On 06/19/2014 09:25 AM, Tai Nguyen (tainguye) wrote:
> We currently use both audit messages from auditd log and logcat
> messages. We found it very useful to have both. The auditd log allows us
> to quickly check if there are any unexpected audit messages. Audit
> messages in logcat give us the context of the error.

In AOSP master, auditd functionality has been merged into logd.  logd
receives the audit messages from the kernel and then writes them to:

1) /dev/kmsg (so they continue to appear in dmesg or cat /proc/kmsg
output, as before), and

2) the events log (displayed via logcat -b events), and

3) the main log (displayed via logcat -b main).

On our older seandroid* branches, we had auditd as a separate service,
and when you ran auditd, it only wrote the audit messages to
/data/misc/audit/audit.log, so they were no longer available via dmesg
or cat /proc/kmsg once auditd was running and they were never available
in logcat output at all.

I actually had problems with losing denials when running auditd due to
rollover of audit.log and no way to capture the continuous stream (i.e.
no equivalent to adb shell su 0 cat /proc/kmsg > dmesg.txt).  Also,
auditd didn't provide an equivalent to cat /proc/last_kmsg, which is a
nice way to get denials from the previous boot (especially useful for
collecting denials from recovery).
_______________________________________________
Seandroid-list mailing list
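An added example, not part of the original message: because logd writes each audit record to /dev/kmsg, the events log and the main log, captures from the three sinks can be merged on the AVC fields to de-duplicate denials and to show which ones only a single capture retained. The sample lines, their prefixes, the SELinux domains and types, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# The AVC record body is the same text whichever sink it is read from;
# only the per-sink line prefix differs, so search for the body alone.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of an 'avc: denied' line, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: skip it rather than guess
    fields["perms"] = tuple(sorted(m.group("perms").split()))
    return fields

def merge_denials(sinks):
    """sinks maps a sink name to its captured lines.
    Returns {(scontext, tcontext, tclass, perms): set of sinks that saw it}."""
    seen = defaultdict(set)
    for sink, lines in sinks.items():
        for line in lines:
            rec = parse_avc(line)
            if rec:
                key = (rec["scontext"], rec["tcontext"], rec["tclass"], rec["perms"])
                seen[key].add(sink)
    return dict(seen)

def seen_in_one_sink_only(merged):
    """Denials captured by a single sink, e.g. after the others rolled over."""
    return {key: next(iter(s)) for key, s in merged.items() if len(s) == 1}

# Constructed sample captures (domains, types and line prefixes are made up).
AVC1 = ('avc: denied { read } for pid=1234 comm="demo" name="cfg" dev="mmcblk0p9" '
        'ino=42 scontext=u:r:demo_app:s0 tcontext=u:object_r:demo_data_file:s0 tclass=file')
AVC2 = ('avc: denied { write open } for pid=77 comm="demo svc" path="/data/demo" '
        'scontext=u:r:demo_svc:s0 tcontext=u:object_r:demo_data_file:s0 tclass=dir')
SAMPLE = {
    "kmsg": ["<36>[  101.000000] type=1400 audit(1403184300.100:5): " + AVC1,
             "<36>[  102.500000] type=1400 audit(1403184301.600:6): " + AVC2,
             "<6>[  103.000000] init: unrelated kernel line"],
    "events": ["I/auditd  (  321): type=1400 audit(0.0:5): " + AVC1],
    "main": ["W/auditd  (  321): type=1400 audit(0.0:5): " + AVC1],
}

if __name__ == "__main__":
    for key, sink in seen_in_one_sink_only(merge_denials(SAMPLE)).items():
        print("only in", sink, key)
```

To use it on real captures, pass the lines of each saved capture (for example the dmesg.txt file mentioned above) under the sink name of your choice.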