From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: SIGXCPU and Auditd
Date: Tue, 05 Nov 2013 08:27:28 -0500
Message-ID: <7362085.zRoRGRkC6K@x2>
References: <5278EDF0.3050804@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <5278EDF0.3050804@gmail.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, November 05, 2013 06:39:04 PM Paul Davies C wrote:
> Hi,
>
> Is there any way to make the *auditd system to log the SIGXCPU signal*?
> As of now, without writing any specific rules, SIGSEGV is getting
> logged. In my log I found lines as below:
> /
> type=ANOM_ABEND msg=audit(1383644379.989:88): auid=1000 uid=1000
> gid=1000 ses=5 pid=2688 comm="chrome" reason="memory violation" sig=11/

The ABnormal END event is triggered by any event that would be terminated by
the kernel with a core dump. Looking at the signal(7) man page, SIGXCPU by
default would core. So, it should trigger an event. I don't have a test case to
prove it, though.

Steve
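
A test case of the kind the reply mentions, added here as an example and not part of the original thread: a child process exceeds a 1-second soft RLIMIT_CPU and the parent reports which signal terminated it. The function name `sigxcpu_test_case` and the choice to set RLIMIT_CORE to 0 are assumptions of this example; it confirms the SIGXCPU termination only, not the audit record.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that burns CPU under a 1-second soft RLIMIT_CPU and return
 * the signal that terminated it (0 if it exited normally, -1 on error).
 * Hypothetical helper written for this example. */
int sigxcpu_test_case(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        struct rlimit cpu, core = { 0, 0 };

        /* Force the default action: an ignored SIGXCPU is inherited. */
        signal(SIGXCPU, SIG_DFL);
        /* Constructed choice: leave no core file behind while testing. */
        setrlimit(RLIMIT_CORE, &core);

        /* Lower only the soft limit; SIGXCPU arrives after 1 s of CPU. */
        if (getrlimit(RLIMIT_CPU, &cpu) != 0)
            _exit(2);
        cpu.rlim_cur = 1;
        if (setrlimit(RLIMIT_CPU, &cpu) != 0)
            _exit(2);

        for (volatile unsigned long spin = 0; ; spin++)
            ;                       /* consume CPU time until signalled */
    }

    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    int sig = sigxcpu_test_case();
    printf("child terminated by signal %d (SIGXCPU is %d)\n", sig, SIGXCPU);
    return sig == SIGXCPU ? 0 : 1;
}
```

Run it on a host with auditd active, then check `ausearch -m ANOM_ABEND` for a record from this process to see whether the event was logged.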