From: "Boyce, Kevin P [US] (AS)"
Subject: RE: EXT :Re: Auditd Troubleshooting
Date: Thu, 6 Jun 2019 15:01:33 +0000
In-Reply-To: <2858763.hD381QzqKc@x2>
References: <16ca40d7967a4a0198d1d2799c939349@XCGVAG30.northgrum.com> <2858763.hD381QzqKc@x2>
To: Steve Grubb, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Thanks Steve. I thought you may have implemented this already!

Kevin

-----Original Message-----
From: Steve Grubb
Sent: Thursday, June 06, 2019 9:54 AM
To: linux-audit@redhat.com
Cc: Boyce, Kevin P [US] (AS)
Subject: EXT :Re: Auditd Troubleshooting

On Thursday, June 6, 2019 9:31:41 AM EDT Boyce, Kevin P [US] (AS) wrote:
> Dear List,
>
> It would be really great if there were an audit rule hit counter like
> many firewalls have when IP traffic passes through a filter rule.
>
> This would be beneficial for finding rules that might not be working
> as intended (to fix user implementation problems).
>
> I'm thinking it would be a switch option on auditctl -l (maybe -h for
> hitcount). This would list each rule that the kernel has, and how
> many times since auditd started that an event matched the rule.
>
> Is this within the realm of feasibility? Does this function exist
> maybe elsewhere in the audit suite (like aureport)?

Assuming that you put a key on each rule, you can get this functionality
like this:

aureport --start boot --key --summary

And in cases where you have multiple rules with the same key, then add a
number at the end like: time1, time2, time3, etc. Ausearch by default does
partial word matching. So you can still run "ausearch -k time" and it will
find all of them regardless of the number at the end.
-Steve
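The approach Steve describes (key every rule, then read per-key hit counts from aureport and find the rest with ausearch's partial key matching) can be checked offline. The script below is an added example and is not code from the audit project or from either poster; it emulates what `aureport --start boot --key --summary` and `ausearch -k time` do over a handful of constructed audit.log-style records, and it also lists the configured keys that never fired, which is the "rule not working as intended" case Kevin asks about. The log lines, the boot timestamp and the configured key list are all constructed for the example; events are counted once per serial so that the CWD and PATH records of a multi-record event do not inflate the count.

```python
"""Offline emulation of 'aureport --start boot --key --summary' and of the
partial key matching done by 'ausearch -k', over audit.log-style records."""
import re
from collections import defaultdict

# Constructed sample records in /var/log/audit/audit.log format (not captured
# from a real host). Event 100 happened before the assumed boot time; event 102
# carries CWD and PATH records that must count as a single hit on its key;
# event 104 matched no keyed rule (key=(null)).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1559800000.000:100): arch=c000003e syscall=227 success=yes exit=0 auid=1000 uid=0 comm="date" exe="/usr/bin/date" key="time1"
type=SYSCALL msg=audit(1559833293.100:101): arch=c000003e syscall=227 success=yes exit=0 auid=1000 uid=0 comm="date" exe="/usr/bin/date" key="time1"
type=SYSCALL msg=audit(1559833300.250:102): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="time1"
type=CWD msg=audit(1559833300.250:102): cwd="/home/kevin"
type=PATH msg=audit(1559833300.250:102): item=0 name="/etc/localtime" inode=1234 dev=fd:00 mode=0100644
type=SYSCALL msg=audit(1559833311.500:103): arch=c000003e syscall=227 success=no exit=-1 auid=1000 uid=1000 comm="hwclock" exe="/usr/sbin/hwclock" key="time2"
type=SYSCALL msg=audit(1559833320.000:104): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key=(null)
type=SYSCALL msg=audit(1559833330.000:105): arch=c000003e syscall=82 success=yes exit=0 auid=0 uid=0 comm="passwd" exe="/usr/bin/passwd" key="identity"
"""

# Assumed boot time (constructed), standing in for what '--start boot' resolves to.
BOOT_TIME = 1559833000.0

# Keys assumed to be configured on the loaded rules (constructed): "time3" never fires.
CONFIGURED_KEYS = ["time1", "time2", "time3", "identity"]

MSG_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
KEY_RE = re.compile(r'\bkey="(?P<key>[^"]*)"')


def parse_events(log_text):
    """Group records by event serial: {serial: (timestamp, key or None)}."""
    events = {}
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        serial = int(m.group("serial"))
        ts = float(m.group("ts"))
        km = KEY_RE.search(line)          # key=(null) has no quotes and is skipped
        key = km.group("key") if km else None
        prev = events.get(serial)
        if prev is None or (prev[1] is None and key is not None):
            events[serial] = (ts, key)    # keep the record that carries the key
    return events


def key_summary(log_text, since=None):
    """Hits per key, counted once per event, like 'aureport --key --summary'."""
    counts = defaultdict(int)
    for ts, key in parse_events(log_text).values():
        if key is None or (since is not None and ts < since):
            continue
        counts[key] += 1
    return dict(counts)


def search_key(log_text, needle, since=None):
    """Serials of events whose key contains needle, as 'ausearch -k' partial matching does."""
    return sorted(
        serial for serial, (ts, key) in parse_events(log_text).items()
        if key is not None and needle in key and (since is None or ts >= since)
    )


def unhit_keys(configured_keys, counts):
    """Configured keys with zero hits: the rules worth re-checking."""
    return [k for k in configured_keys if counts.get(k, 0) == 0]


if __name__ == "__main__":
    summary = key_summary(SAMPLE_AUDIT_LOG, since=BOOT_TIME)
    for key, hits in sorted(summary.items()):
        print(f"{hits:6d}  {key}")
    print("never hit since boot:", unhit_keys(CONFIGURED_KEYS, summary))
    print("events matching 'time':", search_key(SAMPLE_AUDIT_LOG, "time", since=BOOT_TIME))
```

Run against real data, the same logic would read /var/log/audit/audit.log directly; the point of the example is that a key per rule turns the log itself into the hit counter, and that the numbered-suffix convention still lets one substring search collect a whole family of rules.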