On Monday, February 10, 2014 07:20:37 PM Margaret M Sanders wrote: aureport is a good starting point. As for what you want out of it...that would depend on your security policy and threat model. For example, I put key labels on all rules. So, the main thing I want to see is the key summary report so that I have a general idea of what is going on with the system. Based on that, I then look closer at events with certain keys. For others, its different. I have seen in the past perl scripts that run several aureport commands and formats it into a report. But there really isn't a consensus on what a standard report would be. The audit.rules man page has some tips and pointers for rules and investigations. There is also some documentation here: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Lin... and other distributions have documentation you can look at as well. Try "linux audit documentation" as a search to find more. -Steve