Visualizing Audit Data

Neither the data trail in /var/log/audit/audit.log nor the different report types generated by aureport, described in Section 29.5.2, “Generating Custom Audit Reports”, provide an intuitive reading experience to the user. The aureport output is formatted in columns and thus easily available to any sed, perl, or awk scripts that users might connect to the audit framework to visualize the audit data.

The visualization scripts (see Section 30.6, “Configuring Log Visualization”) are one example of how to use standard Linux tools available with openSUSE or any other Linux distribution to create easy-to-read audit output. The following examples help you understand how the plain audit reports can be transformed into human-readable graphics.

The first example illustrates the relationship of programs and system calls. To get to this kind of data, you need to determine the appropriate aureport command that delivers the source data from which to generate the final graphic:

aureport -s -i

Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 16/02/09 17:45:01 open 20343 cron unset 2279
2. 16/02/09 17:45:02 mkdir 20350 mktemp root 2284
3. 16/02/09 17:45:02 mkdir 20351 mkdir root 2285
...

The first thing that the visualization script needs to do on this report is to extract only those columns that are of interest, in this example the syscall and the comm columns. The output is sorted, duplicates are removed, and the final output is piped into the visualization program itself:

LC_ALL=C aureport -s -i | awk '/^[0-9]/ { print $6" "$4 }' | sort | uniq | mkgraph

Note: Adjusting the Locale

Depending on your choice of locale in /etc/sysconfig/auditd, your aureport output might contain an additional data column for AM/PM on time stamps. To avoid having this confuse your scripts, precede your script calls with LC_ALL=C to reset the locale and use the 24 hour time format.

Figure 29.2. Flow Graph—Program versus System Call Relationship


The second example illustrates the different types of events and how many of each type have been logged. The appropriate aureport command to extract this kind of information is aureport -e:

aureport -e -i --summary

Event Summary Report
======================
total  type
======================
2434  SYSCALL
816  USER_START
816  USER_ACCT
814  CRED_ACQ
810  LOGIN
806  CRED_DISP
779  USER_END
99  CONFIG_CHANGE
52  USER_LOGIN

Because this type of report already contains two-column output, it is simply fed into the visualization script and transformed into a bar chart.

aureport -e -i --summary  | mkbar events
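The two pipelines above depend on mkgraph and mkbar from the visualization scripts. The following added example (not part of the manual or the audit project's scripts) reproduces the column extraction of the first pipeline and substitutes a plain-text bar chart for mkbar, so both steps can be checked with only awk, sort and uniq. The report text is a constructed copy of the output shown above, so the script runs without a live audit log.

```shell
#!/bin/sh
# Constructed sample of "aureport -s -i" output (same columns as the manual shows).
SYSCALL_REPORT='Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 16/02/09 17:45:01 open 20343 cron unset 2279
2. 16/02/09 17:45:02 mkdir 20350 mktemp root 2284
3. 16/02/09 17:45:02 mkdir 20351 mkdir root 2285
4. 16/02/09 17:45:03 open 20352 cron unset 2286'

# Constructed sample of "aureport -e -i --summary" output.
EVENT_SUMMARY='Event Summary Report
======================
total  type
======================
2434  SYSCALL
816  USER_START
99  CONFIG_CHANGE'

# Extract unique "comm syscall" pairs from a syscall report read on stdin.
# Only numbered rows ("1. ...") carry data; header and ruler lines are skipped.
# LC_ALL=C keeps awk and sort byte-oriented and independent of the user's locale.
syscall_pairs() {
    LC_ALL=C awk '/^[0-9]/ { print $6" "$4 }' | LC_ALL=C sort | uniq
}

# Render a two-column "total type" summary read on stdin as a text bar chart
# (stand-in for mkbar). Bars are scaled so the largest total is $1 wide (default 40).
text_bar_chart() {
    width=${1:-40}
    LC_ALL=C awk -v w="$width" '
        /^[0-9]+ / { total[NR] = $1; type[NR] = $2; if ($1 > max) max = $1 }
        END {
            for (i = 1; i <= NR; i++) {
                if (!(i in total)) continue
                n = int(total[i] * w / max); bar = ""
                while (length(bar) < n) bar = bar "#"
                printf "%-14s %6d %s\n", type[i], total[i], bar
            }
        }'
}

printf '%s\n' "$SYSCALL_REPORT" | syscall_pairs
printf '%s\n' "$EVENT_SUMMARY" | text_bar_chart 30
```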

Figure 29.3. Bar Chart—Common Event Types


For background information about the visualization of audit data, refer to the Web site of the audit project at http://people.redhat.com/sgrubb/audit/visualize/index.html.