Catching process termination on SIGKILL

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Tue Jan 27 12:11:37 UTC 2015


Hassan wrote:
> On 2015-01-26 16:41, Steve Grubb wrote:
> > We collect anything that leads to a core dump because that is an
> > anomaly. No one should have segfaulting code on a production system.
> > However, the kernel does not allow a SIGKILL to be delivered to
> > processes the user has no rights to send it to, so it's not really an
> > abnormal event. I could see someone maybe wanting to monitor this, but
> > it's never been a priority to solve this problem.

Well, the OOM killer can deliver SIGKILL to processes the user has no rights
to send it to. ;-)

> I see. Auditing SIGKILL reception would allow for easy tracking of 
> process activity by following clone/fork/vfork/exit/exit group/abnormal 
> termination and then SIGKILL. Without it, it becomes a kludge requiring 
> one to track kill/tkill/tgkill and trying to find which process will accept 
> the SIGKILL sent and which won't, which then requires keeping track of 
> process privileges and such.

Do you have to implement it using the audit subsystem? If you want to track
process activity for a temporary (or debugging) purpose, SystemTap would do it.

---------- program start ----------
# stap -e '
probe kernel.function("do_exit") {
  if ($code & 0x7F)
    printf("%s %s(%u) exiting with signal %u\n",
           ctime(gettimeofday_s()), execname(), pid(), $code & 0x7F);
}'
---------- program end ----------

---------- output example start ----------
Sat May 3 06:00:39 2014 a.out(2101) exiting with signal 11
Sat May 3 06:00:48 2014 sleep(2102) exiting with signal 2
Sat May 3 06:01:17 2014 sleep(2105) exiting with signal 9
Sat May 3 06:01:21 2014 a.out(2131) exiting with signal 11
---------- output example end ----------

> 
> I'll try to figure out what a patch to audit the KILL reception would 
> look like, intent would be to provide the sender's PID + the target PID 
> in the audit msg. Should that be a new AUDIT msg type or do you see it 
> fit within an existing msg type?

SystemTap would do it, if you can accept SystemTap.
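As an added illustration (not part of this message or of the SystemTap script above), the following Python program shows from user space the same exit-code encoding the probe relies on: when a task dies from a signal, the low seven bits of its exit code hold the signal number, and bit 0x80 is set if a core dump was written, which is exactly what `$code & 0x7F` extracts in do_exit. The decoder below applies those masks directly and cross-checks them against the libc wait macros, and `spawn_and_kill` forks a child, kills it with a chosen signal and reports how it died. It assumes Linux (or another POSIX system with fork/kill/waitpid) and Python 3; the function and class names are my own.

```python
import os
import signal
import time
from dataclasses import dataclass
from typing import Optional

# Masks mirror <sys/wait.h> and the kernel's exit_code layout (assumption:
# Linux semantics, the same ones the do_exit probe decodes with & 0x7F).
SIGNAL_MASK = 0x7F   # terminating signal number
CORE_FLAG = 0x80     # set when a core dump was produced
STOPPED_MARK = 0x7F  # low byte 0x7F means "stopped", not terminated


@dataclass
class Termination:
    pid: int
    by_signal: bool
    signal: Optional[int]      # terminating signal, if by_signal
    core_dumped: bool
    exit_status: Optional[int]  # exit(2) status, if not by_signal


def decode_exit_code(code: int, pid: int = 0) -> Termination:
    """Decode a raw wait status / kernel exit code into its parts."""
    low = code & 0xFF
    if low == STOPPED_MARK:
        raise ValueError("process is stopped, not terminated")
    sig = low & SIGNAL_MASK
    if sig == 0:
        # Normal exit: the status byte lives in bits 8..15.
        return Termination(pid, False, None, False, (code >> 8) & 0xFF)
    return Termination(pid, True, sig, bool(low & CORE_FLAG), None)


def decode_wait_status(pid: int, status: int) -> Termination:
    """Same decoding via the libc macros; asserts both views agree."""
    manual = decode_exit_code(status, pid)
    if os.WIFSIGNALED(status):
        assert manual.by_signal and manual.signal == os.WTERMSIG(status)
        assert manual.core_dumped == bool(os.WCOREDUMP(status))
    elif os.WIFEXITED(status):
        assert not manual.by_signal and manual.exit_status == os.WEXITSTATUS(status)
    return manual


def signal_name(signum: int) -> str:
    """Map a number such as 9 to SIGKILL; unknown numbers are shown numerically."""
    try:
        return signal.Signals(signum).name
    except ValueError:
        return f"SIG{signum}"


def describe(term: Termination, comm: str = "child") -> str:
    """Render one line in the style of the probe's output, with the name added."""
    if term.by_signal:
        core = " (core dumped)" if term.core_dumped else ""
        return f"{comm}({term.pid}) exiting with signal {term.signal} " \
               f"[{signal_name(term.signal)}]{core}"
    return f"{comm}({term.pid}) exited with status {term.exit_status}"


def spawn_and_kill(signum: int) -> Termination:
    """Fork a child that just waits, deliver signum to it, and decode its death."""
    pid = os.fork()
    if pid == 0:
        # Child: restore default dispositions so the signal really terminates us
        # (the parent's Python handler for SIGINT would otherwise be inherited).
        for s in (signal.SIGINT, signal.SIGTERM):
            signal.signal(s, signal.SIG_DFL)
        while True:
            signal.pause()
    # Parent: SIGKILL cannot be caught or ignored, so no handshake is needed.
    time.sleep(0.05)
    os.kill(pid, signum)
    _, status = os.waitpid(pid, 0)
    return decode_wait_status(pid, status)


if __name__ == "__main__":
    # Constructed exit codes: SIGKILL, SIGSEGV with core dump, exit(3).
    for code in (9, 11 | CORE_FLAG, 3 << 8):
        print(describe(decode_exit_code(code, pid=4242)))
    print(describe(spawn_and_kill(signal.SIGKILL)))
```

Run as a script it prints the decoded forms of three constructed codes and then a real SIGKILL death of a forked child; the `[SIGKILL]`/`[SIGSEGV]` annotations make the numeric signals in the probe's sample output (9, 11, 2) immediately readable.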
