Hi,
So I'm curious: auditd catches abnormal process termination (SIGSEGV,
...) with a 1701 audit message, and can catch 'clean' termination by
monitoring syscalls (exit, exit_group); however, I don't see anything to
catch process termination by a SIGKILL.
If I audit the kill() system call then I see the call to send the
signal, but I would have expected the system to offer auditing of an
actual SIGKILL *reception* (because you can pass -1 as target PID to
sigkill, which kills all processes reachable by the caller and will make
auditing by syscall very hard to do). Am I missing something? Is there
a parameter to set somehow that I'm missing?
Thanks,
Hassan
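
The sender-side view described in this message, as an added example that is not part of the original post: a Python parser that pulls SIGKILL sends out of kill() SYSCALL records and flags the -1 target, which is the case where the record names no individual victim. The log lines are constructed, and the x86_64 syscall number, the audit rule in the comment and its key name `sig_kill` are assumptions.

```python
import re

# Constructed sample records in auditd log format, x86_64 (arch=c000003e, kill = syscall 62).
# Assumed rule: -a always,exit -F arch=b64 -S kill -k sig_kill   (key name is hypothetical)
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=9 a2=0 a3=0 items=0 ppid=900 pid=901 auid=1000 uid=1000 comm="kill" exe="/usr/bin/kill" key="sig_kill"
type=SYSCALL msg=audit(1700000001.202:502): arch=c000003e syscall=62 success=yes exit=0 a0=ffffffff a1=9 a2=0 a3=0 items=0 ppid=900 pid=902 auid=1000 uid=1000 comm="kill" exe="/usr/bin/kill" key="sig_kill"
type=SYSCALL msg=audit(1700000002.303:503): arch=c000003e syscall=62 success=no exit=-1 a0=ffffffffffffffff a1=9 a2=0 a3=0 items=0 ppid=900 pid=903 auid=1001 uid=1001 comm="python3" exe="/usr/bin/python3" key="sig_kill"
type=SYSCALL msg=audit(1700000003.404:504): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=f a2=0 a3=0 items=0 ppid=900 pid=904 auid=1000 uid=1000 comm="kill" exe="/usr/bin/kill" key="sig_kill"
type=ANOM_ABEND msg=audit(1700000004.505:505): auid=1000 uid=1000 gid=1000 ses=1 pid=950 comm="app" exe="/usr/bin/app" sig=11 res=1
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SIGKILL, SYS_KILL_X86_64 = 9, "62"


def as_pid(hexval):
    """Syscall args are logged as hex register values; pid_t is a signed
    32-bit int, so -1 can appear as ffffffff or ffffffffffffffff."""
    low = int(hexval, 16) & 0xFFFFFFFF
    return low - (1 << 32) if low & 0x80000000 else low


def scope_of(target):
    """kill(2) target semantics."""
    if target > 0:
        return "single"
    if target == 0:
        return "caller-group"
    return "broadcast" if target == -1 else "process-group"


def sigkill_events(log):
    """Return one dict per kill() record that carried SIGKILL."""
    events = []
    for line in log.splitlines():
        f = dict(FIELD.findall(line))
        if (f.get("type"), f.get("arch"), f.get("syscall")) != ("SYSCALL", "c000003e", SYS_KILL_X86_64):
            continue
        if int(f["a1"], 16) != SIGKILL:
            continue
        target = as_pid(f["a0"])
        events.append({"sender_pid": int(f["pid"]), "comm": f["comm"].strip('"'),
                       "target": target, "scope": scope_of(target),
                       "succeeded": f.get("success") == "yes"})
    return events


if __name__ == "__main__":
    for event in sigkill_events(SAMPLE):
        print(event)
```
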