Auditing failed kill events

Henning, Arthur C. (CSL) art.henning at ngc.com
Tue Aug 21 15:13:35 UTC 2007


RHEL kernel 2.6.18-8.el5xen

Audit 1.5.6-1.i386

Audit.rules entry:
-a entry,always -S kill

Attempt to kill a process which is not owned by that user. 
$ kill -9 nnnn
bash: kill: (nnnn) - Operation not permitted
$
Get log entry of the failed attempt 
# ausearch -i -sv no
type=SYSCALL msg=audit(08/21/2007 09:40:36.832:1458) : arch=i386
syscall=kill success=no exit=-1(Operation not permitted) a0=f8c a1=9
a2=f8c a3=f8c items=0 ppid=3391 pid=3402 auid=art uid=art gid=art
euid=art suid=art fsuid=art egid=art sgid=art fsgid=art tty=pts2
comm=bash exe=/bin/bash subj=user_u:system_r:unconfined_t:s0 key=(null) 

Is there a way to identify the process which the user attempted to
kill? Or by whom the process is owned? The ppid and pid reported are
those of the user attempting to kill a process.

Art Henning (CSL) 
Enterprise IT Solutions
Northrop Grumman Corp
art.henning at ngc.com
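The SYSCALL record quoted in the post already carries the target: for kill(2), a0 is the pid argument and a1 the signal number, both logged as hex, so a0=f8c is pid 3980 and a1=9 is SIGKILL. The record does not say who owned that process, so the only option is to look it up afterwards in /proc, before the pid disappears or is reused. The script below is an added example, written for this page and not taken from the post or from the audit project: it parses that record, decodes a0/a1 as signed integers (handling the pid==0, -1 and negative process-group forms of kill), and does a best-effort owner lookup. The field regex, the rule that an arch name ending in "64" means 64-bit registers, and the /proc path are assumptions of the example.

```python
import os
import re
import signal

# The SYSCALL record from the post above (ausearch -i output, re-joined on one line).
RECORD = (
    "type=SYSCALL msg=audit(08/21/2007 09:40:36.832:1458) : arch=i386 "
    "syscall=kill success=no exit=-1(Operation not permitted) a0=f8c a1=9 "
    "a2=f8c a3=f8c items=0 ppid=3391 pid=3402 auid=art uid=art gid=art "
    "euid=art suid=art fsuid=art egid=art sgid=art fsgid=art tty=pts2 "
    "comm=bash exe=/bin/bash subj=user_u:system_r:unconfined_t:s0 key=(null)"
)

# key=value tokens; a value may carry a parenthesised suffix containing spaces,
# e.g. msg=audit(08/21/2007 09:40:36.832:1458) or exit=-1(Operation not permitted).
FIELD_RE = re.compile(r"(\w+)=([^\s(]*(?:\([^)]*\))?)")


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return dict(FIELD_RE.findall(line))


def decode_arg(hexval, arch):
    """Decode a syscall argument (logged as unsigned hex) as a signed integer.
    Register width is guessed from the arch field (assumption: names ending in
    '64' are 64-bit, everything else 32-bit); kill(-1, sig) on i386 shows up as
    a0=ffffffff, so the sign matters."""
    bits = 64 if arch.endswith("64") else 32
    value = int(hexval, 16)
    if value >= 1 << (bits - 1):
        value -= 1 << bits
    return value


def describe_target(pid):
    """Explain the pid argument of kill(2) per its man page."""
    if pid > 0:
        return f"process {pid}"
    if pid == 0:
        return "every process in the caller's process group"
    if pid == -1:
        return "every process the caller is permitted to signal"
    return f"every process in process group {-pid}"


def signal_name(num):
    if num == 0:
        return "0 (existence check, no signal sent)"
    try:
        return signal.Signals(num).name
    except ValueError:
        return f"signal {num}"


def owner_uid(pid, proc="/proc"):
    """Best-effort owner lookup after the fact: read the real uid from
    /proc/<pid>/status. Returns None if the process is already gone; note the
    pid may also have been reused by an unrelated process by now."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Uid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def analyse_kill(line):
    """Turn a kill SYSCALL record into the facts an auditor wants to see."""
    f = parse_record(line)
    if f.get("syscall") != "kill":
        raise ValueError("not a kill SYSCALL record")
    pid = decode_arg(f["a0"], f["arch"])
    sig = decode_arg(f["a1"], f["arch"])
    return {
        "caller_pid": int(f["pid"]),
        "caller_auid": f["auid"],
        "target_pid": pid,
        "target": describe_target(pid),
        "signal": signal_name(sig),
        "success": f["success"] == "yes",
        "exit": f["exit"],
        "target_owner_uid": owner_uid(pid) if pid > 0 else None,
    }


if __name__ == "__main__":
    for key, value in analyse_kill(RECORD).items():
        print(f"{key:17} {value}")
```

Run it against the ausearch output as it is produced; the owner lookup is only meaningful while the target process still exists, which is why the record itself, not a later /proc walk, is the part you can trust.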
