I have a working (but rough) perl script and accompanying module that
will do the following:
1. delete all existing rules shown by '/sbin/auditctl -a'
Given a list of user names, directories of interest, and system call
names:
2. add rules to report all exit!= 0 for all calls and user names of
interest
3. run a query on an audit log and spit out info on lines of interest
Given the present state of auditd messages, this is the best I can come
up with for now. I think it is easily modifiable for those interested.
One thing I know it needs now is a list of specific return codes of
interest for the query.
By the way, I see that there are not always pairs of messages. If a
syscall has at least one accompanying message, it has 'items=1' (or more
sometimes, I guess). So while querying I check for that and look behind
one line for additional info if appropriate. There may be other gotchas
as I gain more experience sifting through the log.
Let me know if you want a copy.
-Tom Browder
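As an added example (not Tom's Perl script or module), here is a Python sketch of the same two pieces: a rule builder that emits the auditctl command lines for a list of user names, directories and syscall names, and a query that reports failed syscalls from an audit log together with the PATH names of the same event. It differs from the approach described above in two ways, both by design: it groups records by the serial number in msg=audit(time:serial) instead of looking one line behind, which also handles events whose records arrive out of order or interleaved with other events, and it treats success=no as the failure test rather than exit!=0, because a successful open returns its file descriptor in exit= (exit=3 is a success). The rule strings use only options documented in auditctl(8) (-D, -a always,exit, -F arch, -S, -F auid, -F dir, -F success=0, -k) and are returned, not executed. The log lines and the errno/syscall-number tables are constructed for the example and cover only the values the sample uses; a real script would map syscall numbers with ausyscall.

```python
import re

# Small lookup tables for the constructed sample only (x86_64 syscall numbers, Linux errno values).
# A real query script would resolve syscall numbers with ausyscall(8) for the logged arch.
SYSCALL_NAMES = {2: "open", 59: "execve", 257: "openat"}
ERRNO_NAMES = {-1: "EPERM", -2: "ENOENT", -13: "EACCES"}

# key=value tokens; quoted values may contain spaces, unquoted values run to the next blank.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<seconds.millis>:<serial>) ties the SYSCALL, CWD and PATH records of one event together.
EVENT_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')


def build_rules(users, dirs, syscalls, arch="b64", key="failed"):
    """Return the auditctl commands (strings, not executed) that first delete all rules and then
    report every failed call of the given syscalls by the given users under the given directories."""
    cmds = ["auditctl -D"]  # delete all existing rules
    for user in users:
        for d in dirs:
            for sc in syscalls:
                cmds.append(f"auditctl -a always,exit -F arch={arch} -S {sc} "
                            f"-F auid={user} -F dir={d} -F success=0 -k {key}")
    return cmds


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes, and the event serial
    is stored under '_serial' when the record carries a msg=audit(...) stamp."""
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    m = EVENT_RE.search(line)
    if m:
        fields["_time"], fields["_serial"] = m.group(1), int(m.group(2))
    return fields


def group_events(lines):
    """Group records by serial so all records of an event stay together whatever their order."""
    events = {}
    for line in lines:
        rec = parse_record(line.strip())
        if "_serial" in rec:
            events.setdefault(rec["_serial"], []).append(rec)
    return events


def failed_syscalls(lines, auids=None, exits=None):
    """Report every SYSCALL record with success=no, optionally restricted to a set of numeric auids
    and to a set of exit codes (negative errno values), joined with the PATH names of the same
    event when items>0."""
    hits = []
    for serial, recs in group_events(lines).items():
        paths = [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r]
        for r in recs:
            if r.get("type") != "SYSCALL" or r.get("success") != "no":
                continue
            exit_code = int(r.get("exit", "0"))
            if auids is not None and int(r.get("auid", -1)) not in auids:
                continue
            if exits is not None and exit_code not in exits:
                continue
            hits.append({
                "serial": serial,
                "auid": int(r["auid"]),
                "syscall": SYSCALL_NAMES.get(int(r["syscall"]), r["syscall"]),
                "exit": exit_code,
                "errno": ERRNO_NAMES.get(exit_code, "?"),
                "comm": r.get("comm"),
                "paths": paths if int(r.get("items", "0")) > 0 else [],
            })
    return hits


# Constructed sample in the shape of /var/log/audit/audit.log (all values made up). Event 101
# succeeded (exit=3 is the returned fd) to show why exit!=0 alone is not a failure test, event 102
# has items=0 and therefore no PATH record, and event 103 has its PATH record before its SYSCALL.
SAMPLE_LOG = """
type=SYSCALL msg=audit(1300000000.123:100): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=900 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="failed"
type=CWD msg=audit(1300000000.123:100): cwd="/home/tom"
type=PATH msg=audit(1300000000.123:100): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00
type=SYSCALL msg=audit(1300000000.456:101): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=900 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="failed"
type=PATH msg=audit(1300000000.456:101): item=0 name="/etc/passwd" inode=1235 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1300000000.789:102): arch=c000003e syscall=59 success=no exit=-2 a0=0 a1=0 a2=0 a3=0 items=0 ppid=900 pid=1236 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=2 comm="bash" exe="/bin/bash" key="failed"
type=PATH msg=audit(1300000000.900:103): item=0 name="/root/.ssh/id_rsa" inode=77 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1300000000.900:103): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=900 pid=1237 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="less" exe="/usr/bin/less" key="failed"
"""

if __name__ == "__main__":
    for cmd in build_rules(["tom"], ["/etc", "/root"], ["open", "openat"]):
        print(cmd)
    for h in failed_syscalls(SAMPLE_LOG.splitlines(), exits={-13, -2}):
        print(f"{h['serial']} auid={h['auid']} {h['syscall']} {h['errno']} "
              f"comm={h['comm']} paths={h['paths']}")
```

The exits argument is the list of specific return codes of interest mentioned above; pass the negative errno values the kernel reports in exit= (for example -13 for EACCES, -2 for ENOENT), or leave it as None to report every failure.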