
I am using auditd to monitor my system for kills. Normally I see the following pair of lines. As an example from a bash shell I have performed a kill -9 on a sleep command with pid 16207. As I understand it, a0=3f4f in the SYSCALL is the hex representation of the pid to be killed, namely opid=16207 in the OBJ_PID.

type=SYSCALL msg=audit(1484657892.027:5580849): arch=c000003e syscall=62 success=yes exit=0 a0=3f4f a1=9 a2=0 a3=7ffe782998e0 items=0 ppid=16209 pid=16212 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2282 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="log_kill"
type=OBJ_PID msg=audit(1484657892.027:5580849): opid=16207 oauid=0 ouid=0 oses=2275 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="sleep"

This is all OK and I think I understand what is being logged. On our live system, where we have many processes running, I occasionally have a process that is killed. When I examine the kill signals in the audit log I get the following:

type=SYSCALL msg=audit(1484742595.249:7657673): arch=c000003e syscall=62 success=yes exit=0 a0=9640 a1=f a2=0 a3=7ffec4d845f0 items=0 ppid=1 pid=38430 auid=1158 uid=1158 gid=1173 euid=1158 suid=1158 fsuid=1158 egid=1173 sgid=1173 fsgid=1173 tty=(none) ses=1730 comm="startkde" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="log_kill"
type=OBJ_PID msg=audit(1484742595.249:7657673): opid=38373 oauid=1158 ouid=1158 oses=1730 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="java"

Here a0=9640 gives a decimal pid of 38464, which is not opid=38373. Can anyone explain why this should be the case?

Or, to rephrase the question, why should a SYSCALL kill sent to process with pid 0x9640 (i.e. 38464) be received by OBJ_PID 38373?

BarneyW
  • Why don't you compare with simpler tools like ps to see what you're doing. It is also essential to see the actual command to understand your situation as killing a process will often cause some related processes to die. – Julie Pelletier Jan 19 '17 at 15:02
  • Thanks Julie but ps doesn't help me. I need to know which process is sending a kill to my process. That is why I am using auditd. – BarneyW Jan 19 '17 at 15:20
  • @BarneyW That's a different question though. – Kusalananda Jan 19 '17 at 15:23
  • If I can understand why the killing process appears to be trying to kill pid 38464 but ends up killing pid 38373 (as I read it from the audit log) I will be a long way towards finding out why my process is killed. – BarneyW Jan 19 '17 at 15:28
  • Are you using multiple threads? Could one of these be a thread ID within the same process? – Random832 Jan 19 '17 at 18:46
  • According to the documentation they are pids. a0 is the process id and a1 is the kill level. – BarneyW Jan 19 '17 at 20:05
  • I'm not clear why startkde would kill a java process and only a java process. Are there any other OBJ_PID records from around that time? – Mark Plotnick Jan 19 '17 at 20:14
  • Yes, plenty. But only in this pair do the source and target pids differ. – BarneyW Jan 19 '17 at 20:42
  • Are there any entries for pid 38464 after the entry for the kill targeting it? – Mark Plotnick Jan 19 '17 at 21:24
  • No, neither in hex format nor decimal, but I am only auditing the kills. – BarneyW Jan 20 '17 at 05:22
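Added example, not code from the question or from auditd: a small Python parser that joins each syscall=62 SYSCALL record to the OBJ_PID record carrying the same audit serial, decodes a0 as the requested pid and a1 as the signal, and flags pairs where a0 and opid disagree, as in the second pair quoted above. It assumes x86_64 records (arch=c000003e, where syscall 62 is kill) and goes one step beyond the question by treating a0 as a 64-bit value so that negative pid arguments (process groups, -1) also decode; the sample input is the four lines quoted in the question.

```python
import re
import signal

# Constructed sample input: the two SYSCALL/OBJ_PID pairs quoted in the question.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1484657892.027:5580849): arch=c000003e syscall=62 success=yes exit=0 a0=3f4f a1=9 a2=0 a3=7ffe782998e0 items=0 ppid=16209 pid=16212 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2282 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="log_kill"
type=OBJ_PID msg=audit(1484657892.027:5580849): opid=16207 oauid=0 ouid=0 oses=2275 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="sleep"
type=SYSCALL msg=audit(1484742595.249:7657673): arch=c000003e syscall=62 success=yes exit=0 a0=9640 a1=f a2=0 a3=7ffec4d845f0 items=0 ppid=1 pid=38430 auid=1158 uid=1158 gid=1173 euid=1158 suid=1158 fsuid=1158 egid=1173 sgid=1173 fsgid=1173 tty=(none) ses=1730 comm="startkde" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="log_kill"
type=OBJ_PID msg=audit(1484742595.249:7657673): opid=38373 oauid=1158 ouid=1158 oses=1730 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="java"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')     # key=value, value may be quoted
SERIAL_RE = re.compile(r'audit\(\d+\.\d+:(\d+)\)')  # msg=audit(time:serial)
SYS_KILL = 62  # kill(2) syscall number on x86_64 (arch=c000003e)

def parse_record(line):
    """Split one audit record into a dict and pull the event serial out of msg=."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(rec.get("msg", ""))
    if m:
        rec["serial"] = m.group(1)
    return rec

def signed_arg(hexstr):
    """a0..a3 are logged as unsigned 64-bit hex; reinterpret as signed so that
    kill(-pgid, sig) and kill(-1, sig) decode to their negative pid argument."""
    v = int(hexstr, 16)
    return v - (1 << 64) if v >= (1 << 63) else v

def correlate_kills(log_text):
    """Join each syscall=62 SYSCALL record to the OBJ_PID record with the same
    serial and compare the pid asked for (a0) with the pid actually signalled (opid)."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if "serial" in rec:
            events.setdefault(rec["serial"], {})[rec["type"]] = rec
    out = []
    for serial, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc, obj = recs.get("SYSCALL"), recs.get("OBJ_PID")
        if not (sc and obj) or int(sc.get("syscall", -1)) != SYS_KILL:
            continue
        requested, actual = signed_arg(sc["a0"]), int(obj["opid"])
        signum = int(sc["a1"], 16)
        signame = {s.value: s.name for s in signal.Signals}.get(signum, f"SIG{signum}")
        out.append({"serial": serial, "sender": f'{sc["comm"]}[{sc["pid"]}]',
                    "signal": signame, "requested_pid": requested,
                    "actual": f'{obj["ocomm"]}[{actual}]', "mismatch": requested != actual})
    return out
```

Run over the sample, the first pair decodes to bash[16212] sending SIGKILL to 16207 with opid 16207 (no mismatch), and the second to startkde[38430] sending SIGTERM to 38464 with opid 38373, which is flagged.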
