Tips from an RHCE: Visualizing audit logs with mkbar
by the editorial team
The 2.6 Linux kernel comes with a very flexible and powerful auditing subsystem called auditd. auditd is composed of two parts. The main work is done in kernel-space (kernel/audit.c, kernel/auditsc.c). In user-land, auditd listens for the generated audit events. auditd is able to log file-watches as well as syscalls. All LSM-based subsystems, for example SELinux, log via auditd as well. All events are written to /var/log/audit/audit.log.
A typical log message for an SELinux AVC denial looks like this:
type=AVC msg=audit(1194365688.964:124): avc: denied { search } for
pid=16063 comm="sh" name="ftp" dev=dm-2 ino=9198817
scontext=system_u:system_r:vpnc_t:s0
tcontext=system_u:object_r:public_content_t:s0 tclass=dir
aureport is a tool which generates summaries based on your audit data. To get a summary of all AVC messages starting on Dec 1st 2007, just call aureport like this:
[root@tiffy ~]# aureport --avc --summary --start 12/01/2007

Avc Object Summary Report
=================================
total  obj
=================================
22  system_u:object_r:public_content_t:s0
19  system_u:object_r:user_home_t:s0
15  system_u:object_r:file_t:s0
11  system_u:system_r:gpodder_t:s0
11  system_u:system_r:mono_t:s0
9  system_u:object_r:auditd_etc_t:s0
8  system_u:object_r:tmpfs_t:s0
8  system_u:object_r:tmp_t:s0
4  system_u:object_r:src_t:s0
4  system_u:object_r:mono_exec_t:s0
2  system_u:object_r:xdm_tmp_t:s0
2  system_u:object_r:user_gnome_home_t:s0
2  system_u:object_r:system_dbusd_var_run_t:s0
2  system_u:object_r:unconfined_tmpfs_t:s0
1  system_u:object_r:boot_t:s0
1  system_u:system_r:system_dbusd_t:s0
1  system_u:system_r:unconfined_t:s0
1  system_u:system_r:java_t:s0
1  system_u:object_r:lib_t:s0
1  system_u:object_r:user_home_dir_t:s0
1  system_u:object_r:var_log_t:s0
1  system_u:system_r:unconfined_execmem_t:s0
Now, ever wondered how to make these magic lines look more user-friendly?
Steve Grubb wrote a small script called mkbar. It converts these lines into gnuplot-compatible data. Gnuplot is a 2D/3D plotting program which is able to produce nice-looking graphics. If you would like to get a graphic showing which SELinux file types are generating an AVC message (and in what proportions), just call aureport and pipe its output through mkbar:
[root@tiffy ~]# aureport --avc --summary --start 12/01/2007 | mkbar avc
Wrote avc.png
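The two steps above, aureport reducing raw AVC records to a "count, object" table and mkbar turning that table into gnuplot input, can be followed end to end in a few dozen lines. The script below is an added example written for this page; it is not the article's code and not Steve Grubb's mkbar. It parses raw audit.log AVC records (the sample records are constructed, modelled on the one shown earlier), counts denials per target context the way the "total obj" report does, also accepts an existing aureport summary, and emits a gnuplot data file plus a plotting script. The file names avc.dat, avc.gp and avc.png are assumptions.

```python
"""Added example: from raw AVC records (or an aureport summary) to gnuplot data.
Not mkbar and not the article's code; all sample input below is constructed."""
import re
from collections import Counter

# Constructed audit.log records; field layout follows the AVC message in the article.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1194365688.964:124): avc: denied { search } for pid=16063 comm="sh" name="ftp" dev=dm-2 ino=9198817 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1194365690.101:125): avc: denied { read } for pid=16070 comm="sh" name="motd" dev=dm-2 ino=9198820 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(1194365701.512:130): avc: denied { write } for pid=16090 comm="gpodder" name=".cache" dev=dm-2 ino=41 scontext=system_u:system_r:gpodder_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1194365688.964:124): arch=40000003 syscall=5 success=no exit=-13
"""

# Constructed excerpt of an `aureport --avc --summary` report, as mkbar would read it.
SAMPLE_AUREPORT = """\
Avc Object Summary Report
=================================
total  obj
=================================
22  system_u:object_r:public_content_t:s0
19  system_u:object_r:user_home_t:s0
"""

# Header of an AVC record: timestamp, serial, denied/granted and the permission set.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +(?P<action>denied|granted) +\{ (?P<perms>[^}]*)\} for (?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (comm="sh") or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# One data row of the summary report: a count followed by the object label.
REPORT_ROW_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s*$')


def parse_avc(line):
    """Returns a dict for an AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "action": m["action"], "perms": m["perms"].split()}
    for key, val in FIELD_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    return rec


def summarize(lines, field="tcontext"):
    """Counts denied AVC records per value of `field` (target context by default),
    sorted like the report: highest count first, label as tie-breaker."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["action"] == "denied" and field in rec:
            counts[rec[field]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def parse_aureport_summary(text):
    """Reads the 'total obj' rows of an aureport summary into the same shape."""
    rows = []
    for line in text.splitlines():
        m = REPORT_ROW_RE.match(line)
        if m:
            rows.append((m.group(2), int(m.group(1))))
    return rows


def gnuplot_data(summary):
    """Tab-separated 'label count' rows for gnuplot's `using 2:xtic(1)`."""
    return "".join(f"{label}\t{count}\n" for label, count in summary)


def gnuplot_script(datafile="avc.dat", png="avc.png"):
    """A bar-chart script for the data file; file names are assumptions."""
    return "\n".join([
        "set terminal png size 1000,500",
        f"set output '{png}'",
        "set style data histogram",
        "set style fill solid 1.0 border -1",
        "set xtics rotate by -45",
        "set ylabel 'AVC denials'",
        f"plot '{datafile}' using 2:xtic(1) title 'per target type'",
    ]) + "\n"


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT_LOG.splitlines())
    with open("avc.dat", "w") as f:
        f.write(gnuplot_data(summary))
    with open("avc.gp", "w") as f:
        f.write(gnuplot_script())
    print("Wrote avc.dat and avc.gp; run: gnuplot avc.gp")
```

Counting by `scontext` instead of `tcontext` gives the "which domain is being denied" view; both are useful when deciding whether a denial reflects a policy gap or an actual access attempt that should stay denied. The summary parsed from aureport output feeds the same gnuplot_data function, which is all mkbar needs from it.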
Isn’t that figure somehow more meaningful than the raw audit log data?
You can download the mkbar tool and see more examples on the auditd project page.
January 23rd, 2008 at 8:22 am
[…] The average person may have a hard time finding their way around the audit daemon's logs. Red Hat Magazine has published a tip on how to use mkbar to visualize these logs. […]
March 10th, 2008 at 2:01 pm
Nice update about the kernel and the auditing of logs, toward updating one's knowledge.
March 19th, 2008 at 7:43 pm
I saw your posting and thought you might be interested to know that there is now a book on Gnuplot: “Gnuplot in Action”. You can pre-order it directly from the publisher: Manning: Gnuplot in Action.
If you want to learn more about the book and the author, check out my book page at Principal Value - Gnuplot in Action.
Let me know if you are interested in a review copy.