* Auditd Troubleshooting
@ 2019-06-06 13:31 Boyce, Kevin P [US] (AS)
  2019-06-06 13:54 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Boyce, Kevin P [US] (AS) @ 2019-06-06 13:31 UTC (permalink / raw)
  To: linux-audit



Dear List,

It would be really great if there were an audit rule hit counter like many firewalls have when IP traffic passes through a filter rule.

This would be beneficial for finding rules that might not be working as intended (to fix user implementation problems).

I'm thinking it would be a switch option on auditctl -l (maybe -h for hitcount).  This would list each rule that the kernel has, and how many times since auditd started that an event matched the rule.

Is this within the realm of feasibility?  Does this function exist maybe elsewhere in the audit suite (like aureport)?

Kind Regards,
Kevin





* Re: Auditd Troubleshooting
  2019-06-06 13:31 Auditd Troubleshooting Boyce, Kevin P [US] (AS)
@ 2019-06-06 13:54 ` Steve Grubb
  2019-06-06 15:01   ` EXT :Re: " Boyce, Kevin P [US] (AS)
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2019-06-06 13:54 UTC (permalink / raw)
  To: linux-audit

On Thursday, June 6, 2019 9:31:41 AM EDT Boyce, Kevin P [US] (AS) wrote:
> Dear List,
> 
> It would be really great if there were an audit rule hit counter like many
> firewalls have when IP traffic passes through a filter rule.
> 
> This would be beneficial for finding rules that might not be working as
> intended (to fix user implementation problems).
> 
> I'm thinking it would be a switch option on auditctl -l (maybe -h for
> hitcount).  This would list each rule that the kernel has, and how many
> times since auditd started that an event matched the rule.
> 
> Is this within the realm of feasibility?  Does this function exist maybe
> elsewhere in the audit suite (like aureport)?

Assuming that you put a key on each rule, you can get this functionality like 
this:

aureport --start boot --key --summary

And in cases where you have multiple rules with the same key, then add a 
number at the end like: time1, time2, time3, etc. Ausearch by default does 
partial word matching. So you can still run "ausearch -k time" and it will 
find all of them regardless of the number at the end.

-Steve
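The per-key counting that `aureport --start boot --key --summary` performs, shown as an added example that is not part of Steve's reply or of the audit project's own code: a POSIX shell script that tallies hits per rule key over raw audit.log records and then sums every key containing a given fragment, which mirrors the partial matching of `ausearch -k time` across keys named time1, time2, time3. The sample records below are constructed for this example, and the function names `key_hits` and `hits_for_prefix` are this example's own.

```shell
#!/bin/sh
# Added example: reproduce the per-key hit summary of
#   aureport --start boot --key --summary
# over raw audit.log lines, so the counting is visible.
# SAMPLE_LOG is constructed for this example, not real system output.
# It assumes each rule was loaded with a key (auditctl -k) and that a
# record carries a single key in the quoted form key="name".

SAMPLE_LOG='type=SYSCALL msg=audit(1559826000.101:201): arch=c000003e syscall=2 success=yes exit=3 key="time1"
type=SYSCALL msg=audit(1559826000.205:202): arch=c000003e syscall=2 success=yes exit=4 key="time2"
type=SYSCALL msg=audit(1559826001.010:203): arch=c000003e syscall=257 success=no exit=-13 key="time1"
type=SYSCALL msg=audit(1559826002.300:204): arch=c000003e syscall=59 success=yes exit=0 key="exec"
type=SYSCALL msg=audit(1559826003.400:205): arch=c000003e syscall=2 success=yes exit=5 key="time3"
type=CWD msg=audit(1559826003.400:205): cwd="/root"
type=SYSCALL msg=audit(1559826004.500:206): arch=c000003e syscall=2 success=yes exit=6 key=(null)'

# key_hits LOGTEXT
# Prints one "COUNT KEY" line per key, highest count first, the shape of
# the aureport key summary. Records with no key (key=(null)) or with no
# key field at all (CWD, PATH records) are skipped, so a rule that never
# fires simply does not appear: that absence is the troubleshooting signal.
key_hits() {
    printf '%s\n' "$1" |
        sed -n 's/.*key="\([^"]*\)".*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# hits_for_prefix LOGTEXT FRAGMENT
# Sums the hits of every key that contains FRAGMENT, the same partial
# matching ausearch -k applies, so "time" covers time1, time2 and time3.
hits_for_prefix() {
    key_hits "$1" |
        awk -v p="$2" 'index($2, p) > 0 { n += $1 } END { print n + 0 }'
}

# Usage on the constructed sample: per-key table, then the "time" total.
key_hits "$SAMPLE_LOG"
hits_for_prefix "$SAMPLE_LOG" time
```

One caveat for real logs: when a single event matches several rules the kernel joins their keys into one field, and auditd writes that multi-key value hex-encoded rather than as key="name", so the plain sed pattern above misses it; aureport decodes that form itself, which is one reason to prefer the real tool on a live system and use a script like this only to check your own understanding of the counts.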


* RE: EXT :Re: Auditd Troubleshooting
  2019-06-06 13:54 ` Steve Grubb
@ 2019-06-06 15:01   ` Boyce, Kevin P [US] (AS)
  0 siblings, 0 replies; 3+ messages in thread
From: Boyce, Kevin P [US] (AS) @ 2019-06-06 15:01 UTC (permalink / raw)
  To: Steve Grubb, linux-audit

Thanks Steve.  I thought you may have implemented this already!

Kevin


