Capturing core files in Red Hat Enterprise Linux
Capturing core files in Solaris is pretty straightforward – even more so if you’ve used JASS to secure the system. By default JASS will give you a nice /etc/coreadm.conf file:
```
COREADM_GLOB_PATTERN=/var/core/core_%n_%f_%u_%g_%t_%p
COREADM_GLOB_CONTENT=default
COREADM_INIT_PATTERN=core
COREADM_INIT_CONTENT=default
COREADM_GLOB_ENABLED=yes
COREADM_PROC_ENABLED=no
COREADM_GLOB_SETID_ENABLED=yes
COREADM_PROC_SETID_ENABLED=no
COREADM_GLOB_LOG_ENABLED=yes
```
This ensures that we keep all our core files in a sensible place, and that they have enough information in the filename to identify where they came from.
With some visualisation applications requiring Linux – more specifically Red Hat Enterprise Linux (RHEL) – you’ll find the handy coreadm tool missing. Core file management is instead configured in the kernel configuration file, /etc/sysctl.conf.
We’ve got three main challenges in RHEL:
- enable core dumps from setuid processes
- remove file size limits for core dumps
- stick them all in a sensible place, and give the core files sensible names
To accomplish all of this, we need to add the following lines into /etc/sysctl.conf:
```
fs.suid_dumpable = 2
kernel.core_pattern = /var/core/core_%h_%e_%u_%g_%t_%p
```
And then to make sure we aren’t imposing limits on our core files, we add the following to /etc/sysconfig/init:
```
DAEMON_COREFILE_LIMIT='unlimited' # don't limit our core file sizes
```
Luckily there are just a couple of differences between Solaris and Linux when it comes to naming our core files:
Solaris | Variable | Linux |
---|---|---|
%n | nodename | %h |
%f | executable name | %e |
%u | UID | %u |
%g | GID | %g |
%t | epoch time | %t |
%p | PID | %p |
Once you’ve updated /etc/sysctl.conf we can just refresh our settings by running sysctl:
```
[[email protected] ~]# /sbin/sysctl -p
< list of kernel tunables >
fs.suid_dumpable = 2
kernel.core_pattern = /var/core/core_%h_%e_%u_%g_%t_%p
< list of kernel tunables >
```
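As an added example (not part of the original post), this shell function splits a core file name written by the kernel.core_pattern above back into its fields, so a crash can be traced to its host, executable, UID and GID. It assumes the hostname contains no underscore; the function name `parse_core_name` and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: parse names produced by
#   kernel.core_pattern = /var/core/core_%h_%e_%u_%g_%t_%p

parse_core_name() {
    name=${1##*/}                       # drop the directory part
    case $name in
        core_*_*_*_*_*_*) ;;            # needs at least six "_" separators
        *) echo "not a core_%h_%e_%u_%g_%t_%p name: $name" >&2; return 1 ;;
    esac
    rest=${name#core_}

    # The last four fields (%u %g %t %p) are always numeric, so peel them
    # off from the right. Executable names may contain "_" themselves.
    pid=${rest##*_};  rest=${rest%_*}
    when=${rest##*_}; rest=${rest%_*}
    gid=${rest##*_};  rest=${rest%_*}
    uid=${rest##*_};  rest=${rest%_*}
    for n in "$uid" "$gid" "$when" "$pid"; do
        case $n in
            ''|*[!0-9]*) echo "non-numeric field in: $name" >&2; return 1 ;;
        esac
    done

    # What remains is %h_%e. Assumption: the hostname has no underscore,
    # so the first "_" ends it and the remainder is the executable name.
    host=${rest%%_*}
    exe=${rest#*_}
    if [ -z "$host" ] || [ -z "$exe" ]; then
        echo "empty host or executable in: $name" >&2
        return 1
    fi

    printf 'host=%s exe=%s uid=%s gid=%s time=%s pid=%s\n' \
        "$host" "$exe" "$uid" "$gid" "$when" "$pid"
}

# Constructed sample names (not taken from a real system).
parse_core_name /var/core/core_viz01_render_node_500_100_1300000000_4242
parse_core_name /var/core/core_viz01_sshd_0_0_1300000100_917
```

The `%t` value is seconds since the epoch; with GNU date, `date -d @1300000000` turns it into a readable timestamp.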