From: hsultan@thefroid.net
Subject: Catching process termination on SIGKILL
Date: Mon, 26 Jan 2015 15:14:20 -0800
Message-ID: <5601880178188ab58cf241b359ebf97d@thefroid.net>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,

So I'm curious: auditd catches abnormal process termination (SIGSEGV, ...) with a 1701 audit message, and can catch 'clean' termination by monitoring syscalls (exit, exit_group); however, I don't see anything to catch process termination by a SIGKILL. If I audit the kill() system call then I see the call to send the signal, but I would have expected the system to offer auditing of an actual SIGKILL *reception* (because you can pass -1 as target PID to sigkill, which kills all processes reachable by the caller and will make auditing by syscall very hard to do). Am I missing something?

Is there a parameter to set somehow that I'm missing?

Thanks,
Hassan
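The mail points out that auditing kill() only records the sender side, and that a pid of -1 fans out to every process the caller may signal. The following is an added example (not part of the original mail, and not code from the linux-audit project) that shows what a defender can still recover from the sender-side SYSCALL records: it parses constructed sample audit lines, picks out kill() calls whose signal argument is SIGKILL, decodes the target pid from the unsigned hex that auditd logs (so the -1 case is recognised as a broadcast), and reports the sending process. The sample log lines, the rule key "sigkill_sent", and the pids are all made up for the example; the syscall numbers and arch codes for x86_64, i386 and aarch64 are real.

```python
import re
from typing import Dict, List

# kill(2) syscall number keyed by the audit "arch" field:
# c000003e = x86_64 (62), 40000003 = i386 (37), c00000b7 = aarch64 (129).
KILL_SYSCALL_BY_ARCH = {"c000003e": 62, "40000003": 37, "c00000b7": 129}
SIGKILL = 9

# Constructed sample records (not taken from any real system). The layout follows
# auditd's SYSCALL record: syscall= is decimal, a0..a3 are unsigned hex register values.
# Record 501: kill(1234, SIGKILL) from pid 1001; 502: kill(1235, SIGTERM) (ignored);
# 503: kill(-1, SIGKILL) from pid 2222, the broadcast case the mail worries about.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1422313000.123:501): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=9 a2=0 a3=0 items=0 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="sigkill_sent"
type=SYSCALL msg=audit(1422313001.456:502): arch=c000003e syscall=62 success=yes exit=0 a0=4d3 a1=f a2=0 a3=0 items=0 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="sigkill_sent"
type=SYSCALL msg=audit(1422313002.789:503): arch=c000003e syscall=62 success=yes exit=0 a0=ffffffffffffffff a1=9 a2=0 a3=0 items=0 ppid=1 pid=2222 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/local/bin/cleanup" key="sigkill_sent"
type=ANOM_ABEND msg=audit(1422313003.000:504): auid=1000 uid=1000 gid=1000 ses=3 pid=1002 comm="crasher" reason="memory violation" sig=11
"""

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a key/value dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}


def signed_arg(hexval: str) -> int:
    """Interpret a logged syscall argument as a signed pid_t.

    auditd prints register contents as unsigned hex, so kill(-1, ...) appears as
    all-ones. The register width is inferred from the digit count (more than 8 hex
    digits can only come from a 64-bit register).
    """
    value = int(hexval, 16)
    width = 64 if len(hexval) > 8 else 32
    if value >= 1 << (width - 1):
        value -= 1 << width
    return value


def describe_target(pid: int) -> str:
    """Render the kill(2) target argument the way the man page defines it."""
    if pid == -1:
        return "every process the sender is permitted to signal"
    if pid == 0:
        return "the sender's own process group"
    if pid < 0:
        return f"process group {-pid}"
    return f"pid {pid}"


def find_sigkill_sends(log_text: str) -> List[Dict[str, object]]:
    """Return one event per kill() SYSCALL record whose signal argument is SIGKILL."""
    events: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue  # ANOM_ABEND and other record types carry no syscall args
        if int(rec.get("syscall", "-1")) != KILL_SYSCALL_BY_ARCH.get(rec.get("arch", "")):
            continue  # not kill(2) for this architecture
        if int(rec["a1"], 16) != SIGKILL:
            continue  # some other signal, e.g. SIGTERM
        target = signed_arg(rec["a0"])
        events.append({
            "serial": rec["msg"],
            "sender_pid": int(rec["pid"]),
            "sender_comm": rec.get("comm", "?"),
            "sender_auid": int(rec.get("auid", "-1")),
            "success": rec.get("success") == "yes",
            "target_pid": target,
            "broadcast": target == -1,
            "target": describe_target(target),
        })
    return events


if __name__ == "__main__":
    for ev in find_sigkill_sends(SAMPLE_AUDIT_LOG):
        flag = " [BROADCAST]" if ev["broadcast"] else ""
        print(f'{ev["serial"]} pid {ev["sender_pid"]} ({ev["sender_comm"]}, auid {ev["sender_auid"]}) '
              f'sent SIGKILL to {ev["target"]}{flag}')
```

A rule of the shape `-a always,exit -F arch=b64 -S kill -F a1=9 -k sigkill_sent` would produce records like the constructed ones above. Note what the script cannot do, which is exactly the gap the mail describes: for the broadcast record it can only report that a SIGKILL was fanned out by pid 2222, not which processes actually received it; correlating the sender record with the subsequent absence of exit/exit_group records for the victims is the best a syscall-only audit policy offers.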