From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Paris
Subject: Re: Fw: How to define rule for SERVICE_START/STOP?
Date: Wed, 06 Aug 2014 08:57:20 -0400
Message-ID: <1407329840.13538.49.camel@localhost>
References: <2027195.kI1qZKnNKp@x2>
In-Reply-To: <2027195.kI1qZKnNKp@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, 2014-08-05 at 12:48 -0400, Steve Grubb wrote:
> On Tuesday, August 05, 2014 10:36:17 AM Gisela Cheng wrote:
> > Would this trigger the creation of the audit record?
>
> I don't think anything in the config file would affect this. The requirements are
> to record all starts and stops. I don't think it can record a segfault kind of
> stop. That would, however, generate an ANOM_ABEND event.

All stops of a non-forking daemon will be properly tracked with a stop event (including segfault). systemd doesn't just start processes and forget about them. It isn't SysV. We don't live in the stone ages any more :)

For forking services (like yours) it gets it right most of the time, especially since you told it the pid file, but I understand it isn't perfect.

sendmail is a forking service. If you kill -SIGSEGV $SENDMAIL_PID you will get something like:

type=ANOM_ABEND msg=audit(1407329684.562:419): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:sendmail_t:s0 pid=1114 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" sig=11
type=SERVICE_STOP msg=audit(1407329684.570:420): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="sendmail" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

AKA, Steve is right and you are right.
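The two records above show the pattern a defender actually wants to catch: a daemon dying from a signal (ANOM_ABEND with sig=11) followed a few milliseconds later by systemd logging the unit as stopped with res=failed. The following is an added example, not code from the thread or from the audit project: a small parser for raw audit.log lines (including the nested key=value pairs systemd packs into msg='...') and a correlation rule that pairs each failed SERVICE_STOP with a preceding ANOM_ABEND for the same comm. The one-second window and the use of comm as the join key are assumptions made here; the sample input is the two records quoted in the mail, placed on consecutive lines as they would appear in audit.log.

```python
"""Correlate systemd SERVICE_STOP records with a preceding ANOM_ABEND.

Added example (not from the mailing-list thread). Assumes records are
one per line in raw audit.log format; the 1-second window and the
choice of comm as the join key are assumptions made for this example.
"""
import re
from collections import namedtuple

# Constructed sample input: the two records quoted in the mail, written
# as consecutive lines of /var/log/audit/audit.log.
SAMPLE_LOG = """\
type=ANOM_ABEND msg=audit(1407329684.562:419): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:sendmail_t:s0 pid=1114 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" sig=11
type=SERVICE_STOP msg=audit(1407329684.570:420): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="sendmail" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
"""

Record = namedtuple("Record", "type time serial fields")

# type=<TYPE> msg=audit(<secs.msecs>:<serial>): <key=value ...>
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# key=value where value is single-quoted, double-quoted, or a bare token
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def parse_fields(text):
    """Turn a run of key=value pairs into a dict, flattening msg='...'."""
    fields = {}
    for key, raw in KV_RE.findall(text):
        quoted = raw[:1] in ("'", '"')
        val = raw[1:-1] if quoted else raw
        if key == "msg" and raw[:1] == "'":
            # systemd puts comm=, exe=, res= etc. inside the msg='...' blob
            fields.update(parse_fields(val))
        else:
            fields[key] = val
    return fields


def parse_record(line):
    """Parse one audit.log line; return None for lines not in that format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    return Record(rtype, float(ts), int(serial), parse_fields(rest))


def find_crash_stops(lines, window=1.0):
    """Pair each SERVICE_STOP with res=failed to an ANOM_ABEND for the same
    comm that occurred at most `window` seconds earlier."""
    records = [r for r in (parse_record(l) for l in lines) if r is not None]
    abends = [r for r in records if r.type == "ANOM_ABEND"]
    matches = []
    for stop in records:
        if stop.type != "SERVICE_STOP" or stop.fields.get("res") != "failed":
            continue
        for ab in abends:
            same_unit = ab.fields.get("comm") == stop.fields.get("comm")
            if same_unit and 0 <= stop.time - ab.time <= window:
                matches.append((ab, stop))
    return matches


if __name__ == "__main__":
    for ab, stop in find_crash_stops(SAMPLE_LOG.splitlines()):
        print(f"{stop.fields['comm']} stopped (serial {stop.serial}) after "
              f"signal {ab.fields['sig']} in pid {ab.fields['pid']} "
              f"(serial {ab.serial})")
```

Run against the sample, this reports the sendmail stop (serial 420) as the consequence of the SIGSEGV in pid 1114 (serial 419). On a real system the same logic applies to the output of `ausearch -i` only after adjusting the regexes, since `-i` rewrites field values; the raw log format used here is the one ausearch reads itself.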