From: Paul Moore
Subject: Re: Logging from within kernel
Date: Mon, 26 Nov 2018 11:48:08 -0500
To: ranshalit@gmail.com
Cc: linux-audit@redhat.com

On Fri, Nov 23, 2018 at 6:47 PM Ranran wrote:
> Hello,
>
> Is it possible to log all messages from within kernel, (without any
> userspace application and daemon) ?

If you are not running an audit daemon then the audit records will be
written to the kernel's ring buffer (look for them in dmesg). This is not
really considered ideal (e.g. one drawback is that the output is rate
limited), but it can be attractive for small systems with a limited
number of audit events; last I checked this is the approach used by
Android.

If you want to configure the audit subsystem beyond the "audit=1/0" on
the kernel command line, or whatever systemd is doing these days, you
will need to use auditctl (or a similar tool). Unfortunately the
in-kernel audit subsystem does a number of really awful things when it
comes to the netlink interface so that generic netlink tools cannot be
used to configure the audit subsystem; you must use an audit-specific
tool.

-- 
paul moore
www.paul-moore.com
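
Added example, not part of the original message or of the audit project's code: a small Python parser that pulls audit records out of captured `dmesg` text and reports signs that the rate-limited ring-buffer path dropped events. The sample log is constructed, and treating a jump in the record serial number as a possible loss is an assumption of this sketch.

```python
import re

# Constructed sample of `dmesg` output on a host with no audit daemon
# (illustrative values only, not taken from the original message).
SAMPLE_DMESG = """\
[   12.001000] audit: type=1400 audit(1543250888.120:41): avc:  denied  { read } for pid=812 comm="logd"
[   12.001500] audit: type=1300 audit(1543250888.120:41): arch=c000003e syscall=2 success=no exit=-13
[   12.340000] EXT4-fs (sda1): re-mounted. Opts: (null)
[   12.900000] audit: type=1400 audit(1543250888.900:42): avc:  denied  { write } for pid=812 comm="logd"
[   13.100000] audit: audit_lost=3 audit_rate_limit=5 audit_backlog_limit=64
[   13.100100] audit: rate limit exceeded
[   14.000000] audit: type=1400 audit(1543250890.000:46): avc:  denied  { open } for pid=900 comm="sh"
"""

# An audit record as printed to the ring buffer: type, timestamp, serial, body.
RECORD = re.compile(r"audit: type=(\d+) audit\((\d+\.\d+):(\d+)\): (.*)")
# The kernel's own running count of records it could not deliver.
LOST = re.compile(r"audit: audit_lost=(\d+)")


def parse_ring_buffer(text):
    """Return (events, lost, gaps) for a block of dmesg text.

    events: serial -> list of (record type, body); records sharing a
            serial belong to the same audit event.
    lost:   highest audit_lost counter seen (0 if none was printed).
    gaps:   inclusive (first, last) serial ranges missing between
            observed events; a hint of loss, not proof (assumption).
    """
    events, lost = {}, 0
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            rec = (int(m.group(1)), m.group(4))
            events.setdefault(int(m.group(3)), []).append(rec)
            continue
        m = LOST.search(line)
        if m:
            lost = max(lost, int(m.group(1)))
    serials = sorted(events)
    gaps = [(a + 1, b - 1) for a, b in zip(serials, serials[1:]) if b - a > 1]
    return events, lost, gaps


if __name__ == "__main__":
    events, lost, gaps = parse_ring_buffer(SAMPLE_DMESG)
    print(f"{len(events)} events, audit_lost={lost}, serial gaps={gaps}")
```

On a live system the same function can be fed the text of `dmesg`; a non-zero `lost` or any entry in `gaps` means the ring buffer is not a complete record of what was audited.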