I am using auditd to monitor my system for kills. Normally I see the following pair of lines. As an example, from a bash shell I have performed a kill -9 on a sleep command with pid 16207. As I understand it, a0=3f4f in the SYSCALL is the hex representation of the pid to be killed, namely opid=16207 in the OBJ_PID.
type=SYSCALL msg=audit(1484657892.027:5580849): arch=c000003e syscall=62 success=yes exit=0 a0=3f4f a1=9 a2=0 a3=7ffe782998e0 items=0 ppid=16209 pid=16212 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2282 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="log_kill"
type=OBJ_PID msg=audit(1484657892.027:5580849): opid=16207 oauid=0 ouid=0 oses=2275 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="sleep"
This is all OK and I think I understand what is being logged. On our live system, where we have many processes running, I occasionally have a process that is killed. When I examine the kill signals in the audit log I get the following:
type=SYSCALL msg=audit(1484742595.249:7657673): arch=c000003e syscall=62 success=yes exit=0 a0=9640 a1=f a2=0 a3=7ffec4d845f0 items=0 ppid=1 pid=38430 auid=1158 uid=1158 gid=1173 euid=1158 suid=1158 fsuid=1158 egid=1173 sgid=1173 fsgid=1173 tty=(none) ses=1730 comm="startkde" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="log_kill"
type=OBJ_PID msg=audit(1484742595.249:7657673): opid=38373 oauid=1158 ouid=1158 oses=1730 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="java"
Here a0=9640 gives a decimal pid of 38464, which is not opid=38373. Can anyone explain why this should be the case?
Or, to rephrase the question, why should a SYSCALL kill sent to process with pid 0x9640 (i.e. 38464) be received by OBJ_PID 38373?
ps to see what you're doing. It is also essential to see the actual command to understand your situation, as killing a process will often cause some related processes to die. – Julie Pelletier Jan 19 '17 at 15:02
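The check the question does by hand (decode a0 from hex, compare it with opid on the OBJ_PID record that carries the same serial number) is easy to automate, and doing so also makes the other kill(2) target conventions visible: a0 is the raw pid_t argument, so a negative value (a process-group kill, printed by the kernel as a sign-extended register) produces one OBJ_PID record per process in the group. The following script is an added example, not code from the question or the comments. It uses the two events quoted above as sample input plus a third, constructed event with a negative a0; the sign-extended rendering of that a0 and the field names on the constructed lines are assumptions, and the syscall-number check is specific to x86_64 (arch=c000003e, syscall=62).

```python
"""Pair auditd SYSCALL/OBJ_PID records for kill(2) and check a0 against opid."""
import re
import signal
from collections import OrderedDict

SYS_KILL_X86_64 = 62  # syscall=62 with arch=c000003e (x86_64) is kill(2)

# Constructed sample input: the two events from the question, plus a third
# hypothetical event (assumption) with a negative a0, i.e. a process-group
# kill, written the way a sign-extended 64-bit register value would print.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1484657892.027:5580849): arch=c000003e syscall=62 success=yes exit=0 a0=3f4f a1=9 a2=0 a3=7ffe782998e0 items=0 ppid=16209 pid=16212 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2282 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="log_kill"
type=OBJ_PID msg=audit(1484657892.027:5580849): opid=16207 oauid=0 ouid=0 oses=2275 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="sleep"
type=SYSCALL msg=audit(1484742595.249:7657673): arch=c000003e syscall=62 success=yes exit=0 a0=9640 a1=f a2=0 a3=7ffec4d845f0 items=0 ppid=1 pid=38430 auid=1158 uid=1158 gid=1173 euid=1158 suid=1158 fsuid=1158 egid=1173 sgid=1173 fsgid=1173 tty=(none) ses=1730 comm="startkde" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="log_kill"
type=OBJ_PID msg=audit(1484742595.249:7657673): opid=38373 oauid=1158 ouid=1158 oses=1730 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="java"
type=SYSCALL msg=audit(1484742600.000:7657700): arch=c000003e syscall=62 success=yes exit=0 a0=ffffffffffff69c0 a1=f a2=0 a3=0 items=0 ppid=1 pid=38430 auid=1158 uid=1158 gid=1173 euid=1158 suid=1158 fsuid=1158 egid=1173 sgid=1173 fsgid=1173 tty=(none) ses=1730 comm="startkde" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="log_kill"
type=OBJ_PID msg=audit(1484742600.000:7657700): opid=38464 oauid=1158 ouid=1158 oses=1730 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="java"
type=OBJ_PID msg=audit(1484742600.000:7657700): opid=38470 oauid=1158 ouid=1158 oses=1730 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="java"
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into (type, timestamp, serial, {field: value})."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
    return m.group('type'), m.group('ts'), int(m.group('serial')), fields


def decode_pid_arg(hexstr):
    """a0 is the raw register holding the pid_t argument; negatives are two's complement."""
    v = int(hexstr, 16)
    if v >= 1 << 63:        # sign-extended 64-bit register (x86_64)
        v -= 1 << 64
    elif v >= 1 << 31:      # 32-bit two's complement, in case only the low word is shown (assumption)
        v -= 1 << 32
    return v


def describe_target(pid):
    """kill(2) semantics of the pid argument."""
    if pid > 0:
        return f"pid {pid}"
    if pid == 0:
        return "caller's process group"
    if pid == -1:
        return "all processes the caller may signal"
    return f"process group {-pid}"


def signal_name(hexstr):
    n = int(hexstr, 16)
    try:
        return signal.Signals(n).name
    except ValueError:
        return f"sig{n}"


def group_events(log_text):
    """Group records by serial number: one SYSCALL plus zero or more OBJ_PID records."""
    events = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = events.setdefault(serial, {'ts': ts, 'syscall': None, 'targets': []})
        if rtype == 'SYSCALL':
            ev['syscall'] = fields
        elif rtype == 'OBJ_PID':
            ev['targets'].append(fields)
    return events


def analyze_kills(log_text):
    """Return one summary dict per kill(2) event, flagging a0/opid mismatches."""
    results = []
    for serial, ev in group_events(log_text).items():
        sc = ev['syscall']
        if sc is None or sc.get('arch') != 'c000003e' or int(sc.get('syscall', -1)) != SYS_KILL_X86_64:
            continue
        pid_arg = decode_pid_arg(sc['a0'])
        opids = [int(t['opid']) for t in ev['targets']]
        # A positive a0 names exactly one process, so the single OBJ_PID must equal it.
        mismatch = pid_arg > 0 and opids != [pid_arg]
        results.append({
            'serial': serial, 'ts': ev['ts'],
            'killer': (int(sc['pid']), sc.get('comm')),
            'signal': signal_name(sc['a1']),
            'pid_arg': pid_arg,
            'target': describe_target(pid_arg),
            'opids': opids,
            'ocomms': [t.get('ocomm') for t in ev['targets']],
            'mismatch': mismatch,
        })
    return results


def main():
    for r in analyze_kills(SAMPLE_LOG):
        flag = "  <-- a0 does not match OBJ_PID" if r['mismatch'] else ""
        delivered = list(zip(r['opids'], r['ocomms']))
        print(f"{r['serial']}: {r['killer'][1]}[{r['killer'][0]}] sent {r['signal']} "
              f"to {r['target']}; delivered to {delivered}{flag}")


if __name__ == '__main__':
    main()
```

Run against a real log with `ausearch -k log_kill --raw`, feeding the output to `analyze_kills`; grouping by serial rather than by timestamp matters, since several kill events can share a timestamp. The mismatch flag is only asserted for a positive a0, because for 0, -1 or a negative group id the set of OBJ_PID records is legitimately different from the argument.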