is there an alternative way to track this?

I don't think the audit system was ever designed to distinguish between
threads. But there is a general need to determine the exit of a process rather
than a thread.

Paul, Richard,
Do you have any thoughts?

-Steve

> For my use case, I would like to know when either processes or individual
> threads execute and terminate. (I'm fine tracking at either granularity.)
> Right now I can track the creation properly using fork/clone/etc but for
> termination I receive multiple exit events with identical information that
> doesn't let me know which thread died.

-- 
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit