From: Steve Grubb
Subject: Re: Tools for reviewing audit logs ?
Date: Wed, 13 Dec 2006 12:09:29 -0500
Message-ID: <200612131209.29772.sgrubb@redhat.com>
To: "Wieprecht, Karen M."
Cc: linux-audit@redhat.com, "Thomas, Daniel J."
List-Id: linux-audit@redhat.com

On Wednesday 13 December 2006 11:45, Wieprecht, Karen M. wrote:
> I guess the main thing we want is to make the audit data easier to
> understand when we are reviewing it, and I'd rather not have to issue
> multiple ausearch commands per machine times n systems to get an
> overview of possible wrongdoing on the machine ... Certainly I can use
> those tools to investigate further if I see something suspicious.

That was the intent of the aureport program. An example running the report
at a remote machine:

[root@discovery ~]# ssh spirit aureport -ts 12/1/2006
root@spirit's password:

Summary Report
======================
Range of time in logs: 09/05/2006 17:07:44.602 - 12/13/2006 11:59:14.425
Selected time for report: 12/01/2006 00:00:01 - 12/13/2006 11:59:14.425
Number of changes in configuration: 47
Number of changes to accounts, groups, or roles: 4
Number of logins: 10
Number of failed logins: 1
Number of users: 2
Number of terminals: 11
Number of host names: 5
Number of executables: 15
Number of files: 44
Number of AVC denials: 114
Number of MAC events: 4
Number of failed syscalls: 68
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 201
Number of events: 879

Hmm, failed login? Need more details...

[root@discovery ~]# ssh spirit aureport -ts 12/01/2006 -l -i
root@spirit's password:

Login Report
=================================================
# date time auid host term exe success event
=================================================
1. 12/01/2006 08:35:03 sgrubb discovery /dev/pts/0 /usr/sbin/sshd yes 35
2. 12/01/2006 08:40:26 root ? tty1 /bin/login yes 45
3. 12/04/2006 13:44:58 sgrubb spirit :0 /usr/sbin/gdm-binary yes 35
4. 12/12/2006 09:41:03 root ? tty1 /bin/login yes 23
5. 12/12/2006 11:11:09 root ? tty1 /bin/login yes 15
6. 12/12/2006 11:16:29 root ? tty2 /bin/login yes 35
7. 12/12/2006 11:23:22 root ? tty1 /bin/login yes 15
8. 12/12/2006 13:02:00 root 192.168.1.200 sshd /usr/sbin/sshd no 43
9. 12/12/2006 13:19:00 root ? tty1 /bin/login yes 15
10. 12/12/2006 14:43:21 sgrubb ? tty2 /bin/login yes 27
11. 12/12/2006 16:16:36 root ? tty1 /bin/login yes 1

Let's see the actual event that failed:

[root@discovery ~]# ssh spirit ausearch -ts 12/12/2006 13:02:00 -sv no -a 43 -i
root@spirit's password:
----
type=USER_LOGIN msg=audit(12/12/2006 13:02:00.400:43) : user pid=10118 uid=root auid=root subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct=sgrubb: exe=/usr/sbin/sshd (hostname=?, addr=192.168.1.200, terminal=sshd res=failed)'

Does the above not look better than just reviewing the audit logs directly?

> If not, here's a feel for what we'd be interested in as a bare minimum, and
> certainly any improvements would be even better.

I do plan to write the audit transport mechanism so that we can have
centralized audit logs in the near future. But the parser library is first
order of business. After that, there are plans to build a GUI that can
review the logs.

I have a documented road map in the TODO file of the audit source code.

-Steve
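The triage sequence in the message above (summary report, then the login report, then ausearch on the one failed event by date, time and event id) is easy to script for the "times n systems" case Karen describes. The following is an added example, not code from Steve Grubb or the audit project: it parses the text that `aureport -l -i` prints, picks the rows whose success column is "no", builds the same `ausearch -ts ... -sv no -a <event> -i` command used in the thread (wrapped in ssh for a remote host), and pulls acct/addr/res out of the interpreted USER_LOGIN record that ausearch returns. The sample report and record are constructed from the output quoted in the thread; the row layout assumed by the regex is the column order shown there.

```python
"""Triage helper for aureport login reports (added example, not audit's own code)."""
import re
import shlex

# Constructed sample: rows copied from the aureport -l -i output in the thread.
LOGIN_REPORT = """\
Login Report
=================================================
# date time auid host term exe success event
=================================================
1. 12/01/2006 08:35:03 sgrubb discovery /dev/pts/0 /usr/sbin/sshd yes 35
2. 12/01/2006 08:40:26 root ? tty1 /bin/login yes 45
3. 12/04/2006 13:44:58 sgrubb spirit :0 /usr/sbin/gdm-binary yes 35
8. 12/12/2006 13:02:00 root 192.168.1.200 sshd /usr/sbin/sshd no 43
11. 12/12/2006 16:16:36 root ? tty1 /bin/login yes 1
"""

# Constructed sample: the interpreted USER_LOGIN record ausearch -i printed for event 43.
USER_LOGIN_RECORD = (
    "type=USER_LOGIN msg=audit(12/12/2006 13:02:00.400:43) : user pid=10118 "
    "uid=root auid=root subj=root:system_r:unconfined_t:s0-s0:c0.c1023 "
    "msg='acct=sgrubb: exe=/usr/sbin/sshd (hostname=?, addr=192.168.1.200, "
    "terminal=sshd res=failed)'"
)

# One numbered report row: "N. date time auid host term exe success event".
ROW_RE = re.compile(
    r"^\d+\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<auid>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<term>\S+)\s+(?P<exe>\S+)\s+(?P<success>yes|no)\s+(?P<event>\d+)\s*$"
)
# The audit(date time.ms:serial) stamp; the serial is the -a value for ausearch.
MSG_RE = re.compile(r"msg=audit\((?P<date>\S+) (?P<time>[\d:.]+):(?P<event>\d+)\)")
# key=value pairs inside the quoted msg='...' payload.
FIELD_RE = re.compile(r"(\w+)=([^\s,()']+)")


def parse_login_report(text):
    """Return one dict per numbered row; the title, header and rule lines are skipped."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]


def failed_logins(text):
    """Rows whose success column is 'no', i.e. what the summary counted as failed logins."""
    return [r for r in parse_login_report(text) if r["success"] == "no"]


def ausearch_command(row, host=None):
    """Build the drill-down command from the thread for one report row.

    -ts date time narrows the search, -sv no keeps failed events only,
    -a selects the event serial and -i resolves ids to names.  With host
    set, the command is wrapped in ssh the way the thread runs it remotely.
    """
    cmd = ["ausearch", "-ts", row["date"], row["time"],
           "-sv", "no", "-a", row["event"], "-i"]
    if host:
        cmd = ["ssh", host] + cmd
    return shlex.join(cmd)


def parse_user_login(record):
    """Extract account, source address, terminal and result from a USER_LOGIN record."""
    m = MSG_RE.search(record)
    if not m or "type=USER_LOGIN" not in record:
        return None
    payload = record[record.index("msg='") + len("msg='"):].rstrip("'")
    fields = dict(FIELD_RE.findall(payload))
    return {
        "event": int(m.group("event")),
        "acct": fields.get("acct", "").rstrip(":"),  # 'acct=sgrubb:' carries a colon
        "addr": fields.get("addr"),
        "terminal": fields.get("terminal"),
        "res": fields.get("res"),
    }


def triage(report_text, host=None):
    """Pair every failed login row with the ausearch command that fetches its event."""
    return [(r, ausearch_command(r, host)) for r in failed_logins(report_text)]


if __name__ == "__main__":
    for row, cmd in triage(LOGIN_REPORT, host="spirit"):
        print(f"failed login for auid={row['auid']} from {row['host']} -> {cmd}")
    print(parse_user_login(USER_LOGIN_RECORD))
```

The event serial printed by aureport is the `-a` argument to ausearch; combining it with `-ts` matters because serials restart and are only unique together with the timestamp on a given host. When the record comes back, `acct` (the account the attacker tried, here sgrubb) is the name to match against the report's `auid` column, which for a failed ssh login shows root because sshd itself is what logged the attempt.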