On Mon, 2009-03-23 at 15:29 +0000, Matthew Booth wrote:
> Under what circumstances will the RHEL 4 kernel generate a message of
> type AUDIT_SIGNAL_INFO? My understanding is that it should be sent when
> a process sends a signal to the audit daemon, however I have not
> observed that. Any ideas?

AUDIT_SIGNAL_INFO is sent when the kernel gets an AUDIT_SIGNAL_INFO request from auditd. Basically if you send a signal to the audit daemon, the audit daemon sends a message to the kernel requesting AUDIT_SIGNAL_INFO. The kernel sends the info back to auditd. Auditd then uses that info to log about the signal it took. auditd then acts on the signal it took. So you wouldn't see it in the normal audit logs. It's really just a communication medium between the kernel and auditd.

-Eric
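
The request and reply described in the message above, as an added example that is not part of the original post and is not auditd's own code: Python that builds the AUDIT_SIGNAL_INFO netlink request and validates and parses the kernel's answer. The constants and the struct audit_sig_info layout (uid, pid, optional context string) are taken from current linux/netlink.h and linux/audit.h and are an assumption for the RHEL 4 kernel; the function names and the sample reply are constructed for illustration.

```python
import struct

# Constants as defined in <linux/netlink.h> and <linux/audit.h>.
NETLINK_AUDIT = 9            # netlink protocol the audit daemon talks to the kernel on
NLM_F_REQUEST = 0x01
AUDIT_SIGNAL_INFO = 1010
NLMSG_HDR = struct.Struct("=IHHII")  # nlmsghdr: len, type, flags, seq, pid
SIG_INFO = struct.Struct("=Ii")      # audit_sig_info: uid, pid (ctx string may follow)


def build_signal_info_request(seq, port_id=0):
    """Header-only message the daemon sends to ask who signalled it."""
    return NLMSG_HDR.pack(NLMSG_HDR.size, AUDIT_SIGNAL_INFO, NLM_F_REQUEST, seq, port_id)


def parse_signal_info_reply(data, expected_seq):
    """Validate the kernel's reply and return the signal sender's uid, pid, ctx."""
    if len(data) < NLMSG_HDR.size:
        raise ValueError("short netlink header")
    length, msg_type, _flags, seq, _pid = NLMSG_HDR.unpack_from(data)
    if length < NLMSG_HDR.size or length > len(data):
        raise ValueError("nlmsg_len does not match the buffer")
    if msg_type != AUDIT_SIGNAL_INFO:
        raise ValueError("unexpected message type %d" % msg_type)
    if seq != expected_seq:
        raise ValueError("reply does not answer our request")
    payload = data[NLMSG_HDR.size:length]
    if len(payload) < SIG_INFO.size:
        raise ValueError("truncated audit_sig_info")
    uid, pid = SIG_INFO.unpack_from(payload)
    # Anything after uid/pid is the optional NUL-terminated security context.
    ctx = payload[SIG_INFO.size:].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"uid": uid, "pid": pid, "ctx": ctx}


def constructed_reply(seq, uid, pid, ctx=b""):
    """Constructed sample of a kernel reply, so the parser runs without a socket."""
    payload = SIG_INFO.pack(uid, pid) + ctx
    header = NLMSG_HDR.pack(NLMSG_HDR.size + len(payload), AUDIT_SIGNAL_INFO, 0, seq, 0)
    return header + payload


if __name__ == "__main__":
    print(build_signal_info_request(seq=7).hex())
    print(parse_signal_info_reply(constructed_reply(7, 500, 4242), expected_seq=7))
```

Because the exchange happens on the daemon's own netlink socket, the sender's uid and pid reach the log only through whatever auditd writes after parsing the reply.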
