AUDIT_SIGNAL_INFO

Eric Paris eparis at redhat.com
Mon Mar 23 17:59:39 UTC 2009


On Mon, 2009-03-23 at 15:29 +0000, Matthew Booth wrote:
> Under what circumstances will the RHEL 4 kernel generate a message of
> type AUDIT_SIGNAL_INFO? My understanding is that it should be sent when
> a process sends a signal to the audit daemon, however I have not
> observed that. Any ideas?

AUDIT_SIGNAL_INFO is sent when the kernel gets an AUDIT_SIGNAL_INFO
request from auditd.

Basically if you send a signal to the audit daemon, the audit daemon
sends a message to the kernel requesting AUDIT_SIGNAL_INFO.  The kernel
sends the info back to auditd.  Auditd then uses that info to log about
the signal it took.  auditd then acts on the signal it took.

So you wouldn't see it in the normal audit logs.  It's really just a
communication medium between the kernel and auditd.

-Eric
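
The request/reply exchange described above, as an added offline example (not code from this message, auditd or the kernel). The struct layouts mirror struct nlmsghdr and struct audit_sig_info in current linux/netlink.h and linux/audit.h, which is an assumption here since the RHEL 4 layout may differ. The helper names and the sample reply are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define AUDIT_SIGNAL_INFO 1010 /* message type, value from linux/audit.h */
#define NLM_F_REQUEST     0x01 /* value from linux/netlink.h */

/* Local mirrors: netlink header (16 bytes); decoded sender info (uid, pid, context). */
struct nl_hdr { uint32_t len; uint16_t type; uint16_t flags; uint32_t seq; uint32_t pid; };
struct sig_info { uint32_t uid; int32_t pid; char ctx[64]; };

/* auditd -> kernel: a header-only request carrying no payload. */
size_t build_request(unsigned char *buf, uint32_t seq)
{
    struct nl_hdr h = { (uint32_t)sizeof h, AUDIT_SIGNAL_INFO, NLM_F_REQUEST, seq, 0 };
    memcpy(buf, &h, sizeof h);
    return sizeof h;
}

/* kernel -> auditd: validate lengths and type, then decode. Returns 0 on success. */
int parse_reply(const unsigned char *buf, size_t n, struct sig_info *out)
{
    struct nl_hdr h;
    if (n < sizeof h) return -1;                 /* too short for a header */
    memcpy(&h, buf, sizeof h);
    if (h.type != AUDIT_SIGNAL_INFO) return -2;  /* some other audit message */
    if (h.len > n || h.len < sizeof h + 8 || h.len - sizeof h - 8 >= sizeof out->ctx) return -3;
    size_t ctx_len = h.len - sizeof h - 8;       /* bytes after uid and pid */
    memcpy(out, buf + sizeof h, 8);              /* uid and pid, host byte order */
    memcpy(out->ctx, buf + sizeof h + 8, ctx_len);
    out->ctx[ctx_len] = '\0';
    return 0;
}

/* Constructed sample reply: uid 0, pid 4242, context "unconfined_t" sent the signal. */
size_t sample_reply(unsigned char *buf)
{
    struct { struct nl_hdr h; uint32_t uid; int32_t pid; char ctx[16]; } m =
        { { 36, AUDIT_SIGNAL_INFO, 0, 1, 0 }, 0, 4242, "unconfined_t" };
    memcpy(buf, &m, 36);
    return 36;
}

int main(void)
{
    unsigned char buf[64];
    struct sig_info si;
    if (parse_reply(buf, sample_reply(buf), &si) != 0) return 1;
    printf("signal sender: uid=%u pid=%d ctx=%s\n", si.uid, si.pid, si.ctx);
    return 0;
}
```
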




More information about the Linux-audit mailing list