[Crash-utility] feature to dump audit logs in vmcore
Dave Anderson
anderson at redhat.com
Fri Mar 10 05:15:06 UTC 2017
----- Original Message -----
>
>
> > -----Original Message-----
> > From: crash-utility-bounces at redhat.com
> > [mailto:crash-utility-bounces at redhat.com] On Behalf Of Dave Anderson
> > Sent: Friday, March 10, 2017 12:36 AM
> > To: Discussion list for crash utility usage, maintenance and development
> > <crash-utility at redhat.com>
> > Subject: Re: [Crash-utility] feature to dump audit logs in vmcore
> >
> >
> >
> > ----- Original Message -----
> > > Dave,
> > >
> > > I wrote an extension module to dump audit logs in vmcore.
> > > How about this in crash utility as a built-in command?
> > >
> > > crash> extend /root/repos/crash-dumpaudit-command/src/dumpaudit.so
> > > /root/repos/crash-dumpaudit-command/src/dumpaudit.so: shared object
> > > loaded
> > > crash> dumpaudit
> > > type=1300 audit(1489022639.875:164489): arch=c000003e syscall=0
> > > success=yes exit=0 a0=5 a1=7fedd3b00000 a2=400 a3=22 items=0
> > > ppid=2575
> > > pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > > fsgid=0
> > > tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5"
> > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > > key=(null)
> > > type=1320 audit(1489022639.875:164489):
> > > type=1320 audit(1489022639.875:164487):
> > > type=1300 audit(1489022639.875:164490): arch=c000003e syscall=3
> > > success=yes exit=0 a0=5 a1=1 a2=8 a3=0 items=0 ppid=2575 pid=10428
> > > auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > > tty=pts1
> > > ses=1 comm="pidof" exe="/usr/sbin/killall5"
> > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > > key=(null)
> > > ...<cut>...
> >
> > OK, as I understand it, this is similar in nature to the trace extension module,
> > in that you can display the data that happened to be in kernel memory (and didn't
> > make it to disk) when the kernel crashed.
> >
> > Honestly, I have never seen/heard of any discussions about audit logs w/respect to
> > crash analysis in the past, so I'm guessing that you must have come upon a real
> > kernel crash that involved auditing.
>
> I have never seen audit itself causing a kernel crash, but I sometimes need to see
> the audit logs to get a hint of what was happening on the crashed system
> at the time of the crash.
>
> >
> > Anyway, I definitely don't see it as a top-level built-in command. Perhaps you could
> > argue for an option to an existing command -- "ps", "log" or "sys" maybe?
> >
>
> Yes, I definitely never need the name "dumpaudit".
>
> I think log command is best suited in meaning for audit logs.
>
> By the way, I don't understand why you listed the ps command first.
> I don't see any similarity between the ps command and audit.
It was just an off-the-top-of-my-head suggestion, where I thought of it because auditing is often
concerned with process-related events. But given there are other kinds of things that get audited,
I agree that "log" is more suitable.
Dave