On Tue, 2014-08-05 at 12:48 -0400, Steve Grubb wrote:
> On Tuesday, August 05, 2014 10:36:17 AM Gisela Cheng wrote:
> > Would this trigger the creation of the audit record?
>
> I don't think anything in the config file would affect this. The requirements are
> to record all starts and stops. I don't think it can record a segfault kind of
> stop. That would, however, generate an ANOM_ABEND event.

All stops of a non-forking daemon will be properly tracked with a stop
event (including segfault). systemd doesn't just start processes and
forget about them. It isn't sysv. We don't live in the stone ages any
more :)
For forking services (like yours) it gets it right most of the time,
especially since you told it the pid file, but I understand it isn't
perfect. sendmail is a forking service; if you kill -SIGSEGV $SENDMAIL_PID
you will get something like:

type=ANOM_ABEND msg=audit(1407329684.562:419): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:sendmail_t:s0 pid=1114 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" sig=11
type=SERVICE_STOP msg=audit(1407329684.570:420): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="sendmail" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Aka, Steve is right and you are right.
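
The pairing shown in the message above (an ANOM_ABEND record followed by a SERVICE_STOP with res=failed) can be matched mechanically when reviewing audit logs. The Python below is an added example, not part of the original thread; the function names, the 2-second correlation window, and the fallback from a unit= field to comm= are assumptions.

```python
import re

# Record header: type, epoch timestamp, event serial, then the field list.
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value where the value is "double quoted", 'single quoted', or a bare token.
FIELD = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')

# The two records quoted in the thread, one record per line.
SAMPLE = r'''
type=ANOM_ABEND msg=audit(1407329684.562:419): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:sendmail_t:s0 pid=1114 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" sig=11
type=SERVICE_STOP msg=audit(1407329684.570:420): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="sendmail" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
'''.strip().splitlines()

def parse(line):
    """Return one audit record as a dict, or None if the line is not a record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in FIELD.findall(m.group(4)):
        if val.startswith("'"):
            # Userspace records wrap their own fields in msg='...'; flatten them.
            for k2, v2 in FIELD.findall(val[1:-1]):
                rec[k2] = v2.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec

def crashed_services(lines, window=2.0):
    """Pair each failed SERVICE_STOP with an ANOM_ABEND seen just before it."""
    recs = [r for r in map(parse, lines) if r]
    abends = [r for r in recs if r["type"] == "ANOM_ABEND"]
    hits = []
    for stop in recs:
        if stop["type"] != "SERVICE_STOP" or stop.get("res") != "failed":
            continue
        # Assumption: use unit= when present; the record in this thread
        # names the service in comm=, so fall back to that.
        svc = stop.get("unit", stop.get("comm"))
        for a in abends:
            if a.get("comm") == svc and 0 <= stop["time"] - a["time"] <= window:
                hits.append((svc, int(a["sig"]), a["serial"], stop["serial"]))
    return hits

if __name__ == "__main__":
    for svc, sig, abend_id, stop_id in crashed_services(SAMPLE):
        print(f"{svc}: signal {sig} (event {abend_id}), failed stop (event {stop_id})")
```

Matching on the process name is a heuristic: a service whose binary name differs from its service name will not pair up without a mapping between the two.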