* Logging from within kernel
@ 2018-11-23 23:47 Ranran
  2018-11-25 17:06 ` Richard Guy Briggs
  2018-11-26 16:48 ` Paul Moore
  0 siblings, 2 replies; 5+ messages in thread
From: Ranran @ 2018-11-23 23:47 UTC (permalink / raw)
  To: linux-audit

Hello,

Is it possible to log all messages from within the kernel (without any
userspace application or daemon)?

Thank you,
Ran


* Re: Logging from within kernel
  2018-11-23 23:47 Logging from within kernel Ranran
@ 2018-11-25 17:06 ` Richard Guy Briggs
  2018-11-26 16:48 ` Paul Moore
  1 sibling, 0 replies; 5+ messages in thread
From: Richard Guy Briggs @ 2018-11-25 17:06 UTC (permalink / raw)
  To: Ranran; +Cc: linux-audit

On 2018-11-24 01:47, Ranran wrote:
> Hello,
> 
> Is it possible to log all messages from within the kernel (without any
> userspace application or daemon)?

No.  The log messages leave the kernel via the audit netlink socket and
get consumed by a userspace process.

There is no facility to write it directly to disk in the kernel if that
is what you are asking.

> Ran

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: Logging from within kernel
  2018-11-23 23:47 Logging from within kernel Ranran
  2018-11-25 17:06 ` Richard Guy Briggs
@ 2018-11-26 16:48 ` Paul Moore
  2018-11-26 17:05   ` William Roberts
  1 sibling, 1 reply; 5+ messages in thread
From: Paul Moore @ 2018-11-26 16:48 UTC (permalink / raw)
  To: ranshalit; +Cc: linux-audit

On Fri, Nov 23, 2018 at 6:47 PM Ranran <ranshalit@gmail.com> wrote:
> Hello,
>
> Is it possible to log all messages from within the kernel (without any
> userspace application or daemon)?

If you are not running an audit daemon then the audit records will be
written to the kernel's ring buffer (look for them in dmesg).  This is not
really considered ideal (e.g. one drawback is that the output is rate
limited), but it can be attractive for small systems with a limited
number of audit events; last I checked this is the approach used by
Android.

If you want to configure the audit subsystem beyond the "audit=1/0" on
the kernel command line, or whatever systemd is doing these days, you
will need to use auditctl (or a similar tool).  Unfortunately the
in-kernel audit subsystem does a number of really awful things when it
comes to the netlink interface, so generic netlink tools cannot be used
to configure the audit subsystem; you must use an audit-specific tool.

-- 
paul moore
www.paul-moore.com

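The path Richard and Paul describe above (records leave the kernel over NETLINK_AUDIT, a userspace process has to register itself as the consumer with the audit-specific AUDIT_SET message rather than any generic netlink tool, and with no consumer the kernel falls back to printk) is small enough to show end to end. The C program below is an added example; it is not code from this thread, from audit-userspace or from Android's logd. It names itself the audit daemon with AUDIT_SET (mask AUDIT_STATUS_PID, plus AUDIT_STATUS_ENABLED, which is what "auditctl -e 1" sets), reads records off the socket, prints them, and then sends AUDIT_SET with pid 0 before exiting so records return to printk/dmesg. The function names (nl_put_msg, audit_build_set_pid, audit_parse_record, audit_ack_status), the 9216-byte receive buffer, the cap of 20 records and the sequence numbers are this example's own choices, not anything from the kernel or libaudit. Running it needs CAP_AUDIT_CONTROL (root) on a CONFIG_AUDIT kernel, and the AUDIT_SET is refused with EBUSY while a real auditd holds the daemon slot.

```c
/* Minimal NETLINK_AUDIT consumer: an added example, not code from this thread,
 * audit-userspace or Android's logd. It takes the audit daemon slot with AUDIT_SET,
 * prints what the kernel delivers, then hands the slot back (pid 0). Needs root. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#define RX_BUF_SIZE 9216  /* example's choice: > 8970-byte uapi record limit + header */

/* Frame one netlink message (header + payload) in buf.
 * Returns the bytes used, NLMSG_SPACE(plen), or -1 if buf is too small. */
int nl_put_msg(void *buf, size_t buflen, uint16_t type, uint16_t flags,
               uint32_t seq, const void *payload, size_t plen)
{
    size_t total = NLMSG_SPACE(plen);
    if (buflen < total) return -1;
    memset(buf, 0, total);
    struct nlmsghdr *nlh = buf;
    nlh->nlmsg_len = (uint32_t)NLMSG_LENGTH(plen);
    nlh->nlmsg_type = type;
    nlh->nlmsg_flags = flags;
    nlh->nlmsg_seq = seq;              /* echoed back in the NLMSG_ERROR ack */
    if (plen) memcpy(NLMSG_DATA(nlh), payload, plen);
    return (int)total;
}

/* AUDIT_SET naming `pid` as the audit daemon (pid 0 releases the slot); with
 * enable != 0 it also switches auditing on, like `auditctl -e 1`. The kernel
 * only reads the audit_status fields flagged in mask. */
int audit_build_set_pid(void *buf, size_t buflen, pid_t pid, int enable, uint32_t seq)
{
    struct audit_status st;
    memset(&st, 0, sizeof st);
    st.mask = AUDIT_STATUS_PID;
    st.pid = (uint32_t)pid;
    if (enable) { st.mask |= AUDIT_STATUS_ENABLED; st.enabled = 1; }
    return nl_put_msg(buf, buflen, AUDIT_SET, NLM_F_REQUEST | NLM_F_ACK, seq, &st, sizeof st);
}

/* Split a received message into audit type and record text (NOT NUL-terminated,
 * *tlen bytes long). Returns nlmsg_type (AUDIT_SYSCALL, AUDIT_AVC, ...) or -1. */
int audit_parse_record(const void *buf, size_t len, const char **text, size_t *tlen)
{
    const struct nlmsghdr *nlh = buf;
    if (len < sizeof *nlh || nlh->nlmsg_len < sizeof *nlh || nlh->nlmsg_len > len) return -1;
    *text = (const char *)nlh + NLMSG_HDRLEN;
    *tlen = nlh->nlmsg_len - NLMSG_HDRLEN;
    return nlh->nlmsg_type;
}

/* For an NLMSG_ERROR reply (the ack to AUDIT_SET): 0 on success, or the positive
 * errno the kernel reported (EBUSY: auditd already holds the slot; EPERM: no
 * CAP_AUDIT_CONTROL). -1 if the message is not an error reply at all. */
int audit_ack_status(const void *buf, size_t len)
{
    const struct nlmsghdr *nlh = buf;
    if (len < sizeof *nlh || nlh->nlmsg_len < sizeof *nlh || nlh->nlmsg_len > len ||
        nlh->nlmsg_type != NLMSG_ERROR ||
        nlh->nlmsg_len - NLMSG_HDRLEN < sizeof(struct nlmsgerr)) return -1;
    const struct nlmsgerr *e = (const struct nlmsgerr *)((const char *)nlh + NLMSG_HDRLEN);
    return -e->error;                  /* the kernel stores -errno */
}

int main(void)
{
    unsigned char buf[RX_BUF_SIZE];
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };  /* nl_pid 0 = kernel */
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) { perror("socket(NETLINK_AUDIT)"); return 1; }
    int n = audit_build_set_pid(buf, sizeof buf, getpid(), 1, 1);
    if (n < 0 || sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0) {
        perror("sendto(AUDIT_SET)"); return 1;
    }
    for (int seen = 0; seen < 20; ) {  /* example's choice: stop after 20 records */
        ssize_t r = recv(fd, buf, sizeof buf, 0);
        if (r < 0) { perror("recv"); break; }
        int rc = audit_ack_status(buf, (size_t)r);
        if (rc >= 0) {                 /* the ack for our AUDIT_SET */
            fprintf(stderr, "AUDIT_SET: %s\n", rc ? strerror(rc) : "ok, records now arrive here");
            if (rc) break;
            continue;
        }
        const char *text; size_t tlen;
        int type = audit_parse_record(buf, (size_t)r, &text, &tlen);
        if (type < 0) continue;
        printf("type=%d %.*s\n", type, (int)tlen, text);
        seen++;
    }
    /* Hand the slot back so the kernel resumes logging to printk (dmesg). */
    n = audit_build_set_pid(buf, sizeof buf, 0, 0, 2);
    if (n > 0) sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&kernel, sizeof kernel);
    close(fd);
    return 0;
}
```

Build with "cc -Wall -o audit_consumer audit_consumer.c" (the file name is this example's own) and run it as root with auditd stopped: while it holds the daemon slot, new records arrive on its socket instead of in dmesg, and after it releases the slot they go back to dmesg. The builders and parsers never touch the socket, so they can be exercised unprivileged against constructed messages; the record text the kernel sends is not NUL-terminated, which is why the parser returns a length rather than treating the payload as a C string.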

* Re: Logging from within kernel
  2018-11-26 16:48 ` Paul Moore
@ 2018-11-26 17:05   ` William Roberts
  2018-11-26 17:54     ` Paul Moore
  0 siblings, 1 reply; 5+ messages in thread
From: William Roberts @ 2018-11-26 17:05 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit

On Mon, Nov 26, 2018 at 8:48 AM Paul Moore <paul@paul-moore.com> wrote:
>
> On Fri, Nov 23, 2018 at 6:47 PM Ranran <ranshalit@gmail.com> wrote:
> > Hello,
> >
> > Is it possible to log all messages from within the kernel (without any
> > userspace application or daemon)?
>
> If you are not running an audit daemon then the audit records will be
> written to the kernel's ring buffer (look for them in dmesg).  This is not
> really considered ideal (e.g. one drawback is that the output is rate
> limited), but it can be attractive for small systems with a limited
> number of audit events; last I checked this is the approach used by
> Android.

Not since the official merge into mainline. I wrote a libaudit port and
Android's logd system uses it. It pulls them up from audit into userspace,
does some stuff and sends them out to logcat and back down to dmesg (I have
no idea why).

It also does things like make sure any denials seen are tracked by a bug
and outputs the bug information in the log.

If you have the AOSP tree checked out, you can see it:
system/core/logd/LogAudit.cpp

>
> If you want to configure the audit subsystem beyond the "audit=1/0" on
> the kernel command line, or whatever systemd is doing these days, you
> will need to use auditctl (or a similar tool).  Unfortunately the
> in-kernel audit subsystem does a number of really awful things when it
> comes to the netlink interface, so generic netlink tools cannot be used
> to configure the audit subsystem; you must use an audit-specific tool.
>
> --
> paul moore
> www.paul-moore.com
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit


* Re: Logging from within kernel
  2018-11-26 17:05   ` William Roberts
@ 2018-11-26 17:54     ` Paul Moore
  0 siblings, 0 replies; 5+ messages in thread
From: Paul Moore @ 2018-11-26 17:54 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: linux-audit

On Mon, Nov 26, 2018 at 12:06 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
> On Mon, Nov 26, 2018 at 8:48 AM Paul Moore <paul@paul-moore.com> wrote:
> > On Fri, Nov 23, 2018 at 6:47 PM Ranran <ranshalit@gmail.com> wrote:
> > > Hello,
> > >
> > > Is it possible to log all messages from within the kernel (without any
> > > userspace application or daemon)?
> >
> > If you are not running an audit daemon then the audit records will be
> > written to the kernel's ring buffer (look for them in dmesg).  This is not
> > really considered ideal (e.g. one drawback is that the output is rate
> > limited), but it can be attractive for small systems with a limited
> > number of audit events; last I checked this is the approach used by
> > Android.
>
> Not since the official merge into mainline. I wrote a libaudit port
> and Android's logd system uses it ...

Good to know, thanks!

-- 
paul moore
www.paul-moore.com

