Red Hat Enterprise Linux and its extended family, Fedora, CentOS, and the rest of the gang, include a fairly new kernel logging subsystem called auditd. auditd has three components: auditctl, ausearch and aureport. auditctl is the auditing daemon, ausearch is a search tool, and aureport is for formatting the data into nice neat columns.
mkbar and mkgraph make it easy to draw pretty graphs from SELinux audit data.
auditd works with any LSM (Linux security module)-based subsystem, such as SELinux. It can record virtually all kernel activity, such as logins, executables, users, file access, syscalls, and any event types from applications that have been designed to send them.
Text-based tools are okay, but graphs are usually better when you need to analyze large globs of logging data. This is a sample of the raw data from /var/log/audit/audit.log:
type=CONFIG_CHANGE msg=audit(1202382129.956:8): audit_backlog_limit=320 old=64 by
aureport makes this a little nicer:
21. 02/07/2008 03:05:50 carla :0 ? /usr/sbin/gdm-binary 29
22. 02/07/2008 03:05:50 carla :0 localhost.localdomain /usr/sbin/gdm-binary 30
23. 02/07/2008 03:10:52 carla ? ? /usr/sbin/userhelper 31
24. 02/07/2008 03:10:52 carla ? ? /usr/sbin/userhelper 32
But still, “a picture is worth a thousand words.” mkgraph creates graphs that show the relationships between the various logged events, and mkbar creates bar graphs. You can see examples of these and get more information at Audit Data Visualization.
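As an added example that is not part of this article or of the audit package, here is a small Python parser for the audit.log record format shown above (type=... msg=audit(epoch.millis:serial): key=value fields, with the nested msg='...' block that login records carry), which tallies records by type or executable and renders the tally as a text bar graph in the spirit of mkbar. The log lines are constructed samples, not real data.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records in the /var/log/audit/audit.log layout; not real log data.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1202382129.956:8): audit_backlog_limit=320 old=64 by auid=4294967295
type=USER_LOGIN msg=audit(1202382350.102:21): user pid=2930 uid=0 auid=500 msg='acct="carla" exe="/usr/sbin/gdm-binary" res=success'
type=USER_LOGIN msg=audit(1202382350.103:22): user pid=2930 uid=0 auid=500 msg='acct="carla" exe="/usr/sbin/gdm-binary" res=success'
type=USER_AUTH msg=audit(1202382652.410:23): user pid=3017 uid=500 auid=500 msg='acct="root" exe="/usr/sbin/userhelper" res=failed'
type=USER_AUTH msg=audit(1202382652.411:24): user pid=3017 uid=500 auid=500 msg='acct="root" exe="/usr/sbin/userhelper" res=success'
"""

# Record header: type=<TYPE> msg=audit(<epoch.millis>:<serial>): <rest of fields>
HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# key=value pairs; values may be "double-quoted", 'single-quoted' or bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

def parse_line(line):
    """Return a dict for one audit record, or None if the header does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]),
           "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)}
    for key, val in FIELD_RE.findall(m["rest"]):
        if val.startswith("'"):  # nested msg='...' block: hoist its inner fields into the record
            rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(val[1:-1])})
        else:
            rec[key] = val.strip('"')
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def count_by(records, key):
    """Tally records by a field such as 'type' or 'exe'; missing fields count under '?'."""
    return Counter(r.get(key, "?") for r in records)

def text_bars(counts, width=40):
    """Render a tally as an ASCII bar graph, one row per bucket, largest first."""
    peak = max(counts.values(), default=1)
    return "\n".join(f"{k:<14} {'#' * (v * width // peak):<{width}} {v}"
                     for k, v in counts.most_common())

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(text_bars(count_by(recs, "type")))
    print(text_bars(count_by(recs, "exe")))
```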