Auditing failed kill events
Henning, Arthur C. (CSL)
art.henning at ngc.com
Tue Aug 21 17:50:24 UTC 2007
On Tuesday 21 August 2007 11:13:35 Henning, Arthur C. (CSL) wrote:
> RHEL kernel 2.6.18-8.el5xen
This was the GA kernel which had an omission in several things for
audit.
> Audit 1.5.6-1.i386
That's on RHEL?
Art >> RHEL 5
> Get log entry of the failed attempt
> # ausearch -i -sv no
> type=SYSCALL msg=audit(08/21/2007 09:40:36.832:1458) : arch=i386
> syscall=kill success=no exit=-1(Operation not permitted) a0=f8c a1=9
> a2=f8c a3=f8c items=0 ppid=3391 pid=3402 auid=art uid=art gid=art
> euid=art suid=art fsuid=art egid=art sgid=art fsgid=art tty=pts2
> comm=bash exe=/bin/bash subj=user_u:system_r:unconfined_t:s0
key=(null)
You should have a OBJ_PID record, too.
Art >> Don't find it. I use ausearch -sv no > [filename]. Open the file
and find no OBJ_PID. Perhaps my rule isn't configured to allow this to
be captured.
> Is there a way to indentify the process which the user attempted to
> kill?
Yes, the OBJ_PID record looks like this:
type=OBJ_PID msg=audit(08/21/2007 11:42:36.556:490) : opid=1709
obj=system_u:system_r:auditd_t:s0
> Or by whom the process is owned?
What is logged is the object ID that kill is acting upon. Which I
suppose does
not help in CAPP situations (and I don't think it was required by CAPP).
Art >> This will be a NISPOM compliant machine. Perhaps not specifically
DSS required but supplemental as internal req's.
Art
-Steve
More information about the Linux-audit
mailing list