From: Steve Grubb <sgrubb@redhat.com>
To: James Antill <jantill@redhat.com>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: Abnormal End of Processes
Date: Wed, 18 Apr 2007 13:27:51 -0400
Message-ID: <200704181327.51970.sgrubb@redhat.com>
In-Reply-To: <1176914844.19144.34.camel@code.and.org>
On Wednesday 18 April 2007 12:47, James Antill wrote:
> Does this deal with the case where the application catches SIGSEGV, and
> then calls abort() (or just raises SIGABRT)?
From this hook, no. It just doesn't have the visibility for that.
> Also in a more general way, I'm pretty sure you'd also want to know
> whenever abort()/raise(SIGABORT) is done, at least all the times I've
> seen those calls it's the same thing as a SIGSEGV situation from the
> application's POV.
Not really, there are a surprising number of apps that consider abort() to be
a normal way of exiting when there's a minor problem. I've never seen any app
catch SIGSEGV and then raise(sigabort).
> The only thing I can think against this is that _very rarely_ a
> sysadmin will do a "kill -ABRT" to stop a problem application ... which
> I assume is why you've filtered it?
No, it's because you get a lot of programs ending with abort - hald-addon-acpi
and dhcdbd to name a couple.
> But even then is a "spurious" audit event that bad?
It was frequent enough I didn't want that noise in the logs at this point. If
those applications get cleaned up, I think we could allow abort() to go
through.
-Steve