On Mon, 2009-03-23 at 15:29 +0000, Matthew Booth wrote:
> Under what circumstances will the RHEL 4 kernel generate a message of
> type AUDIT_SIGNAL_INFO? My understanding is that it should be sent when
> a process sends a signal to the audit daemon, however I have not
> observed that. Any ideas?

AUDIT_SIGNAL_INFO is sent when the kernel gets an AUDIT_SIGNAL_INFO
request from auditd.
Basically if you send a signal to the audit daemon, the audit daemon
sends a message to the kernel requesting AUDIT_SIGNAL_INFO. The kernel
sends the info back to auditd. Auditd then uses that info to log about
the signal it took. auditd then acts on the signal it took.
So you wouldn't see it in the normal audit logs. It's really just a
communication medium between the kernel and auditd.
-Eric
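
The request/reply exchange described above, as an added example that is not part of the original thread and is not auditd's code. The struct names, helper functions and the reply bytes are constructed for illustration; the payload layout (uid, pid, optional security context) follows struct audit_sig_info in linux/audit.h, and a real auditd sends the request over a NETLINK_AUDIT socket instead of a buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUDIT_SIGNAL_INFO 1010  /* message type, value from linux/audit.h */
#define NLM_F_REQUEST     0x01  /* value from linux/netlink.h */

/* Local mirror of struct nlmsghdr (16 bytes) so no kernel headers are needed. */
struct nl_hdr { uint32_t len; uint16_t type; uint16_t flags; uint32_t seq; uint32_t pid; };
/* Decoded reply: who signalled auditd. ctx is empty when the kernel sent none. */
struct sig_info { uint32_t uid; int32_t pid; char ctx[64]; };

/* Step 1, auditd -> kernel: a header-only request. Returns bytes written. */
size_t build_request(unsigned char *buf, uint32_t seq)
{
    struct nl_hdr h = { (uint32_t)sizeof h, AUDIT_SIGNAL_INFO, NLM_F_REQUEST, seq, 0 };
    memcpy(buf, &h, sizeof h);
    return sizeof h;
}

/* Step 2, kernel -> auditd: validate and decode. Returns 0, or -1 if malformed. */
int parse_reply(const unsigned char *buf, size_t n, struct sig_info *out)
{
    struct nl_hdr h;
    if (n < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.type != AUDIT_SIGNAL_INFO || h.len > n || h.len < sizeof h + 8) return -1;
    memcpy(out, buf + sizeof h, 8);            /* uid, then pid, 4 bytes each */
    size_t ctx_len = h.len - sizeof h - 8;     /* context is not NUL-terminated */
    if (ctx_len >= sizeof out->ctx) ctx_len = sizeof out->ctx - 1;
    memcpy(out->ctx, buf + sizeof h + 8, ctx_len);
    out->ctx[ctx_len] = '\0';
    return 0;
}

/* Constructed stand-in for the kernel's reply (sample data, not a capture). */
size_t sample_reply(unsigned char *buf, uint32_t uid, int32_t pid, const char *ctx)
{
    struct nl_hdr h = { (uint32_t)(sizeof h + 8 + strlen(ctx)), AUDIT_SIGNAL_INFO, 0, 1, 0 };
    uint32_t body[2] = { uid, (uint32_t)pid };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, body, sizeof body);
    memcpy(buf + sizeof h + 8, ctx, strlen(ctx));
    return h.len;
}

int main(void)
{
    unsigned char buf[128]; struct sig_info si;
    printf("request is %zu bytes, type %d\n", build_request(buf, 1), AUDIT_SIGNAL_INFO);
    size_t n = sample_reply(buf, 0, 4242, "system_u:system_r:initrc_t");
    if (parse_reply(buf, n, &si) == 0)
        printf("signal from uid=%u pid=%d ctx=%s\n", (unsigned)si.uid, (int)si.pid, si.ctx);
    return 0;
}
```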