Number of MAC events: 0
Number of failed syscalls: 994
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 713
Number of events: 1589
3 To list the files that could not be accessed, run a summary report of failed file
events:
aureport -f -i --failed --summary
Failed File Summary Report
===========================
total  file
===========================
80  /var/spool/cron/lastrun
46  /usr/lib/locale/en_GB.UTF-8/LC_CTYPE
45  /usr/lib/locale/locale-archive
38  /usr/lib/locale/en_GB.UTF-8/LC_IDENTIFICATION
38  /usr/lib/locale/en_GB.UTF-8/LC_MEASUREMENT
38  /usr/lib/locale/en_GB.UTF-8/LC_TELEPHONE
38  /usr/lib/locale/en_GB.UTF-8/LC_ADDRESS
38  /usr/lib/locale/en_GB.UTF-8/LC_NAME
38  /usr/lib/locale/en_GB.UTF-8/LC_PAPER
38  /usr/lib/locale/en_GB.UTF-8/LC_MESSAGES
38  /usr/lib/locale/en_GB.UTF-8/LC_MONETARY
38  /usr/lib/locale/en_GB.UTF-8/LC_COLLATE
38  /usr/lib/locale/en_GB.UTF-8/LC_TIME
38  /usr/lib/locale/en_GB.UTF-8/LC_NUMERIC
8  /etc/magic.mgc
...
To focus this summary report on a few files or directories of interest only, such
as /etc/audit/auditd.conf, /etc/pam.d, and /etc/sysconfig,
use a command similar to the following:
aureport -f -i --failed --summary | grep -e "/etc/audit/auditd.conf" -e "/etc/pam.d/" -e "/etc/sysconfig"
1  /etc/sysconfig/displaymanager
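The grep filter above matches anywhere in the line, so a path such as /home/user/etc/pam.d would also be reported. The following Python script is an added example (not part of the SUSE guide) that parses the same "Failed File Summary Report" layout, anchors the filter at the start of the path, and ranks the paths with the most failed accesses; the embedded sample report is constructed from the rows shown on this page plus one extra /etc/audit/auditd.conf row.

```python
"""Parse the output of `aureport -f -i --failed --summary` and pick out
the paths of interest (added example; the sample report is constructed)."""
import re

# Constructed sample in the layout aureport prints: title, rule lines,
# a "total  file" header, then one "<count>  <path>" row per file.
SAMPLE_REPORT = """\
Failed File Summary Report
===========================
total  file
===========================
80  /var/spool/cron/lastrun
46  /usr/lib/locale/en_GB.UTF-8/LC_CTYPE
8  /etc/magic.mgc
1  /etc/sysconfig/displaymanager
1  /etc/audit/auditd.conf
...
"""

# A data row is a count followed by whitespace and the path; everything
# else (title, "====" rules, "total file" header, "...") is skipped.
ROW = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")


def parse_failed_file_summary(text):
    """Return {path: failed_access_count} for every data row in the report."""
    counts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        counts[m.group(2)] = counts.get(m.group(2), 0) + int(m.group(1))
    return counts


def select_of_interest(counts, prefixes):
    """Like the grep pipeline, but matched at the start of the path only."""
    return {p: n for p, n in counts.items() if any(p.startswith(x) for x in prefixes)}


def top_failures(counts, n=3):
    """Paths with the most failed accesses, highest count first."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    parsed = parse_failed_file_summary(SAMPLE_REPORT)
    for path, n in top_failures(parsed):
        print(f"{n:>5}  {path}")
    print(select_of_interest(parsed, ["/etc/audit/auditd.conf", "/etc/pam.d/", "/etc/sysconfig"]))
```

To run it against a live system, replace SAMPLE_REPORT with the captured output of the aureport command shown above.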
4 From the summary report, proceed to isolate these items of interest from
the log and find out their event IDs for further analysis:
Setting Up the Linux Audit Framework
419