From: Roman Drahtmueller (drahtsuse.de)
Date: Tue Sep 18 2001 - 07:17:01 CDT

    Hi Sebastian,

    > >
    > Yep. Kernel-land tools are the right ones, although
    > acct(2) only works when the process calls exit(2).

    Not quite (good that you mention it). The program gets logged when the
    task is being removed from the task list in do_exit() inside the kernel.
    The actual reason why it died doesn't count (besides, there is a bug in
    the lastcomm(1) manpage: Not only SIGTERM causes that "X" in lastcomm's
    output!), since this reason is beyond the control of the userspace at this
    stage.

    > Programs killed with sigkill for example don't appear
    > in the logs then.

    This is a good reason for not trying this in user- and libraryspace.

    # cd /var/account/
    # touch pacct
    # chmod 640 pacct
    # accton pacct
    # ls -la pacct
    -rw-r----- 1 root root 64 Sep 18 14:08 pacct
    # sleep 400 &
    [1] 16390
    # kill -9 16390
    #
    [1]+ Killed sleep 400
    #
    # lastcomm
    sleep X root stdin 0.01 secs Tue Sep 18 14:08
    ls root stdin 0.00 secs Tue Sep 18 14:08
    accton S root stdin 0.00 secs Tue Sep 18 14:08
    # accton

    Roman.

    -- 
     -                                                                      -
    | Roman Drahtmüller      <drahtsuse.de> // "You don't need eyes to see, |
      SuSE GmbH - Security           Phone: //             you need vision!"
    | Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
     -                                                                      -
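
Added example, not part of the original message: a reader for the accounting file that decodes the flag letters lastcomm prints, so signal-terminated processes such as the `sleep` above can be listed. It assumes the current Linux `struct acct_v3` layout (64-byte records, little-endian) and the flag bits from `<linux/acct.h>`; older kernels wrote other record formats. The function names are hypothetical and the sample records are constructed.

```python
import struct

# Assumption: Linux struct acct_v3, little-endian, 64 bytes per record.
# Fields: flag, version, tty, exitcode, uid, gid, pid, ppid, btime,
#         etime (float), 8 x comp_t counters, comm[16].
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")

# Flag bits from <linux/acct.h>, mapped to the letters lastcomm(1) prints.
FLAG_LETTERS = [(0x02, "S"),  # ASU:     used superuser privileges
                (0x01, "F"),  # AFORK:   forked without exec
                (0x04, "C"),  # ACOMPAT: compatibility mode
                (0x08, "D"),  # ACORE:   dumped core
                (0x10, "X")]  # AXSIG:   terminated by a signal

def flag_string(flag):
    return "".join(letter for bit, letter in FLAG_LETTERS if flag & bit)

def parse_pacct(data):
    """Return one dict per complete record, oldest first (file order)."""
    records = []
    usable = len(data) - len(data) % ACCT_V3.size  # skip a partial trailing record
    for off in range(0, usable, ACCT_V3.size):
        f = ACCT_V3.unpack_from(data, off)
        if f[1] & 0x0F != 3:
            raise ValueError("record at offset %d is not acct_v3" % off)
        comm = f[18].split(b"\0", 1)[0].decode("ascii", "replace")
        records.append({"comm": comm, "flags": flag_string(f[0]),
                        "uid": f[4], "pid": f[6], "btime": f[8]})
    return records

def killed_by_signal(records):
    return [r for r in records if "X" in r["flags"]]

def make_record(comm, flag, pid, uid=0, btime=1000814880):
    """Build a constructed acct_v3 record for the sample below."""
    return ACCT_V3.pack(flag, 3, 0, 0, uid, 0, pid, 1, btime, 0.0,
                        0, 0, 0, 0, 0, 0, 0, 0, comm)

# Constructed sample mirroring the session above (only PID 16390 is from it).
SAMPLE = (make_record(b"accton", 0x02, 16388)
          + make_record(b"ls", 0x00, 16389)
          + make_record(b"sleep", 0x10, 16390))

if __name__ == "__main__":
    for r in reversed(parse_pacct(SAMPLE)):  # newest first, like lastcomm
        print("%-8s %-3s uid=%d pid=%d" % (r["comm"], r["flags"], r["uid"], r["pid"]))
```

To read a live file, pass `open("/var/account/pacct", "rb").read()` to `parse_pacct` instead of `SAMPLE`.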
    
