On Thursday, June 6, 2019 9:31:41 AM EDT Boyce, Kevin P [US] (AS) wrote:
Dear List,
It would be really great if there were an audit rule hit counter like many
firewalls have when IP traffic passes through a filter rule.
This would be beneficial for finding rules that might not be working as
intended (to fix user implementation problems).
I'm thinking it would be a switch option on auditctl -l (maybe -h for
hitcount). This would list each rule that the kernel has, and how many
times since auditd started that an event matched the rule.
Is this within the realm of feasibility? Does this function exist maybe
elsewhere in the audit suite (like aureport)?
Assuming that you put a key on each rule, you can get this functionality like
this:
aureport --start boot --key --summary
And in cases where you have multiple rules with the same key, then add a
number at the end like: time1, time2, time3, etc. Ausearch by default does
partial word matching. So you can still run "ausearch -k time" and it will
find all of them regardless of the number at the end.
-Steve
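As an added illustration of the keyed-rule approach above (not code from the thread or from the audit tools): a POSIX shell script that counts distinct events per key over a few constructed audit.log records, the way the aureport key summary would, and filters keys by partial match the way ausearch -k does. The rule keys, syscall numbers and log lines are assumed sample values.

```shell
#!/bin/sh
# Added example: a per-rule "hit counter" derived from audit records via keys.
# Assumed rules using Steve's naming convention (constructed, not real config):
#   -w /etc/localtime -p wa -k time1
#   -a always,exit -F arch=b64 -S adjtimex -k time2
#   -a always,exit -F arch=b64 -S execve -k exec
# Constructed audit.log records. Note that serial 105 has two records
# (SYSCALL and PATH) belonging to one event; only the SYSCALL carries key=.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1559827901.001:101): arch=c000003e syscall=2 success=yes exit=3 key="time1"
type=SYSCALL msg=audit(1559827902.002:102): arch=c000003e syscall=2 success=yes exit=3 key="time1"
type=SYSCALL msg=audit(1559827903.003:103): arch=c000003e syscall=305 success=yes exit=0 key="time2"
type=SYSCALL msg=audit(1559827904.004:104): arch=c000003e syscall=59 success=yes exit=0 key="exec"
type=SYSCALL msg=audit(1559827905.005:105): arch=c000003e syscall=2 success=no exit=-13 key="time1"
type=PATH msg=audit(1559827905.005:105): item=0 name="/etc/localtime" inode=1234
'

# Print "<hits> <key>" for every key whose name contains $1 (empty = all keys).
# Hits are counted per distinct event serial, not per record, so multi-record
# events are not double counted.
key_hit_counts() {
    pattern="$1"
    printf '%s' "$AUDIT_SAMPLE" |
    awk -v pattern="$pattern" '
        match($0, /key="[^"]*"/) {
            key = substr($0, RSTART + 5, RLENGTH - 6)
            if (pattern != "" && index(key, pattern) == 0) next
            match($0, /msg=audit\([0-9.]+:[0-9]+\)/)
            serial = substr($0, RSTART, RLENGTH)
            if (!((key, serial) in seen)) { seen[key, serial] = 1; hits[key]++ }
        }
        END { for (k in hits) printf "%d %s\n", hits[k], k }
    ' | sort -k2
}

# Hit count for one exact key name (empty output if the key never matched).
hits_for_key() {
    key_hit_counts "" | awk -v k="$1" '$2 == k { print $1 }'
}

key_hit_counts "$@"
```

A key that never appears in the output is the interesting case for Kevin's question: the rule either never matched or was never loaded, which is worth checking with auditctl -l.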