All geek questions in one place

Any possible solution to capture the entry / exit process?

I would like to capture the entry , exit process and keep a log for the whole system (possibly a daemon process).

One approach was to periodically read the /proc file system and maintain a list, since I see no way to register inotify for /proc . Also, for desktop applications, I could get dbus help, and whenever a client logs on to the desktop, I can capture.

But for non-desktop applications, I don’t know how to go further than reading /proc periodically.

Please provide suggestions.

+6
source share
4 answers

You mentioned / proc, so I'm going to assume that you have a Linux system.

Install the acct package. The lastcomm command shows all the processes that are running and how long they started, as you ask. Your program has a tail / var / log / account / pacct (you will find its structure described in acct (5)) and voila. However, this is simply a notice of termination. To detect startups, you need to periodically break through the table of system processes, if you really need it.

+3
source

Perhaps a safer way to move around is to create a super process that acts as the parent and fork of the children. Each time the child's process stops, the father can find him. It is just a thought if the architecture meets your needs.

Of course, if the parent process is not feasible, you must go to the kernel.

+2
source

If you want to really register all records and the completion of the process, you need to connect to the kernel. This means modifying the kernel, or at least writing a kernel module. Linux Security Modules will certainly allow you to connect to an input, but I'm not sure if you can connect to an output.

If you can live with a random pass back (if the binary is linked statically or somehow avoids setting up your environment), there is a simple option, preloading the library.

The Linux dynamic linker has a function that, if the environment variable LD_PRELOAD (see this question) names a shared library, it will force the library to be loaded into the initial process. In this way, you can create a library in which static initialization will tell the daemon that the process has started, and have the process detect when the process terminates.

Static initialization is easiest to do by creating a global object with a constructor in C ++. The dynamic linker ensures that the static constructor is launched when the library loads.

It will also try to start the corresponding destructor when the process ends, so you can simply register this process in the constructor and destructor. But this will not work if the process freezes from signal 9 (KILL), and I'm not sure what other signals will do.

So, instead, you should have a daemon and in the constructor tell the daemon about the start of the process and make sure that it will notice when the process exits on its own. One option that comes to mind is opening the unix domain daemon to the daemon and leaving it open. The core will close it when the process dies and the demon will notice. You must take some precautions to use the high descriptor number for the socket, as some processes may assume that the low descriptor numbers (3, 4, 5) are free and dup2 for them. And don't forget to allow more filedescriptors for the daemon and for the system as a whole.

Note that simply by polling the / proc file system you will probably miss a large number of processes that only live for a second. There are really a lot of them on unix.

+1
source

Here is the outline of the solution we are faced with.

We created a program that reads the configuration file of all possible applications that the system can control. This program reads the configuration file and through the command line interface you can start or stop programs. The program itself stored a table in shared memory, in which applications are marked as running or not. An interface that anyone can access can get the status of these programs. This program also had an alarm system that could either send via email / page or turn off the alarm.

This solution does not require any changes in the kernel and, therefore, is a less painful solution.

Hope this helps.

0
source

Source: https://habr.com/ru/post/905710/

More articles:


All Articles