----- Original Message -----
> > -----Original Message-----
> > From: crash-utility-bounces@xxxxxxxxxx
> > [mailto:crash-utility-bounces@xxxxxxxxxx] On Behalf Of Dave Anderson
> > Sent: Friday, March 10, 2017 12:36 AM
> > To: Discussion list for crash utility usage, maintenance and development
> > <crash-utility@xxxxxxxxxx>
> > Subject: Re: feature to dump audit logs in vmcore
> >
> > ----- Original Message -----
> > > Dave,
> > >
> > > I wrote an extension module to dump audit logs in vmcore.
> > > How about this in crash utility as a built-in command?
> > >
> > > crash> extend /root/repos/crash-dumpaudit-command/src/dumpaudit.so
> > > /root/repos/crash-dumpaudit-command/src/dumpaudit.so: shared object loaded
> > > crash> dumpaudit
> > > type=1300 audit(1489022639.875:164489): arch=c000003e syscall=0
> > > success=yes exit=0 a0=5 a1=7fedd3b00000 a2=400 a3=22 items=0 ppid=2575
> > > pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > > tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5"
> > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > > type=1320 audit(1489022639.875:164489):
> > > type=1320 audit(1489022639.875:164487):
> > > type=1300 audit(1489022639.875:164490): arch=c000003e syscall=3
> > > success=yes exit=0 a0=5 a1=1 a2=8 a3=0 items=0 ppid=2575 pid=10428
> > > auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
> > > ses=1 comm="pidof" exe="/usr/sbin/killall5"
> > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > > ...<cut>...
> >
> > OK, as I understand it, this is similar in nature to the trace extension module,
> > in that you can display the data that happened to be in kernel memory (and didn't
> > make it to disk) when the kernel crashed.
> >
> > Honestly, I have never seen/heard of any discussions about audit logs w/respect to
> > crash analysis in the past, so I'm guessing that you must have come upon a real
> > kernel crash that involved auditing.
>
> I have never seen audit itself cause a kernel crash, but I sometimes need to see
> audit logs to get any hint of what was happening on the crashed system
> at the time of the crash.
>
> > Anyway, I definitely don't see it as a top-level built-in command. Perhaps you could
> > argue for an option to an existing command -- "ps", "log" or "sys" maybe?
> >
>
> Yes, I definitely don't need the name "dumpaudit".
> I think the log command is best suited in meaning for audit logs.
>
> By the way, I don't understand why you listed the ps command first.
> I don't find any similarity between the ps command and audit.

It was just an off-the-top-of-my-head suggestion, where I thought of it because
auditing is often concerned with process-related events. But given there are
other kinds of things that get audited, I agree that "log" is more suitable.

Dave

--
Crash-utility mailing list
Crash-utility@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/crash-utility
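The lines the extension prints are ordinary audit records in whatever order the in-kernel queue happened to hold them: in the output above, the type=1320 (EOE) record for serial 164487 comes after the records of 164489, and serial 164490 has a SYSCALL record but no EOE. The following parser is an added example, not part of this thread or of the dumpaudit module; it regroups dumped lines into events by serial and flags events that are only partially present in memory (cut off before EOE, or with only the EOE left). The sample lines are constructed from the thread's output, and the record-type, arch and syscall tables are small subsets of the kernel's uapi/linux/audit.h and the x86_64 syscall table.

```python
"""Regroup Linux audit records dumped from a vmcore into per-event groups.

Added example (not the dumpaudit extension's own code).  Sample input is
constructed from the records shown in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: the records in the order the queue held them.  Note the
# EOE for serial 164487 arriving after 164489, and 164490 lacking its EOE.
SAMPLE = """\
type=1300 audit(1489022639.875:164489): arch=c000003e syscall=0 success=yes exit=0 a0=5 a1=7fedd3b00000 a2=400 a3=22 items=0 ppid=2575 pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=1320 audit(1489022639.875:164489):
type=1320 audit(1489022639.875:164487):
type=1300 audit(1489022639.875:164490): arch=c000003e syscall=3 success=yes exit=0 a0=5 a1=1 a2=8 a3=0 items=0 ppid=2575 pid=10428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="pidof" exe="/usr/sbin/killall5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

# Subset of AUDIT_* record types from include/uapi/linux/audit.h.
RECORD_TYPES = {1300: "SYSCALL", 1302: "PATH", 1307: "CWD", 1309: "EXECVE",
                1320: "EOE", 1327: "PROCTITLE"}
# Subset of AUDIT_ARCH_* values (EM_* | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE).
ARCHES = {"c000003e": "x86_64", "40000003": "i386", "c00000b7": "aarch64"}
# Subset of the x86_64 syscall table; extend from arch/x86/entry/syscalls.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 59: "execve"}

HEADER_RE = re.compile(r"^type=(\d+) audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one audit record line; returns None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype = int(m.group(1))
    fields = {}
    for key, value in FIELD_RE.findall(m.group(5)):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return {"type": rtype,
            "type_name": RECORD_TYPES.get(rtype, f"UNKNOWN({rtype})"),
            "time": float(f"{m.group(2)}.{m.group(3)}"),
            "serial": int(m.group(4)),
            "fields": fields}


def group_events(lines):
    """Group records by serial, sorted by serial.  An event is complete once
    its EOE record has been seen; the dump order need not be serial order."""
    events = defaultdict(lambda: {"time": None, "records": [], "complete": False})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        ev["time"] = rec["time"]
        if rec["type"] == 1320:
            ev["complete"] = True
        else:
            ev["records"].append(rec)
    return dict(sorted(events.items()))


def describe_syscall(rec):
    """One-line summary of a SYSCALL record; None for other record types."""
    if rec["type"] != 1300:
        return None
    f = rec["fields"]
    arch = ARCHES.get(f.get("arch"), f.get("arch"))
    nr = int(f.get("syscall", -1))
    name = X86_64_SYSCALLS.get(nr, str(nr)) if arch == "x86_64" else str(nr)
    return (f"{arch} {name} pid={f.get('pid')} comm={f.get('comm')} "
            f"exe={f.get('exe')} success={f.get('success')} exit={f.get('exit')}")


def partial_events(events):
    """Serials that are only partially in the dump: no EOE (the crash hit
    before the event was finished) or only an EOE (earlier records already
    consumed from the queue)."""
    return [s for s, ev in events.items()
            if not ev["complete"] or not ev["records"]]


if __name__ == "__main__":
    evs = group_events(SAMPLE.splitlines())
    for serial, ev in evs.items():
        print(f"{serial} ({'complete' if ev['complete'] else 'no EOE'})")
        for rec in ev["records"]:
            print("   ", describe_syscall(rec) or rec["type_name"])
    print("partial:", partial_events(evs))
```

On the constructed sample this reports 164489 as the only complete event, 164487 as EOE-only and 164490 as cut off before its EOE, which is the kind of check worth running before treating a dumped record as the last thing a process did before the crash.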