linux 上进程被随机kill掉,如何监测和查询;谁杀了我的进程;Who sends a SIGKILL to my process mysteriously on ubuntu server
作者:互联网
今天跑实验,发现进程被随机kill。咨询了服务器上的其他同学,他们说之前也发生过,一直存在。看来可能有可能不是我自己程序的原因,只能自己动手解决了。
在 Who sends a SIGKILL to my process mysteriously on ubuntu server 中,提到一个简单的方法,使用audit。
Linux 审计系统:audit
Audit does not provide additional security to your system; rather, it can be used to discover violations of security policies used on your system. These violations can further be prevented by additional security measures such as SELinux.
The Linux Audit system provides a way to track security-relevant information on your system. Based on pre-configured rules, Audit generates log entries to record as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine the violator of the security policy and the actions they performed.
关于系统的更多内容,可参考 redhat 管理员手册。
安装很简单:sudo apt install auditd
启动服务并查看状态: systemctl enable auditd.service; systemctl restart auditd.service
然后通过auditctrl添加规则: auditctl -a exit,always -F arch=b64 -S kill -F a1=9
测试:
启动然后kill掉Python程序; 查看日志,即可发现kill发起的程序和用户;
sudo ausearch -sc kill
time->Thu Feb 24 04:00:08 2022 type=PROCTITLE msg=audit(1645675208.403:201): proctitle="htop" type=OBJ_PID msg=audit(1645675208.403:201): opid=40099 oauid=1016 ouid=1016 oses=12951 obj==unconfined ocomm="nvtop" type=SYSCALL msg=audit(1645675208.403:201): arch=c000003e syscall=62 success=yes exit=0 a0=9ca3 a1=9 a2=c1 a3=8 items=0 ppid=45939 pid=40129 auid=1016 uid=1016 gid=1016 euid=1016 suid=1016 fsuid=1016 egid=1016 sgid=1016 fsgid=1016 tty=pts4 ses=18035 comm="htop" exe="/usr/bin/htop" subj==unconfined key=(null)
下面开始守株待兔了, 再跑一下程序,找到被kill的原因;
# 2022年02月24日12:30:12, 被我找到了,应该是一个恶意程序。。
参考链接:
https://documentation.suse.com/sles/12-SP4/html/SLES-all/cha-audit-comp.html
https://www.cnblogs.com/xybaby/p/8098229.html
保持更新;cnblogs.com/xuyaowen;
标签:audit,SIGKILL,process,system,kill,进程,1016,com,security 来源: https://www.cnblogs.com/xuyaowen/p/linux-audit.html