[Crash-utility] feature to dump audit logs in vmcore

Dave Anderson anderson at redhat.com
Fri Mar 10 05:15:06 UTC 2017



----- Original Message -----
> 
> 
> > -----Original Message-----
> > From: crash-utility-bounces at redhat.com
> > [mailto:crash-utility-bounces at redhat.com] On Behalf Of Dave Anderson
> > Sent: Friday, March 10, 2017 12:36 AM
> > To: Discussion list for crash utility usage, maintenance and development
> > <crash-utility at redhat.com>
> > Subject: Re: [Crash-utility] feature to dump audit logs in vmcore
> > 
> > 
> > 
> > ----- Original Message -----
> > > Dave,
> > >
> > > I wrote an extension module to dump audit logs in vmcore.
> > > How about this in crash utility as a built-in command?
> > >
> > >     crash> extend /root/repos/crash-dumpaudit-command/src/dumpaudit.so
> > >     /root/repos/crash-dumpaudit-command/src/dumpaudit.so: shared object loaded
> > >     crash> dumpaudit
> > >     type=1300 audit(1489022639.875:164489): arch=c000003e syscall=0 success=yes exit=0 a0=5 a1=7fedd3b00000 a2=400 a3=22 items=0 ppid=2575 pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > >     type=1320 audit(1489022639.875:164489):
> > >     type=1320 audit(1489022639.875:164487):
> > >     type=1300 audit(1489022639.875:164490): arch=c000003e syscall=3 success=yes exit=0 a0=5 a1=1 a2=8 a3=0 items=0 ppid=2575 pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > >     ...<cut>...
> > 
> > OK, as I understand it, this is similar in nature to the trace extension module,
> > in that you can display the data that happened to be in kernel memory (and didn't
> > make it to disk) when the kernel crashed.
> > 
> > Honestly, I have never seen/heard of any discussions about audit logs w/respect to
> > crash analysis in the past, so I'm guessing that you must have come upon a real
> > kernel crash that involved auditing.
> 
> I have never seen audit itself cause a kernel crash, but I sometimes need to see
> the audit logs to get a hint of what was happening on the crashed system
> at the time of the crash.
> 
> > 
> > Anyway, I definitely don't see it as a top-level built-in command.  Perhaps you could
> > argue for an option to an existing command -- "ps", "log" or "sys" maybe?
> > 
> 
> Yes, I definitely don't need the name "dumpaudit".
> 
> I think log command is best suited in meaning for audit logs.
> 
> By the way, I don't understand why you listed the ps command first.
> I don't see any similarity between the ps command and audit.

It was just an off-the-top-of-my-head suggestion, where I thought of it because auditing is often
concerned with process-related events.  But given there are other kinds of things that get audited,
I agree that "log" is more suitable.

Dave
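The records the module prints are ordinary kernel audit records (type=1300 is AUDIT_SYSCALL and type=1320 is AUDIT_EOE, the end-of-event marker, per the kernel's audit.h), keyed by the audit(timestamp:serial) header. What makes the vmcore copy useful is exactly what Dave describes: it is whatever was still queued in kernel memory, so events may be missing their head (an EOE whose SYSCALL record was already flushed) or their tail (a SYSCALL record with no EOE yet). The parser below is an added example, not part of the thread or of the crash utility or its dumpaudit module; it regroups the dumped records into events and flags both kinds of partial event. The sample input is the thread's own output with the mail wrapping undone and truncated where the poster cut it, so serial 164490 shows up as incomplete; the syscall-name table is a small x86_64 subset assumed for illustration (arch c000003e is AUDIT_ARCH_X86_64).

```python
import re

# Constructed sample: the dumpaudit output quoted in the thread, unwrapped,
# and ending where the poster wrote "...<cut>...". Not produced by running
# the module here.
SAMPLE = """\
type=1300 audit(1489022639.875:164489): arch=c000003e syscall=0 success=yes exit=0 a0=5 a1=7fedd3b00000 a2=400 a3=22 items=0 ppid=2575 pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=1320 audit(1489022639.875:164489):
type=1320 audit(1489022639.875:164487):
type=1300 audit(1489022639.875:164490): arch=c000003e syscall=3 success=yes exit=0 a0=5 a1=1 a2=8 a3=0 items=0 ppid=2575 pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

# Record types from include/uapi/linux/audit.h.
AUDIT_SYSCALL = 1300
AUDIT_EOE = 1320

# AUDIT_ARCH_X86_64 and a few x86_64 syscall numbers; a subset assumed for
# illustration, not a complete table.
AUDIT_ARCH_X86_64 = "c000003e"
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close"}

HEADER_RE = re.compile(r"^type=(\d+) audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into type, timestamp, serial and a field dict.

    Returns None for lines that are not audit records (e.g. the crash> prompt).
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    # Values may be quoted (comm, exe) or bare (subj, key=(null)).
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": int(rtype), "ts": float(ts), "serial": int(serial), "fields": fields}


def group_events(text):
    """Group records by serial number, in the order they sat in the queue.

    An event is 'complete' once its AUDIT_EOE record has been seen.
    """
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"ts": rec["ts"], "records": [], "complete": False})
        ev["records"].append(rec)
        if rec["type"] == AUDIT_EOE:
            ev["complete"] = True
    return events


def summarize(events):
    """One row per event: (serial, syscall name, comm, exe, complete).

    'EOE-only' marks an event whose SYSCALL record had already left the
    kernel queue before the crash; complete=False marks one whose EOE never
    made it into the dump.
    """
    rows = []
    for serial, ev in events.items():
        sc = next((r for r in ev["records"] if r["type"] == AUDIT_SYSCALL), None)
        if sc is None:
            rows.append((serial, "EOE-only", None, None, ev["complete"]))
            continue
        f = sc["fields"]
        name = f["syscall"]
        if f.get("arch") == AUDIT_ARCH_X86_64:
            name = X86_64_SYSCALLS.get(int(name), name)
        rows.append((serial, name, f.get("comm"), f.get("exe"), ev["complete"]))
    return rows


if __name__ == "__main__":
    for row in summarize(group_events(SAMPLE)):
        print(row)
```

On the sample this yields three events: 164489 (read by pidof, complete), 164487 (EOE only, its SYSCALL record was already flushed), and 164490 (close by pidof, no EOE in the dump). When reading real dumpaudit output, the EOE-only and incomplete rows are the ones to cross-check against the on-disk audit.log, since they bracket exactly the records that were in flight when the kernel died.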
