From: hsultan@thefroid.net
Subject: Re: Catching process termination on SIGKILL
Date: Tue, 27 Jan 2015 11:03:28 -0800
To: Tetsuo Handa
Cc: linux-audit@redhat.com

On 2015-01-27 04:11, Tetsuo Handa wrote:
...
> Do you have to implement it using audit subsystem? If you want to track
> process activity for temporary (or debug) purpose, SystemTap would do it.
>
> ---------- program start ----------
> # stap -e '
> probe kernel.function("do_exit") {
>   if ($code & 0x7F)
>     printf("%s %s(%u) exiting with signal %u\n",
>            ctime(gettimeofday_s()), execname(), pid(), $code & 0x7F);
> }'
> ---------- program end ----------
>
> ---------- output example start ----------
> Sat May 3 06:00:39 2014 a.out(2101) exiting with signal 11
> Sat May 3 06:00:48 2014 sleep(2102) exiting with signal 2
> Sat May 3 06:01:17 2014 sleep(2105) exiting with signal 9
> Sat May 3 06:01:21 2014 a.out(2131) exiting with signal 11
> ---------- output example end ----------
>
>>
>> I'll try to figure out what a patch to audit the KILL reception would
>> look like, intent would be to provide the sender's PID + the target PID
>> in the audit msg. Should that be a new AUDIT msg type or do you see it
>> fit within an existing msg type?
>
> SystemTap would do it, if you can accept SystemTap.

Sadly I can't use SystemTap as I do not control the systems where my
code will be running so can't be sure that debug information will be
available :/

Thanks,
Hassan
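The quoted probe masks the `do_exit()` code with `0x7F` because the low seven bits carry the terminating signal. The same encoding shows up in a wait status, which the following added example (not code from this thread) decodes for a process's own children only; it does not report the sender's PID. The names `term_signal` and `child_status` are hypothetical.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: same mask the quoted probe applies to $code.
 * Low 7 bits = terminating signal, 0 = normal exit. Bit 0x80 (core
 * dumped) is masked off; a normal exit code sits in bits 8..15. */
static int term_signal(int code)
{
    return code & 0x7F;
}

/* Hypothetical helper: fork a child and return its raw wait status
 * (-1 on error). With sig != 0 the child blocks and the parent kills
 * it with sig; with sig == 0 the child exits normally with rc. */
static int child_status(int sig, int rc)
{
    int status = 0;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        while (sig != 0)
            pause();            /* wait here until the signal arrives */
        _exit(rc);
    }
    if (sig != 0 && kill(pid, sig) != 0)
        return -1;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return status;
}

int main(void)
{
    int st = child_status(SIGKILL, 0);
    printf("killed: status=0x%04x signal=%d (WTERMSIG=%d)\n",
           st, term_signal(st), WTERMSIG(st));

    st = child_status(0, 3);
    printf("exited: status=0x%04x signal=%d (WEXITSTATUS=%d)\n",
           st, term_signal(st), WEXITSTATUS(st));
    return 0;
}
```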