From: William Roberts <bill.c.roberts@gmail.com>
To: Paul Moore <paul@paul-moore.com>
Cc: linux-audit@redhat.com
Subject: Re: Logging from within kernel
Date: Mon, 26 Nov 2018 09:05:51 -0800
Message-ID: <CAFftDdohO5ZT7rPZ295xmALZy2ksiSEuxdaZ=r1i=_53jNpjMQ@mail.gmail.com>
In-Reply-To: <CAHC9VhROKV86E3dQET2VQnHMhNkeE3sP2bsLCEi_iNvk9==d4A@mail.gmail.com>

On Mon, Nov 26, 2018 at 8:48 AM Paul Moore <paul@paul-moore.com> wrote:
>
> On Fri, Nov 23, 2018 at 6:47 PM Ranran <ranshalit@gmail.com> wrote:
> > Hello,
> >
> > Is it possible to log all messages from within the kernel (without any
> > userspace application and daemon)?
>
> If you are not running an audit daemon then the audit records will be
> written to the kernel's ring buffer (look for them in dmesg).  This is not
> really considered ideal (e.g. one drawback is that the output is rate
> limited), but it can be attractive for small systems with a limited
> number of audit events; last I checked this is the approach used by
> Android.

Not since the official merge into mainline. I wrote a libaudit port and Android's
logd system uses it. It pulls them up from audit into userspace, does some stuff
and sends them out to logcat and back down to dmesg (I have no idea why).

It also does things like make sure any denials seen are tracked by a bug and
outputs the bug information in the log.

If you have the AOSP tree checked out, you can see it:
system/core/logd/LogAudit.cpp

>
> If you want to configure the audit subsystem beyond the "audit=1/0" on
> the kernel command line, or whatever systemd is doing these days, you
> will need to use auditctl (or a similar tool).  Unfortunately the
> in-kernel audit subsystem does a number of really awful things when it
> comes to the netlink interface so that generic netlink tools cannot
> be used to configure the audit subsystem; you must use an
> audit-specific tool.
>
> --
> paul moore
> www.paul-moore.com
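
The ring-buffer fallback described in the quoted reply, as an added example that is not part of the thread and not code from logd: a Python parser that groups audit records found in `dmesg` output by event ID and reports the kernel's `audit_lost` counter, which is where the rate-limit drawback shows up. The sample lines are constructed, and the record and `audit_lost` line formats are assumed to match common kernel output.

```python
import re
from collections import defaultdict

# Constructed sample of `dmesg` output on a system with no audit daemon.
# Assumption: records appear as "type=N audit(ts:serial): ...", with or
# without an "audit: " prefix depending on kernel version.
SAMPLE_DMESG = """\
[   12.345678] audit: type=1400 audit(1543251951.120:41): avc:  denied  { read } for pid=812 comm="example" name="data" tclass=file permissive=0
[   12.345702] audit: type=1300 audit(1543251951.120:41): arch=c000003e syscall=2 success=no exit=-13 pid=812 comm="example"
[   12.400001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[   13.000010] audit: audit_lost=7 audit_rate_limit=0 audit_backlog_limit=64
[   14.500000] type=1400 audit(1543251953.900:57): avc:  denied  { write } for pid=900 comm="other" tclass=dir permissive=1
"""

RECORD = re.compile(r"(?:audit: )?type=(\d+) audit\((\d+\.\d+):(\d+)\): (.*)$")
LOST = re.compile(r"audit: audit_lost=(\d+)")
AUDIT_AVC = 1400  # record type used for SELinux AVC messages


def parse_ring_buffer(text):
    """Return ({(timestamp, serial): [(type, body), ...]}, highest audit_lost)."""
    events = defaultdict(list)
    lost = 0
    for line in text.splitlines():
        m = LOST.search(line)
        if m:
            # The counter is cumulative, so keep the largest value seen.
            lost = max(lost, int(m.group(1)))
            continue
        m = RECORD.search(line)
        if m:
            rtype, ts, serial, body = m.groups()
            # Records sharing timestamp:serial belong to one audit event.
            events[(ts, int(serial))].append((int(rtype), body))
    return dict(events), lost


def avc_denials(events):
    """Return sorted (serial, permissions, permissive) for each AVC denial."""
    out = []
    for (_, serial), records in events.items():
        for rtype, body in records:
            perms = re.search(r"denied\s+\{ ([^}]*) \}", body)
            if rtype == AUDIT_AVC and perms:
                permissive = re.search(r"permissive=(\d)", body)
                out.append((serial, perms.group(1),
                            bool(permissive and permissive.group(1) == "1")))
    return sorted(out)


if __name__ == "__main__":
    evts, lost_count = parse_ring_buffer(SAMPLE_DMESG)
    print(avc_denials(evts), "records lost:", lost_count)
```

A non-zero `audit_lost` value means the ring buffer is not a complete record of audit events for that boot.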

Thread overview: 5+ messages
2018-11-23 23:47 Logging from within kernel Ranran
2018-11-25 17:06 ` Richard Guy Briggs
2018-11-26 16:48 ` Paul Moore
2018-11-26 17:05   ` William Roberts [this message]
2018-11-26 17:54     ` Paul Moore
