Dear List,
It would be really great if there were an audit rule hit counter like many firewalls have when IP traffic passes through a filter rule.
This would be beneficial for finding rules that might not be working the as intended (to fix user implementation problems).
I’m thinking it would be a switch option on auditctl –l (maybe –h for hitcount). This would list each rule that the kernel has, and how many times since auditd started that an event matched the rule.
Is this within the realm of feasibility? Does this function exist maybe elsewhere in the audit suite (like aureport)?
Kind Regards,
Kevin