Description of problem: The OBJ_PID audit event looks like this: type=OBJ_PID msg=audit(08/21/2007 11:42:36.556:490) : opid=1709 obj=system_u:system_r:auditd_t:s0 It has no information useful for CAPP environments. It should have the uid of the process being signalled and the process name if possible. If the process name cannot be added due to being on the hotpath, then we can do without. Steps to Reproduce: 1.-a entry,always -S kill 2. kill -9 nnnn 3. ausearch -m OBJ_PID --start recent
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Sent a patch to linux-audit for comment It wastes 16x16 bytes of memory for every task that sends a signal if we do signal auditing, i doubt it generates much concern....
in 2.6.18-66.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0314.html