public inbox for linux-audit@redhat.com
* aureport summary
@ 2008-05-28 23:27 LC Bruzenak
  2008-05-28 23:42 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: LC Bruzenak @ 2008-05-28 23:27 UTC (permalink / raw)
  To: Linux Audit

Here is my report:
[root@hugo audit]# aureport --summary

Summary Report
======================
Range of time in logs: 05/27/2008 12:04:31.669 - 05/28/2008 18:14:56.100
Selected time for report: 05/27/2008 12:04:31 - 05/28/2008 18:14:56.100
Number of changes in configuration: 174
Number of changes to accounts, groups, or roles: 0
Number of logins: 5
Number of failed logins: 1
Number of authentications: 25
Number of failed authentications: 1
Number of users: 2
Number of terminals: 16
Number of host names: 8
Number of executables: 114
Number of files: 19536
Number of AVC's: 1007
Number of MAC events: 25
Number of failed syscalls: 1283
Number of anomaly events: 107
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 14
Number of process IDs: 1473
Number of events: 37218


IIUC the last line - number of events - should be the sum of all the
previous. 
However, adding up the events (barring OE) before that comes to 23791. I
guess there are overlaps too - for example, the keys are possibly also
in syscall events?
Are some events missing on purpose?

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: aureport summary
  2008-05-28 23:27 aureport summary LC Bruzenak
@ 2008-05-28 23:42 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2008-05-28 23:42 UTC (permalink / raw)
  To: linux-audit

On Wednesday 28 May 2008 19:27:45 LC Bruzenak wrote:
> IIUC the last line - number of events - should be the sum of all the
> previous.
> However, adding up the events (barring OE) before that comes to 23791. I
> guess there are overlaps too - for example, the keys are possibly also
> in syscall events?
> Are some events missing on purpose?

Yes. Not every event falls into a category mentioned above. For example, on 
login you have USER_ACCT and CRED_ACQ, both of which are not picked off and 
highlighted. Just the USER_AUTH and USER_START get counted. There are others 
like that all over. 

So, the short answer is that there are no guarantees that they all add up and 
yes there can be overlaps.

-Steve
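The behaviour Steve describes, shown as an added illustration that is not aureport's own code: a small Python model parses a few constructed audit.log records, groups them into events by serial number, and applies a simplified category mapping. That mapping (USER_START counts as a login, USER_AUTH as an authentication, SYSCALL success=no as a failed syscall, a key= field as a key, PATH as a file, AVC as an AVC, and USER_ACCT/CRED_ACQ as nothing) is an assumption made for the demonstration, not aureport's real classification rules. The sample log lines, hostnames, serials and file names are likewise constructed.

```python
"""Toy model of why an aureport summary's category lines do not add up to
'Number of events'.  Added illustration; the category mapping is an
assumption, not aureport's real logic."""
import re
from collections import defaultdict

# Constructed sample in audit.log text format.  One event (the serial after
# the timestamp) may span several records, e.g. SYSCALL + CWD + PATH.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1211911471.669:101): pid=3001 uid=0 auid=4294967295 msg='op=PAM:authentication acct="lenny" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_ACCT msg=audit(1211911471.670:102): pid=3001 uid=0 auid=4294967295 msg='op=PAM:accounting acct="lenny" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1211911471.671:103): pid=3001 uid=0 auid=4294967295 msg='op=PAM:setcred acct="lenny" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_START msg=audit(1211911471.672:104): pid=3001 uid=0 auid=500 msg='op=PAM:session_open acct="lenny" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_AUTH msg=audit(1211911500.000:105): pid=3010 uid=0 auid=4294967295 msg='op=PAM:authentication acct="lenny" exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=failed'
type=SYSCALL msg=audit(1211911600.100:106): arch=40000003 syscall=5 success=no exit=-13 a0=bfa0 a1=0 items=1 pid=3020 auid=500 uid=500 comm="cat" exe="/bin/cat" key="shadow-read"
type=CWD msg=audit(1211911600.100:106):  cwd="/home/lenny"
type=PATH msg=audit(1211911600.100:106): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1211911601.200:107): arch=40000003 syscall=5 success=yes exit=3 a0=bfa0 a1=0 items=1 pid=3021 auid=500 uid=500 comm="cat" exe="/bin/cat" key="etc-read"
type=PATH msg=audit(1211911601.200:107): item=0 name="/etc/hosts" inode=1235 dev=08:01 mode=0100644 ouid=0 ogid=0
type=AVC msg=audit(1211911602.300:108): avc:  denied  { read } for  pid=3022 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")


def parse_events(text):
    """Group raw records into events keyed by serial: {serial: [(type, body)]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record
        rtype, _ts, serial, body = m.groups()
        events[int(serial)].append((rtype, body))
    return dict(events)


def classify(records):
    """Return the set of summary categories one event falls into.
    Simplified mapping (assumption), not aureport's real rules."""
    cats = set()
    for rtype, body in records:
        if rtype == "USER_START":
            cats.add("logins")
        elif rtype == "USER_AUTH":
            cats.add("authentications")
            if "res=failed" in body:
                cats.add("failed authentications")
        elif rtype == "SYSCALL":
            if "success=no" in body:
                cats.add("failed syscalls")
            if 'key="' in body:
                cats.add("keys")
        elif rtype == "PATH":
            cats.add("files")
        elif rtype == "AVC":
            cats.add("AVC's")
        # USER_ACCT, CRED_ACQ, CWD map to nothing on purpose: as the reply
        # says, not every record type is picked off and highlighted.
    return cats


def summarize(text):
    """Count events per category and report gaps and overlaps."""
    events = parse_events(text)
    counts = defaultdict(int)
    uncategorized, overlapping = [], []
    for serial, records in sorted(events.items()):
        cats = classify(records)
        for c in cats:
            counts[c] += 1
        if not cats:
            uncategorized.append(serial)
        elif len(cats) > 1:
            overlapping.append(serial)
    return {
        "events": len(events),
        "counts": dict(counts),
        "category_sum": sum(counts.values()),
        "uncategorized": uncategorized,
        "overlapping": overlapping,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for name, n in sorted(s["counts"].items()):
        print(f"Number of {name}: {n}")
    print(f"Number of events: {s['events']}")
    print(f"Sum of the category lines: {s['category_sum']}")
    print(f"Events in no category: {s['uncategorized']}")
    print(f"Events in more than one category: {s['overlapping']}")
```

On the sample the category lines sum to 10 while there are 8 events: serials 102 and 103 (USER_ACCT, CRED_ACQ) count nowhere, and serials 105, 106 and 107 each count in two or three places (a failed USER_AUTH is both an authentication and a failed authentication; a keyed failed open is a failed syscall, a key and a file). Both effects are present at once, which is why neither the sum nor any simple correction of it can be expected to match the event total. Real aureport also counts "files" as distinct names rather than events, so the gap on a real log is larger still.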

