EXT :Re: Auditd Troubleshooting

Boyce, Kevin P [US] (AS) Kevin.Boyce at ngc.com
Thu Jun 6 15:01:33 UTC 2019


Thanks Steve.  I thought you may have implemented this already!

Kevin

-----Original Message-----
From: Steve Grubb <sgrubb at redhat.com> 
Sent: Thursday, June 06, 2019 9:54 AM
To: linux-audit at redhat.com
Cc: Boyce, Kevin P [US] (AS) <Kevin.Boyce at ngc.com>
Subject: EXT :Re: Auditd Troubleshooting

On Thursday, June 6, 2019 9:31:41 AM EDT Boyce, Kevin P [US] (AS) wrote:
> Dear List,
> 
> It would be really great if there were an audit rule hit counter like 
> many firewalls have when IP traffic passes through a filter rule.
> 
> This would be beneficial for finding rules that might not be working 
> as intended (to fix user implementation problems).
> 
> I'm thinking it would be a switch option on auditctl -l (maybe -h for 
> hitcount).  This would list each rule that the kernel has, and how 
> many times since auditd started that an event matched the rule.
> 
> Is this within the realm of feasibility?  Does this function exist 
> maybe elsewhere in the audit suite (like aureport)?

Assuming that you put a key on each rule, you can get this functionality like
this:

aureport --start boot --key --summary

And in cases where you have multiple rules with the same key, then add a number at the end like: time1, time2, time3, etc. Ausearch by default does partial word matching. So you can still run "ausearch -k time" and it will find all of them regardless of the number at the end.

-Steve
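
The per-key counting that Steve's `aureport --start boot --key --summary` produces, reproduced over a log excerpt as an added example (this is not code from the thread or from the audit project, and `aureport` itself remains the tool to use on a live host). The records in `SAMPLE_LOG` are constructed, not real system output. The script counts distinct events per key, so the three records of event 201 count once, and it shows why the `time1`, `time2` suffix convention works with the partial matching of `ausearch -k time`. It also handles the case where one event matched several keyed rules, which the kernel writes as a hex-encoded `key=` field with 0x01 between the individual keys; that encoding is an assumption the example relies on rather than something stated in the thread.

```python
import re
from collections import Counter

# Constructed sample audit.log records (not from a real system).  Event 205
# matched two keyed rules at once; the key field is then hex-encoded, with
# 0x01 separating the individual keys ("time1\x01time2") -- an assumption
# about the log format that this example relies on.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1559833800.101:201): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="date" exe="/usr/bin/date" key="time1"
type=CWD msg=audit(1559833800.101:201): cwd="/root"
type=PATH msg=audit(1559833800.101:201): item=0 name="/etc/localtime" inode=1234 mode=0100644
type=SYSCALL msg=audit(1559833800.102:202): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="time2"
type=SYSCALL msg=audit(1559833800.103:203): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="identity"
type=SYSCALL msg=audit(1559833800.104:204): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="ls" exe="/usr/bin/ls" key=(null)
type=SYSCALL msg=audit(1559833800.105:205): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="cp" exe="/usr/bin/cp" key=74696D65310174696D6532
type=SYSCALL msg=audit(1559833800.106:206): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="date" exe="/usr/bin/date" key="time1"
"""

# The timestamp:serial pair identifies one event; all its records share it.
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
# key= is the last field of a SYSCALL record: a quoted name, (null), or hex.
KEY_RE = re.compile(r'\bkey=(?:"([^"]*)"|\(null\)|([0-9A-Fa-f]+))\s*$')


def parse_record(line):
    """Return (event_id, set_of_keys) for one record; keys is empty when none."""
    m = EVENT_RE.search(line)
    if not m:
        return None, set()
    event_id = m.group(1)
    k = KEY_RE.search(line)
    if not k:
        return event_id, set()
    if k.group(1) is not None:           # key="name"
        return event_id, {k.group(1)}
    if k.group(2) is not None:           # hex-encoded: several keys joined by 0x01
        raw = bytes.fromhex(k.group(2)).decode("utf-8", "replace")
        return event_id, {part for part in raw.split("\x01") if part}
    return event_id, set()               # key=(null): no rule key on this event


def keys_per_event(log_text):
    """Merge every record of an event and collect the keys the event carries."""
    events = {}
    for line in log_text.splitlines():
        event_id, keys = parse_record(line)
        if event_id is None:
            continue
        events.setdefault(event_id, set()).update(keys)
    return events


def key_summary(log_text):
    """Distinct events per key, the figure `aureport --key --summary` reports."""
    counts = Counter()
    for keys in keys_per_event(log_text).values():
        for key in keys:
            counts[key] += 1
    return dict(counts)


def events_matching(log_text, fragment):
    """Event ids whose key contains `fragment`, like the partial match of ausearch -k."""
    return sorted(eid for eid, keys in keys_per_event(log_text).items()
                  if any(fragment in key for key in keys))


if __name__ == "__main__":
    for key, n in sorted(key_summary(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:>6}  {key}")
    print("ausearch -k time would cover events:", events_matching(SAMPLE_LOG, "time"))
```

A rule whose key never appears in the summary after a representative workload is the "not working as intended" case Kevin was after; a key that appears far more often than expected usually points at a rule that is broader than the author meant it to be.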