On Tue, 2014-08-05 at 12:48 -0400, Steve Grubb wrote:
> On Tuesday, August 05, 2014 10:36:17 AM Gisela Cheng wrote:
> > Would this trigger the creation of the audit record?
>
> I don't think anything in the config file would affect this. The requirements
> are to record all starts and stops. I don't think it can record a segfault kind
> of stop. That would, however, generate an ANOM_ABEND event.

All stops of a non-forking daemon will be properly tracked with a stop event (including segfault). systemd doesn't just start processes and forget about them. It isn't sysv. We don't live in the stone ages any more :)

For forking services (like yours) it gets it right most of the time, especially since you told it the pid file, but I understand it isn't perfect.

sendmail is a forking service. If you kill -SIGSEGV $SENDMAIL_PID you will get something like:

type=ANOM_ABEND msg=audit(1407329684.562:419): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:sendmail_t:s0 pid=1114 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" sig=11

type=SERVICE_STOP msg=audit(1407329684.570:420): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="sendmail" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Aka, Steve is right and you are right.
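
The ANOM_ABEND / SERVICE_STOP pair shown in the message above can be correlated to flag services that stopped because they crashed. The following is an added example, not part of the original message or of the audit project's code; it assumes the record layout shown above (`comm=` inside the SERVICE_STOP `msg='...'` payload), and the function names, the two-second window and the third sample record are constructed for illustration.

```python
import re

# First two records are copied from the message above; the third is constructed.
SAMPLE = """\
type=ANOM_ABEND msg=audit(1407329684.562:419): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:sendmail_t:s0 pid=1114 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" sig=11
type=SERVICE_STOP msg=audit(1407329684.570:420): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="sendmail" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_STOP msg=audit(1407329700.100:431): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="crond" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# "type=X msg=audit(<epoch>:<serial>): <fields>"
HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
# key=value pairs; the opening quote of the nested msg='...' is skipped, so the
# fields inside that payload (comm, exe, res) are picked up like top-level ones.
FIELD = re.compile(r"""(\w+)=("[^"]*"|[^\s']+)""")


def parse(line):
    """Return one audit record as a dict, or None if the line is not a record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, value in FIELD.findall(m.group(4)):
        rec[key] = value.strip('"')
    return rec


def crashed_stops(lines, window=2.0):
    """Pair each failed SERVICE_STOP with an ANOM_ABEND for the same comm
    logged at most `window` seconds earlier (window is an assumed value)."""
    abends, findings = {}, []
    for rec in filter(None, map(parse, lines)):
        if rec["type"] == "ANOM_ABEND":
            abends[rec.get("comm")] = rec  # remember the latest crash per comm
        elif rec["type"] == "SERVICE_STOP" and rec.get("res") == "failed":
            crash = abends.get(rec.get("comm"))
            if crash and 0 <= rec["time"] - crash["time"] <= window:
                findings.append({"service": rec["comm"], "sig": int(crash["sig"]),
                                 "pid": int(crash["pid"]),
                                 "abend_serial": crash["serial"],
                                 "stop_serial": rec["serial"]})
    return findings


if __name__ == "__main__":
    for finding in crashed_stops(SAMPLE.splitlines()):
        print(finding)
```
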
