From: Matthew Booth
Subject: Re: AUDIT_SIGNAL_INFO
Date: Mon, 23 Mar 2009 18:01:50 +0000
Message-ID: <49C7CE8E.2000602@redhat.com>
References: <49C7AAE9.2050004@redhat.com> <1237831179.5667.7.camel@localhost.localdomain>
In-Reply-To: <1237831179.5667.7.camel@localhost.localdomain>
To: Eric Paris
Cc: linux Audit
List-Id: linux-audit@redhat.com

Eric Paris wrote:
> On Mon, 2009-03-23 at 15:29 +0000, Matthew Booth wrote:
>> Under what circumstances will the RHEL 4 kernel generate a message of
>> type AUDIT_SIGNAL_INFO? My understanding is that it should be sent when
>> a process sends a signal to the audit daemon, however I have not
>> observed that. Any ideas?
>
> AUDIT_SIGNAL_INFO is sent when the kernel gets an AUDIT_SIGNAL_INFO
> request from auditd.
>
> Basically if you send a signal to the audit daemon, the audit daemon
> sends a message to the kernel requesting AUDIT_SIGNAL_INFO. The kernel
> sends the info back to auditd. Auditd then uses that info to log about
> the signal it took. auditd then acts on the signal it took.
>
> So you wouldn't see it in the normal audit logs. It's really just a
> communication medium between the kernel and auditd.

That makes sense. Looking in libaudit.h, I assume you end up with one of these:

    /* data structure for who signaled the audit daemon */
    struct audit_sig_info {
            uid_t uid;
            pid_t pid;
            char  ctx[0];
    };

Does this give any information in addition to what you'd get from siginfo_t, or is it inherently more reliable?

Also, is there any way to notice you were sent a KILL or a STOP?
Thanks,

Matt

-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
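The round trip Eric describes, done by hand in C, as an added example that is not part of the thread and not code from audit-userspace or the kernel. It sends an empty AUDIT_SIGNAL_INFO request on a NETLINK_AUDIT socket (the kernel requires CAP_AUDIT_CONTROL for this, so it runs as root) and parses the reply into the struct audit_sig_info layout quoted above. The parser treats ctx as an unterminated byte run whose length is the netlink payload minus the fixed header, which is how the kernel sends it. build_fake_reply() constructs a reply offline, labelled as such, so the parser can be exercised without root. The fallback constants, the flag choice (NLM_F_REQUEST without NLM_F_ACK) and the 256-byte bound on the context string are assumptions of this example. On the two questions at the end of the mail: in the mainline kernel the record this reply reports is filled in by audit_signal_info() in kernel/auditsc.c, which stores the sender's loginuid when one is set (otherwise its uid) plus its SELinux context, neither of which siginfo_t carries, and which only records SIGTERM, SIGHUP, SIGUSR1 and SIGUSR2, so a SIGKILL or SIGSTOP leaves the record unchanged. Whether the RHEL 4 kernel matches mainline on these points is not established by the thread.

```c
/* Added example: user-space side of the AUDIT_SIGNAL_INFO exchange.
 * Not from the original thread, auditd or libaudit. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#ifndef AUDIT_SIGNAL_INFO
#define AUDIT_SIGNAL_INFO 1010   /* fallback: same value the kernel uses */
#endif
#ifndef NETLINK_AUDIT
#define NETLINK_AUDIT 9          /* fallback for headers that predate it */
#endif

/* Wire layout of the reply payload, matching libaudit.h's audit_sig_info.
 * ctx is the sender's SELinux context and is NOT guaranteed NUL-terminated. */
struct audit_sig_info_wire {
    uid_t uid;
    pid_t pid;
    char  ctx[];
};

/* Parsed copy with a guaranteed terminator. 256 is an assumed bound. */
struct sig_report {
    uid_t uid;
    pid_t pid;
    char  ctx[256];
};

/* Build the request auditd sends: an AUDIT_SIGNAL_INFO message with no payload.
 * Returns bytes written, or 0 if buf is too small. */
size_t build_signal_info_request(unsigned char *buf, size_t cap, uint32_t seq)
{
    struct nlmsghdr nlh;
    if (cap < NLMSG_SPACE(0))
        return 0;
    memset(&nlh, 0, sizeof nlh);
    nlh.nlmsg_len   = NLMSG_LENGTH(0);
    nlh.nlmsg_type  = AUDIT_SIGNAL_INFO;
    nlh.nlmsg_flags = NLM_F_REQUEST;   /* assumption: the data reply is all we want, no ACK */
    nlh.nlmsg_seq   = seq;
    nlh.nlmsg_pid   = 0;               /* kernel fills in our port id */
    memcpy(buf, &nlh, sizeof nlh);
    return NLMSG_LENGTH(0);
}

/* Parse one netlink message that should be the kernel's AUDIT_SIGNAL_INFO reply.
 * buf must be suitably aligned for struct nlmsghdr (netlink buffers are).
 * Returns 0 and fills *out, -EINVAL for malformed/unexpected input, or the
 * negative errno carried by an NLMSG_ERROR reply. */
int parse_signal_info(const unsigned char *buf, size_t len, struct sig_report *out)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    const struct audit_sig_info_wire *si;
    size_t payload, ctxlen;

    if (len < sizeof *nlh || !NLMSG_OK(nlh, (unsigned int)len))
        return -EINVAL;
    if (nlh->nlmsg_type == NLMSG_ERROR) {
        const struct nlmsgerr *err = (const struct nlmsgerr *)NLMSG_DATA(nlh);
        if (NLMSG_PAYLOAD(nlh, 0) < sizeof *err)
            return -EINVAL;
        return err->error ? err->error : -EINVAL;   /* error 0 is a bare ACK, not data */
    }
    if (nlh->nlmsg_type != AUDIT_SIGNAL_INFO)
        return -EINVAL;
    payload = NLMSG_PAYLOAD(nlh, 0);
    if (payload < sizeof *si)                       /* must at least hold uid and pid */
        return -EINVAL;
    si = (const struct audit_sig_info_wire *)NLMSG_DATA(nlh);
    memset(out, 0, sizeof *out);
    out->uid = si->uid;
    out->pid = si->pid;
    /* Everything after the fixed header is the context; bound the copy and
     * terminate it ourselves rather than trusting the kernel to have done so. */
    ctxlen = payload - sizeof *si;
    if (ctxlen >= sizeof out->ctx)
        ctxlen = sizeof out->ctx - 1;
    memcpy(out->ctx, si->ctx, ctxlen);
    out->ctx[ctxlen] = '\0';
    return 0;
}

/* Constructed reply for offline testing: what the kernel would send for a
 * signal from (uid, pid) with the given context bytes. Not kernel output. */
size_t build_fake_reply(unsigned char *buf, size_t cap, uint32_t seq,
                        uid_t uid, pid_t pid, const char *ctx, size_t ctxlen)
{
    struct nlmsghdr nlh;
    struct audit_sig_info_wire si;              /* sizeof covers the fixed part only */
    size_t total = NLMSG_LENGTH(sizeof si + ctxlen);
    if (cap < NLMSG_ALIGN(total))
        return 0;
    memset(buf, 0, NLMSG_ALIGN(total));
    memset(&nlh, 0, sizeof nlh);
    nlh.nlmsg_len  = (uint32_t)total;
    nlh.nlmsg_type = AUDIT_SIGNAL_INFO;
    nlh.nlmsg_seq  = seq;
    memcpy(buf, &nlh, sizeof nlh);
    si.uid = uid;
    si.pid = pid;
    memcpy(buf + NLMSG_HDRLEN, &si, sizeof si);
    memcpy(buf + NLMSG_HDRLEN + sizeof si, ctx, ctxlen);
    return total;
}

/* The real exchange. Needs CAP_AUDIT_CONTROL. Returns 0 or negative errno. */
int query_signal_info(struct sig_report *out)
{
    union { struct nlmsghdr hdr; unsigned char raw[512]; } buf;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };   /* nl_pid 0 = kernel */
    ssize_t n;
    size_t reqlen;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;
    reqlen = build_signal_info_request(buf.raw, sizeof buf.raw, 1);
    if (sendto(fd, buf.raw, reqlen, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0) {
        int e = -errno;
        close(fd);
        return e;
    }
    n = recv(fd, buf.raw, sizeof buf.raw, 0);
    close(fd);
    if (n < 0)
        return -errno;
    return parse_signal_info(buf.raw, (size_t)n, out);
}

int main(void)
{
    struct sig_report r;
    int rc = query_signal_info(&r);
    if (rc) {
        fprintf(stderr, "AUDIT_SIGNAL_INFO: %s\n", strerror(-rc));
        return 1;
    }
    printf("last signal to auditd: uid=%u pid=%d ctx=%s\n",
           (unsigned)r.uid, (int)r.pid, r.ctx);
    return 0;
}
```

Note that the kernel answers whoever asks, not only auditd, so running this as root on a box where auditd has just been sent SIGHUP shows the same uid/pid/ctx triple auditd logs. The reply only reports the last signal the kernel recorded; it is not an event stream, which is why it never appears in the audit log itself.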