9:36 a.m.
----- Original Message -----
Dave,
I wrote an extension module to dump audit logs in vmcore.
How about this in crash utility as a built-in command?
crash> extend /root/repos/crash-dumpaudit-command/src/dumpaudit.so
/root/repos/crash-dumpaudit-command/src/dumpaudit.so: shared object
loaded
crash> dumpaudit
type=1300 audit(1489022639.875:164489): arch=c000003e syscall=0
success=yes exit=0 a0=5 a1=7fedd3b00000 a2=400 a3=22 items=0 ppid=2575
pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=1320 audit(1489022639.875:164489):
type=1320 audit(1489022639.875:164487):
type=1300 audit(1489022639.875:164490): arch=c000003e syscall=3
success=yes exit=0 a0=5 a1=1 a2=8 a3=0 items=0 ppid=2575 pid=10428
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
ses=1 comm="pidof" exe="/usr/sbin /killall5"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
...<cut>...
OK, as I understand it, this is similar in nature to the trace extension module,
in that you can display the data that happened to be in kernel memory (and didn't
make it to disk) when the kernel crashed.
Honestly, I have never seen/heard of any discussions about audit logs w/respect to
crash analysis in the past, so I'm guessing that you must have come upon a real
kernel crash that involved auditing.
Anyway, I definitely don't see it as a top-level built-in command. Perhaps you could
argue for an option to an existing command -- "ps", "log" or
"sys" maybe?
Thanks,
Dave
What the extension module does is so simple that it retrives audit
logs from a queue. Looking back into kernel git logs, this design that
audit logs are held in the queue, was introduced at the following
patch to introduce kauditd kernel thread and have never changed until
now:
# git describe b7d1125817c9a46cc46f57db89d9c195e7af22f8
v2.6.12-rc4-48-gb7d1125
# git log -1 -p b7d1125817c9a46cc46f57db89d9c195e7af22f8
commit b7d1125817c9a46cc46f57db89d9c195e7af22f8
Author: David Woodhouse <dwmw2(a)shinybook.infradead.org>
Date: Thu May 19 10:56:58 2005 +0100
AUDIT: Send netlink messages from a separate kernel thread
netlink_unicast() will attempt to reallocate and will free messages
if
the socket's rcvbuf limit is reached unless we give it an infinite
timeout. So do that, from a kernel thread which is dedicated to
spewing
stuff up the netlink socket.
Signed-off-by: David Woodhouse <dwmw2(a)infradead.org>
I confirmed the comamnd works well on fedora 4.8 kernel, RHEL7.3,
RHEL6.8 and RHEL5.11; RHEL6.8 was tested both on x86_64 and x86_32.
So, I guess the design will rarely be changed also in the future for
some time.
To get vmcore full of audit logs, run the following commands:
# auditctl -a exit,always -S all # always record exit of all system calls
# auditctl -e 1 # enable audit logging
# auditctl -f 2 # configure kernel to panic when audit
buffer becomes full
# kill -STOP $(pidof auditd) # stop auditd that is a unique process
# to read and reduce audit buffer
# dd if=/dev/zero of=/dev/null # issue system calls a lot
then kernel will panic when audit buffer becomes full.
To dump audit logs, simply, run dumpaudit command:
crash> extend /root/repos/crash-dumpaudit-command/src/dumpaudit.so
/root/repos/crash-dumpaudit-command/src/dumpaudit.so: shared object
loaded
crash> dumpaudit
type=1300 audit(1489022639.875:164489): arch=c000003e syscall=0
success=yes exit=0 a0=5 a1=7fedd3b00000 a2=400 a3=22 items=0 ppid=2575
pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=1320 audit(1489022639.875:164489):
type=1320 audit(1489022639.875:164487):
type=1300 audit(1489022639.875:164490): arch=c000003e syscall=3
success=yes exit=0 a0=5 a1=1 a2=8 a3=0 items=0 ppid=2575 pid=10428
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
ses=1 comm="pidof" exe="/usr/sbin /killall5"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
...<cut>...
On the vmcore created like above, log command should show the messages
ending with:
crash> log | tail -n 21
[253655.583070] audit: audit_backlog=321 > audit_backlog_limit=320
[253655.583124] audit: audit_backlog=321 > audit_backlog_limit=320
[253655.583129] audit: audit_lost=1 audit_rate_limit=0
audit_backlog_limit=320
[253655.583139] Kernel panic - not syncing: audit: backlog limit exceeded
[253655.583142] CPU: 0 PID: 2575 Comm: bash Not tainted
3.10.0-327.el7.x86_64 #1
[253655.583143] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2007
[253655.583147] ffffffff81870541 000000007dd10266 ffff8800b8a43d40
ffffffff816351f1
[253655.583149] ffff8800b8a43dc0 ffffffff8162ea6c ffffffff00000010
ffff8800b8a43dd0
[253655.583151] ffff8800b8a43d70 000000007dd10266 0000000000000000
ffffffff818705e8
[253655.583152] Call Trace:
[253655.583168] [<ffffffff816351f1>] dump_stack+0x19/0x1b
[253655.583170] [<ffffffff8162ea6c>] panic+0xd8/0x1e7
[253655.583178] [<ffffffff81103ce4>] audit_panic+0x64/0x70
[253655.583180] [<ffffffff81103d2f>] audit_log_lost+0x3f/0xd0
[253655.583186] [<ffffffff811049bc>] audit_log_start+0x1bc/0x4b0
[253655.583189] [<ffffffff810919dc>] ? do_send_sig_info+0x6c/0xa0
[253655.583193] [<ffffffff810b8c10>] ? wake_up_state+0x20/0x20
[253655.583199] [<ffffffff81108ce1>] audit_log_exit+0x51/0xb90
[253655.583201] [<ffffffff8110b7cd>] __audit_syscall_exit+0x21d/0x280
[253655.583208] [<ffffffff81645a2b>] sysret_audit+0x17/0x21
where audit_backlog_limit=320 means the limit number of audit logs
configured in /etc/audit.conf was 320 and audit_backlog=321 means the
audit queue, or audit backlog, became full amounting to 321.
dumpaudit should dump audit logs as many lines as the limit:
crash> dumpaudit | wc -l
321
--
Thanks.
HATAYAMA, Daisuke
--
Crash-utility mailing list
Crash-utility(a)redhat.com
https://www.redhat.com/mailman/listinfo/crash-utility