RHEL kernel 2.6.18-8.el5xen Audit 1.5.6-1.i386
Audit.rules entry:

    -a entry,always -S kill

Attempt to kill a process which is not owned by that user:

    $ kill -9 nnnn
    bash: kill: (nnnn) - Operation not permitted
    $

Get log entry of the failed attempt:

    # ausearch -i -sv no
    type=SYSCALL msg=audit(08/21/2007 09:40:36.832:1458) : arch=i386 syscall=kill success=no exit=-1(Operation not permitted) a0=f8c a1=9 a2=f8c a3=f8c items=0 ppid=3391 pid=3402 auid=art uid=art gid=art euid=art suid=art fsuid=art egid=art sgid=art fsgid=art tty=pts2 comm=bash exe=/bin/bash subj=user_u:system_r:unconfined_t:s0 key=(null)

Is there a way to identify the process which the user attempted to kill? Or by whom the process is owned? The ppid and pid reported are those of the user attempting to kill a process.

Art Henning (CSL)
Enterprise IT Solutions
Northrop Grumman Corp
[EMAIL PROTECTED]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
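The answer to the question in the post is already in the record: for a SYSCALL record with syscall=kill, a0 is the first argument to kill(2), i.e. the target pid, and a1 is the signal number. ausearch -i translates uids and the syscall name but leaves a0..a3 as raw hex, so a0=f8c is pid 3980 and a1=9 is SIGKILL (a2 and a3 are whatever was left in the registers; kill ignores them). The record does not store the target's owner, so that can only be looked up on the live host while the target still exists. The following is an added example, not code from the post or from the audit package: it parses such records, decodes the target pid (sign-extending for 32-bit arches such as i386, so a process-group target like a0=ffffffff decodes to -1), names the signal using the Linux x86 signal numbers rather than the analysis host's table, and does a best-effort /proc lookup of the target's current owner. The second record is constructed for illustration.

```python
"""Decode who tried to kill what from audit SYSCALL records for kill(2).

Added example, not from the original post. Assumes records in the
"ausearch -i" format shown in the post. The signal-number table is the
Linux x86 one; the audited host's architecture decides signal numbers,
not the machine running this script.
"""
import re

# Constructed sample input: the record from the post, plus a second,
# constructed record (failed SIGTERM to pid 0x4d2) to show the parser is general.
SAMPLE_RECORDS = [
    "type=SYSCALL msg=audit(08/21/2007 09:40:36.832:1458) : arch=i386 "
    "syscall=kill success=no exit=-1(Operation not permitted) a0=f8c a1=9 "
    "a2=f8c a3=f8c items=0 ppid=3391 pid=3402 auid=art uid=art gid=art "
    "euid=art suid=art fsuid=art egid=art sgid=art fsgid=art tty=pts2 "
    "comm=bash exe=/bin/bash subj=user_u:system_r:unconfined_t:s0 key=(null)",
    "type=SYSCALL msg=audit(08/21/2007 09:41:02.004:1460) : arch=i386 "
    "syscall=kill success=no exit=-1(Operation not permitted) a0=4d2 a1=f "
    "a2=0 a3=0 items=0 ppid=3391 pid=3402 auid=art uid=art gid=art "
    "euid=art suid=art fsuid=art egid=art sgid=art fsgid=art tty=pts2 "
    "comm=bash exe=/bin/bash subj=user_u:system_r:unconfined_t:s0 key=(null)",
]

# key=value pairs; a value may contain parenthesised text with spaces,
# e.g. exit=-1(Operation not permitted) or msg=audit(08/21/2007 ...:1458).
FIELD_RE = re.compile(r"(\w+)=((?:[^\s(]|\([^)]*\))+)")

# Linux x86 signal numbers (assumed table; enough for the common cases).
LINUX_X86_SIGNALS = {1: "SIGHUP", 2: "SIGINT", 3: "SIGQUIT", 6: "SIGABRT",
                     9: "SIGKILL", 10: "SIGUSR1", 12: "SIGUSR2",
                     15: "SIGTERM", 18: "SIGCONT", 19: "SIGSTOP"}

# Arches whose syscall arguments are 32-bit registers (assumed list).
ARCH_32BIT = {"i386", "i686", "arm", "ppc"}


def parse_record(line):
    """Split one ausearch -i record into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))


def decode_kill(fields):
    """For a syscall=kill SYSCALL record, return actor, target pid and signal.

    a0 and a1 are logged as unprefixed hex. kill(2) takes a signed pid_t, so
    on a 32-bit arch 0xffffffff means -1 (every process the caller may signal)
    and a high-bit value is a negative process-group id.
    """
    if fields.get("type") != "SYSCALL" or fields.get("syscall") != "kill":
        return None
    width = 32 if fields.get("arch") in ARCH_32BIT else 64
    target = int(fields["a0"], 16)
    if target >= 1 << (width - 1):          # sign-extend the register value
        target -= 1 << width
    signum = int(fields["a1"], 16)
    return {
        "event": fields["msg"],
        "actor_pid": int(fields["pid"]),
        "actor_auid": fields["auid"],
        "actor_uid": fields["uid"],
        "target_pid": target,
        "signal": LINUX_X86_SIGNALS.get(signum, "SIG%d" % signum),
        "success": fields.get("success") == "yes",
    }


def resolve_owner(pid, proc="/proc"):
    """Best effort on a live Linux host: (uid, comm) of pid from /proc.

    Returns None if the process is gone (or this is not Linux); the audit
    record itself never records the target's owner, only its pid.
    """
    try:
        with open("%s/%d/status" % (proc, pid)) as fh:
            status = dict(l.split(":", 1) for l in fh if ":" in l)
        return int(status["Uid"].split()[0]), status["Name"].strip()
    except (OSError, KeyError, ValueError, IndexError):
        return None


def analyse(lines):
    """Decode every kill record in lines; non-kill records are skipped."""
    return [d for d in (decode_kill(parse_record(l)) for l in lines) if d]


if __name__ == "__main__":
    for ev in analyse(SAMPLE_RECORDS):
        print("%s: auid=%s (pid %d) sent %s to pid %d, success=%s, "
              "target now owned by %s" % (
                  ev["event"], ev["actor_auid"], ev["actor_pid"],
                  ev["signal"], ev["target_pid"], ev["success"],
                  resolve_owner(ev["target_pid"])))
```

Run on the record from the post this reports that auid art (pid 3402) sent SIGKILL to pid 3980 and was refused. Whether pid 3980 still exists, and who owns it, has to come from /proc on the same host at analysis time; to have the owner in the log itself you would need a rule on the target side, for example auditing with the object's pid once you know it, since the kill record only carries the caller's credentials.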
