Hello,
The audit user space package has gained some real interesting features during
the 2.7.x releases. The events can now be normalized. So, what exactly does
that mean?
Events are composed of subject, action, object, and results. With the format
of the audit events, it can be hard for the uninitiated to really tell what's
where with all the name=value fields and multi-lined events. What the
normalizer does is take all that guesswork out of interpreting the event.
It presents an API in auparse that you can use to say, give me the subject,
give me the action, give me the results, etc.
The upshot of this is that you can use this to turn events into English
sentences. For example, this:
time->Mon Feb 13 10:09:04 2017
type=PROCTITLE msg=audit(1486998544.895:837):
proctitle=2F7573722F62696E2F696E7374616C6C002D6300636F6E66746573742E6F6E6500636F6E66746573742E74776F002F686F6D652F7367727562622F776F726B696E672F4255494C442F61756469742F636F6E66746573742E646972
type=PATH msg=audit(1486998544.895:837): item=0 name="/etc/selinux/config"
inode=17041117 dev=08:32 mode=0100600 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL
type=CWD msg=audit(1486998544.895:837): cwd="/home/sgrubb/working/BUILD/audit"
type=SYSCALL msg=audit(1486998544.895:837): arch=c000003e syscall=2 success=no
exit=-13 a0=7fb05b8d5b8b a1=0 a2=1b6 a3=0 items=1 ppid=30491 pid=30650
auid=4325 uid=4325 gid=4325 euid=4325 suid=4325 fsuid=4325 egid=4325 sgid=4325
fsgid=4325 tty=pts3 ses=4 comm="install" exe="/usr/bin/install"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="access"
Becomes:
At 10:09:04 02/13/2017 sgrubb unsuccessfully opened-file /etc/selinux/config
using /usr/bin/install
Big difference? Try it yourself. ausearch --start today --format text
But wait...there's more!!! ausearch can now also output events in
comma-separated values (CSV) format. What this can do for you is open the whole
world to high quality visualizations of audit events. You can do this:
ausearch --start today --format csv > audit.csv
Then you can open the file with libreoffice if you like:
ooffice audit.csv
Review the sample import and adjust, or click OK when it asks. Then you
should see the audit data in nice neat columns with one event per row. If you
like using spreadsheets to do charts and graphs, have at it.
Or, you can close the spreadsheet and visit here:
http://app.rawgraphs.io/
Open your csv file in gedit or something, select all rows and copy to the
clipboard. Then paste your data into the box at app.rawgraphs.io. Then select
alluvial diagram. Then scroll down to "map your dimensions". Grab "subj_prime"
and drag it to the box labeled "steps". Then grab "event_kind" and drag it
under "subj_prime". Then grab "action" and drag it under "event_kind". This
shows who is doing what kind of things on the system.
If you wanted to see what login accounts transition to other accounts, delete
the green boxes in the "steps" section and grab "subj_prime" and drag it to
the "steps". Then grab "subj_sec" and drag it under "subj_prime". There's your
chart. It's that easy.
There are a few things that say "unknown". This is caused by malformed events
that we are still working to correct. Feel free to experiment. You can't
really break anything.
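To show what the normalized columns give you once they are in CSV form, here is an added Python example (not code from the audit project or from this post) that reads a constructed ausearch-style CSV sample, renders each row as the same kind of English sentence the text format produces, and then builds the two aggregations the alluvial charts above visualize: subj_prime -> event_kind -> action ("who does what") and subj_prime -> subj_sec (account transitions), plus a count of failed actions per login account. Only the column names subj_prime, subj_sec, event_kind and action come from this post; the other column names, the header layout and every field value in the sample are assumptions made up for the example, and rows whose subject is "unknown" are skipped in the transition count, matching the malformed-event caveat above.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of `ausearch --format csv` output. Only the
# column names the post mentions (subj_prime, subj_sec, event_kind, action) are
# taken from it; the remaining columns and all field values are assumptions made
# up for this example, not real log data.
SAMPLE_CSV = """\
DATE,TIME,EVENT_KIND,SUBJ_PRIME,SUBJ_SEC,ACTION,RESULT,OBJ_PRIME,HOW
02/13/2017,10:09:04,file-system,sgrubb,sgrubb,opened-file,failed,/etc/selinux/config,/usr/bin/install
02/13/2017,10:09:05,file-system,sgrubb,sgrubb,opened-file,success,/home/sgrubb/notes.txt,/usr/bin/vim
02/13/2017,10:11:30,user-acct,sgrubb,root,changed-to-user,success,root,/usr/bin/sudo
02/13/2017,10:11:31,file-system,root,root,opened-file,success,/etc/shadow,/usr/bin/vim
02/13/2017,10:15:02,file-system,sgrubb,sgrubb,opened-file,failed,/etc/shadow,/usr/bin/cat
02/13/2017,10:20:00,audit-daemon,unknown,unknown,started-audit,success,auditd,/sbin/auditd
"""

# How the RESULT column reads in an English sentence (assumed vocabulary).
RESULT_WORDS = {"success": "successfully", "failed": "unsuccessfully"}


def load_events(csv_text):
    """Parse CSV text into a list of dicts keyed by lower-cased column name,
    so the code works whether the header is upper- or lower-case."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{k.lower(): v for k, v in row.items()} for row in reader]


def to_sentence(ev):
    """Render one normalized row as an English sentence, in the style of
    `ausearch --format text`: subject, result, action, object, tool."""
    outcome = RESULT_WORDS.get(ev["result"], ev["result"])
    return (f"At {ev['time']} {ev['date']} {ev['subj_prime']} {outcome} "
            f"{ev['action']} {ev['obj_prime']} using {ev['how']}")


def who_does_what(events):
    """Count (subject, event kind, action) paths: the steps of the first
    alluvial chart described in the post."""
    return Counter((e["subj_prime"], e["event_kind"], e["action"])
                   for e in events)


def account_transitions(events):
    """Count subj_prime -> subj_sec changes, i.e. rows where the secondary
    identity differs from the login account. Rows with an unknown subject
    (malformed events) are skipped rather than charted."""
    pairs = Counter()
    for e in events:
        src, dst = e["subj_prime"], e["subj_sec"]
        if "unknown" in (src, dst) or src == dst:
            continue
        pairs[(src, dst)] += 1
    return pairs


def failures_by_subject(events):
    """Count failed actions per login account, a quick way to spot an account
    that is repeatedly denied access."""
    return Counter(e["subj_prime"] for e in events if e["result"] == "failed")


if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    for e in evs:
        print(to_sentence(e))
    print("who does what:", dict(who_does_what(evs)))
    print("account transitions:", dict(account_transitions(evs)))
    print("failures by subject:", dict(failures_by_subject(evs)))
```

To run it against real data, replace SAMPLE_CSV with the contents of the audit.csv produced by the ausearch command above; the aggregations are the same ones you would drag into rawgraphs, just computed in code so they can feed a report or an alert.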
As mentioned before, I will be starting up a blog to explain how to use the R
programming language to create interesting reports. With the logs normalized,
we can now use Data Science tools to look at logs. That opens a whole lot of
doors.
-Steve