Chapter 6. Tools for Manipulating and Analyzing SELinux

| Option | Behavior |
| --- | --- |
| -a, --all | Show all rules. You must specify one of the rule types in your search terms: -a, --allow, --neverallow, --audit, or --type. |
| -l, --lineno | In the search results, specify the line number in policy.conf. This option is ignored when you search a binary policy. |

Table 6-1. Options for sesearch

6.2. Using seaudit for Audit Log Analysis

Troubleshooting policy violations can mean wading through convoluted audit logs. The seaudit application is designed to help you read, sort, and query your SELinux audit messages. In addition, seaudit-report generates formatted reports of SELinux messages from the audit log, useful for reports such as those generated by logwatch. The information you gather helps you in analyzing problems and creating solutions.

It is necessary to have super-user privileges to run seaudit, because it looks into system logs. For this reason, /usr/bin/seaudit is a symlink to consolehelper, as well as a program accessible directly by root at /usr/sbin/seaudit.

You can choose which log and policy file to use when starting the application, for example, seaudit -l /path/to/log -p $SELINUX_SRC//policy.conf. seaudit can use both binary and source policy files.

Although simpler than the related apol, seaudit has more capabilities than are covered by this section. This section focuses on how to accomplish basic tasks using seaudit. For more information about what seaudit is, read the online documentation at /usr/share/doc/setools-<version>/seaudit_help.txt, which is also available from the Help menu in seaudit.

Figure 6-1 shows seaudit displaying the audit log with several different kinds of messages displayed. The Other column is where the timestamp and serial number are displayed.
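To make the read, sort, and query work described in this section concrete, the following Python script (an added example, not part of the original guide or of the setools code) parses AVC messages, extracts the timestamp and serial number from the audit(timestamp:serial) prefix, and groups denied permissions by source type, target type, and object class. The log lines are constructed samples, and the names parse_avc and summarize_denials are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log lines (kernel AVC message layout); not from a real system.
SAMPLE_LOG = """\
Feb 17 10:20:32 host kernel: audit(1108635632.895:0): avc:  denied  { read } for  pid=2101 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=1234 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Feb 17 10:20:33 host kernel: audit(1108635633.102:0): avc:  denied  { getattr } for  pid=2101 exe=/usr/sbin/httpd path=/home/u/index.html dev=hda2 ino=1234 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Feb 17 10:21:07 host sshd[2200]: Accepted password for u from 192.0.2.10 port 4022
Feb 17 10:22:41 host kernel: audit(1108635761.440:0): avc:  denied  { search } for  pid=2310 exe=/usr/sbin/named name=tmp dev=hda2 ino=77 scontext=root:system_r:named_t tcontext=system_u:object_r:tmp_t tclass=dir
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)

def parse_avc(line):
    """Return a dict of AVC fields, or None for non-AVC or incomplete lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    scon, tcon = fields.get("scontext", ""), fields.get("tcontext", "")
    if "tclass" not in fields or min(scon.count(":"), tcon.count(":")) < 2:
        return None
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "stype": scon.split(":")[2],  # context is user:role:type
        "ttype": tcon.split(":")[2],
        "tclass": fields["tclass"],
        "exe": fields.get("exe", ""),
    }

def summarize_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in sorted(groups.items())}

if __name__ == "__main__":
    for (stype, ttype, tclass), perms in summarize_denials(SAMPLE_LOG).items():
        print(f"{stype} -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
```

Each grouped result gives a source type, target type, and object class that can be used as search terms when looking up the matching rules in the policy.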