Introducing audit-explorer

Vincas Dargis vindrg at gmail.com
Wed Jun 28 16:31:12 UTC 2017 

2017.06.20 20:22, Steve Grubb wrote:
> I am working my way around to this. For one, its hard to imagine all the
> reports that might be of interest without overwhelming the report. If we could
> define a small list of what is expected or useful, then we can work towards
> this.

Well, we have `aureport --summary`, and if any of these summary items has non-zero
event count, it would be useful to know the details.

If there is: "Number of users: 5", automatically output of `aureport --summary -u`
might be useful.

For flexibility, if there are:

"Number of executables: 14"

And if one has custom audit rule with it's filter key set, with (pseudo) configuration as:

alias="Commands executd as root:",
executables,
key=root,
type=EXECVE,
<something more fore aggregation?>

Administrator could receive something like this (it's snippet from my homebrew script):

--- Commands executed as root: ---

       1 a0="/usr/sbin/exim4" a1="-Mc" a2="1dPibe-000889-Jy"
       1 a0="/usr/sbin/exim4" a1="-Mc" a2="1dPn4O-0006hm-2W"
       1 a0="/usr/sbin/exim4" a1="-Mc" a2="1dPnE4-0002ux-4g"
       1 a0="/usr/sbin/exim4" a1="-Mc" a2="1dPyzk-00032N-PR"
       1 a0="/usr/sbin/exim4" a1="-Mc" a2="1dPz9Q-0005QM-4E"
       3 a0="sudo" a1="-i"
       4 a0="send-mail" a1="-i" a2="--" a3="root at localhost"
      48 a0="/usr/sbin/exim4" a1="-q"
     288 a0="/usr/bin/sudo" a1="-u" a2="root" a3="/usr/sbin/exim4" a4="-bpc"
     288 a0="/usr/sbin/exim4" a1="-bpu"
    1440 a0="sudo" a1="/usr/local/nagios/plugins/check_apparmor_unconfined_with_profile"



> The aureport tool is good at doing summary reports. It's about 12 years old.
> There are newer technologies that might be better to use. For example, how
> would people like to see reporting in a Jupyter notebook? If you don't know
> what a Jupyter notebook is, then take a few minutes and google it. Or take a
> look here:
> 
> https://github.com/jupyter/jupyter/wiki/A-gallery-of-interesting-Jupyter-Notebooks

Can't comment it yet, needs free few minutes :-) .

> Yes. Another way forward might be to use the CSV extraction options in
> ausearch and send that into a SQL database. Then any SQL reporting tool out
> there can be used.

Yeah, good idea with CSV. I guess SQLite could be rather enough for such reporting.

> I'm going to be starting the 2.8 development cycle in the near future. The
> goal for it is to get the remote logging better and continue improving the
> auparse_normalizer API. This will directly lead to more and better reporting
> options.
> 
> Things that may be possible:
> push events in realtime to datalake such as kafka
> push events in realtime to SQL database
> demux events out of rsyslog and push into audit aggregation server
> enhance collectors for various SIEMs

Yes, sending to Graylog using GELF format would be useful too, for example.

> Of course to do any of this means I need participation and collaboration from
> the community. I can't guess what people need to hook up the audit trail to
> reporting tools.

Sure thing. It would be nice to have feedback about this topic from administrators
handling big shops, my comments are rather amateurish.

More information about the Linux-audit mailing list