audit normalizer

Steve Grubb sgrubb at redhat.com
Mon Feb 13 16:15:15 UTC 2017


Hello,

The audit user space package has gained some really interesting features during 
the 2.7.x releases. The events can now be normalized. So, what exactly does 
that mean?

Events are composed of subject, action, object, and results. With the format 
of the audit events, it can be hard for the uninitiated to really tell what's 
where with all the name=value fields and multi-lined events. What the 
normalizer does is take all that guesswork out of interpreting the event. 
It presents an API in auparse that you can use to say, give me the subject, 
give me the action, give me the results, etc.

The upshot of this is that you can use this to turn events into English 
sentences. For example, this:

time->Mon Feb 13 10:09:04 2017
type=PROCTITLE msg=audit(1486998544.895:837): 
proctitle=2F7573722F62696E2F696E7374616C6C002D6300636F6E66746573742E6F6E6500636F6E66746573742E74776F002F686F6D652F7367727562622F776F726B696E672F4255494C442F61756469742F636F6E66746573742E646972
type=PATH msg=audit(1486998544.895:837): item=0 name="/etc/selinux/config" 
inode=17041117 dev=08:32 mode=0100600 ouid=0 ogid=0 rdev=00:00 
obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL
type=CWD msg=audit(1486998544.895:837): cwd="/home/sgrubb/working/BUILD/audit"
type=SYSCALL msg=audit(1486998544.895:837): arch=c000003e syscall=2 success=no 
exit=-13 a0=7fb05b8d5b8b a1=0 a2=1b6 a3=0 items=1 ppid=30491 pid=30650 
auid=4325 uid=4325 gid=4325 euid=4325 suid=4325 fsuid=4325 egid=4325 sgid=4325 
fsgid=4325 tty=pts3 ses=4 comm="install" exe="/usr/bin/install" 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="access"

Becomes:
At 10:09:04 02/13/2017 sgrubb unsuccessfully opened-file /etc/selinux/config 
using /usr/bin/install

Big difference? Try it yourself. ausearch --start today --format text

But wait...there's more!!! ausearch can now also output events in comma 
separated values (CSV) format. What this can do for you is open the whole world 
to high quality visualizations of audit events. You can do this:

ausearch --start today --format csv > audit.csv

Then you can open the file with libreoffice if you like:

ooffice  audit.csv

Review the sample import and adjust, or click on OK when it asks. Then you 
should see the audit data in nice neat columns with one event per row. If you 
like using spreadsheets to do charts and graphs, have at it.

Or, you can close the spreadsheet and visit here:
http://app.rawgraphs.io/

Open your csv file in gedit or something and select all rows and copy to the 
clipboard. Then paste your data into the box at app.rawgraphs.io. Then select 
alluvial diagram. Then scroll down to "map your dimensions". Grab "subj_prime" 
and drag it to the box labeled "steps". Then grab "event_kind" and drag it 
under "subj_prime". Then grab "action" and drag it under "event_kind". This 
shows who is doing what kind of things on the system.

If you wanted to see what login accounts transition to other accounts, delete 
the green boxes in the "steps" section and grab "subj_prime" and drag it to 
the "steps". Then grab "subj_sec" and drag it under "subj_prime". There's your 
chart. It's that easy.

There are a few things that say "unknown". This is caused by malformed events 
that we are still working to correct. Feel free to experiment. You can't 
really break anything.

As mentioned before, I will be starting up a blog to explain how to use the R 
programming language to create interesting reports. With the logs normalized, 
we can now use Data Science tools to look at logs. That opens a whole lot of 
doors.

-Steve
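
The following is an added example, not part of Steve's post and not the audit 
project's own normalizer code. It re-implements, for the one event quoted 
above, what the auparse normalizer does: split the multi-line event into its 
records, pick out the subject (auid), action (syscall), object (first PATH 
name), result (success=) and how (exe), and render the same English sentence 
that `ausearch --format text` printed. The auid-to-name table, the small 
syscall-to-verb table and the UTC-5 local timezone are assumptions made so the 
output matches the post; the event text is the one quoted above, embedded 
inline. It also decodes the hex-encoded proctitle field, which the raw event 
shows but the sentence does not use.

```python
"""Toy re-implementation of the normalization step for one SYSCALL event.

Added example; NOT the audit project's auparse normalizer.  Assumptions:
  * AUID_NAMES and X86_64_VERBS are constructed lookup tables;
  * the poster's local zone is taken as UTC-5 so the rendered time matches
    the post (msg=audit(<secs>.<ms>:<serial>) carries UTC epoch seconds);
  * the primary object is the first PATH record seen.
"""
import re
from datetime import datetime, timedelta, timezone

# The event quoted in the post (one record per line).
RAW_EVENT = """\
type=PROCTITLE msg=audit(1486998544.895:837): proctitle=2F7573722F62696E2F696E7374616C6C002D6300636F6E66746573742E6F6E6500636F6E66746573742E74776F002F686F6D652F7367727562622F776F726B696E672F4255494C442F61756469742F636F6E66746573742E646972
type=PATH msg=audit(1486998544.895:837): item=0 name="/etc/selinux/config" inode=17041117 dev=08:32 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL
type=CWD msg=audit(1486998544.895:837): cwd="/home/sgrubb/working/BUILD/audit"
type=SYSCALL msg=audit(1486998544.895:837): arch=c000003e syscall=2 success=no exit=-13 a0=7fb05b8d5b8b a1=0 a2=1b6 a3=0 items=1 ppid=30491 pid=30650 auid=4325 uid=4325 gid=4325 euid=4325 suid=4325 fsuid=4325 egid=4325 sgid=4325 fsgid=4325 tty=pts3 ses=4 comm="install" exe="/usr/bin/install" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="access"
"""

# Constructed lookup tables (assumptions, not from the post).
AUID_NAMES = {4325: "sgrubb", 0: "root"}
X86_64_VERBS = {2: "opened-file", 257: "opened-file", 59: "executed", 87: "deleted"}
LOCAL_TZ = timezone(timedelta(hours=-5))   # assumption: poster's local zone

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')


def decode_hex_field(value):
    """Audit hex-encodes values containing spaces or NULs (e.g. proctitle).
    NUL separates argv entries; return them space-joined.  A value that is
    not hex (already a plain, formerly quoted string) is returned as-is."""
    try:
        return bytes.fromhex(value).replace(b"\0", b" ").decode("utf-8", "replace")
    except ValueError:
        return value


def parse_event(text):
    """Split a multi-line event into {record_type: {field: value}} plus the
    event's epoch timestamp and serial number.  Quotes are stripped."""
    records, ts, serial = {}, None, None
    for line in text.splitlines():
        if not line.startswith("type="):
            continue
        m = _MSG.search(line)
        ts, serial = int(m.group(1)), int(m.group(3))
        fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
        rtype = fields.pop("type")
        records.setdefault(rtype, fields)   # first record of a type wins
    return {"ts": ts, "serial": serial, "records": records}


def normalize(event):
    """Derive subject, action, object, result and 'how' for a SYSCALL event.
    Other event kinds need their own rules and are out of scope here."""
    recs = event["records"]
    sc = recs.get("SYSCALL")
    if sc is None:
        return None
    auid, uid = int(sc["auid"]), int(sc["uid"])
    return {
        "ts": event["ts"],
        "subj_prime": AUID_NAMES.get(auid, f"auid={auid}"),
        "subj_sec": AUID_NAMES.get(uid, f"uid={uid}"),
        "action": X86_64_VERBS.get(int(sc["syscall"]), f"syscall-{sc['syscall']}"),
        "result": "successfully" if sc.get("success") == "yes" else "unsuccessfully",
        "obj_prime": recs.get("PATH", {}).get("name")
                     or recs.get("CWD", {}).get("cwd", "?"),
        "how": sc.get("exe", "?"),
        "proctitle": decode_hex_field(recs.get("PROCTITLE", {}).get("proctitle", "")),
    }


def to_sentence(norm, tz=LOCAL_TZ):
    """Render the normalized fields the way `ausearch --format text` does."""
    when = datetime.fromtimestamp(norm["ts"], tz).strftime("%H:%M:%S %m/%d/%Y")
    return (f"At {when} {norm['subj_prime']} {norm['result']} {norm['action']} "
            f"{norm['obj_prime']} using {norm['how']}")


if __name__ == "__main__":
    n = normalize(parse_event(RAW_EVENT))
    print(to_sentence(n))
    print("proctitle:", n["proctitle"])
```

The real normalizer covers many more event types and syscalls than the two 
tables here; the point is that once subject, action, object and result are 
fields instead of free text, the sentence, the CSV row and a chart are all 
trivial projections of the same record.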




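A second added example, again not from the post: the two alluvial diagrams 
built by hand at app.rawgraphs.io above are just counts over column tuples of 
the `ausearch --format csv` output, so they can be computed offline. The 
script counts who (subj_prime) does what kind of event (event_kind) with 
which action, and which login accounts act as a different account 
(subj_prime to subj_sec), and keeps rows containing "unknown" (the malformed 
events the post mentions) in a separate tally instead of mixing them in. The 
CSV header and rows are constructed for the example using the column names 
the post refers to; columns are selected by name, so extra or reordered 
columns in real ausearch output do not matter.

```python
"""Offline version of the two rawgraphs alluvial views of ausearch CSV output.

Added example; the sample CSV is constructed (column names follow the post,
real ausearch output may carry more columns or different capitalization).
"""
import csv
import io
from collections import Counter

SAMPLE_CSV = """\
event,date,time,event_kind,subj_prime,subj_sec,action,result,obj_prime,how
SYSCALL,02/13/2017,10:09:04,file-system,sgrubb,sgrubb,opened-file,failed,/etc/selinux/config,/usr/bin/install
SYSCALL,02/13/2017,10:10:11,file-system,sgrubb,sgrubb,opened-file,success,/etc/hosts,/usr/bin/cat
USER_START,02/13/2017,10:12:30,user-session,sgrubb,root,started-session,success,/dev/pts/3,/usr/bin/sudo
SYSCALL,02/13/2017,10:12:31,file-system,sgrubb,root,opened-file,success,/etc/shadow,/usr/bin/cat
USER_LOGIN,02/13/2017,10:15:00,user-login,unknown,unknown,logged-in,failed,?,/usr/sbin/sshd
"""


def load_rows(text):
    """Parse CSV text (as produced by `ausearch --format csv`) into dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def flows(rows, *columns):
    """Count each distinct path through the given columns; these are the
    rawgraphs 'steps'.  Rows with 'unknown' in any step are tallied apart
    so malformed events do not distort the picture."""
    known, unknown = Counter(), Counter()
    for r in rows:
        path = tuple(r[c] for c in columns)
        (unknown if "unknown" in path else known)[path] += 1
    return known, unknown


def account_transitions(rows):
    """subj_prime -> subj_sec pairs where the login account acted as some
    other account (sudo, su, ...); self-pairs and unknowns are dropped."""
    known, _ = flows(rows, "subj_prime", "subj_sec")
    return Counter({p: n for p, n in known.items() if p[0] != p[1]})


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    known, unk = flows(rows, "subj_prime", "event_kind", "action")
    for path, n in known.most_common():
        print(f"{n:3d}  " + " -> ".join(path))
    print("rows with unknown fields:", sum(unk.values()))
    for (login, acting), n in account_transitions(rows).items():
        print(f"{login} acted as {acting}: {n} events")
```

To run this on a real system, replace SAMPLE_CSV with the contents of the 
audit.csv file produced by the ausearch command above.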