public inbox for linux-audit@redhat.com
From: Jonathan Abbey <jonabbey@arlut.utexas.edu>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com, "Thomas, Daniel J." <Daniel.Thomas@jhuapl.edu>, "Wieprecht, Karen M." <Karen.Wieprecht@jhuapl.edu>
Subject: Re: Tools for reviewing audit logs ?
Date: Wed, 13 Dec 2006 10:36:05 -0600	[thread overview]
Message-ID: <20061213163604.GB5162@arlut.utexas.edu> (raw)
In-Reply-To: <200612121729.04049.sgrubb@redhat.com>



On Tue, Dec 12, 2006 at 05:29:03PM -0500, Steve Grubb wrote:
| On Tuesday 12 December 2006 17:08, Wieprecht, Karen M. wrote:
| > Steve, I'm testing the RHEL4 audit 1.0.14 now with the sample capp.rules,
| > and I am generating data.  UGLY data.  I am wondering what
| > tools/GUIs/scripts people are using to look at this data.
| 
| Someone published a perl based viewer to this mail list earlier this year. I
| forget when. The aureport program was supposed to fill the immediate role of
| breaking the data down into something a little more useful. My intentions are
| to use that as the basis of a GUI based tool. The work is going slow and I'm
| at the point of writing the parser library.

I'm guessing that was Leigh Purdie and the Snare team down at
Intersect Alliance in oz.  They had their own kernel auditing
framework that was hacked into earlier Linux kernels, and they have a
central logging server that provides a nice GUI for reviewing
color-coded audit records, in addition to a micro-web server that can
be hosted on the individual system being audited.

They've continued working on their toolset beyond the early work they
posted here earlier, and you can get it from

  http://www.intersectalliance.com/projects/SnareLinux/index.html

They are providing/recommending 'audit-1.2.1-1.i386.rpm' and
'audit-libs-1.2.1-1.i386.rpm' in addition to their
SnareLinux-1.0b7-1.i386.rpm, which provides the higher level analysis
tools, but I'm not sure why that's necessary, given that RHEL4 should
be providing those pieces (albeit with lower version numbers?) out of
the box.

 Jon

| > but I don't want to reproduce effort if there are nice scripts or GUIs
| > available already.
| 
| Aside from that perl based viewer and aureport, nothing I know of. It would be 
| helpful to me to know what your use cases/requirements are.
| 
| Thanks,
| -Steve

-- 
-------------------------------------------------------------------------------
Jonathan Abbey 				              jonabbey@arlut.utexas.edu
Applied Research Laboratories                 The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg
