I'm looking for a way to get the PID of a short child process in Linux. The process is instant from a human perspective. I know the parent process which will spawn the child process.
Is there a way to log information about all the processes that are created by a specific parent process?
I'm not looking for a way to retroactively figure out the PID of the child but a way to log it once it happens.
You could use the audit system:
sudo auditctl -a exit,always -S execve -F ppid="$pid"
would cause audit entries to be generated each time a child of $pid executes a command. audit.log would have things like:
type=SYSCALL msg=audit(1373986729.977:377): arch=c000003e syscall=59 success=yes exit=0 a0=7ff000e4b188 a1=7ff000e4b1b0 a2=7fff928d47e8 a3=7fff928caac0 items=2 ppid=7502 pid=691 auid=10031 uid=10031 gid=10031 euid=10031 suid=10031 fsuid=10031 egid=10031 sgid=10031 fsgid=10031 ses=1 tty=pts5 comm="echo" exe="/bin/echo" key=(null)
type=EXECVE msg=audit(1373986729.977:377): argc=2 a0="/bin/echo" a1="test"
type=CWD msg=audit(1373986729.977:377): cwd="/tmp"
type=PATH msg=audit(1373986729.977:377): item=0 name="/bin/echo" inode=131750 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
Where you can find the pid amongst other things.
If you're interested in processes that don't necessarily execute something, you can add audit rules for the fork and clone system calls.
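Added example, not part of the original answer: a Python sketch that groups audit.log records by event ID (the timestamp:serial pair in msg=audit(...)) and lists the PID, executable and arguments of every command executed by children of a given parent. The helper names children_of and decode are hypothetical, the sample log is constructed from the record shown above, and unquoted EXECVE arguments are treated as hex-encoded, which is how audit logs strings containing spaces or special characters.

```python
import re
from collections import defaultdict

# Constructed sample: event 377 is the record from the answer (SYSCALL line
# shortened); events 378 and 379 are made up for illustration.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1373986729.977:377): arch=c000003e syscall=59 success=yes exit=0 ppid=7502 pid=691 comm="echo" exe="/bin/echo"
type=EXECVE msg=audit(1373986729.977:377): argc=2 a0="/bin/echo" a1="test"
type=CWD msg=audit(1373986729.977:377): cwd="/tmp"
type=SYSCALL msg=audit(1373986730.120:378): arch=c000003e syscall=59 success=yes exit=0 ppid=7502 pid=692 comm="echo" exe="/bin/echo"
type=EXECVE msg=audit(1373986730.120:378): argc=2 a0="/bin/echo" a1=68656C6C6F20776F726C64
type=SYSCALL msg=audit(1373986731.004:379): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=700 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1373986731.004:379): argc=1 a0="ls"
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """Quoted values are literal; unquoted EXECVE arguments are hex-encoded."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def children_of(log_text, parent_pid):
    """Return one dict per execve event whose SYSCALL record has ppid == parent_pid."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rtype, ts, serial, body = m.groups()
            events[(float(ts), int(serial))][rtype] = dict(FIELD_RE.findall(body))
    rows = []
    for (ts, _serial), recs in sorted(events.items()):
        sc = recs.get("SYSCALL")
        if not sc or sc.get("ppid") != str(parent_pid):
            continue
        ex = recs.get("EXECVE", {})
        argv = [decode(ex[f"a{i}"]) for i in range(int(ex.get("argc", 0))) if f"a{i}" in ex]
        rows.append({"time": ts, "pid": int(sc["pid"]), "exe": sc.get("exe", "").strip('"'),
                     "argv": argv, "cwd": recs.get("CWD", {}).get("cwd", "").strip('"')})
    return rows

if __name__ == "__main__":
    for row in children_of(SAMPLE_LOG, 7502):
        print(row["pid"], row["exe"], row["argv"])
```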