Logging from within kernel

William Roberts bill.c.roberts at gmail.com
Mon Nov 26 17:05:51 UTC 2018


On Mon, Nov 26, 2018 at 8:48 AM Paul Moore <paul at paul-moore.com> wrote:
>
> On Fri, Nov 23, 2018 at 6:47 PM Ranran <ranshalit at gmail.com> wrote:
> > Hello,
> >
> > Is it possible to log all messages from within kernel, (without any
> > userspace application and daemon) ?
>
> If you are not running an audit daemon then the audit records will be
> written to the kernel's ring buffer (look for them in dmesg).  This is not
> really considered ideal (e.g. one drawback is that the output is rate
> limited), but it can be attractive for small systems with a limited
> number of audit events; last I checked this is the approach used by
> Android.

Not since the official merge into mainline. I wrote a libaudit port and
Android's logd system uses it. It pulls them up from audit into userspace,
does some stuff and sends them out to logcat and back down to dmesg (I have
no idea why).

It also does things like making sure any denials seen are tracked by a bug
and outputting the bug information in the log.

If you have the AOSP tree checked out, you can see it:
system/core/logd/LogAudit.cpp

>
> If you want to configure the audit subsystem beyond the "audit=1/0" on
> the kernel command line, or whatever systemd is doing these days, you
> will need to use auditctl (or a similar tool).  Unfortunately the
> in-kernel audit subsystem does a number of really awful things when it
> comes to the netlink interface so that generic netlink tools cannot
> be used to configure the audit subsystem, you must use an audit
> specific tool.
>
> --
> paul moore
> www.paul-moore.com
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
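As an added illustration of the no-auditd case discussed above (records landing in the kernel ring buffer, and the rate-limit drawback), here is a small Python parser that is not code from this thread or from Android's logd. The dmesg lines are constructed; the `type=<number> audit(<time>:<serial>):` and `audit_lost=` formats are what kernel/audit.c prints when no daemon is listening, and the type-number mapping uses well-known values from the kernel's audit.h.

```python
import re

# Constructed sample of what dmesg shows when no audit daemon is running: the
# kernel prints each record as "type=<number> audit(<time>:<serial>): ..." and,
# once printk rate limiting kicks in, reports the loss instead of the record.
SAMPLE_DMESG = """\
[   12.345678] audit: type=1400 audit(1543254351.120:45): avc:  denied  { read } for  pid=1234 comm="app" name="foo" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
[   12.345700] audit: type=1300 audit(1543254351.120:45): arch=c000003e syscall=2 success=no exit=-13 pid=1234 comm="app" exe="/system/bin/app"
[   12.345710] audit: type=1320 audit(1543254351.120:45):
[   15.000000] audit: type=1400 audit(1543254354.000:46): avc:  denied  { write } for  pid=1234 comm="app" tclass=file permissive=0
[   15.000100] audit: audit_lost=3 audit_rate_limit=0 audit_backlog_limit=64
[   15.000101] audit: printk limit exceeded
"""

# The ring-buffer form prints numeric record types; these are well-known values
# from the kernel's audit.h, mapped to the names auditd users recognise.
TYPE_NAMES = {1300: "SYSCALL", 1320: "EOE", 1327: "PROCTITLE", 1400: "AVC"}

RECORD_RE = re.compile(r"audit: type=(\d+) audit\((\d+\.\d+):(\d+)\): ?(.*)$")
LOST_RE = re.compile(r"audit: audit_lost=(\d+)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}")

def parse_dmesg(text):
    """Return (records, lost): parsed audit records plus the kernel's lost counter."""
    records, lost = [], 0
    for line in text.splitlines():
        if m := RECORD_RE.search(line):
            rtype, ts, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
            if perm := PERM_RE.search(body):
                fields["denied"] = perm.group(1).strip()
            records.append({"type": TYPE_NAMES.get(int(rtype), rtype),
                            "time": float(ts), "serial": int(serial), "fields": fields})
        elif m := LOST_RE.search(line):
            lost = int(m.group(1))  # cumulative counter, so the latest value wins
    return records, lost

def summarize_denials(text):
    """Join each AVC denial to the SYSCALL record sharing its serial number."""
    records, lost = parse_dmesg(text)
    by_serial = {}
    for r in records:
        by_serial.setdefault(r["serial"], {})[r["type"]] = r["fields"]
    denials = []
    for serial, recs in sorted(by_serial.items()):
        avc = recs.get("AVC")
        if avc and "denied" in avc:
            denials.append((serial, avc["denied"], avc.get("comm"), recs.get("SYSCALL", {}).get("syscall")))
    return denials, lost
```

A non-zero `lost` value is the signal that the ring-buffer path has already dropped records, so the denial list should be read as a lower bound.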
