Hi,

So I'm curious: auditd catches abnormal process termination (SIGSEGV, ...) with a 1701 audit message, and can catch 'clean' termination by monitoring syscalls (exit, exit_group); however, I don't see anything to catch process termination by a SIGKILL. If I audit the kill() system call then I see the call to send the signal, but I would have expected the system to offer auditing of an actual SIGKILL *reception* (because you can pass -1 as target PID to sigkill, which kills all processes reachable by the caller and will make auditing by syscall very hard to do). Am I missing something? Is there a parameter to set somehow that I'm missing?

Thanks,

Hassan

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
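The question above is about the gap between the sender-side kill() record and the per-process reception the poster would like to see. The following is an added example, not code from the post or from the audit project: it decodes auditd SYSCALL records for kill(2) and flags the broadcast case (target PID -1 with SIGKILL) at the sender, which is the one place a syscall rule does see it. It assumes x86_64 syscall numbering (kill is 62), auditd's unprefixed-hex rendering of the a0..a3 arguments, and a rule like `-a always,exit -F arch=b64 -S kill -F a1=9 -k sigkill` being loaded; the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumptions (not from the original post): x86_64 syscall numbering, where
# kill(2) is 62, and auditd's SYSCALL record format, which prints a0..a3 as
# unprefixed hex. The sender-side rule this parser expects (auditctl syntax):
#   -a always,exit -F arch=b64 -S kill -F a1=9 -k sigkill
SYS_KILL_X86_64 = 62
SIGKILL = 9

# Constructed sample records modelled on auditd SYSCALL lines (not real log data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=62 success=yes exit=0 a0=ffffffffffffffff a1=9 a2=0 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="sigkill"
type=SYSCALL msg=audit(1700000000.456:502): arch=c000003e syscall=62 success=yes exit=0 a0=1b39 a1=f a2=0 a3=0 items=0 ppid=1 pid=4243 auid=1000 uid=1000 comm="kill" exe="/usr/bin/kill" key="sigkill"
type=SYSCALL msg=audit(1700000000.789:503): arch=c000003e syscall=62 success=no exit=-1 a0=1 a1=9 a2=0 a3=0 items=0 ppid=1 pid=4244 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="sigkill"
type=PROCTITLE msg=audit(1700000000.789:503): proctitle=6B696C6C
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'audit\(\d+\.\d+:(\d+)\)')


@dataclass
class KillEvent:
    serial: int
    sender_pid: int
    auid: int
    comm: str
    target_pid: int   # signed: -1 means "every process the caller may signal"
    signal: int
    success: bool

    @property
    def scope(self) -> str:
        """Human-readable meaning of the pid argument of kill(2)."""
        if self.target_pid == -1:
            return "broadcast"
        if self.target_pid == 0:
            return "own process group"
        if self.target_pid < -1:
            return f"process group {-self.target_pid}"
        return f"single pid {self.target_pid}"


def parse_fields(line: str) -> dict:
    """Split one audit record into a key -> value dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def to_signed64(hexstr: str) -> int:
    """auditd prints arguments as raw 64-bit hex; recover the signed pid value."""
    v = int(hexstr, 16)
    return v - (1 << 64) if v >= (1 << 63) else v


def decode_kill(line: str) -> Optional[KillEvent]:
    """Return a KillEvent for a kill(2) SYSCALL record, or None for anything else."""
    f = parse_fields(line)
    if f.get("type") != "SYSCALL" or f.get("syscall") != str(SYS_KILL_X86_64):
        return None
    m = SERIAL_RE.search(line)
    return KillEvent(
        serial=int(m.group(1)) if m else -1,
        sender_pid=int(f["pid"]),
        auid=int(f.get("auid", -1)),
        comm=f.get("comm", "?"),
        target_pid=to_signed64(f["a0"]),
        signal=int(f["a1"], 16),
        success=f.get("success") == "yes",
    )


def scan(log: str) -> List[KillEvent]:
    """All kill(2) events in a block of audit log text, in file order."""
    return [ev for ev in (decode_kill(l) for l in log.splitlines() if l.strip()) if ev]


def broadcast_sigkills(log: str) -> List[KillEvent]:
    """The case the post worries about: a successful kill(-1, SIGKILL) from one caller."""
    return [ev for ev in scan(log)
            if ev.signal == SIGKILL and ev.target_pid == -1 and ev.success]


if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"serial={ev.serial} pid={ev.sender_pid} comm={ev.comm} "
              f"sig={ev.signal} scope={ev.scope} success={ev.success}")
    for ev in broadcast_sigkills(SAMPLE_LOG):
        print(f"ALERT: broadcast SIGKILL by pid {ev.sender_pid} (auid {ev.auid})")
```

The parser only sees the sending side: a single record with a0=ffffffffffffffff stands for every process the caller could signal, and which processes actually died has to be correlated from other sources (for instance the absence of their later records), which is exactly the limitation the post describes.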