Announcing audit-viewer

Announcing audit-viewer

[Miloslav Trmač]

Hello,
audit-viewer is now available in Fedora 9.  It is a GUI for viewing
audit logs and running simple reports on them, intended as an ueasy to
use alternative to ausearch and aureport.  To see what audit-viewer can
do, please read
https://fedorahosted.org/audit-viewer/wiki/AuditViewerTour .

The program is still under development, more features (graphs in
particular) and more polish is planned.  I'll be grateful for any
feedback (what works well, what doesn't work, what is difficult to do or
unintuitive).

To install audit-viewer on Fedora, run (yum install audit-viewer).  Then
you'll find it in the System/Administration menu as "Audit Logs".

To build audit-viewer on other distributions, you'll need the source
code available at https://fedorahosted.org/audit-viewer/ .  audit-viewer
depends on python-gtkextra, and the last release of python-gtkextra
doesn't build on recent systems.  You may find the patch at
http://cvs.fedora.redhat.com/viewcvs/devel/python-gtkextra/ useful.
	Mirek

Re: Announcing audit-viewer

[LC Bruzenak]

So far so good.
One very trivial suggestion is to have a horizontal scroll bar on the
bottom, so that when the "other fields" is off the page I can still see
the entire event.

Thx,
LCB.
-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

Re: Announcing audit-viewer

[LC Bruzenak]

Mirek,

First thing I want to say is that this is a really good first release
tool! There are a lot of things I like and so far not a lot I don't.
I have a couple of questions though:

1: The filters all seem to work fine, and I like the ability to store
the filter config. One thing I believe would be helpful, though, it to
have a way of temporarily filtering from the main screen without having
to add a specific filter, save it and then later remove it.
Like a "filter on": button added near the "Edit". It would need a
corresponding "clear" to reset. I recall my own use of the handy
Evolution mail search tool.

2: I'd also like to be able to launch results in a new window. The
reason for this is I see how helpful it would be to see, as an example,
a side-by-side audit comparison between hosts. What I'd do is filter on
a particular hostname & open that in a new window. Then I'd filter on a
different hostname and open those results in a new window. Then I could
easily compare what 2 different machines audit results look like. This
would be in a situation where I am seeing some audit anomaly or some key
in the audit data on one host but not another.

I'd consider these to be non-critical enhancements because I can do
everything I say above in (1) by making more filter configs and loading
those. I can also do the request in (2) by launching multiple
audit-viewers and then manipulating as desired.

But so far in my testing these are the things I see which would be
helpful and I thought you would appreciate some feedback. Again, kudos
on a nice initial release!

LCB.
-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

Re: Announcing audit-viewer

[Miloslav Trmač]

Hello,
LC Bruzenak píše v Čt 22. 05. 2008 v 17:27 -0500:
> So far so good.
> One very trivial suggestion is to have a horizontal scroll bar on the
> bottom, so that when the "other fields" is off the page I can still see
> the entire event.
I'm afraid the field width cannot be tuned automatically; the
performance hit is too large.  You can resize the "Other fields" column
manually (using the small field separator at the very right of the
column headers), and the scroll bar will appear if the field is wide
enough.

If you want to see the details of a specific event, double-click it to
see the "event details" dialog[1].  For often-used fields, you can add
them as columns to a saved view.

Thanks a lot for testing audit-viewer,
	Mirek

[1] Buttons for moving to the previous/next event will be added to the
dialog to make this way of viewing the records more comfortable.

Re: Announcing audit-viewer

[LC Bruzenak]

On Mon, 2008-06-02 at 15:01 +0000, Miloslav Trmač wrote: 
> Hello,
> LC Bruzenak píše v Čt 22. 05. 2008 v 17:27 -0500:
> > So far so good.
> > One very trivial suggestion is to have a horizontal scroll bar on the
> > bottom, so that when the "other fields" is off the page I can still see
> > the entire event.
> I'm afraid the field width cannot be tuned automatically; the
> performance hit is too large.  You can resize the "Other fields" column
> manually (using the small field separator at the very right of the
> column headers), and the scroll bar will appear if the field is wide
> enough.

I went to try this and now have another problem - audit-viewer is
crashing on startup. Last week I updated to some new python modules.

Now when I try to run audit-viewer I get:

[root@hugo audit]# audit-viewer 
Traceback (most recent call last):
  File "/usr/share/audit-viewer/main.py", line 73, in <module>
    w.run(cl, args)
  File "/usr/share/audit-viewer/main_window.py", line 115, in run
    self.__refresh_all_tabs()
  File "/usr/share/audit-viewer/main_window.py", line 328, in
__refresh_all_tabs
    tab.refresh()
  File "/usr/share/audit-viewer/list_tab.py", line 121, in refresh
    True)
  File "/usr/share/audit-viewer/main_window.py", line 209, in
read_events
    keep_raw_records)
  File "/usr/share/audit-viewer/event_source.py", line 135, in
read_events
    e = events[(ts.serial, ts.sec, ts.milli)]
AttributeError: 'NoneType' object has no attribute 'serial'

Here is the complete list of python rpms(please let me know what else I
can provide):

[root@hugo audit]# rpm -qa | grep python | sort
at-spi-python-1.22.1-1.fc9.x86_64
audit-libs-python-1.7.4-1.fc9.x86_64
cracklib-python-2.8.12-2.x86_64
dbus-python-0.82.4-2.fc9.x86_64
gamin-python-0.1.9-5.fc9.x86_64
gnome-python2-2.22.0-2.fc9.x86_64
gnome-python2-applet-2.22.0-2.fc9.x86_64
gnome-python2-bonobo-2.22.0-2.fc9.x86_64
gnome-python2-canvas-2.22.0-2.fc9.x86_64
gnome-python2-desktop-2.22.0-2.fc9.x86_64
gnome-python2-extras-2.19.1-15.fc9.x86_64
gnome-python2-gconf-2.22.0-2.fc9.x86_64
gnome-python2-gnomeprint-2.22.0-2.fc9.x86_64
gnome-python2-gnomevfs-2.22.0-2.fc9.x86_64
gnome-python2-gtkhtml2-2.19.1-15.fc9.x86_64
gnome-python2-libegg-2.19.1-15.fc9.x86_64
gstreamer-python-0.10.11-2.fc9.x86_64
libbdevid-python-6.0.52-2.fc9.x86_64
libselinux-python-2.0.64-2.fc9.x86_64
libuser-python-0.56.9-1.x86_64
libxml2-python-2.6.32-2.fc9.x86_64
newt-python-0.52.9-1.fc9.x86_64
notify-python-0.1.1-3.fc9.x86_64
python-2.5.1-25.fc9.x86_64
python-crypto-2.0.1-12.1.x86_64
python-devel-2.5.1-25.fc9.i386
python-genshi-0.4.4-2.fc8.noarch
python-gtkextra-1.1.0-3.fc9.x86_64
python-iniparse-0.2.3-3.fc9.noarch
python-libs-2.5.1-25.fc9.i386
python-libs-2.5.1-25.fc9.x86_64
python-numeric-24.2-11.fc9.x86_64
python-paste-1.6-1.fc9.noarch
python-pyblock-0.31-2.x86_64
python-setuptools-0.6c7-2.fc8.noarch
python-sexy-0.1.9-5.fc9.x86_64
python-urlgrabber-3.0.0-8.fc9.noarch
rpm-python-4.4.2.3-2.fc9.x86_64

[root@hugo audit]# rpm -qa | grep audit-viewer
audit-viewer-0.2-2.fc9.x86_64

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com