Trace System Calls And Signals
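When we start a third-party program and it exits for no apparent reason without leaving any logs, how do we find out why it exited?
strace
strace can monitor a process's system calls and the signals it receives, and it also prints the process's exit code.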
https://man7.org/linux/man-pages/man1/strace.1.html
Usage example:
strace -e 'trace=all' cmd
auditctl
The example below shows how to use auditctl to log kill signals (the rule matches the kill system call with a1=9, i.e. SIGKILL):
root # auditctl -a exit,always -F arch=b64 -S kill -F a1=9
root # auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=9 (0x9) syscall=kill
root # sleep 99999 &
[2] 11688
root # kill -9 11688
root # ausearch -sc kill
time->Tue Oct 14 00:38:44 2014
type=OBJ_PID msg=audit(1413272324.413:441376): opid=11688 oauid=52872 ouid=0 oses=20 ocomm="sleep"
type=SYSCALL msg=audit(1413272324.413:441376): arch=c000003e syscall=62 success=yes exit=0 a0=2da8 a1=9 a2=0 a3=0 items=0 ppid=6107 pid=6108 auid=52872 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=20 comm="bash" exe="/bin/bash" key=(null)
The example is copied from this answer: https://stackoverflow.com/a/26355362/775640
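To answer "who killed my process" from that output, the SYSCALL record (the sender) has to be joined with the OBJ_PID record (the target) through the shared event serial in `msg=audit(...)`. The parser below is an added example, not part of the original answer; it assumes raw `ausearch` output (no `-i`) on x86_64, and the function names are hypothetical.

```python
import re
import signal
from collections import defaultdict

# Records copied from the ausearch output on this page (raw format, no -i).
SAMPLE = """\
time->Tue Oct 14 00:38:44 2014
type=OBJ_PID msg=audit(1413272324.413:441376): opid=11688 oauid=52872 ouid=0 oses=20 ocomm="sleep"
type=SYSCALL msg=audit(1413272324.413:441376): arch=c000003e syscall=62 success=yes exit=0 a0=2da8 a1=9 a2=0 a3=0 items=0 ppid=6107 pid=6108 auid=52872 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=20 comm="bash" exe="/bin/bash" key=(null)
"""

RECORD = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYS_KILL_X86_64 = "62"  # matches syscall=62 under arch=c000003e


def signal_name(num):
    try:
        return signal.Signals(num).name
    except ValueError:  # 0 (existence probe) or a number Python has no name for
        return f"signal {num}"


def parse_kill_events(text):
    """Join SYSCALL and OBJ_PID records by event serial; one dict per kill()."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:  # "time->" and "----" separator lines do not match
            rtype, _ts, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            events[serial][rtype].append(fields)
    results = []
    for serial, recs in events.items():
        for sc in recs["SYSCALL"]:
            if sc.get("syscall") != SYS_KILL_X86_64:
                continue
            pid_arg = int(sc["a0"], 16) & 0xFFFFFFFF  # a0 is the raw register, in hex
            if pid_arg >= 0x80000000:  # pid_t is signed; <= 0 targets a process group
                pid_arg -= 1 << 32
            results.append({
                "event": serial,
                "sender": f'{sc["comm"]}[{sc["pid"]}] exe={sc["exe"]} uid={sc["uid"]} auid={sc["auid"]}',
                "signal": signal_name(int(sc["a1"], 16)),
                "pid_arg": pid_arg,
                "targets": [(int(o["opid"]), o.get("ocomm")) for o in recs["OBJ_PID"]],
                "delivered": sc.get("success") == "yes",
            })
    return results
```

A kill aimed at a process group produces several OBJ_PID records under one serial, which is why `targets` is a list.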
References:
http://web.archive.org/web/20160320223052/https://www.ibm.com/developerworks/community/blogs/aimsupport/entry/Finding_the_source_of_signals_on_Linux_with_strace_auditd_or_Systemtap?lang=en
https://unix.stackexchange.com/questions/186200/whats-the-easiest-way-to-detect-what-signals-are-being-sent-to-a-process