Tips from an RHCE: Visualizing audit logs with mkbar

Source: www.redhatmagazine.com  Views: 137


Provided by yangyi on 2008-02-29 18:46:56


by an editor

The 2.6 Linux kernel comes with a very flexible and powerful auditing subsystem called auditd. auditd is composed of two parts. The main work is done in kernel space (kernel/audit.c, kernel/auditsc.c); in user space, the auditd daemon listens for the generated audit events. auditd is able to log file watches as well as syscalls, and all LSM-based subsystems (for example, SELinux) log via auditd as well. All events are written to /var/log/audit/audit.log.

A typical log message for an SELinux AVC denial looks like this:

type=AVC msg=audit(1194365688.964:124): avc:  denied  { search } for
pid=16063 comm="sh" name="ftp" dev=dm-2 ino=9198817
scontext=system_u:system_r:vpnc_t:s0
tcontext=system_u:object_r:public_content_t:s0 tclass=dir

aureport is a tool that generates summaries from your audit data. To get a summary of all AVC messages starting on Dec 1st 2007, just call aureport like this:

[root@tiffy ~]# aureport --avc --summary --start 12/01/2007

Avc Object Summary Report
=================================
total  obj
=================================
22  system_u:object_r:public_content_t:s0
19  system_u:object_r:user_home_t:s0
15  system_u:object_r:file_t:s0
11  system_u:system_r:gpodder_t:s0
11  system_u:system_r:mono_t:s0
9  system_u:object_r:auditd_etc_t:s0
8  system_u:object_r:tmpfs_t:s0
8  system_u:object_r:tmp_t:s0
4  system_u:object_r:src_t:s0
4  system_u:object_r:mono_exec_t:s0
2  system_u:object_r:xdm_tmp_t:s0
2  system_u:object_r:user_gnome_home_t:s0
2  system_u:object_r:system_dbusd_var_run_t:s0
2  system_u:object_r:unconfined_tmpfs_t:s0
1  system_u:object_r:boot_t:s0
1  system_u:system_r:system_dbusd_t:s0
1  system_u:system_r:unconfined_t:s0
1  system_u:system_r:java_t:s0
1  system_u:object_r:lib_t:s0
1  system_u:object_r:user_home_dir_t:s0
1  system_u:object_r:var_log_t:s0
1  system_u:system_r:unconfined_execmem_t:s0

Now, ever wondered how to make these cryptic lines look more user-friendly?

Steve Grubb wrote a small script called mkbar. It converts these lines into gnuplot-compatible data. Gnuplot is a 2D/3D plotting program that can produce nice-looking graphics. If you would like a graphic showing which SELinux file types are generating AVC messages (and in what proportions), just call aureport and pipe its output through mkbar:

[root@tiffy ~]# aureport --avc --summary --start 12/01/2007|mkbar avc
Wrote avc.png

[Figure: avc.png, the bar chart generated by mkbar from the summary above]

Isn’t that figure somehow more meaningful than the raw audit log data?
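To show what a converter like mkbar has to do with the aureport output, here is an added example (not Steve Grubb's mkbar and not part of the original article): it parses the "total obj" rows, collapses each full security context to its SELinux type so the bar labels stay readable, and emits a gnuplot data file plus a gnuplot script that renders the bars to a PNG. The sample report rows are constructed from the output quoted above; avc.dat, avc.gp and avcbar.py are assumed file names.

```python
"""Turn `aureport --avc --summary` text into gnuplot bar-chart input.
Added example, not Steve Grubb's mkbar; no real audit data is read."""
import re, sys
from collections import Counter

# Constructed sample: rows copied from the report quoted in the article.
SAMPLE_REPORT = """\
Avc Object Summary Report
=================================
total  obj
=================================
22  system_u:object_r:public_content_t:s0
19  system_u:object_r:user_home_t:s0
11  system_u:system_r:gpodder_t:s0
"""

# A data row is "<count> <context>"; title, "total obj" and "=====" lines never start with a digit.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")

def parse_summary(text):
    """Return (count, context) pairs in report order, skipping header lines."""
    return [(int(m.group(1)), m.group(2))
            for m in map(ROW.match, text.splitlines()) if m]

def selinux_type(context):
    """user:role:type:level -> type; contexts without three colons are kept whole."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def totals_by_type(rows):
    """Sum counts per SELinux type, largest first (ties broken by name)."""
    totals = Counter()
    for count, context in rows:
        totals[selinux_type(context)] += count
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

def gnuplot_data(totals):
    """One 'label count' line per bar, the layout gnuplot's xtic() reads."""
    return "".join(f"{label} {count}\n" for label, count in totals)

def gnuplot_script(datafile, pngfile):
    """Histogram-style bars with the type name rotated under each bar."""
    return (f"set terminal png size 900,450\nset output '{pngfile}'\n"
            "set style data histograms\nset style fill solid 1.0 border -1\n"
            "set boxwidth 0.8\nset xtics rotate by -45\nset ylabel 'AVC denials'\n"
            f"plot '{datafile}' using 2:xtic(1) title 'denials by SELinux type'\n")

if __name__ == "__main__":  # usage: aureport --avc --summary | python3 avcbar.py
    rows = parse_summary(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT)
    open("avc.dat", "w").write(gnuplot_data(totals_by_type(rows)))
    open("avc.gp", "w").write(gnuplot_script("avc.dat", "avc.png"))
```

Running `gnuplot avc.gp` afterwards produces avc.png; note that the report mixes object types (object_r) with process domains (system_r), so the chart counts both unless you filter the rows first.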

You can download the mkbar tool and see more examples on the auditd project page.

The information provided in this article is for your information only. The origin of this information may be internal or external to Red Hat. While Red Hat attempts to verify the validity of this information before it is posted, Red Hat makes no express or implied claims to its validity.

Original link: http://www.redhatmagazine.com/2008/01/22/tips-from-an-rhce-visualizing-audit-logs-with-mkbar/