3:26 p.m.
Hi,
I have managed to find an easy way to put the output of aureport into
neat columns. For example:
aureport -i -f | sed 's/=====/==== /g' | column -t
However, if I combine this with ausearch, as in:
ausearch -k ROOT |aureport -i -f | sed .....
then some lines come out properly and some have extra data that shifts
everything off. For example, here are two successive lines from the
output. The first has 9 fields and the second 15:
311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0
ogid=0 rdev=00:00 execve yes /sbin/aureport root 599
What is happening?
Thanks - Michael Mather
-----------------------
8:22 a.m.
On Thursday, July 12, 2012 04:26:25 PM Michael Mather wrote:
Hi,
I have managed to find an easy way to put the output of aureport into
neat columns. For example:
aureport -i -f | sed 's/=====/==== /g' | column -t
However, if I combine this with ausearch, as in:
ausearch -k ROOT |aureport -i -f | sed .....
Is this really the ausearch portion or did you omit some parameters for
brevity?
then some lines come out properly and some have extra data that
shifts
everything off. For example, here are two successive lines from the
output. The first has 9 fields and the second 15:
311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0
ogid=0 rdev=00:00 execve yes /sbin/aureport root 599
What is happening?
Does it behave better if you add --raw to the ausearch portion?
-Steve
8:27 a.m.
Is it possible that the output for these tools is not directed to STDOUT completely? In
which case you might have better luck redirecting output with something like 2>&1?
Just a thought...
-----Original Message-----
From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of
Steve Grubb
Sent: Friday, July 13, 2012 9:23 AM
To: linux-audit(a)redhat.com
Subject: Re: Output of aureport in columns
On Thursday, July 12, 2012 04:26:25 PM Michael Mather wrote:
Hi,
I have managed to find an easy way to put the output of aureport into
neat columns. For example:
aureport -i -f | sed 's/=====/==== /g' | column -t
However, if I combine this with ausearch, as in:
ausearch -k ROOT |aureport -i -f | sed .....
Is this really the ausearch portion or did you omit some parameters for brevity?
then some lines come out properly and some have extra data that
shifts
everything off. For example, here are two successive lines from the
output. The first has 9 fields and the second 15:
311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0
ogid=0 rdev=00:00 execve yes /sbin/aureport root 599
What is happening?
Does it behave better if you add --raw to the ausearch portion?
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
CONFIDENTIALITY NOTE: This message and any attachments are confidential, may contain
information that is privileged and is intended only for the use of the addressee. If you
are not the intended recipient or an authorized representative of the intended recipient,
you are hereby notified that any dissemination of this communication is strictly
prohibited. If you have received this communication in error, please notify us immediately
by e-mail and delete the message and any attachments from your system. This message is not
meant to constitute an electronic signature or evidence intent to contract
electronically.
12:09 p.m.
Yes, Steve, adding --raw works beautifully. Thanks.
Now, where can I find a tutorial that might have taught me this?
And is there a way to search this list?
Michael Mather
--------------
On Fri, 2012-07-13 at 09:22 -0400, Steve Grubb wrote:
On Thursday, July 12, 2012 04:26:25 PM Michael Mather wrote:
> Hi,
>
> I have managed to find an easy way to put the output of aureport into
> neat columns. For example:
>
> aureport -i -f | sed 's/=====/==== /g' | column -t
>
> However, if I combine this with ausearch, as in:
>
> ausearch -k ROOT |aureport -i -f | sed .....
Is this really the ausearch portion or did you omit some parameters for
brevity?
> then some lines come out properly and some have extra data that shifts
> everything off. For example, here are two successive lines from the
> output. The first has 9 fields and the second 15:
>
> 311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
> 312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0
> ogid=0 rdev=00:00 execve yes /sbin/aureport root 599
>
> What is happening?
Does it behave better if you add --raw to the ausearch portion?
-Steve
12:19 p.m.
On Friday, July 13, 2012 01:09:00 PM Michael Mather wrote:
Yes, Steve, adding --raw works beautifully. Thanks.
Now, where can I find a tutorial that might have taught me this?
There is some discussion of this in the audit.rules man page under the section
NOTES. There was also an article about using the audit system to debug the
whole OS at once. The article gives some examples of stringing together
searches and reports:
http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf
And is there a way to search this list?
You can use Google and the site operator to restrict the results:
site:www.redhat.com ausearch raw
-Steve
4545
days inactive
4546
days old
linux-audit@lists.linux-audit.osci.io
4 comments
3 participants
participants (3)
-
Michael Mather -
Patrick Synor -
Steve Grubb