Catching process termination on SIGKILL

hsultan at thefroid.net
Mon Jan 26 23:14:20 UTC 2015


Hi,

So I'm curious: auditd catches abnormal process termination (SIGSEGV, 
...) with a 1701 audit message, and can catch 'clean' termination by 
monitoring syscalls (exit, exit_group); however, I don't see anything to 
catch process termination by a SIGKILL.
If I audit the kill() system call, then I see the call to send the 
signal, but I would have expected the system to offer auditing of an 
actual SIGKILL *reception* (because you can pass -1 as target PID to 
sigkill, which kills all processes reachable by the caller and will make 
auditing by syscall very hard to do). Am I missing something? Is there 
a parameter to set somehow that I'm missing?

Thanks,

Hassan
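
As an added example (not part of Hassan's post or of the linux-audit
archive): the rules below record SIGKILL *sends* through kill(), tkill()
and tgkill() by filtering on the signal argument (a1 or a2, value 9), and
the small classifier shows how a kill(-1, SIGKILL) broadcast can be told
apart from a targeted kill in the resulting SYSCALL record. Assumptions:
x86_64 syscall numbers (kill=62, tkill=200, tgkill=234, arch=b64), the
key name sigkill_send is a made-up label, and the log lines are
constructed rather than captured. This still audits the send side only;
it does not log reception in the killed process.

```shell
#!/bin/sh
# Added example, not code from the original thread. Demonstrates auditing
# SIGKILL sends and decoding the target pid from SYSCALL records.
# Assumes x86_64 syscall numbers; "sigkill_send" is an arbitrary key.

# Rules for /etc/audit/rules.d/ (or feed each line to auditctl).
# Signal 9 == SIGKILL; which argument holds it depends on the syscall:
#   kill(pid, sig)         -> a1
#   tkill(tid, sig)        -> a1
#   tgkill(tgid, tid, sig) -> a2
sigkill_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S kill -F a1=9 -k sigkill_send
-a always,exit -F arch=b64 -S tkill -F a1=9 -k sigkill_send
-a always,exit -F arch=b64 -S tgkill -F a2=9 -k sigkill_send
EOF
}

# Value of a key=value field in one audit record line ("" if absent).
# Runs in a subshell with globbing off so tokens are split on whitespace only.
audit_field() {  # $1=record line  $2=field name
    ( set -f
      for tok in $1; do
          case "$tok" in
              "$2="*) printf '%s\n' "${tok#*=}"; exit 0 ;;
          esac
      done
      printf '\n' )
}

# The kernel logs syscall arguments as raw hex register values. A pid of -1
# can show up as ffffffff (32-bit register load) or ffffffffffffffff
# (64-bit load), so reduce to the low 32 bits and sign-extend from there.
decode_pid() {  # $1=hex value of a0
    v=$(( 0x$1 & 0xffffffff ))
    if [ "$v" -ge 2147483648 ]; then v=$(( v - 4294967296 )); fi
    echo "$v"
}

# Classify one SYSCALL record. Prints:
#   broadcast - kill(-1, SIGKILL): every process the caller may signal
#   targeted  - SIGKILL to a specific pid/tid via kill/tkill/tgkill
#   none      - not a SIGKILL send
classify_kill_record() {  # $1=audit SYSCALL line
    line=$1
    [ "$(audit_field "$line" type)" = "SYSCALL" ] || { echo none; return; }
    sc=$(audit_field "$line" syscall)
    case "$sc" in
        62|200) sig=$(audit_field "$line" a1) ;;   # kill, tkill
        234)    sig=$(audit_field "$line" a2) ;;   # tgkill
        *)      echo none; return ;;
    esac
    [ "$sig" = "9" ] || { echo none; return; }
    if [ "$sc" = "62" ] && [ "$(decode_pid "$(audit_field "$line" a0)")" = "-1" ]; then
        echo broadcast
    else
        echo targeted
    fi
}

# Constructed sample records (not real captures). Arguments are hex, so
# a0=309 is pid 777 and a1=f is SIGTERM (15).
REC_BROADCAST='type=SYSCALL msg=audit(1422314060.123:4501): arch=c000003e syscall=62 success=yes exit=0 a0=ffffffff a1=9 a2=0 a3=0 items=0 ppid=2201 pid=2345 auid=1000 uid=1000 gid=1000 comm="kill" exe="/usr/bin/kill" key="sigkill_send"'
REC_TARGETED='type=SYSCALL msg=audit(1422314061.001:4502): arch=c000003e syscall=62 success=yes exit=0 a0=309 a1=9 a2=0 a3=0 items=0 ppid=2201 pid=2345 auid=1000 uid=1000 gid=1000 comm="kill" exe="/usr/bin/kill" key="sigkill_send"'
REC_TGKILL='type=SYSCALL msg=audit(1422314062.500:4503): arch=c000003e syscall=234 success=yes exit=0 a0=309 a1=30a a2=9 a3=0 items=0 ppid=2201 pid=2345 auid=1000 uid=1000 gid=1000 comm="svc" exe="/usr/bin/svc" key="sigkill_send"'
REC_TERM='type=SYSCALL msg=audit(1422314063.250:4504): arch=c000003e syscall=62 success=yes exit=0 a0=309 a1=f a2=0 a3=0 items=0 ppid=2201 pid=2345 auid=1000 uid=1000 gid=1000 comm="kill" exe="/usr/bin/kill" key=(null)'

echo "# rules:"
sigkill_rules
echo "# classification:"
for r in "$REC_BROADCAST" "$REC_TARGETED" "$REC_TGKILL" "$REC_TERM"; do
    printf '%s pid=%s comm=%s\n' "$(classify_kill_record "$r")" \
        "$(audit_field "$r" pid)" "$(audit_field "$r" comm)"
done
```

The broadcast case is the one the post worries about: the record names
the sender (pid, auid, comm) but not the victims, so correlating it with
the processes that disappeared still has to be done from other records
(for example exit events that never arrive, or service supervisor logs).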




More information about the Linux-audit mailing list