Thanks Steve. I thought you may have implemented this already!
Kevin
-----Original Message-----
From: Steve Grubb <sgrubb(a)redhat.com>
Sent: Thursday, June 06, 2019 9:54 AM
To: linux-audit(a)redhat.com
Cc: Boyce, Kevin P [US] (AS) <Kevin.Boyce(a)ngc.com>
Subject: EXT :Re: Auditd Troubleshooting
On Thursday, June 6, 2019 9:31:41 AM EDT Boyce, Kevin P [US] (AS) wrote:
Dear List,
It would be really great if there were an audit rule hit counter like
many firewalls have when IP traffic passes through a filter rule.
This would be beneficial for finding rules that might not be working
as intended (to fix user implementation problems).
I'm thinking it would be a switch option on auditctl -l (maybe -h for
hitcount). This would list each rule that the kernel has, and how
many times since auditd started that an event matched the rule.
Is this within the realm of feasibility? Does this function exist
maybe elsewhere in the audit suite (like aureport)?
Assuming that you put a key on each rule, you can get this functionality like
this:
aureport --start boot --key --summary
And in cases where you have multiple rules with the same key, then add a number at the end
like: time1, time2, time3, etc. Ausearch by default does partial word matching. So you can
still run "ausearch -k time" and it will find all of them regardless of the
number at the end.
-Steve
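The workflow Steve describes above (one key per rule, numbered suffixes where a key is shared, then `aureport --start boot --key --summary` to count events per key) can be turned into the per-rule hit counter Kevin asked for with a small join. The following is an added example written for this page; it is not code from the thread or from the audit project. The rules file and the aureport output are constructed samples embedded inline, and the parser assumes aureport prints its key summary as a two-column `total  key` table; the rule paths and syscalls are illustrative only.

```python
"""Emulate a per-rule hit counter for auditd: give every rule a unique
key, then join the aureport key summary back onto the rules."""
import re
from collections import Counter

# auditctl(8): a key given with -k may be at most 31 bytes long.
MAX_KEY_LEN = 31

# Constructed sample rules file (illustrative paths/syscalls, not a real policy).
SAMPLE_RULES = """\
-w /etc/localtime -p wa -k time
-a always,exit -F arch=b64 -S adjtimex,settimeofday -k time
-a always,exit -F arch=b64 -S clock_settime -k time
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
"""

# Constructed sample of `aureport --start boot --key --summary` output,
# assuming the two-column "total  key" layout of the key summary report.
SAMPLE_SUMMARY = """\

Key Summary Report
===========================
total  key
===========================
42  time2
3  time1
7  identity1
18  exec
"""

KEY_RE = re.compile(r"(-k\s+)(\S+)")


def key_of(rule_line):
    """Return the -k key of an auditctl rule line, or None if it has none."""
    m = KEY_RE.search(rule_line)
    return m.group(2) if m else None


def number_duplicate_keys(rules_text):
    """Return the rules with shared keys made unique by a numeric suffix.

    A key used by only one rule is left alone; a key used by N rules
    becomes key1 .. keyN in file order, as suggested in the thread.
    Comments and blank lines are dropped.
    """
    lines = [l for l in rules_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    uses = Counter(k for k in map(key_of, lines) if k is not None)
    seen = Counter()
    out = []
    for line in lines:
        m = KEY_RE.search(line)
        if not m or uses[m.group(2)] == 1:
            out.append(line)
            continue
        key = m.group(2)
        seen[key] += 1
        new_key = f"{key}{seen[key]}"
        if len(new_key.encode()) > MAX_KEY_LEN:
            raise ValueError(f"key {new_key!r} exceeds {MAX_KEY_LEN} bytes")
        out.append(line[:m.start(2)] + new_key + line[m.end(2):])
    return out


def parse_key_summary(report_text):
    """Parse the 'total  key' rows of an aureport key summary into {key: count}."""
    counts = {}
    for line in report_text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+)\s*$", line)
        if m:
            counts[m.group(2)] = int(m.group(1))
    return counts


def rule_hit_counts(numbered_rules, counts):
    """Pair every keyed rule with its event count; 0 marks a rule that never fired."""
    return [(rule, counts.get(key_of(rule), 0))
            for rule in numbered_rules if key_of(rule) is not None]


def keys_matching(counts, needle):
    """Keys that `ausearch -k NEEDLE` reports, given the substring matching
    described in the thread (so 'time' finds time1, time2, ...)."""
    return sorted(k for k in counts if needle in k)


if __name__ == "__main__":
    rules = number_duplicate_keys(SAMPLE_RULES)
    counts = parse_key_summary(SAMPLE_SUMMARY)
    for rule, n in rule_hit_counts(rules, counts):
        flag = "" if n else "   <-- never matched since boot; check the rule"
        print(f"{n:6d}  {rule}{flag}")
```

Rules whose key never appears in the summary come out with a count of 0, which is exactly the "rule not working as intended" signal the original question was after. In practice you would load the numbered rules with `auditctl -R` (or write them to `/etc/audit/rules.d/`), capture `aureport --start boot --key --summary` to a file, and feed both files to the two functions above instead of the constructed samples.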