1

Is there a way in Linux to find out which user or which process killed another process? Maybe a log?

I searched through /var/log, and specifically auth.log.*, but I didn't find anything interesting.

I suppose that the process was killed using htop, but as far as I know it doesn't keep activity logs.

Thanks

gc5
  • Why the downvote? Comment please. – gc5 Sep 30 '13 at 07:40
  • I didn't downvote this, but if you mouseover the downvote button, you'll see the popup "This question does not show any research effort, it is unclear or not useful". Downvotes without a given reason may be assumed to be for that one. – MadHatter Sep 30 '13 at 08:53
  • I don't know how it seems unclear or not useful. Regarding research effort, I only found this: http://stackoverflow.com/questions/726690/who-killed-my-process-and-why – gc5 Sep 30 '13 at 11:21
  • Telling us what you've already done to research the issue **in your original posting** is useful, since it avoids us wasting our time retreading ground you've already covered. I can't comment on whether or not the downvote was fair, since I didn't make it. You asked what a downvote without a comment means, and I told you; it's probably not worth getting defensive about. – MadHatter Sep 30 '13 at 13:24

1 Answer

1

Without some form of auditing enabled, it's not possible to find out as far as I know.

There are some useful docs on Audit Control here (other distros will also find this useful): http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.audit.comp.html

Specifically (untested):

auditctl -a exit,always -S all

Should have the desired effect providing the audit system is set up correctly.

Christian.

babelmonk
  • 296
  • 1
  • 4
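
An added example, not part of the answer above: once the audit system records `kill` calls, the sender and the target can be read back from the log. The sketch below assumes a narrower rule than the answer's, `auditctl -a always,exit -F arch=b64 -S kill -k proc_kill` (the key name `proc_kill` is this example's own choice), and parses constructed `audit.log` lines; the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log lines (not real captures),
# as produced by a rule keyed "proc_kill" (assumed key name, see lead-in).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1380526800.123:4521): arch=c000003e syscall=62 success=yes exit=0 a0=1a2b a1=9 a2=0 a3=0 items=0 ppid=2210 pid=2290 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=3 comm="htop" exe="/usr/bin/htop" key="proc_kill"
type=OBJ_PID msg=audit(1380526800.123:4521): opid=6699 oauid=1001 ouid=1001 oses=5 ocomm="worker"
type=SYSCALL msg=audit(1380526811.456:4522): arch=c000003e syscall=62 success=no exit=-3 a0=270f a1=f a2=0 a3=0 items=0 ppid=1 pid=2301 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="cleanup.sh" exe="/bin/bash" key="proc_kill"
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\([\d.]+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def signed32(hexval):
    """a0..a3 are logged as unsigned hex; kill(-1, ...) shows up as ffff...ffff."""
    n = int(hexval, 16) & 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n

def parse_kill_events(log_text, key="proc_kill"):
    events = defaultdict(dict)  # audit serial -> {record type: fields}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        events[int(serial)][rtype] = {k: v.strip('"') for k, v in FIELD.findall(body)}
    results = []
    for serial, recs in sorted(events.items()):
        sc = recs.get("SYSCALL")
        if not sc or sc.get("key") != key:
            continue
        results.append({
            "serial": serial,
            "killer_pid": int(sc["pid"]),
            "killer_comm": sc["comm"],
            "uid": int(sc["uid"]),
            # auid 4294967295 means "unset": the sender has no login session
            "login_uid": None if sc["auid"] == "4294967295" else int(sc["auid"]),
            "target_pid": signed32(sc["a0"]),
            "signal": signed32(sc["a1"]),
            "target_comm": recs.get("OBJ_PID", {}).get("ocomm"),
            "delivered": sc["success"] == "yes",
        })
    return results

if __name__ == "__main__":
    for ev in parse_kill_events(SAMPLE_LOG):
        print(ev)
```

Threads signalled through `tkill` or `tgkill` are not matched by a rule that names only `kill`; those syscalls can be added to the same rule with further `-S` options.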