* Auditd Troubleshooting
From: Boyce, Kevin P [US] (AS) @ 2019-06-06 13:31 UTC (permalink / raw)
To: linux-audit
Dear List,
It would be really great if there were an audit rule hit counter like many firewalls have when IP traffic passes through a filter rule.
This would be beneficial for finding rules that might not be working as intended (to fix user implementation problems).
I'm thinking it would be a switch option on auditctl -l (maybe -h for hitcount). This would list each rule that the kernel has, and how many times since auditd started that an event matched the rule.
Is this within the realm of feasibility? Does this function exist maybe elsewhere in the audit suite (like aureport)?
Kind Regards,
Kevin
* Re: Auditd Troubleshooting
From: Steve Grubb @ 2019-06-06 13:54 UTC (permalink / raw)
To: linux-audit
On Thursday, June 6, 2019 9:31:41 AM EDT Boyce, Kevin P [US] (AS) wrote:
> Dear List,
>
> It would be really great if there were an audit rule hit counter like many
> firewalls have when IP traffic passes through a filter rule.
>
> This would be beneficial for finding rules that might not be working as
> intended (to fix user implementation problems).
>
> I'm thinking it would be a switch option on auditctl -l (maybe -h for
> hitcount). This would list each rule that the kernel has, and how many
> times since auditd started that an event matched the rule.
>
> Is this within the realm of feasibility? Does this function exist maybe
> elsewhere in the audit suite (like aureport)?
Assuming that you put a key on each rule, you can get this functionality like
this:
aureport --start boot --key --summary
And in cases where you have multiple rules with the same key, then add a
number at the end like: time1, time2, time3, etc. Ausearch by default does
partial word matching. So you can still run "ausearch -k time" and it will
find all of them regardless of the number at the end.
-Steve
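Steve's approach (a key on every rule, then aureport --start boot --key --summary) gives a per-key total rather than a per-rule one, and keys with no events simply do not appear in the summary. The script below is an added example, not code from the thread or from the audit package: it joins an auditctl -l listing with the key summary, flags keyed rules that never fired since boot, and marks keys shared by more than one rule (the case where Steve suggests numbering them time1, time2, ...). The rule listing and the report text are constructed stand-ins, and the "total  key" column layout is an assumption about aureport's summary format, so adjust COUNT_RE if your version prints it differently.

```python
import re

# Constructed stand-in for `auditctl -l` output (hypothetical rules, not from the thread)
RULES_LISTING = """\
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time1
-a always,exit -F arch=b64 -S clock_settime -F key=time2
-w /etc/sudoers -p wa -k sudoers
-a always,exit -F arch=b64 -S mount
"""

# Constructed stand-in for `aureport --start boot --key --summary` output;
# the "total  key" column layout is an assumption about aureport's summary format.
AUREPORT_SUMMARY = """\

Key Summary Report
===========================
total  key
===========================
12  identity
3  time1
"""

# Matches both spellings auditctl accepts for a key: "-k foo" and "-F key=foo"
KEY_RE = re.compile(r"(?:-k\s+|-F\s+key=)(\S+)")
# One summary row: a count followed by the key name
COUNT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_rules(listing):
    """Return [(rule_text, [keys])] from an auditctl -l style listing."""
    rules = []
    for line in listing.splitlines():
        line = line.strip()
        if line and not line.startswith("No rules"):
            rules.append((line, KEY_RE.findall(line)))
    return rules


def parse_key_summary(report):
    """Return {key: total} from a key summary; keys with no events are absent."""
    counts = {}
    for line in report.splitlines():
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
    return counts


def rule_hit_report(listing, report):
    """Join rules to key totals. hits is None for an unkeyed rule (nothing to count)."""
    counts = parse_key_summary(report)
    rules = parse_rules(listing)
    # A key used by several rules yields one aggregate total, so those rules get flagged.
    key_users = {}
    for _, keys in rules:
        for k in keys:
            key_users[k] = key_users.get(k, 0) + 1
    rows = []
    for rule, keys in rules:
        rows.append({
            "rule": rule,
            "keys": keys,
            "hits": sum(counts.get(k, 0) for k in keys) if keys else None,
            "shared_key": any(key_users[k] > 1 for k in keys),
        })
    return rows


def zero_hit_rules(listing, report):
    """Keyed rules that produced no events since boot: candidates for a broken rule."""
    return [r["rule"] for r in rule_hit_report(listing, report) if r["hits"] == 0]


def hits_for_key_fragment(report, fragment):
    """Mirror ausearch -k partial matching: total across every key containing fragment."""
    return sum(n for k, n in parse_key_summary(report).items() if fragment in k)


if __name__ == "__main__":
    for row in rule_hit_report(RULES_LISTING, AUREPORT_SUMMARY):
        hits = "n/a (no key)" if row["hits"] is None else row["hits"]
        flag = "  [key shared by several rules]" if row["shared_key"] else ""
        print(f"{hits!s:>12}  {row['rule']}{flag}")
    print("zero-hit rules:", zero_hit_rules(RULES_LISTING, AUREPORT_SUMMARY))
    print("ausearch -k time would cover:",
          hits_for_key_fragment(AUREPORT_SUMMARY, "time"), "events")
```

On a live host, replace the two constants with the captured output of auditctl -l and aureport --start boot --key --summary. A zero-hit rule is only a lead, not proof of a broken rule: the watched path may simply not have been touched since boot, so pair the report with a deliberate, harmless access to the watched object when validating a rule.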
* RE: EXT :Re: Auditd Troubleshooting
From: Boyce, Kevin P [US] (AS) @ 2019-06-06 15:01 UTC (permalink / raw)
To: Steve Grubb, linux-audit
Thanks Steve. I thought you may have implemented this already!
Kevin