查看进程被哪个进程杀掉(九十五)

1.报错: Program terminated with signal SIGKILL,Killed

1.demo.c
#include <unistd.h>
#include <sys/syscall.h>
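#include <stdio.h>

/*
 * Demo target for the audit exercise below: prints this process's thread
 * id once per second until it is killed.
 *
 * For a single-threaded program the tid equals the pid shown by ps, and it
 * is the value that appears as a0 (kill's first argument, the target pid)
 * in the SYSCALL audit record once the process is killed. It is printed in
 * both hex and decimal so it can be matched against the auditctl filter
 * (-F a0=0x...) as well as against ps/kill, which use decimal.
 *
 * Never returns normally; the loop runs until a signal terminates the
 * process. stdout is flushed after every line so that, when output is
 * redirected to a file, the buffered lines are not lost when the process is
 * SIGKILLed (SIGKILL gives the process no chance to flush).
 */
int main(void)
{
    for (;;) {
        sleep(1);
        /* syscall(2) returns long; narrow explicitly to the pid_t the caller
         * wants to compare with ps output. */
        pid_t tid = (pid_t)syscall(SYS_gettid);
        /* %#x needs an unsigned argument and %d an int; cast so the format
         * specifiers match the argument types exactly. */
        printf("tid(hex) =  %#x, tid(dec) = %d\n", (unsigned)tid, (int)tid);
        fflush(stdout);
    }
}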
# gcc demo.c 
# ps aux | grep a.out
12977    // a.out 的 pid,换算成 16 进制为 0x32b1
// 添加规则:a0 是 kill 的第一个参数(目标 pid),过滤条件要写成 16 进制
// 第一条规则记录系统中所有的 kill 调用,第二条只记录目标 pid 为 0x32b1 的调用
# auditctl -a exit,always -S kill
# auditctl -a exit,always -S kill -F a0=0x32b1
// 杀掉 a.out 进程,然后查看 bash 的进程号
# kill -9 12977
// 查看 log
# tail -f /var/log/audit/audit.log
// 关键字 SYSCALL:记录发出 kill 的进程,pid = 12550;syscall=62 即 kill,a0=32b1 是目标 pid,a1=9 是信号 SIGKILL;auid/uid 说明是哪个用户发出的
type=SYSCALL msg=audit(1607179009.753:345): arch=c000003e syscall=62 success=yes exit=0 a0=32b1 a1=9 a2=0 a3=7f5a5f278cc0 items=0 ppid=12526 pid=12550 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="bash" exe="/bin/bash" key=(null)
// 关键字 OBJ_PID:记录哪个进程被杀了,opid = 12977
type=OBJ_PID msg=audit(1607179009.753:345): opid=12977 oauid=1000 ouid=1000 oses=3 ocomm="a.out"
# ps aux | grep bash
12550 // bash 进程(发出 kill 的进程)
12526 /usr/lib/gnome-terminal/gnome-terminal-server // bash 的父进程,terminal 的服务程序
1.杀进程者:
pid=12550 是发出 kill 信号的进程;ppid=12526 是它的父进程
2.被杀者:
OBJ_PID 记录中的 opid=12977 表示进程 12977 被杀了
3.时间戳
时间戳:1607179009.753(秒.毫秒),冒号后的 345 是事件序号;SYSCALL 与 OBJ_PID 两条记录的序号相同,说明它们属于同一个事件
转化为北京时间(UTC+8):2020-12-05 22:36:49.753