
Tip of the Trade: mkbar and mkgraph

Written By
Carla Schroder
Jul 20, 2010



Red Hat Enterprise Linux and its extended family, Fedora, CentOS, and the rest of the gang, include a fairly new kernel logging subsystem called auditd. auditd has three components: auditctl, ausearch and aureport. auditctl is the auditing daemon, ausearch is a search tool, and aureport is for formatting the data into nice neat columns.

mkbar and mkgraph make it easy to draw pretty graphs from SELinux audit data.

auditd works for any LSM (Linux Security Module)-based subsystem, such as SELinux. It can record virtually all kernel activity, such as logins, executables, users, file access, syscalls, and any event types from applications that have been designed to send them.

Text-based tools are okay, but graphs are usually better when you need to analyze large globs of logging data. This is a sample of the raw data from /var/log/audit/audit.log:

type=CONFIG_CHANGE msg=audit(1202382129.956:8): audit_backlog_limit=320 old=64 by auid=4294967295 res=1
type=USER_AUTH msg=audit(1202382217.315:11): user pid=2129 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=root exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1202382217.326:12): user pid=2129 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=root exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'

aureport makes this a little nicer:

21. 02/07/2008 03:05:50 carla :0 ? /usr/sbin/gdm-binary 29
22. 02/07/2008 03:05:50 carla :0 localhost.localdomain /usr/sbin/gdm-binary 30
23. 02/07/2008 03:10:52 carla ? ? /usr/sbin/userhelper 31
24. 02/07/2008 03:10:52 carla ? ? /usr/sbin/userhelper 32

But still, “a picture is worth a thousand words.” mkgraph creates graphs that show the relationships between the various logged events, and mkbar creates bar graphs. You can see examples of these and get more information at Audit Data Visualization.
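
As an added example (not part of the original article, and not mkbar's own code), the Python below parses records in the audit.log format shown above and tallies them by event type and result, which is the kind of count a bar graph displays. The function names are hypothetical, and the sample input is the three records quoted above, embedded as constructed test data.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: the three records quoted in the article, one per line.
SAMPLE = """\
type=CONFIG_CHANGE msg=audit(1202382129.956:8): audit_backlog_limit=320 old=64 by auid=4294967295 res=1
type=USER_AUTH msg=audit(1202382217.315:11): user pid=2129 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=root exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1202382217.326:12): user pid=2129 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=root exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
"""

# Record header: type, then msg=audit(<epoch seconds>.<ms>:<serial>):
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value, where the value may be double-quoted, single-quoted, or bare
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def clean(value):
    """Drop surrounding double quotes and the ')' or ',' left by '(a=?, b=?)'."""
    return value.strip('"').rstrip("),")

def parse_record(line):
    """Return a dict for one audit record, or None if the line is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "serial": int(m.group(3)),
           "time": datetime.fromtimestamp(float(m.group(2)), tz=timezone.utc)}
    for key, val in FIELD.findall(m.group(4)):
        if key == "msg" and val.startswith("'"):
            # User-space records nest their own fields inside msg='...'
            rec.update((k, clean(v)) for k, v in FIELD.findall(val[1:-1]))
        else:
            rec[key] = clean(val)  # auid=4294967295 is (uint32)-1: login uid unset
    return rec

def summarize(text):
    """Count records by event type and result field."""
    recs = filter(None, map(parse_record, text.splitlines()))
    return Counter(f"{r['type']} res={r.get('res', '?')}" for r in recs)

def bar_chart(counts, width=40):
    """Render the counts as text bars, largest first."""
    top = max(counts.values(), default=1)
    return [f"{label:<28} {'#' * max(1, round(width * n / top))} {n}"
            for label, n in counts.most_common()]

if __name__ == "__main__":
    print("\n".join(bar_chart(summarize(SAMPLE))))
```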

Carla Schroder is a ServerWatch contributor.
