From: hsultan@thefroid.net
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: linux-audit@redhat.com
Subject: Re: Catching process termination on SIGKILL
Date: Tue, 27 Jan 2015 11:03:28 -0800
Message-ID: <1c232ac7a8339b89d276040eb85e42a0@thefroid.net>
In-Reply-To: <201501272111.HED17151.FOQOLFOFMSHJVt@I-love.SAKURA.ne.jp>
On 2015-01-27 04:11, Tetsuo Handa wrote:
...
> Do you have to implement it using audit subsystem? If you want to track
> process activity for temporary (or debug) purpose, SystemTap would do it.
>
> ---------- program start ----------
> # stap -e '
> probe kernel.function("do_exit") {
>   if ($code & 0x7F)
>     printf("%s %s(%u) exiting with signal %u\n",
>            ctime(gettimeofday_s()), execname(), pid(), $code & 0x7F);
> }'
> ---------- program end ----------
>
> ---------- output example start ----------
> Sat May 3 06:00:39 2014 a.out(2101) exiting with signal 11
> Sat May 3 06:00:48 2014 sleep(2102) exiting with signal 2
> Sat May 3 06:01:17 2014 sleep(2105) exiting with signal 9
> Sat May 3 06:01:21 2014 a.out(2131) exiting with signal 11
> ---------- output example end ----------
>
>>
>> I'll try to figure out what a patch to audit the KILL reception would
>> look like, intent would be to provide the sender's PID + the target PID
>> in the audit msg. Should that be a new AUDIT msg type or do you see it
>> fit within an existing msg type ?
>
> SystemTap would do it, if you can accept SystemTap.

Sadly I can't use SystemTap as I do not control the systems where my
code will be running so can't be sure that debug information will be
available :/

Thanks,
Hassan