From: Paul Moore <paul@paul-moore.com>
To: ranshalit@gmail.com
Cc: linux-audit@redhat.com
Subject: Re: Logging from within kernel
Date: Mon, 26 Nov 2018 11:48:08 -0500
Message-ID: <CAHC9VhROKV86E3dQET2VQnHMhNkeE3sP2bsLCEi_iNvk9==d4A@mail.gmail.com>
In-Reply-To: <CAJ2oMhJ4tSZ76yS-+6gOwS=juYFThH6OxeWE4ciuSQVQ1NeARw@mail.gmail.com>

On Fri, Nov 23, 2018 at 6:47 PM Ranran <ranshalit@gmail.com> wrote:
> Hello,
>
> Is it possible to log all messages from within kernel, (without any
> userspace application and daemon) ?

If you are not running an audit daemon then the audit records will be
written to the kernel's ring buffer (look for them in dmesg).  This is not
really considered ideal (e.g. one drawback is that the output is rate
limited), but it can be attractive for small systems with a limited
number of audit events; last I checked this is the approach used by
Android.

If you want to configure the audit subsystem beyond the "audit=1/0" on
the kernel command line, or whatever systemd is doing these days, you
will need to use auditctl (or a similar tool).  Unfortunately the
in-kernel audit subsystem does a number of really awful things when it
comes to the netlink interface so that generic netlink tools cannot
be used to configure the audit subsystem; you must use an
audit-specific tool.

-- 
paul moore
www.paul-moore.com
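
The daemon-less setup described in the message above leaves audit records interleaved with other kernel messages in the ring buffer. The following is an added example, not part of the original message or of any audit tooling: a small parser that pulls audit records out of `dmesg` text, groups them by event, and reports the kernel's lost-record counter as a sign that rate limiting or backlog pressure dropped records. The sample log is constructed, and the line formats (`audit: type=N audit(ts:serial): ...` and `audit: audit_lost=...`) are assumed from the kernel's usual printk output.

```python
import re

# Constructed sample of dmesg output on a system with no audit daemon running.
SAMPLE_DMESG = """\
[    0.412345] audit: initializing netlink subsys (disabled)
[    0.412399] audit: type=2000 audit(1543250000.410:1): state=initialized audit_enabled=0 res=1
[   12.100001] audit: type=1400 audit(1543250012.100:7): avc:  denied  { read } for  pid=312 comm="demo" name="secret" dev="sda1" ino=1234 scontext=u:r:demo:s0 tcontext=u:object_r:secret_file:s0 tclass=file permissive=0
[   12.100950] audit: type=1300 audit(1543250012.100:7): arch=c000003e syscall=2 success=no exit=-13 pid=312 comm="demo" exe="/usr/bin/demo"
[   12.200000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[   13.000000] audit: audit_lost=3 audit_rate_limit=5 audit_backlog_limit=64
[   13.000010] audit: rate limit exceeded
"""

# An audit record as printed to the ring buffer: record type, then audit(sec.ms:serial).
RECORD = re.compile(
    r"audit: type=(?P<type>\d+) audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# Status line printed when records are dropped.
LOST = re.compile(r"audit: audit_lost=(?P<lost>\d+) audit_rate_limit=\d+ audit_backlog_limit=\d+")
# key=value pairs; values are either double-quoted or run to the next whitespace.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_dmesg_audit(text):
    """Return (events, lost): events maps (timestamp, serial) to that event's records."""
    events = {}
    lost = 0
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(m["body"])}
            key = (m["ts"], int(m["serial"]))
            events.setdefault(key, []).append({"type": int(m["type"]), "fields": fields})
            continue
        m = LOST.search(line)
        if m:
            # The counter is cumulative, so keep the highest value seen.
            lost = max(lost, int(m["lost"]))
    return events, lost


if __name__ == "__main__":
    events, lost = parse_dmesg_audit(SAMPLE_DMESG)
    for (ts, serial), records in sorted(events.items()):
        print(ts, serial, [r["type"] for r in records])
    if lost:
        print(f"warning: kernel reports {lost} lost audit records; the log is incomplete")
```

A non-zero lost count means the ring buffer is not a complete record of audit activity, which is the rate-limiting drawback the message mentions.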
