XNU: getting process startup and cleanup notifications in kext


What is the best way to be notified when a process has been launched & exited in a kernel extension?

I know that I can use KAuth to subscribe for a process creation (KAUTH_VNODE_EXECUTE). How about subscribing to a process cleanup?


Solution

  • KAUTH_VNODE_EXECUTE isn't quite sufficient for all processes; this won't catch processes which are fork()ed without exec(). Fairly rare on OSX, but not unheard of. There is a MAC framework policy callback for fork, at least, although MAC (com.apple.kpi.dsep) is marked as unsupported by Apple, and ABI changes between major OS X versions are common.

    I'm not aware of anything for shutdown, other than periodically walking through your own list of processes, looking up the proc_t for the PID in question, and checking if it's still live. Of course, if a new process with a recycled PID is detected, that also means that the previous process with the same PID has died. You may be able to infer process death from other events if you have extra information on the process in question.
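As an added illustration (not code from the original question or answer), the sketch below puts the answer's two strategies into one small C module: a KAuth vnode-scope listener that records an exec when `KAUTH_VNODE_EXECUTE` fires on a regular file, and a periodic sweep that re-checks every tracked PID with `proc_find()` and treats a PID that no longer resolves as dead. The kernel-only parts are wrapped in `#ifdef KERNEL`, so the tracking logic also builds and runs as a plain user-space program with a constructed process table standing in for `proc_find()`. The names `pid_tracker`, `tracker_note_exec`, `tracker_sweep` and `fake_alive_probe` are hypothetical; only the XNU KPI calls inside the `KERNEL` block are real API. The tracker is deliberately unsynchronized; a real kext would guard it with a mutex, since the listener and the sweep run on different threads.

```c
/* Added example, not from the original post. Kernel pieces are guarded by
 * KERNEL so the tracker logic compiles and runs in user space too.
 * pid_tracker / tracker_* / fake_alive_probe are hypothetical names. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#ifdef KERNEL
#include <mach/mach_types.h>
#include <sys/kauth.h>
#include <sys/proc.h>
#include <sys/vnode.h>
#endif

#define TRACKER_MAX 64

typedef struct {
    int32_t pids[TRACKER_MAX];
    size_t  count;
} pid_tracker;

/* Liveness probe: returns true if a process with this PID still exists. */
typedef bool (*alive_probe_fn)(int32_t pid, void *ctx);

static int tracker_index(const pid_tracker *t, int32_t pid) {
    for (size_t i = 0; i < t->count; i++)
        if (t->pids[i] == pid) return (int)i;
    return -1;
}

/* Record an exec() for pid. Returns true if the PID was already tracked:
 * either the same process exec'd again, or the PID was recycled, which (as
 * the answer notes) means the earlier holder of that PID has exited. Telling
 * those two cases apart needs extra per-process data this example omits. */
static bool tracker_note_exec(pid_tracker *t, int32_t pid) {
    if (tracker_index(t, pid) >= 0) return true;
    if (t->count < TRACKER_MAX) t->pids[t->count++] = pid;
    return false;
}

/* Walk the table, drop PIDs whose process is gone, return how many died. */
static size_t tracker_sweep(pid_tracker *t, alive_probe_fn probe, void *ctx) {
    size_t died = 0;
    for (size_t i = 0; i < t->count; ) {
        if (probe(t->pids[i], ctx)) { i++; continue; }
        t->pids[i] = t->pids[--t->count];   /* swap-remove; order is irrelevant */
        died++;
    }
    return died;
}

#ifdef KERNEL
static pid_tracker      g_tracker;
static kauth_listener_t g_listener;

/* proc_find() takes a reference on a live proc_t; drop it with proc_rele(). */
static bool kernel_alive_probe(int32_t pid, void *ctx) {
    (void)ctx;
    proc_t p = proc_find(pid);
    if (p == NULL) return false;
    proc_rele(p);
    return true;
}

/* KAuth vnode-scope callback. KAUTH_VNODE_EXECUTE shares its bit with
 * KAUTH_VNODE_SEARCH on directories, so only regular files count as exec. */
static int vnode_listener(kauth_cred_t cred, void *idata, kauth_action_t action,
                          uintptr_t arg0, uintptr_t arg1, uintptr_t arg2,
                          uintptr_t arg3) {
    (void)cred; (void)idata; (void)arg2; (void)arg3;
    vfs_context_t ctx = (vfs_context_t)arg0;
    vnode_t       vp  = (vnode_t)arg1;
    if ((action & KAUTH_VNODE_EXECUTE) && vnode_isreg(vp))
        tracker_note_exec(&g_tracker, proc_pid(vfs_context_proc(ctx)));
    return KAUTH_RESULT_DEFER;   /* observe only; never decide access */
}

/* Call from the kext start routine; pair with kauth_unlisten_scope() on stop.
 * A periodic timer would then run tracker_sweep(&g_tracker,
 * kernel_alive_probe, NULL) to notice exits. */
static kern_return_t tracker_start(void) {
    g_listener = kauth_listen_scope(KAUTH_SCOPE_VNODE, vnode_listener, NULL);
    return g_listener ? KERN_SUCCESS : KERN_FAILURE;
}
#else
/* User-space stand-in for proc_find(): a constructed set of live PIDs. */
typedef struct { const int32_t *live; size_t n; } fake_proc_table;

static bool fake_alive_probe(int32_t pid, void *ctx) {
    const fake_proc_table *ft = ctx;
    for (size_t i = 0; i < ft->n; i++)
        if (ft->live[i] == pid) return true;
    return false;
}
#endif
```

In user space, build with `cc -std=c99 -Wall` and drive `tracker_note_exec` / `tracker_sweep` from a small `main` with a `fake_proc_table`; in a kext build, `KERNEL` is defined by the Kernel.framework headers and the same two functions are fed by the listener and a timer. Returning `KAUTH_RESULT_DEFER` keeps the listener purely observational, which also avoids the risk of a buggy callback blocking every exec on the system.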