- 1 Vapor IO Brings OpenDCRE to General Availability
- 2 VMware Takes the Wraps Off vRealize Automation and vRealize Business
- 3 Microsoft Previews Hyper-V Containers for Windows Server 2016
- 4 Mirantis Led FUEL Project Gets Installed Under OpenStack Big Tent
- 5 Red Hat Enterprise Linux 7.2 Adds Security, DR Features
Tip of the Trade: mkbar and mkgraph
Red Hat Enterprise Linux and its extended family, Fedora, CentOS, and the rest of the gang, include a fairly new kernel logging subsystem called auditd. auditd has three components: auditctl, ausearch and aureport. auditctl is the auditing daemon, ausearch is a search tool, and aureport is for formatting the data into nice neat columns. mkbar and mkgraph make it easy to draw pretty graphs from SELinux audit data.
auditd works for any LSM (Linux security module)-based subsystems, such as SELinux. It can record virtually all kernel activity, such as logins, executables, users, file access, syscalls, and any event types from applications that have been designed to send them.
Test-based tools are okay, but graphs are usually better when you need to analyze large globs of logging data. This is a sample of the raw data from /var/log/audit/audit.log:
type=CONFIG_CHANGE msg=audit(1202382129.956:8): audit_backlog_limit=320 old=64 by
21. 02/07/2008 03:05:50 carla :0 ? /usr/sbin/gdm-binary 29 22. 02/07/2008 03:05:50 carla :0 localhost.localdomain /usr/sbin/gdm-binary 30 23. 02/07/2008 03:10:52 carla ? ? /usr/sbin/userhelper 31 24. 02/07/2008 03:10:52 carla ? ? /usr/sbin/userhelper 32