Auditing failed kill events
Steve Grubb
sgrubb at redhat.com
Tue Aug 21 15:50:45 UTC 2007
On Tuesday 21 August 2007 11:13:35 Henning, Arthur C. (CSL) wrote:
> RHEL kernel 2.6.18-8.el5xen
This was the GA kernel which had an omission in several things for audit.
> Audit 1.5.6-1.i386
That's on RHEL?
> Get log entry of the failed attempt
> # ausearch -i -sv no
> type=SYSCALL msg=audit(08/21/2007 09:40:36.832:1458) : arch=i386
> syscall=kill success=no exit=-1(Operation not permitted) a0=f8c a1=9
> a2=f8c a3=f8c items=0 ppid=3391 pid=3402 auid=art uid=art gid=art
> euid=art suid=art fsuid=art egid=art sgid=art fsgid=art tty=pts2
> comm=bash exe=/bin/bash subj=user_u:system_r:unconfined_t:s0 key=(null)
You should have a OBJ_PID record, too.
> Is there a way to indentify the process which the user attempted to
> kill?
Yes, the OBJ_PID record looks like this:
type=OBJ_PID msg=audit(08/21/2007 11:42:36.556:490) : opid=1709
obj=system_u:system_r:auditd_t:s0
> Or by whom the process is owned?
What is logged is the object ID that kill is acting upon. Which I suppose does
not help in CAPP situations (and I don't think it was required by CAPP).
-Steve
More information about the Linux-audit
mailing list