----- Original Message -----
> -----Original Message-----
> From: crash-utility-bounces(a)redhat.com
> [mailto:crash-utility-bounces@redhat.com] On Behalf Of Dave Anderson
> Sent: Friday, March 10, 2017 12:36 AM
> To: Discussion list for crash utility usage, maintenance and development
> <crash-utility(a)redhat.com>
> Subject: Re: [Crash-utility] feature to dump audit logs in vmcore
>
>
>
> ----- Original Message -----
> > Dave,
> >
> > I wrote an extension module to dump audit logs in vmcore.
> > How about this in crash utility as a built-in command?
> >
> > crash> extend /root/repos/crash-dumpaudit-command/src/dumpaudit.so
> > /root/repos/crash-dumpaudit-command/src/dumpaudit.so: shared object loaded
> > crash> dumpaudit
> > type=1300 audit(1489022639.875:164489): arch=c000003e syscall=0 success=yes exit=0 a0=5 a1=7fedd3b00000 a2=400 a3=22 items=0 ppid=2575 pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > type=1320 audit(1489022639.875:164489):
> > type=1320 audit(1489022639.875:164487):
> > type=1300 audit(1489022639.875:164490): arch=c000003e syscall=3 success=yes exit=0 a0=5 a1=1 a2=8 a3=0 items=0 ppid=2575 pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > ...<cut>...
>
> OK, as I understand it, this is similar in nature to the trace extension module,
> in that you can display the data that happened to be in kernel memory (and didn't
> make it to disk) when the kernel crashed.
>
> Honestly, I have never seen/heard of any discussions about audit logs w/respect to
> crash analysis in the past, so I'm guessing that you must have come upon a real
> kernel crash that involved auditing.
I have never seen audit itself causing a kernel crash, but I sometimes need to see
audit logs to get any hint of what was happening on the crashed system
at the time of the crash.
>
> Anyway, I definitely don't see it as a top-level built-in command. Perhaps you could
> argue for an option to an existing command -- "ps", "log" or "sys" maybe?
>
Yes, I definitely don't need the name "dumpaudit".
I think the log command is best suited in meaning for audit logs.
By the way, I don't understand why you listed the ps command first.
I don't see any similarity between the ps command and audit.
It was just an off-the-top-of-my-head suggestion, where I thought of it because auditing
is often concerned with process-related events. But given there are other kinds of things
that get audited, I agree that "log" is more suitable.
Dave
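Records recovered from the in-kernel audit buffer, as in the dumpaudit output quoted above, use the same `type=N audit(seconds.millis:serial): key=value ...` layout as the on-disk audit.log, so the same parsing applies. The following is an added example, not part of this thread and not code from the crash utility or the dumpaudit module. It parses the four records shown in the thread (joined back into one line each), groups them into events by serial number, and flags serial 164487, whose end-of-event (type 1320) record survived in memory while its syscall record did not, the kind of partial event one should expect when reading a ring buffer out of a vmcore. The type numbers (1300 = AUDIT_SYSCALL, 1320 = AUDIT_EOE), the x86_64 arch value 0xc000003e and the small syscall-number table are real kernel constants; the function names are this example's own.

```python
import re
from collections import OrderedDict

# Records as shown in the thread, one audit record per line (copied from the
# quoted dumpaudit output, wrapped lines rejoined).
SAMPLE = """\
type=1300 audit(1489022639.875:164489): arch=c000003e syscall=0 success=yes exit=0 a0=5 a1=7fedd3b00000 a2=400 a3=22 items=0 ppid=2575 pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=1320 audit(1489022639.875:164489):
type=1320 audit(1489022639.875:164487):
type=1300 audit(1489022639.875:164490): arch=c000003e syscall=3 success=yes exit=0 a0=5 a1=1 a2=8 a3=0 items=0 ppid=2575 pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

# Kernel audit record types and arch value (from include/uapi/linux/audit.h)
AUDIT_SYSCALL = 1300
AUDIT_EOE = 1320
AUDIT_ARCH_X86_64 = 0xC000003E

# Only the syscall numbers seen in the thread plus their neighbours (x86_64 table)
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close"}

# "type=1300 audit(1489022639.875:164489): <body>"
HEADER_RE = re.compile(r"^type=(\d+) audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values are either a double-quoted string or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_audit_record(line):
    """Split one audit record into type, timestamp, serial and its key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, secs, millis, serial, body = m.groups()
    fields = OrderedDict()
    for key, val in FIELD_RE.findall(body):
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]          # comm="pidof" -> pidof
        fields[key] = val
    return {
        "type": int(rtype),
        "time": float("%s.%s" % (secs, millis)),
        "serial": int(serial),
        "fields": fields,
    }


def group_events(lines):
    """Group records into events keyed by serial, preserving first-seen order."""
    events = OrderedDict()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_audit_record(line)
        events.setdefault(rec["serial"], []).append(rec)
    return events


def incomplete_events(events):
    """Serials that have no AUDIT_SYSCALL record: the head of the event is missing,
    which happens when only the tail of an event was still in the kernel buffer."""
    return [s for s, recs in events.items()
            if not any(r["type"] == AUDIT_SYSCALL for r in recs)]


def describe_syscall(rec):
    """Human-readable one-liner for an x86_64 AUDIT_SYSCALL record, else None."""
    f = rec["fields"]
    if rec["type"] != AUDIT_SYSCALL:
        return None
    if int(f.get("arch", "0"), 16) != AUDIT_ARCH_X86_64:
        return None                  # syscall numbers are per-arch; don't guess
    nr = int(f["syscall"])
    name = X86_64_SYSCALLS.get(nr, "syscall#%d" % nr)
    return "%s (pid %s) %s -> exit=%s" % (f.get("comm"), f.get("pid"), name, f.get("exit"))


if __name__ == "__main__":
    evs = group_events(SAMPLE.splitlines())
    for serial, recs in evs.items():
        print("event %d: types %s" % (serial, [r["type"] for r in recs]))
        for r in recs:
            desc = describe_syscall(r)
            if desc:
                print("   ", desc)
    print("incomplete events:", incomplete_events(evs))
```

The arch check matters when the vmcore comes from a different architecture: `syscall=0` is `read` on x86_64 but something else on other tables, so the decoder refuses to name a syscall unless `arch` matches the table it carries.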