
I'm looking for a signal logger for the Linux kernel, without patching the kernel.

I found many articles about patching, but I am not interested in that.

I'm running a default Ubuntu 13.04.

    # uname -a
    Linux bt 3.8.0-26-lowlatency #18-Ubuntu SMP PREEMPT Tue Jun 25 22:36:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

I need: pid, comm (sender) -> SIGNAL (number 0-31) -> pid, comm (catcher)

This would be great too:

  pidtree of sender ----- - - - - - receiver(cmd) ---- child1 of receiver, etc
              /                     \----child2---child1 of child2(cmd)
             ppid(+cmd)               ----child3(+cmd)
            /                          \__child4(+cmd)
           ppid of ppid(cmd)
          ....
         /
        init

And the same for the catcher, plus timestamps.

What I have already found:

superfrink.net: the patch "Linux UserSpace Signal Logging" (logs signals sent from userspace programs) by Chad Clark (version of 10 March 2003)

The grsecurity patch has a similar implementation.

I need a light and easy way to achieve this on Ubuntu.

1 Answer


I can give you a partial solution to it.

Use the audit subsystem in the Linux kernel. The audit subsystem logs the core dump signals. The core dump signals are:

  1. ABRT
  2. FPE
  3. ILL
  4. QUIT
  5. SEGV
  6. TRAP
  7. SYS
  8. EMT
  9. BUS
  10. XCPU
  11. XFSZ

The audit log can be found at /var/log/audit.log. For core dump signals the audit log looks like the following:

    type=ANOM_ABEND msg=audit(1386433952.455:141): auid=1000 uid=1000 gid=1000 ses=2 pid=6664 comm="bash" reason="memory violation" sig=24

The above is an example of the logging done for a SIGXCPU signal sent to process 6664 of the user with uid 1000. From this log you can figure out the comm and pid of the "catcher". Note that the reason field in the log is broken. Even with this log we are clueless about the sender.

You can find the configuration details here.
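As an added example (not part of the answer above or of any audit tooling), here is a small Python script that turns ANOM_ABEND records of the shape shown into the "sender -> SIGNAL -> catcher" lines the question asks for, with a timestamp. The audit lines in SAMPLE_AUDIT_LOG are constructed for the example (the first one is the record quoted in the answer); the signal-number table is an assumption that matches x86-64 Linux, the platform in the question; and the sender columns are deliberately left empty because, as the answer says, the record carries no information about who sent the signal.

```python
import re
from datetime import datetime, timezone

# Signal numbers on x86-64 Linux (assumption: the questioner's platform).
# Embedded here rather than read from the `signal` module so the mapping does
# not change with the platform the script happens to run on.
LINUX_X86_64_SIGNALS = {
    1: "SIGHUP", 2: "SIGINT", 3: "SIGQUIT", 4: "SIGILL", 5: "SIGTRAP",
    6: "SIGABRT", 7: "SIGBUS", 8: "SIGFPE", 9: "SIGKILL", 10: "SIGUSR1",
    11: "SIGSEGV", 12: "SIGUSR2", 13: "SIGPIPE", 14: "SIGALRM", 15: "SIGTERM",
    16: "SIGSTKFLT", 17: "SIGCHLD", 18: "SIGCONT", 19: "SIGSTOP", 20: "SIGTSTP",
    21: "SIGTTIN", 22: "SIGTTOU", 23: "SIGURG", 24: "SIGXCPU", 25: "SIGXFSZ",
    26: "SIGVTALRM", 27: "SIGPROF", 28: "SIGWINCH", 29: "SIGIO", 30: "SIGPWR",
    31: "SIGSYS",
}

# The core-dump signals listed in the answer. SIGEMT is in that list but is not
# defined on x86-64 Linux, so it has no number here.
CORE_DUMP_SIGNALS = {"SIGABRT", "SIGFPE", "SIGILL", "SIGQUIT", "SIGSEGV",
                     "SIGTRAP", "SIGSYS", "SIGBUS", "SIGXCPU", "SIGXFSZ"}

# Constructed sample: the record from the answer plus two more lines, one of
# which is a non-ANOM_ABEND record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=ANOM_ABEND msg=audit(1386433952.455:141): auid=1000 uid=1000 gid=1000 ses=2 pid=6664 comm="bash" reason="memory violation" sig=24
type=SYSCALL msg=audit(1386433960.001:142): arch=c000003e syscall=59 success=yes exit=0 pid=6670 comm="ls"
type=ANOM_ABEND msg=audit(1386434001.120:143): auid=1000 uid=1000 gid=1000 ses=2 pid=6701 comm="python3" reason="memory violation" sig=11
"""

_HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value pairs; quoted values may contain spaces (e.g. reason="memory violation")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit line; return a dict for ANOM_ABEND records, else None."""
    m = _HEADER_RE.match(line.strip())
    if not m or m.group("type") != "ANOM_ABEND":
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("body"))}
    signum = int(fields.get("sig", 0))
    signame = LINUX_X86_64_SIGNALS.get(signum, "SIG%d" % signum)
    return {
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc).isoformat(),
        "serial": int(m.group("serial")),
        # Sender side: ANOM_ABEND records say nothing about who sent the signal.
        "sender_pid": None,
        "sender_comm": None,
        "signal": signame,
        "signum": signum,
        "core_dump_signal": signame in CORE_DUMP_SIGNALS,
        "catcher_pid": int(fields["pid"]),
        "catcher_comm": fields.get("comm", ""),
        "uid": int(fields.get("uid", -1)),
        "auid": int(fields.get("auid", -1)),
    }


def parse_log(text):
    """Return the parsed ANOM_ABEND records from a block of audit log text."""
    return [r for r in (parse_record(ln) for ln in text.splitlines()) if r is not None]


def format_record(r):
    """Render a record in the question's 'sender -> SIGNAL -> catcher' shape."""
    sender = "?,?(sender not logged)" if r["sender_pid"] is None else \
        "%d,%s" % (r["sender_pid"], r["sender_comm"])
    return "%s  %s -> %s(%d) -> %d,%s" % (
        r["time"], sender, r["signal"], r["signum"], r["catcher_pid"], r["catcher_comm"])


if __name__ == "__main__":
    import sys
    # Pipe a real audit log on stdin, otherwise the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    for rec in parse_log(text):
        print(format_record(rec))
```

Run it with the audit log on standard input to see one line per abnormal end. Because only core-dump signals produce ANOM_ABEND records, a SIGTERM or SIGKILL delivered to a process never shows up here, and the sender columns stay empty for every record; that is the gap in the "partial solution" above.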