linux 上进程被随机kill掉，如何监测和查询；谁杀了我的进程；Who sends a SIGKILL to my process mysteriously on ubuntu server

xuyaowen

发布于 2022-05-09 16:22:15

3.2K0

发布于 2022-05-09 16:22:15

文章被收录于专栏：XUYAOWEN的专栏

今天跑实验，发现进程被随机kill。咨询了服务器上的其他同学，他们说之前也发生过，一直存在。看来可能有可能不是我自己程序的原因，只能自己动手解决了。

在 Who sends a SIGKILL to my process mysteriously on ubuntu server 中，提到一个简单的方法，使用audit。

Linux 审计系统：audit

Audit does not provide additional security to your system; rather, it can be used to discover violations of security policies used on your system. These violations can further be prevented by additional security measures such as SELinux.

The Linux Audit system provides a way to track security-relevant information on your system. Based on pre-configured rules, Audit generates log entries to record as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine the violator of the security policy and the actions they performed.

关于系统的更多内容，可参考 redhat 管理员手册。

安装很简单：sudo apt install auditd

启动服务并查看状态： systemctl enable auditd.service; systemctl restart auditd.service

然后通过auditctrl添加规则： auditctl -a exit,always -F arch=b64 -S kill -F a1=9

测试：

启动然后kill掉Python程序; 查看日志，即可发现kill发起的程序和用户；

sudo ausearch -sc kill

time->Thu Feb 24 04:00:08 2022
type=PROCTITLE msg=audit(1645675208.403:201): proctitle="htop"
type=OBJ_PID msg=audit(1645675208.403:201): opid=40099 oauid=1016 ouid=1016 oses=12951 obj==unconfined ocomm="nvtop"
type=SYSCALL msg=audit(1645675208.403:201): arch=c000003e syscall=62 success=yes exit=0 a0=9ca3 a1=9 a2=c1 a3=8 items=0 ppid=45939 pid=40129 auid=1016 uid=1016 gid=1016 euid=1016 suid=1016 fsuid=1016 egid=1016 sgid=1016 fsgid=1016 tty=pts4 ses=18035 comm="htop" exe="/usr/bin/htop" subj==unconfined key=(null)

下面开始守株待兔了, 再跑一下程序，找到被kill的原因；

# 2022年02月24日12:30:12, 被我找到了，应该是一个恶意程序。。