方法1 systemtap:
probe begin
{
printf("%-8s %-16s %-5s %-16s %6s %-16s\n",
"SPID", "SNAME", "RPID", "RNAME", "SIGNUM", "SIGNAME")
}
probe signal.send
{
if (sig_name == @1 && sig_pid == target())
printf("%-8d %-16s %-5d %-16s %-6d %-16s\n",
pid(), execname(), sig_pid, pid_name, sig, sig_name)
}
stap -x pid sigmon.stp SIGKILL
方法2:audit
在Who sends a SIGKILL to my process mysteriously on ubuntu server中,提到了另外一个更加简单的方法,那就是使用audit
安装很简单:sudo apt-get install auditd
启动服务并查看状态: service auditd start & service auditd status
然后通过auditctrl添加规则: auditctl -a exit,always -F arch=b64 -S kill -F a1=9
然后使用ausearch搜索结果: ausearch -sc kill。结果类似如下
time->Mon Dec 25 19:52:55 2017
type=PROCTITLE msg=audit(1514202775.088:351): proctitle="bash"
type=OBJ_PID msg=audit(1514202775.088:351): opid=24067 日uid=-1 ouid=3010 oses=-1 ocomm="python"
type=SYSCALL msg=audit(1514202775.088:351): arch=c000003e syscall=62 success=yes exit=0 a0=5e03 a1=9 a2=0 a3=7ffc0d9f7b90 items=0 ppid=1349 pid=1350 uid=3010 gid=3010 euid=3010 suid=3010 fsuid=3010 egid=3010 sgid=3010 fsgid=3010 tty=pts0 comm="bash" exe="/bin/bash" key=(null)
可以看到,信号的目标进程是一个python程序,pid是24067,启动该进程的用户的id是3010。kil进程的信号被用户3010在pid为1350的bash中发出