On Tuesday 21 August 2007 11:13:35 Henning, Arthur C. (CSL) wrote: > RHEL kernel 2.6.18-8.el5xen
This was the GA kernel which had an omission in several things for audit. > Audit 1.5.6-1.i386 That's on RHEL? Art >> RHEL 5 > Get log entry of the failed attempt > # ausearch -i -sv no > type=SYSCALL msg=audit(08/21/2007 09:40:36.832:1458) : arch=i386 > syscall=kill success=no exit=-1(Operation not permitted) a0=f8c a1=9 > a2=f8c a3=f8c items=0 ppid=3391 pid=3402 auid=art uid=art gid=art > euid=art suid=art fsuid=art egid=art sgid=art fsgid=art tty=pts2 > comm=bash exe=/bin/bash subj=user_u:system_r:unconfined_t:s0 key=(null) You should have a OBJ_PID record, too. Art >> Don't find it. I use ausearch -sv no > [filename]. Open the file and find no OBJ_PID. Perhaps my rule isn't configured to allow this to be captured. > Is there a way to indentify the process which the user attempted to > kill? Yes, the OBJ_PID record looks like this: type=OBJ_PID msg=audit(08/21/2007 11:42:36.556:490) : opid=1709 obj=system_u:system_r:auditd_t:s0 > Or by whom the process is owned? What is logged is the object ID that kill is acting upon. Which I suppose does not help in CAPP situations (and I don't think it was required by CAPP). Art >> This will be a NISPOM compliant machine. Perhaps not specifically DSS required but supplemental as internal req's. Art -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
