Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 381


3. 16/02/09 17:45:02 mkdir 20351 mkdir root 2285
...
The first thing that the visualization script needs to do on this report is to extract only
those columns that are of interest, in this example, the syscall and the comm columns.
The output is sorted and duplicates are removed, then the final output is piped into the
visualization program itself:
LC_ALL=C aureport -s -i | awk '/^[0-9]/ { print $6" "$4 }' | sort | uniq | mkgraph
NOTE: Adjusting the Locale
Depending on your choice of locale in /etc/sysconfig/auditd, your aureport
output might contain an additional data column for AM/PM on time stamps.
To avoid having this confuse your scripts, precede your script calls with
LC_ALL=C to reset the locale and use the 24-hour time format.
Figure 30.2 Flow Graph—Program versus System Call Relationship
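As an added example (not the guide's own mkgraph script), the extraction stage of the pipeline above run over a constructed aureport -s -i sample, a check for the AM/PM column shift the note describes, and a minimal Graphviz DOT emitter standing in for mkgraph:

```shell
#!/bin/sh
# Added example: reproduces the column extraction of the guide's pipeline over
# a constructed `LC_ALL=C aureport -s -i` sample and feeds it to a minimal
# DOT-emitting stand-in for the guide's mkgraph script (not the real mkgraph).

# Constructed sample report. Columns after the row number:
# date time syscall pid comm auid event
SAMPLE_REPORT='Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 16/02/09 17:45:01 open 20350 bash root 2283
2. 16/02/09 17:45:01 execve 20351 mkdir root 2284
3. 16/02/09 17:45:02 mkdir 20351 mkdir root 2285
4. 16/02/09 17:45:02 open 20350 bash root 2286
5. 16/02/09 17:45:03 execve 20352 cat root 2287'

# Constructed line as a non-C locale would print it: the AM/PM column shifts
# every later field by one, so $4 is "PM" instead of the syscall name.
SHIFTED_LINE='3. 02/16/2009 05:45:02 PM mkdir 20351 mkdir root 2285'

# Same extraction as the guide: comm ($6) and syscall ($4) from numbered rows,
# header lines skipped, duplicate pairs removed.
syscall_edges() {
    awk '/^[0-9]/ { print $6" "$4 }' | sort | uniq
}

# Returns 1 if any data row carries AM/PM in the syscall column, i.e. the
# report was produced without LC_ALL=C and the awk field numbers are wrong.
check_columns() {
    awk '/^[0-9]/ && ($4 == "AM" || $4 == "PM") { bad = 1 } END { exit bad }'
}

# Minimal stand-in for mkgraph: one DOT edge per "comm syscall" pair on stdin.
mkgraph_dot() {
    echo 'digraph G {'
    while read -r comm syscall; do
        printf '  "%s" -> "%s";\n' "$comm" "$syscall"
    done
    echo '}'
}

# Number of distinct comm/syscall edges in the sample.
edge_count() {
    printf '%s\n' "$SAMPLE_REPORT" | syscall_edges | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_REPORT" | check_columns || echo 'column shift detected' >&2
printf '%s\n' "$SAMPLE_REPORT" | syscall_edges | mkgraph_dot
```

Pipe the DOT output into dot -Tpng to render the same program-versus-syscall graph the figure shows.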
The second example illustrates the different types of events and how many of each type
have been logged. The appropriate aureport command to extract this kind of information
is aureport -e:
aureport -e -i --summary
Event Summary Report
======================
total  type
======================
2434  SYSCALL
816  USER_START
816  USER_ACCT
814  CRED_ACQ
810  LOGIN
806  CRED_DISP
779  USER_END
99  CONFIG_CHANGE
52  USER_LOGIN
Understanding Linux Audit
369