From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: hsultan@thefroid.net
Cc: linux-audit@redhat.com
Subject: Re: Catching process termination on SIGKILL
Date: Tue, 27 Jan 2015 21:11:37 +0900 [thread overview]
Message-ID: <201501272111.HED17151.FOQOLFOFMSHJVt@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <45a5a4d7425943aa52df4117448cf2ce@thefroid.net>
Hassan wrote:
> On 2015-01-26 16:41, Steve Grubb wrote:
> > We collect anything that leads to a core dump because that is an
> > anomally. No
> > one should have segfaulting code on a production system. However, the
> > kernel
> > does not allow a SIGKILL to be delivered to processes the user has no
> > rights
> > to send it to, so its not really an abnormal event. I could see
> > someone maybe
> > wanting to monitor this, but its never been a priority to solve this
> > problem.
Well, the OOM killer can deliver SIGKILL to processes the user has no rights
to send it to. ;-)
> I see. Auditing SIGKILL reception would allow for easy tracking of
> process activity by following clone/fork/vfork/exit/exit group/abnormal
> termination and then SIGKILL. Without it, it becomes a kludge requiring
> to track kill/tkill/tgkill and trying to find which process will accept
> the SIGKILL sent and which won't, which then requires keeping track of
> process privileges and such.
Do you have to implement it using audit subsystem? If you want to track
process activity for temporary (or debug) purpose, SystemTap would do it.
---------- program start ----------
# stap -e '
probe kernel.function("do_exit") {
if ($code & 0x7F)
printf("%s %s(%u) exiting with signal %u\n",
ctime(gettimeofday_s()), execname(), pid(), $code & 0x7F);
}'
---------- program end ----------
---------- output example start ----------
Sat May 3 06:00:39 2014 a.out(2101) exiting with signal 11
Sat May 3 06:00:48 2014 sleep(2102) exiting with signal 2
Sat May 3 06:01:17 2014 sleep(2105) exiting with signal 9
Sat May 3 06:01:21 2014 a.out(2131) exiting with signal 11
---------- output example end ----------
>
> I'll try to figure out what a patch to audit the KILL reception would
> look like, intent would be to provide the sender's PID + the target PID
> in the audit msg. Should that be a new AUDIT msg type or do you see it
> fit within an existing msg type ?
SystemTap would do it, if you can accept SystemTap.
next prev parent reply other threads:[~2015-01-27 12:11 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-26 23:14 Catching process termination on SIGKILL hsultan
2015-01-27 0:41 ` Steve Grubb
2015-01-27 1:56 ` hsultan
2015-01-27 12:11 ` Tetsuo Handa [this message]
2015-01-27 19:03 ` hsultan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201501272111.HED17151.FOQOLFOFMSHJVt@I-love.SAKURA.ne.jp \
--to=penguin-kernel@i-love.sakura.ne.jp \
--cc=hsultan@thefroid.net \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.