On Tuesday 21 August 2007 11:13:35 Henning, Arthur C. (CSL) wrote:
RHEL kernel 2.6.18-8.el5xen
This was the GA kernel which had an omission in several things for audit.
Audit 1.5.6-1.i386
That's on RHEL?
Get log entry of the failed attempt
# ausearch -i -sv no
type=SYSCALL msg=audit(08/21/2007 09:40:36.832:1458) : arch=i386
syscall=kill success=no exit=-1(Operation not permitted) a0=f8c a1=9
a2=f8c a3=f8c items=0 ppid=3391 pid=3402 auid=art uid=art gid=art
euid=art suid=art fsuid=art egid=art sgid=art fsgid=art tty=pts2
comm=bash exe=/bin/bash subj=user_u:system_r:unconfined_t:s0 key=(null)
You should have a OBJ_PID record, too.
Is there a way to indentify the process which the user attempted to
kill?
Yes, the OBJ_PID record looks like this:
type=OBJ_PID msg=audit(08/21/2007 11:42:36.556:490) : opid=1709
obj=system_u:system_r:auditd_t:s0
Or by whom the process is owned?
What is logged is the object ID that kill is acting upon. Which I suppose does
not help in CAPP situations (and I don't think it was required by CAPP).
-Steve