While running FreeBSD a long time ago, there was a default feature which logged when a process received one of the fatal signals, like SIGSEGV, SIGBUS, SIGKILL, etc. and was terminated because of that.
Is there something similar for Linux?
The auditd suggestion is solid, but note that it only works if the kill(2) syscall is invoked. SIGBUS, for example, doesn't invoke that syscall; it's an interrupt handler inside of the kernel that then propagates the signal directly to the relevant process with no syscall interface required.
To accomplish your goal perfectly, you're probably looking for BPF. This is an excellent resource to start playing with. At a guess—no warranties expressed or implied—you might want to instrument here.
If you're looking for signals sent to a specific process, strace may be all you need:
# strace -e trace=signal -p <pid>
Lots of info available in the strace manpage...
There is also the "auditd" package.
This post over at redhat.com addresses your specific question: https://access.redhat.com/solutions/36278
Summarizing from the redhat post:
1) Install auditd
2) Edit /etc/audit/audit.rules to include the line:
-a entry,always -F arch=b64 -S kill -k teste_kill
3) restart the auditd service (or stop/start)
# service auditd restart
4) tail the auditd log file
# tail -f /var/log/audit/audit.log
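Decoding the records that rule writes, as an added example that is not part of the answer above or of the Red Hat article: the sketch below pulls out who sent which signal to which PID from SYSCALL lines tagged with the rule's key. It assumes x86_64 records where a0 and a1 are the hex-encoded kill(2) arguments; the function names are hypothetical and the sample log lines are constructed. Signals raised by the kernel itself (the SIGBUS case mentioned in the other answer) never produce these records.

```python
import re
import signal

# Constructed SYSCALL records shaped like what the kill rule logs on x86_64.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=62 success=yes exit=0 a0=1f4b a1=9 a2=0 a3=0 items=0 ppid=2686 pid=3538 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="teste_kill"
type=SYSCALL msg=audit(1700000004.456:102): arch=c000003e syscall=62 success=no exit=-3 a0=fffffffffffffb2e a1=f a2=0 a3=0 items=0 ppid=1 pid=4120 auid=1000 uid=1000 comm="cleanup.sh" exe="/usr/bin/dash" key="teste_kill"
type=SYSCALL msg=audit(1700000009.789:103): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d8 a2=55e0 a3=0 items=2 ppid=2686 pid=4200 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec_watch"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def to_pid(hex_arg):
    """a0 is the raw register in hex; pid_t is a signed 32-bit int."""
    value = int(hex_arg, 16) & 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def signal_name(num):
    """Map a signal number to its name on the host running this script."""
    try:
        return signal.Signals(num).name
    except ValueError:
        return f"SIG#{num}"  # 0 is an existence probe, not a real signal


def parse_kill_events(log_text, key="teste_kill"):
    """Return one dict per kill(2) record tagged with the rule's key."""
    events = []
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("key") != key:
            continue  # some other rule's record
        events.append({
            "event": fields["msg"],
            "sender_pid": int(fields["pid"]),
            "comm": fields["comm"],
            "target_pid": to_pid(fields["a0"]),  # negative targets a process group
            "signal": signal_name(int(fields["a1"], 16)),
            "success": fields["success"] == "yes",
        })
    return events


if __name__ == "__main__":
    for ev in parse_kill_events(SAMPLE_LOG):
        print(ev)
```

Signal numbers are resolved with the local `signal` module, so run it on the same architecture as the host that produced the log.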