Auditd Troubleshooting
Steve Grubb
sgrubb at redhat.com
Thu Jun 6 13:54:19 UTC 2019
On Thursday, June 6, 2019 9:31:41 AM EDT Boyce, Kevin P [US] (AS) wrote:
> Dear List,
>
> It would be really great if there were an audit rule hit counter like many
> firewalls have when IP traffic passes through a filter rule.
>
> This would be beneficial for finding rules that might not be working as
> intended (to fix user implementation problems).
>
> I'm thinking it would be a switch option on auditctl -l (maybe -h for
> hitcount). This would list each rule that the kernel has, and how many
> times since auditd started that an event matched the rule.
>
> Is this within the realm of feasibility? Does this function exist maybe
> elsewhere in the audit suite (like aureport)?
Assuming that you put a key on each rule, you can get this functionality like
this:
aureport --start boot --key --summary
And in cases where you have multiple rules with the same key, then add a
number at the end like: time1, time2, time3, etc. Ausearch by default does
partial word matching. So you can still run "ausearch -k time" and it will
find all of them regardless of the number at the end.
-Steve
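An added example, not from Steve's reply or from the audit project: a small Python tally over constructed audit.log records that reproduces the per-key event count the aureport command above gives, plus the partial key matching the numbered-key tip relies on (modelled here as a substring test, an assumption). It also handles the caveat a raw grep misses: when one event matches several keyed rules, the kernel joins the keys with a 0x01 separator and hex-encodes the whole key= field.

```python
import re
from collections import Counter

# Constructed sample audit.log records (not from the original thread). Rules were
# loaded with keys time1, time2 and exec1. Event 104 matched two keyed rules, so
# its key field is hex("time1\x01exec1"); event 105 matched no keyed rule.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1559825000.123:101): arch=c000003e syscall=227 success=yes exit=0 comm="date" key="time1"
type=SYSCALL msg=audit(1559825001.456:102): arch=c000003e syscall=227 success=yes exit=0 comm="hwclock" key="time2"
type=SYSCALL msg=audit(1559825002.789:103): arch=c000003e syscall=59 success=yes exit=0 comm="bash" key="exec1"
type=SYSCALL msg=audit(1559825003.000:104): arch=c000003e syscall=59 success=yes exit=0 comm="date" key=74696D6531016578656331
type=PATH msg=audit(1559825003.000:104): item=0 name="/usr/bin/date" inode=1234 mode=0100755
type=SYSCALL msg=audit(1559825004.000:105): arch=c000003e syscall=1 success=yes exit=3 comm="cat" key=(null)
"""

KEY_RE = re.compile(r'\skey=(?:"([^"]*)"|([0-9A-Fa-f]+)|\(null\))')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')


def decode_keys(quoted, hexed):
    """Return the list of rule keys carried by one key= field."""
    if quoted is not None:
        return [quoted]
    if hexed is not None:
        # Several keys: hex-encoded "key1\x01key2" (this is what ausearch -i decodes)
        return bytes.fromhex(hexed).decode("ascii", "replace").split("\x01")
    return []  # key=(null): the event matched no keyed rule


def key_hit_counts(log_text):
    """Count events (not records) per rule key, like aureport --key --summary."""
    counts, seen = Counter(), set()
    for line in log_text.splitlines():
        key_m, serial_m = KEY_RE.search(line), SERIAL_RE.search(line)
        if not key_m or not serial_m:
            continue  # PATH/CWD records etc. carry no key field
        for key in decode_keys(key_m.group(1), key_m.group(2)):
            event_key = (serial_m.group(1), key)
            if event_key not in seen:  # one hit per event per key
                seen.add(event_key)
                counts[key] += 1
    return counts


def hits_for_partial_key(counts, fragment):
    """Total hits for all keys containing fragment, e.g. 'time' -> time1 + time2."""
    return sum(n for key, n in counts.items() if fragment in key)


if __name__ == "__main__":
    tally = key_hit_counts(SAMPLE_LOG)
    for key, n in sorted(tally.items()):
        print(f"{n:>6}  {key}")
    print(f"{hits_for_partial_key(tally, 'time'):>6}  time* (all numbered time rules)")
```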