Catching process termination on SIGKILL

hsultan at thefroid.net
Tue Jan 27 19:03:28 UTC 2015


On 2015-01-27 04:11, Tetsuo Handa wrote:
...
> Do you have to implement it using audit subsystem? If you want to track
> process activity for temporary (or debug) purpose, SystemTap would do it.
>
> ---------- program start ----------
> # stap -e '
> probe kernel.function("do_exit") {
>   if ($code & 0x7F)
>     printf("%s %s(%u) exiting with signal %u\n",
>            ctime(gettimeofday_s()), execname(), pid(), $code & 0x7F);
> }'
> ---------- program end ----------
>
> ---------- output example start ----------
> Sat May 3 06:00:39 2014 a.out(2101) exiting with signal 11
> Sat May 3 06:00:48 2014 sleep(2102) exiting with signal 2
> Sat May 3 06:01:17 2014 sleep(2105) exiting with signal 9
> Sat May 3 06:01:21 2014 a.out(2131) exiting with signal 11
> ---------- output example end ----------
>
>>
>> I'll try to figure out what a patch to audit the KILL reception would
>> look like, intent would be to provide the sender's PID + the target PID
>> in the audit msg. Should that be a new AUDIT msg type or do you see it
>> fit within an existing msg type?
>
> SystemTap would do it, if you can accept SystemTap.

Sadly I can't use SystemTap as I do not control the systems where my 
code will be running, so I can't be sure that debug information will be 
available :/

Thanks,

Hassan
