[Crash-utility] feature to dump audit logs in vmcore

Hatayama, Daisuke d.hatayama at jp.fujitsu.com
Fri Mar 10 01:24:29 UTC 2017



> -----Original Message-----
> From: crash-utility-bounces at redhat.com
> [mailto:crash-utility-bounces at redhat.com] On Behalf Of Dave Anderson
> Sent: Friday, March 10, 2017 12:36 AM
> To: Discussion list for crash utility usage, maintenance and development
> <crash-utility at redhat.com>
> Subject: Re: [Crash-utility] feature to dump audit logs in vmcore
> 
> 
> 
> ----- Original Message -----
> > Dave,
> >
> > I wrote an extension module to dump audit logs in vmcore.
> > How about this in crash utility as a built-in command?
> >
> >     crash> extend /root/repos/crash-dumpaudit-command/src/dumpaudit.so
> >     /root/repos/crash-dumpaudit-command/src/dumpaudit.so: shared object
> >     loaded
> >     crash> dumpaudit
> >     type=1300 audit(1489022639.875:164489): arch=c000003e syscall=0
> >     success=yes exit=0 a0=5 a1=7fedd3b00000 a2=400 a3=22 items=0 ppid=2575
> >     pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> >     tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5"
> >     subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >     key=(null)
> >     type=1320 audit(1489022639.875:164489):
> >     type=1320 audit(1489022639.875:164487):
> >     type=1300 audit(1489022639.875:164490): arch=c000003e syscall=3
> >     success=yes exit=0 a0=5 a1=1 a2=8 a3=0 items=0 ppid=2575 pid=10428
> >     auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
> >     ses=1 comm="pidof" exe="/usr/sbin/killall5"
> >     subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >     key=(null)
> >     ...<cut>...
> 
> OK, as I understand it, this is similar in nature to the trace extension module,
> in that you can display the data that happened to be in kernel memory (and didn't
> make it to disk) when the kernel crashed.
> 
> Honestly, I have never seen/heard of any discussions about audit logs w/respect to
> crash analysis in the past, so I'm guessing that you must have come upon a real
> kernel crash that involved auditing.

I have never seen audit itself cause a kernel crash, but I sometimes need to see
audit logs to get a hint about what was happening on the crashed system
at the time of the crash.

> 
> Anyway, I definitely don't see it as a top-level built-in command.  Perhaps you could
> argue for an option to an existing command -- "ps", "log" or "sys" maybe?
> 

Yes, I definitely don't need the name "dumpaudit".

I think the log command is best suited in meaning for audit logs.

By the way, I don't understand why you listed the ps command first.
I don't find any similarity between the ps command and audit.
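The records the extension dumps use the standard kernel audit record layout ("type=<n> audit(<secs>.<msecs>:<serial>): k=v ..."), so they can be post-processed offline once copied out of the crash session. As an added example that is not part of this thread or of the dumpaudit module, the Python below groups records by audit serial and lists the events closest to the crash time, flagging events for which no AUDIT_EOE (type 1320) record was found in memory; the sample records are constructed from the output quoted above and the crash timestamp is an assumed value.

```python
import re

# Header of one audit record: type, seconds, milliseconds, serial, then the k=v body.
_HDR = re.compile(r'^type=(\d+) audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
# k=v pairs; values are either a double-quoted string or a run of non-blanks (e.g. key=(null)).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

AUDIT_SYSCALL = 1300  # kernel record type numbers
AUDIT_EOE = 1320      # "end of event" marker


def parse_record(line):
    """Return (serial, timestamp, type, fields) for one record, or None for non-record lines."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    rtype, secs, msecs, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    return int(serial), int(secs) + int(msecs) / 1000.0, int(rtype), fields


def group_events(lines):
    """Merge all records sharing an audit serial into one event."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        serial, ts, rtype, fields = rec
        ev = events.setdefault(serial, {"ts": ts, "types": [], "fields": {}})
        ev["types"].append(rtype)
        ev["fields"].update(fields)
    return events


def last_events_before(lines, crash_ts, window=5.0):
    """Events within `window` seconds before crash_ts, newest first.
    Each entry is (serial, ts, complete, fields); complete is False when the
    AUDIT_EOE record was never written, i.e. the event was still in flight."""
    out = [(s, ev["ts"], AUDIT_EOE in ev["types"], ev["fields"])
           for s, ev in group_events(lines).items()
           if crash_ts - window <= ev["ts"] <= crash_ts]
    return sorted(out, key=lambda e: (e[1], e[0]), reverse=True)


# Constructed sample, modelled on the records quoted in the thread (fields abbreviated).
SAMPLE = """\
type=1300 audit(1489022639.875:164489): arch=c000003e syscall=0 success=yes exit=0 ppid=2575 pid=10428 auid=0 uid=0 comm="pidof" exe="/usr/sbin/killall5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=1320 audit(1489022639.875:164489):
type=1320 audit(1489022639.875:164487):
type=1300 audit(1489022639.875:164490): arch=c000003e syscall=3 success=yes exit=0 ppid=2575 pid=10428 auid=0 uid=0 comm="pidof" exe="/usr/sbin/killall5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""
```

In the sample, serial 164490 has no EOE record, which is exactly the situation that makes in-memory audit data interesting: the last syscall was still being audited when the kernel went down.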

