-----Original Message-----
From: crash-utility-bounces(a)redhat.com
[mailto:crash-utility-bounces@redhat.com] On Behalf Of Dave Anderson
Sent: Friday, March 10, 2017 12:36 AM
To: Discussion list for crash utility usage, maintenance and development
<crash-utility(a)redhat.com>
Subject: Re: [Crash-utility] feature to dump audit logs in vmcore
----- Original Message -----
> Dave,
>
> I wrote an extension module to dump audit logs in vmcore.
> How about this in crash utility as a built-in command?
>
> crash> extend /root/repos/crash-dumpaudit-command/src/dumpaudit.so
> /root/repos/crash-dumpaudit-command/src/dumpaudit.so: shared object loaded
> crash> dumpaudit
> type=1300 audit(1489022639.875:164489): arch=c000003e syscall=0 success=yes exit=0 a0=5 a1=7fedd3b00000 a2=400 a3=22 items=0 ppid=2575 pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=1320 audit(1489022639.875:164489):
> type=1320 audit(1489022639.875:164487):
> type=1300 audit(1489022639.875:164490): arch=c000003e syscall=3 success=yes exit=0 a0=5 a1=1 a2=8 a3=0 items=0 ppid=2575 pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> ...<cut>...
OK, as I understand it, this is similar in nature to the trace extension module,
in that you can display the data that happened to be in kernel memory (and didn't
make it to disk) when the kernel crashed.
Honestly, I have never seen/heard of any discussions about audit logs w/respect to
crash analysis in the past, so I'm guessing that you must have come upon a real
kernel crash that involved auditing.
I have never seen audit itself causing a kernel crash, but I sometimes need to see
the audit logs to get any hint of what was happening on the crashed system
at the time of the crash.
Anyway, I definitely don't see it as a top-level built-in command. Perhaps you could
argue for an option to an existing command -- "ps", "log" or "sys" maybe?
Yes, I definitely don't need the name "dumpaudit".
I think the log command is best suited in meaning for audit logs.
By the way, I don't understand why you listed the ps command first.
I don't see any similarity between the ps command and audit.