To avoid having to dig through the raw audit logs to get an impression of what your system is currently doing, run custom audit reports at certain intervals. Custom audit reports enable you to focus on areas of interest and get meaningful statistics on the nature and frequency of the events you are monitoring. To analyze individual events in detail, use the ausearch tool.
Before setting up audit reporting, consider the following:
What types of events do you want to monitor by generating regular reports? Select the appropriate aureport command lines as described in Section 1.5.2, Generating Custom Audit Reports.
What do you want to do with the audit reports? Decide whether to create graphical charts from the data accumulated or whether it should be transferred into any sort of spreadsheet or database. Set up the aureport command line and further processing similar to the examples shown in Section 2.7, Configuring Log Visualization if you want to visualize your reports.
When and at which intervals should the reports run? Set up appropriate automated reporting using cron.
For this example, assume that you are interested in finding out about any attempts to access your audit, PAM, and system configuration. Proceed as follows to find out about file events on your system:
Generate a full summary report of all events and check for any anomalies in the summary report, for example, have a look at the failed syscalls record, because these might have failed due to insufficient permissions to access a file or a file not being there at all:
aureport
Summary Report
======================
Range of time: 04/19/2007 13:42:43.280 - 05/02/2007 14:05:49.302
Number of changes in configuration: 215
Number of changes to accounts, groups, or roles: 0
Number of logins: 47
Number of failed logins: 16
Number of users: 5
Number of terminals: 17
Number of host names: 7
Number of executables: 16
Number of files: 173
Number of AVC denials: 0
Number of MAC events: 0
Number of failed syscalls: 799
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 2382
Number of events: 14424
Run a summary report for failed events and check the files record for the number of failed file access events:
aureport --failed
Failed Summary Report
======================
Range of time: 04/19/2007 13:42:43.280 - 05/02/2007 14:07:41.609
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 16
Number of users: 1
Number of terminals: 7
Number of host names: 4
Number of executables: 7
Number of files: 102
Number of AVC denials: 0
Number of MAC events: 0
Number of failed syscalls: 799
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 40
Number of events: 841
To list the files that could not be accessed, run a summary report of failed file events:
aureport -f -i --failed --summary
Failed File Summary Report
===========================
total file
===========================
21 /usr/lib/locale/locale-archive
13 /usr/lib/locale/en_US.UTF-8/LC_IDENTIFICATION
13 /usr/lib/locale/en_US.UTF-8/LC_MEASUREMENT
13 /usr/lib/locale/en_US.UTF-8/LC_TELEPHONE
13 /usr/lib/locale/en_US.UTF-8/LC_ADDRESS
13 /usr/lib/locale/en_US.UTF-8/LC_NAME
13 /usr/lib/locale/en_US.UTF-8/LC_PAPER
13 /usr/lib/locale/en_US.UTF-8/LC_MESSAGES
13 /usr/lib/locale/en_US.UTF-8/LC_MONETARY
13 /usr/lib/locale/en_US.UTF-8/LC_COLLATE
13 /usr/lib/locale/en_US.UTF-8/LC_TIME
13 /usr/lib/locale/en_US.UTF-8/LC_NUMERIC
13 /usr/lib/locale/en_US.UTF-8/LC_CTYPE
13 /etc/ld.so.preload
...
To focus this summary report on a few files or directories of interest only, such as /etc/auditd.conf, /etc/pam.d, and /etc/sysconfig, use a command similar to the following:
aureport -f -i --failed --summary |grep -e "/etc/auditd.conf" -e "/etc/pam.d/" -e "/etc/sysconfig"
1 /etc/sysconfig/displaymanager
From the summary report, proceed to isolate these items of interest from the log and find out their event IDs for further analysis:
aureport -f -i --failed |grep -e "/etc/auditd.conf" -e "/etc/pam.d/" -e "/etc/sysconfig"
68. 04/27/2007 04:45:00 PM /etc/sysconfig/displaymanager getxattr no /bin/vim root 1451
Use the event ID to get a detailed record for each item of interest:
ausearch -a 1451 -i
type=PATH msg=audit(04/27/2007 16:45:00.736:1451) : item=0 name=/etc/sysconfig/displaymanager inode=440645 dev=03:01 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(04/27/2007 16:45:00.736:1451) : cwd=/root
type=SYSCALL msg=audit(04/27/2007 16:45:00.736:1451) : arch=i386 syscall=getxattr success=no exit=-61(No data available) a0=8175bf8 a1=b7f00c4f a2=bf88d950 a3=84 items=1 ppid=7591 pid=7593 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=vi exe=/bin/vim subj=unconstrained key=(null)
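The filtering in steps 3 and 4 can be scripted so that only the final ausearch step needs a human. The following is an added example, not part of the SUSE manual: it parses the row layout of aureport -f -i --failed shown above (# date time file syscall success exe auid event), keeps rows for the watched paths and emits the ausearch -a command for each event ID. The report text, the /etc/pam.d/sshd and /etc/auditd.conf rows and the user1 account are constructed sample data.

```python
"""Turn `aureport -f -i --failed` output into `ausearch -a <id> -i` commands.

Added example; the report below is constructed to match the column layout
this page shows, it is not captured from a real system.
"""

# Constructed sample of what `aureport -f -i --failed` prints (header + rows).
SAMPLE_REPORT = """\
Failed File Report
===============================================
# date time file syscall success exe auid event
===============================================
67. 04/27/2007 04:44:59 PM /usr/lib/locale/locale-archive open no /bin/ls root 1449
68. 04/27/2007 04:45:00 PM /etc/sysconfig/displaymanager getxattr no /bin/vim root 1451
69. 04/27/2007 04:45:03 PM /etc/pam.d/sshd open no /usr/sbin/sshd root 1460
70. 04/27/2007 04:45:09 PM /etc/auditd.conf open no /bin/cat user1 1470
"""

# Path prefixes of interest, the same three the grep on this page uses.
WATCHED = ("/etc/auditd.conf", "/etc/pam.d/", "/etc/sysconfig")


def parse_failed_file_report(text):
    """Yield one dict per data row; header, separator and title lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with "<n>." and end with five fixed columns.
        if len(fields) < 8 or not fields[0].endswith(".") or not fields[0][:-1].isdigit():
            continue
        syscall, success, exe, auid, event = fields[-5:]
        # With -i the time is printed as "HH:MM:SS AM|PM" in an English locale;
        # without -i (or in other locales) there is no AM/PM token.
        start = 4 if fields[3] in ("AM", "PM") else 3
        # Everything between the timestamp and the five trailing columns is the
        # file name, so a path containing spaces does not break the split.
        yield {"date": fields[1], "time": " ".join(fields[2:start]),
               "file": " ".join(fields[start:-5]), "syscall": syscall,
               "success": success, "exe": exe, "auid": auid, "event": int(event)}


def events_of_interest(text, watched=WATCHED):
    """Event IDs of failed accesses under the watched paths, in report order, deduplicated."""
    ids = []
    for row in parse_failed_file_report(text):
        if row["success"] == "no" and row["file"].startswith(watched) and row["event"] not in ids:
            ids.append(row["event"])
    return ids


def ausearch_commands(text, watched=WATCHED):
    """Build the `ausearch -a <id> -i` command line for every event of interest."""
    return ["ausearch -a %d -i" % event_id for event_id in events_of_interest(text, watched)]


if __name__ == "__main__":
    for cmd in ausearch_commands(SAMPLE_REPORT):
        print(cmd)
```

On a live system, feed it the real report with `aureport -f -i --failed | python3 this_script.py` after replacing SAMPLE_REPORT with sys.stdin.read().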
HINT: Focusing on a Certain Time Frame
If you are interested in events during a particular period of time, trim down the reports by using start and end dates and times with your aureport commands (-ts and -te). For more information, refer to Section 1.5.2, Generating Custom Audit Reports.
All steps except for the last one can be automated easily: script them and configure them as cron jobs. Any of the --failed --summary reports could easily be transformed into a bar chart that plots files against failed access attempts. For more information about visualizing audit report data, refer to Section 2.7, Configuring Log Visualization.