Processes on Linux being killed at random: how to monitor and find out who killed my process; Who sends a SIGKILL to my process mysteriously on ubuntu server

While running experiments today I found my process being killed at random. I asked the other students using the server, and they said it had happened before and has been going on for a while. So it may or may not be something in my own program; I had to get to the bottom of it myself.

In Who sends a SIGKILL to my process mysteriously on ubuntu server, a simple method is suggested: use audit.

The Linux audit system: audit

Audit does not provide additional security to your system; rather, it can be used to discover violations of security policies used on your system. These violations can further be prevented by additional security measures such as SELinux.

The Linux Audit system provides a way to track security-relevant information on your system. Based on pre-configured rules, Audit generates log entries to record as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine the violator of the security policy and the actions they performed.

For more on the audit system, see the Red Hat administrator documentation (links at the end).

Installation is simple: sudo apt install auditd

Enable and start the service: sudo systemctl enable auditd.service; sudo systemctl restart auditd.service (systemctl status auditd.service shows whether it is running)

Then add a rule with auditctl: sudo auditctl -a exit,always -F arch=b64 -S kill -F a1=9

This rule logs every kill(2) call made by a 64-bit process whose second argument (a1, the signal number) is 9, i.e. SIGKILL. Two caveats: rules added with auditctl live only in memory and are gone after a reboot or an auditd restart, so once a rule works put it in a file under /etc/audit/rules.d/; and a SIGKILL delivered by the kernel's OOM killer is not a kill(2) syscall, so it never shows up here (check dmesg or journalctl -k for "Out of memory: Killed process" instead).

Test:

Start a Python program and then kill it; look at the log and you can see which program and which user issued the kill. In the sample output below, the SYSCALL record shows htop (pid=40129, uid=1016, tty=pts4) sending signal a1=9 to pid a0=9ca3 (hex for 40099), and the OBJ_PID record identifies that target pid as nvtop.

sudo ausearch -sc kill
time->Thu Feb 24 04:00:08 2022
type=PROCTITLE msg=audit(1645675208.403:201): proctitle="htop"
type=OBJ_PID msg=audit(1645675208.403:201): opid=40099 oauid=1016 ouid=1016 oses=12951 obj==unconfined ocomm="nvtop"
type=SYSCALL msg=audit(1645675208.403:201): arch=c000003e syscall=62 success=yes exit=0 a0=9ca3 a1=9 a2=c1 a3=8 items=0 ppid=45939 pid=40129 auid=1016 uid=1016 gid=1016 euid=1016 suid=1016 fsuid=1016 egid=1016 sgid=1016 fsgid=1016 tty=pts4 ses=18035 comm="htop" exe="/usr/bin/htop" subj==unconfined key=(null)
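Reading the record above by hand works for one event; below is an added example (my own, not from the post or from the audit project) that does two things: it emits a persistent rule set that also covers tkill(2), tgkill(2) and 32-bit callers, and it turns raw ausearch output into one "who killed whom" line per event, joining the SYSCALL and OBJ_PID records on their event id and falling back to decoding a0 when the target process is already gone. The file name sigkill.rules, the key name sigkill and the AUDIT_SAMPLE record are assumptions constructed for the demo; the syscall number 234 (tgkill) applies to x86_64 only.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: (1) a persistent rule set that
# catches SIGKILL from kill(2), tkill(2) and tgkill(2) on both syscall ABIs, and
# (2) a parser that turns raw ausearch output into "who killed whom" lines.
# AUDIT_SAMPLE below is constructed from the record format shown in the post.

# Emits rules for /etc/audit/rules.d/ (the key name "sigkill" is our choice).
# tgkill(tgid, tid, sig) carries the signal in a2; kill and tkill carry it in a1.
sigkill_rules() {
    cat <<'EOF'
## SIGKILL auditing: signal number 9, 64-bit and 32-bit callers.
## Not covered: rt_sigqueueinfo(2), pidfd_send_signal(2), and the kernel OOM killer.
-a always,exit -F arch=b64 -S kill,tkill -F a1=9 -k sigkill
-a always,exit -F arch=b64 -S tgkill -F a2=9 -k sigkill
-a always,exit -F arch=b32 -S kill,tkill -F a1=9 -k sigkill
-a always,exit -F arch=b32 -S tgkill -F a2=9 -k sigkill
EOF
}

# Reads raw (non -i) ausearch output on stdin and prints one line per event:
#   <signal> from <comm> pid=<pid> uid=<uid> exe=<exe> tty=<tty> -> <ocomm> pid=<opid>
# OBJ_PID and SYSCALL records are joined on the msg=audit(...) event id in
# whichever order they appear; without an OBJ_PID record (target already gone)
# the victim pid is decoded from the hex a0 argument instead.
summarize_kills() {
    awk '
    # fld("pid", line): value of the " pid=..." field, quotes stripped.
    # A leading space is prepended so "pid=" never matches inside "ppid=".
    function fld(name, line,   m) {
        line = " " line
        if (match(line, "[ \t]" name "=[^ \t]*")) {
            m = substr(line, RSTART + 1, RLENGTH - 1)
            sub("^" name "=", "", m); gsub(/"/, "", m)
            return m
        }
        return ""
    }
    # Audit prints syscall arguments in hex (a0=9ca3 is pid 40099).
    function hex2dec(h,   i, c, v) {
        v = 0; h = tolower(h)
        for (i = 1; i <= length(h); i++) {
            c = index("0123456789abcdef", substr(h, i, 1)) - 1
            if (c < 0) return -1
            v = v * 16 + c
        }
        return v
    }
    function signame(n) {
        if (n == 1) return "SIGHUP"; if (n == 2) return "SIGINT"
        if (n == 9) return "SIGKILL"; if (n == 15) return "SIGTERM"
        return "SIG" n
    }
    function remember(id) { if (!(id in seen)) { seen[id] = 1; order[++n] = id } }
    /^type=OBJ_PID / {
        id = fld("msg", $0); remember(id)
        victim[id] = fld("ocomm", $0) " pid=" fld("opid", $0)
    }
    /^type=SYSCALL / {
        id = fld("msg", $0); remember(id)
        sig[id] = hex2dec(fld("a1", $0))
        if (fld("syscall", $0) == "234") sig[id] = hex2dec(fld("a2", $0))  # tgkill on x86_64
        target[id] = "pid=" hex2dec(fld("a0", $0))
        sender[id] = fld("comm", $0) " pid=" fld("pid", $0) " uid=" fld("uid", $0)
        sender[id] = sender[id] " exe=" fld("exe", $0) " tty=" fld("tty", $0)
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            if (!(id in sender)) continue
            printf "%s from %s -> %s\n", signame(sig[id]), sender[id], (id in victim) ? victim[id] : target[id]
        }
    }'
}

# Constructed sample in the shape ausearch prints, modelled on the post's record.
AUDIT_SAMPLE='time->Thu Feb 24 04:00:08 2022
type=PROCTITLE msg=audit(1645675208.403:201): proctitle="htop"
type=OBJ_PID msg=audit(1645675208.403:201): opid=40099 oauid=1016 ouid=1016 oses=12951 obj==unconfined ocomm="nvtop"
type=SYSCALL msg=audit(1645675208.403:201): arch=c000003e syscall=62 success=yes exit=0 a0=9ca3 a1=9 a2=c1 a3=8 items=0 ppid=45939 pid=40129 auid=1016 uid=1016 gid=1016 euid=1016 suid=1016 fsuid=1016 egid=1016 sgid=1016 fsgid=1016 tty=pts4 ses=18035 comm="htop" exe="/usr/bin/htop" subj==unconfined key=(null)'

# Runs the parser over the constructed sample.
demo_summary() { printf '%s\n' "$AUDIT_SAMPLE" | summarize_kills; }

demo_summary
```

Save the output of sigkill_rules to /etc/audit/rules.d/sigkill.rules and load it with sudo augenrules --load; afterwards sudo ausearch -k sigkill | summarize_kills prints one summary line per event. The parser decodes any signal number, so the same function still works if you later widen the rules (for example drop the a1=9 filter to see who sends SIGTERM too).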

Now to lie in wait: run the program again and find out why it got killed.

# 2022-02-24 12:30:12, I found it; it appears to be a malicious program..

References:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/auditing-the-system_security-hardening

https://documentation.suse.com/sles/12-SP4/html/SLES-all/cha-audit-comp.html

https://stackoverflow.com/questions/26285133/who-sends-a-sigkill-to-my-process-mysteriously-on-ubuntu-server

https://www.cnblogs.com/xybaby/p/8098229.html

Stay tuned; cnblogs.com/xuyaowen;
