public inbox for linux-audit@redhat.com
From: hsultan@thefroid.net
To: linux-audit@redhat.com
Subject: Re: Catching process termination on SIGKILL
Date: Mon, 26 Jan 2015 17:56:59 -0800	[thread overview]
Message-ID: <45a5a4d7425943aa52df4117448cf2ce@thefroid.net> (raw)
In-Reply-To: <4299392.Ypj558huPe@x2>

On 2015-01-26 16:41, Steve Grubb wrote:
> On Monday, January 26, 2015 03:14:20 PM hsultan@thefroid.net wrote:
>> So I'm curious, auditd catches abnormal process termination (SIGSEGV,
>> ...) with a 1701 audit message, can catch 'clean' termination by
>> monitoring syscall (exit, exit_group), however I don't see anything to
>> catch process termination by a SIGKILL.
>> If I audit the kill() system call then I see the call to send the
>> signal, but I would have expected the system to offer auditing of an
>> actual SIGKILL *reception* (because you can pass -1 as target PID to
>> sigkill, which kills all processes reachable by the caller and will make
>> auditing by syscall very hard to do), am I missing something?
>
> I don't think so.
>
>> Is there a parameter to set somehow that I'm missing?
>
> No. This would probably need some kind of kernel patch to enable. It's
> never really come up that anyone would want to monitor for this. Typically
> the monitoring is on the sending side rather than the receiving side.
>
> We collect anything that leads to a core dump because that is an anomaly.
> No one should have segfaulting code on a production system. However, the
> kernel does not allow a SIGKILL to be delivered to processes the user has
> no rights to send it to, so it's not really an abnormal event. I could see
> someone maybe wanting to monitor this, but it's never been a priority to
> solve this problem.

I see. Auditing SIGKILL reception would allow for easy tracking of
process activity by following clone/fork/vfork/exit/exit_group/abnormal
termination and then SIGKILL. Without it, it becomes a kludge requiring one
to track kill/tkill/tgkill and try to find which process will accept
the SIGKILL sent and which won't, which then requires keeping track of
process privileges and such.

I'll try to figure out what a patch to audit the KILL reception would
look like; the intent would be to provide the sender's PID + the target PID
in the audit msg. Should that be a new AUDIT msg type, or do you see it
fitting within an existing msg type?

Thanks,

Hassan
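The sender-side tracking Hassan describes above, worked through as an added example (not part of this thread): a Python parser over constructed audit SYSCALL records that picks out SIGKILL sends via kill/tkill/tgkill and classifies what each record does and does not reveal about the receiver, including the pid -1 broadcast case. The auditctl rules, the x86_64 syscall numbers and the sample records are assumptions made for this example.

```python
import re
from collections import namedtuple

# Assumed auditctl rules (x86_64) for the sending side: the signal is
# argument a1 for kill/tkill but a2 for tgkill, so two rules are needed.
#   -a always,exit -F arch=b64 -S kill,tkill -F a1=9 -k sigkill_watch
#   -a always,exit -F arch=b64 -S tgkill -F a2=9 -k sigkill_watch
SYSCALLS = {62: "kill", 200: "tkill", 234: "tgkill"}  # x86_64 numbers
SIGKILL = 9
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# target is None when the receiver set cannot be read off the record;
# succeeded means success=yes, i.e. at least one process was signalled.
SigkillSend = namedtuple("SigkillSend", "serial sender_pid syscall target succeeded note")

# Constructed SYSCALL records for this demo; not copied from any real host.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1422319019.101:201): arch=c000003e syscall=62 success=yes exit=0 a0=1a2b a1=9 a2=0 a3=0 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key="sigkill_watch"
type=SYSCALL msg=audit(1422319020.102:202): arch=c000003e syscall=62 success=yes exit=0 a0=ffffffff a1=9 a2=0 a3=0 items=0 ppid=1000 pid=1235 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key="sigkill_watch"
type=SYSCALL msg=audit(1422319021.103:203): arch=c000003e syscall=234 success=yes exit=0 a0=2000 a1=2003 a2=9 a3=0 items=0 ppid=1000 pid=1236 auid=1000 uid=1000 comm="java" exe="/usr/bin/java" key="sigkill_watch"
type=SYSCALL msg=audit(1422319022.104:204): arch=c000003e syscall=62 success=no exit=-1 a0=1 a1=9 a2=0 a3=0 items=0 ppid=1000 pid=1237 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key="sigkill_watch"
"""

def _pid_arg(hexval: str) -> int:
    """Decode an aN= register value as the signed 32-bit pid_t the kernel uses (ffffffff or ffffffffffffffff -> -1)."""
    v = int(hexval, 16) & 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v

def parse_sigkill_sends(log: str) -> list:
    """Extract SIGKILL sends and note what the sending record tells us about the receiver."""
    events = []
    for line in log.splitlines():
        f = dict(FIELD_RE.findall(line))
        name = SYSCALLS.get(int(f.get("syscall", -1))) if f.get("type") == "SYSCALL" else None
        if name is None or _pid_arg(f["a2" if name == "tgkill" else "a1"]) != SIGKILL:
            continue
        serial = int(f["msg"].split(":")[1].rstrip("):"))  # audit(TS:SERIAL):
        if name == "tgkill":
            tgid, tid = _pid_arg(f["a0"]), _pid_arg(f["a1"])
            target, note = tid, "thread %d in thread group %d" % (tid, tgid)
        else:
            pid = _pid_arg(f["a0"])
            if pid > 0:
                target, note = pid, "single %s" % ("thread" if name == "tkill" else "process")
            elif pid == -1:
                target, note = None, "broadcast: every process the sender may signal"
            elif pid == 0:
                target, note = None, "sender's own process group"
            else:
                target, note = None, "process group %d" % -pid
        events.append(SigkillSend(serial, int(f["pid"]), name, target, f["success"] == "yes", note))
    return events
```

The broadcast and process-group cases are exactly where the sender-side record stops short: the set of processes that actually received the signal depends on the sender's credentials at that moment, which is the privilege tracking the message above calls a kludge.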

Thread overview: 5+ messages
2015-01-26 23:14 Catching process termination on SIGKILL hsultan
2015-01-27  0:41 ` Steve Grubb
2015-01-27  1:56   ` hsultan [this message]
2015-01-27 12:11     ` Tetsuo Handa
2015-01-27 19:03       ` hsultan