From: Eric Paris <eparis@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Fw: How to define rule for SERVICE_START/STOP?
Date: Wed, 06 Aug 2014 08:57:20 -0400
Message-ID: <1407329840.13538.49.camel@localhost>
In-Reply-To: <2027195.kI1qZKnNKp@x2>
On Tue, 2014-08-05 at 12:48 -0400, Steve Grubb wrote:
> On Tuesday, August 05, 2014 10:36:17 AM Gisela Cheng wrote:
> > Would this trigger the creation of the audit record?
>
> I don't think anything in the config file would affect this. The requirements are
> to record all starts and stops. I don't think it can record a segfault kind of
> stop. That would, however, generate an ANOM_ABEND event.
All stops of a non-forking daemon will be properly tracked with a stop
event (including segfault). systemd doesn't just start processes and
forget about them. It isn't sysv. We don't live in the stone ages any
more :)
For forking services (like yours) it gets it right most of the time,
especially since you told it the pid file, but I understand it isn't
perfect. sendmail is a forking service; if you kill -SEGV $SENDMAIL_PID
you will get something like:
type=ANOM_ABEND msg=audit(1407329684.562:419): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:sendmail_t:s0 pid=1114 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" sig=11
type=SERVICE_STOP msg=audit(1407329684.570:420): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="sendmail" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Aka, Steve is right and you are right.
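As an added example (not part of the thread, not systemd or audit project code), the following Python parses audit records of the shape Eric quotes, including the nested msg='...' payload systemd wraps around its SERVICE_STOP fields, and pairs each ANOM_ABEND with a SERVICE_STOP res=failed for the same comm shortly after it. The first two sample lines are the records from the mail; the third (a clean crond stop) is constructed for contrast.

```python
import re

# Constructed sample input: two records quoted in the mail plus one
# made-up successful stop, so the correlation has a negative case.
SAMPLE = """\
type=ANOM_ABEND msg=audit(1407329684.562:419): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:sendmail_t:s0 pid=1114 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" sig=11
type=SERVICE_STOP msg=audit(1407329684.570:420): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="sendmail" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_STOP msg=audit(1407329700.000:421): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="crond" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# type=<TYPE> msg=audit(<epoch.millis>:<serial>): <key=value ...>
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# key=value where value is "double-quoted", 'single-quoted' or bare.
KV = re.compile(r"""(\w+)=("(?:[^"\\]|\\.)*"|'[^']*'|\S+)""")

def parse_record(line):
    """Parse one raw audit line into a flat dict. The single-quoted
    msg='...' payload that systemd (pid 1) attaches to SERVICE_* records
    is itself key=value text, so it is parsed and merged into the dict."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in KV.findall(m.group(4)):
        if val.startswith("'"):            # nested systemd payload
            for k2, v2 in KV.findall(val[1:-1]):
                rec[k2] = v2.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec

def failed_stops(lines, window=5.0):
    """Pair each ANOM_ABEND with a SERVICE_STOP res=failed for the same
    comm within `window` seconds. Returns (comm, signal, abend_serial,
    stop_serial) tuples; a stop with no matching abend is not reported."""
    recs = [r for r in (parse_record(l) for l in lines) if r]
    abends = [r for r in recs if r["type"] == "ANOM_ABEND"]
    stops = [r for r in recs if r["type"] == "SERVICE_STOP"]
    hits = []
    for a in abends:
        for s in stops:
            if (s.get("comm") == a.get("comm") and s.get("res") == "failed"
                    and 0 <= s["time"] - a["time"] <= window):
                hits.append((a["comm"], int(a["sig"]), a["serial"], s["serial"]))
    return hits

if __name__ == "__main__":
    for hit in failed_stops(SAMPLE.splitlines()):
        print("crash-driven stop: comm=%s sig=%d abend=%d stop=%d" % hit)
```

Feeding real `ausearch --raw` output into `failed_stops` gives the same pairing over a live log; the sig=11 in the ANOM_ABEND record is the SIGSEGV Eric provoked with kill.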