3. 16/02/09 17:45:02 mkdir 20351 mkdir root 2285
...
The first thing that the visualization script needs to do on this report is to extract only those columns that are of interest, in this example, the syscall and the comm columns. The output is sorted and duplicates removed, then the final output is piped into the visualization program itself:
LC_ALL=C aureport -s -i | awk '/^[0-9]/ { print $6" "$4 }' | sort | uniq | mkgraph
NOTE: Adjusting the Locale
Depending on your choice of locale in /etc/sysconfig/auditd, your aureport output might contain an additional data column for AM/PM on time stamps. To avoid having this confuse your scripts, precede your script calls with LC_ALL=C to reset the locale and use the 24 hour time format.
Figure 30.2 Flow Graph—Program versus System Call Relationship
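The column-extraction pipeline and the locale note above, worked through as an added example that is not from the SUSE documentation or its mkgraph script: a shell function extracts the unique comm/syscall pairs from a constructed aureport -s -i sample and tolerates the extra AM/PM column a 12-hour locale adds, and a second function renders the pairs as Graphviz DOT edges. The DOT format is an assumption about what a graph-drawing back end such as mkgraph would consume; the report lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the SUSE documentation): extract comm/syscall pairs
# from `aureport -s -i` output and render them as Graphviz DOT edges.

# Constructed sample of `aureport -s -i` output, not a real capture.
SAMPLE='Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 16/02/09 17:45:01 open 20350 cat root 2284
2. 16/02/09 17:45:02 mkdir 20351 mkdir root 2285
3. 16/02/09 17:45:02 mkdir 20351 mkdir root 2286'

# The same records as a 12-hour locale would print them: an extra AM/PM
# column follows the time stamp and shifts every later field by one.
SAMPLE_AMPM='Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 02/16/09 05:45:01 PM open 20350 cat root 2284
2. 02/16/09 05:45:02 PM mkdir 20351 mkdir root 2285'

# Read a report on stdin, print unique "comm syscall" pairs, one per line.
# Only numbered record lines are used; header and separator lines are skipped.
# When field 4 is AM or PM the locale note applies, so the field indices are
# shifted by one instead of silently printing the wrong columns.
syscall_edges() {
  awk '/^[0-9]+\./ {
         o = ($4 == "AM" || $4 == "PM") ? 1 : 0
         print $(6+o) " " $(4+o)
       }' | LC_ALL=C sort | uniq
}

# Turn "comm syscall" pairs on stdin into a DOT digraph (assumed input
# format for a graph back end such as mkgraph).
edges_to_dot() {
  echo 'digraph audit {'
  while read -r comm sc; do
    echo "  \"$comm\" -> \"$sc\";"
  done
  echo '}'
}

# Stand-alone run: the 24-hour sample, rendered as a DOT graph.
printf '%s\n' "$SAMPLE" | syscall_edges | edges_to_dot
```

Both samples yield the same two edges (cat -> open, mkdir -> mkdir), which is the check that the AM/PM handling works.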
The second example illustrates the different types of events and how many of each type have been logged. The appropriate aureport command to extract this kind of information is aureport -e:
aureport -e -i --summary

Event Summary Report
======================
total  type
======================
2434  SYSCALL
816  USER_START
816  USER_ACCT
814  CRED_ACQ
810  LOGIN
806  CRED_DISP
779  USER_END
99  CONFIG_CHANGE
52  USER_LOGIN
Understanding Linux Audit
369