From: Jonathan Abbey
Subject: Re: Tools for reviewing audit logs ?
Date: Wed, 13 Dec 2006 10:36:05 -0600
Message-ID: <20061213163604.GB5162@arlut.utexas.edu>
In-Reply-To: <200612121729.04049.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com, "Thomas, Daniel J.", "Wieprecht, Karen M."
List-Id: linux-audit@redhat.com

On Tue, Dec 12, 2006 at 05:29:03PM -0500, Steve Grubb wrote:
| On Tuesday 12 December 2006 17:08, Wieprecht, Karen M. wrote:
| > Steve, I'm testing the RHEL4 audit 1.0.14 now with the sample capp.rules,
| > and I am generating data. UGLY data. I am wondering what
| > tools/GUIs/scripts people are using to look at this data.
|
| Someone published a perl based viewer to this mail list earlier this year. I
| forget when. The aureport program was supposed to fill the immediate role of
| breaking the data down into something a little more useful. My intentions are
| to use that as the basis of a GUI based tool. The work is going slow and I'm
| at the point of writing the parser library.

I'm guessing that was Leigh Purdie and the Snare team down at Intersect Alliance in oz.

They had their own kernel auditing framework that was hacked into earlier Linux kernels, and they have a central logging server that provides a nice GUI for reviewing color-coded audit records, in addition to a micro-web server that can be hosted on the individual system being audited.

They've continued working on their toolset beyond the early work they posted here earlier, and you can get it from

http://www.intersectalliance.com/projects/SnareLinux/index.html

They are providing/recommending 'audit-1.2.1-1.i386.rpm' and 'audit-libs-1.2.1-1.i386.rpm' in addition to their SnareLinux-1.0b7-1.i386.rpm, which provides the higher level analysis tools, but I'm not sure why that's necessary, given that RHEL4 should be providing those pieces (albeit with lower version numbers?) out of the box.

Jon

| > but I don't want to reproduce effort if there are nice scripts or GUIs
| > available already.
|
| Aside from that perl based viewer and aureport, nothing I know of. It would be
| helpful to me to know what your use cases/requirements are.
|
| Thanks,
| -Steve

-- 
-------------------------------------------------------------------------------
Jonathan Abbey                                    jonabbey@arlut.utexas.edu
Applied Research Laboratories                 The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg