From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Davies C
Subject: SIGXCPU and Auditd
Date: Tue, 05 Nov 2013 18:39:04 +0530
Message-ID: <5278EDF0.3050804@gmail.com>
To: linux-audit@redhat.com

Hi,

Is there any way to make the *auditd system log the SIGXCPU signal*? As of now, without writing any specific rules, SIGSEGV is getting logged. In my log I found lines as below:

type=ANOM_ABEND msg=audit(1383644379.989:88): auid=1000 uid=1000 gid=1000 ses=5 pid=2688 comm="chrome" reason="memory violation" sig=11

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: SIGXCPU and Auditd
Date: Tue, 05 Nov 2013 08:27:28 -0500
Message-ID: <7362085.zRoRGRkC6K@x2>
In-Reply-To: <5278EDF0.3050804@gmail.com>
To: linux-audit@redhat.com

On Tuesday, November 05, 2013 06:39:04 PM Paul Davies C wrote:
> Hi,
>
> Is there any way to make the *auditd system log the SIGXCPU signal*?
> As of now, without writing any specific rules, SIGSEGV is getting
> logged. In my log I found lines as below:
>
> type=ANOM_ABEND msg=audit(1383644379.989:88): auid=1000 uid=1000
> gid=1000 ses=5 pid=2688 comm="chrome" reason="memory violation" sig=11

The ABnormal END event is triggered by any event that would be terminated by the kernel with a core dump. Looking at the signal(7) man page, SIGXCPU by default would core. So, it should trigger an event. I don't have a test case to prove it, though.

Steve

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Davies C
Subject: Re: SIGXCPU and Auditd
Date: Tue, 05 Nov 2013 19:16:21 +0530
Message-ID: <5278F6AD.4080009@gmail.com>
In-Reply-To: <7362085.zRoRGRkC6K@x2>
To: Steve Grubb, linux-audit@redhat.com

In the man page it is written that *core dump on SIGXCPU can fail*. That is probably the reason why it is not logged.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: SIGXCPU and Auditd
Date: Tue, 05 Nov 2013 09:02:56 -0500
Message-ID: <1419886.XC4YMUIcDL@x2>
In-Reply-To: <5278F6AD.4080009@gmail.com>
To: Paul Davies C
Cc: linux-audit@redhat.com

On Tuesday, November 05, 2013 07:16:21 PM Paul Davies C wrote:
> In the man page it is written that *core dump on SIGXCPU can fail*.
> That is probably the reason why it is not logged.

I think we would want the event even if the core dump failed. Maybe the hook placement needs review? It's probably been 5 years since it was put in the kernel...that's a lot of time for things to change.

-Steve

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Davies C
Subject: Re: SIGXCPU and Auditd
Date: Mon, 11 Nov 2013 16:24:19 +0530
Message-ID: <5280B75B.10304@gmail.com>
In-Reply-To: <1419886.XC4YMUIcDL@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com

The audit system does log the core dump signals. It was a misunderstanding on my part that led me to believe that audit does not log SIGXCPU. Sorry for the confusion.
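
A test case for the question this thread settles, as an added example that is not part of any of the messages above: a child process lowers its own CPU-time soft limit and spins until the kernel ends it with SIGXCPU, so the audit log can then be checked for a matching ANOM_ABEND record. The function name `run_sigxcpu_child` and the 1-second limit are choices made for this example.

```c
/* Added example: end a child with SIGXCPU so the audit log can be checked. */
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that exhausts a 1-second CPU soft limit (example value).
 * Returns the signal that terminated it, or -1 if it did not die from a
 * signal. The child's pid is stored in *child_pid for the log lookup. */
int run_sigxcpu_child(pid_t *child_pid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit cpu;
        if (getrlimit(RLIMIT_CPU, &cpu) != 0)
            _exit(2);
        cpu.rlim_cur = 1;              /* soft limit: SIGXCPU after 1s of CPU */
        if (setrlimit(RLIMIT_CPU, &cpu) != 0)
            _exit(2);
        signal(SIGXCPU, SIG_DFL);      /* undo any inherited ignore/handler */
        volatile unsigned long spin = 0;
        for (;;)
            spin++;                    /* burn CPU until the kernel steps in */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFSIGNALED(status))
        return -1;
    *child_pid = pid;
    return WTERMSIG(status);
}

int main(void)
{
    pid_t pid = 0;
    int sig = run_sigxcpu_child(&pid);
    if (sig < 0) {
        fprintf(stderr, "child was not terminated by a signal\n");
        return 1;
    }
    printf("child pid=%d terminated by sig=%d (SIGXCPU is %d here)\n",
           (int)pid, sig, SIGXCPU);
    printf("expect: type=ANOM_ABEND ... pid=%d ... sig=%d\n", (int)pid, sig);
    return 0;
}
```

On a host running auditd, `ausearch -m ANOM_ABEND -p <pid>` run as root with the printed pid shows whether the record was written.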