Logging from within kernel

Paul Moore paul at paul-moore.com
Mon Nov 26 16:48:08 UTC 2018


On Fri, Nov 23, 2018 at 6:47 PM Ranran <ranshalit at gmail.com> wrote:
> Hello,
>
> Is it possible to log all messages from within kernel, (without any
> userspace application and daemon) ?

If you are not running an audit daemon then the audit records will be
written to the kernel's ring buffer (look for them in dmesg).  This is not
really considered ideal (e.g. one drawback is that the output is rate
limited), but it can be attractive for small systems with a limited
number of audit events; last I checked this is the approach used by
Android.

If you want to configure the audit subsystem beyond the "audit=1/0" on
the kernel command line, or whatever systemd is doing these days, you
will need to use auditctl (or a similar tool).  Unfortunately the
in-kernel audit subsystem does a number of really awful things when it
comes to the netlink interface so that generic netlink tools cannot
be used to configure the audit subsystem; you must use an
audit-specific tool.

-- 
paul moore
www.paul-moore.com
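
Added example, not part of the original message or of the audit project's code: a Python parser that pulls audit records out of `dmesg` text and reports skipped event serial numbers, which can indicate records missing from the ring buffer (for instance because of the rate limiting mentioned above). The sample lines are constructed, and treating a serial gap as a lost record is a heuristic assumption.

```python
import re

# Constructed sample of `dmesg` output (not captured from a real system).
SAMPLE_DMESG = """\
[   12.000001] audit: type=2000 audit(1543250000.100:1): state=initialized audit_enabled=0 res=1
[   45.120000] audit: type=1400 audit(1543250033.220:2): avc:  denied  { read } for pid=812 comm="app"
[   45.130000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[   45.140000] audit: type=1300 audit(1543250033.220:2): arch=c000003e syscall=2 success=no exit=-13
[   46.000000] audit: type=1400 audit(1543250034.100:5): avc:  denied  { write } for pid=812 comm="app"
"""

# "audit: type=<record type> audit(<epoch>.<ms>:<serial>): <body>"
RECORD = re.compile(r"audit: type=(\d+) audit\((\d+)\.(\d+):(\d+)\): (.*)$")


def parse_audit_records(dmesg_text):
    """Return the audit records found in dmesg text as a list of dicts."""
    records = []
    for line in dmesg_text.splitlines():
        m = RECORD.search(line)
        if m:  # non-audit kernel messages are skipped
            records.append({
                "type": int(m.group(1)),
                "epoch": int(m.group(2)),
                "serial": int(m.group(4)),  # records of one event share a serial
                "body": m.group(5),
            })
    return records


def serial_gaps(records):
    """Return (last_seen, next_seen) pairs where event serials skip.

    Assumption: a skipped serial means a record never reached the buffer.
    """
    serials = sorted({r["serial"] for r in records})
    return [(a, b) for a, b in zip(serials, serials[1:]) if b - a > 1]


if __name__ == "__main__":
    recs = parse_audit_records(SAMPLE_DMESG)
    for r in recs:
        print(r["serial"], r["type"], r["body"])
    print("serial gaps:", serial_gaps(recs))
```

On a live system the same functions can be fed the text output of `dmesg` instead of the constructed sample.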



