This repository contains scripts that visualize data coming from the Linux audit subsystem. The scripts are originally from Steve Grubb <sgrubb@redhat.com> and can be found at https://people.redhat.com/sgrubb/audit/visualize/.
These scripts have been adapted to work with modern versions of GNUPlot and to write PNG files instead of PostScript.
$ sudo aureport -s -i --summary | bash ./mkbar syscall
$ sudo aureport -f -i --summary --failed | bash ./mkbar failed-access
$ sudo aureport -e -i --summary | egrep -vi '(syscall|change)'
$ sudo aureport -e -i --summary | egrep -vi '(syscall|change)' | bash ./mkbar events2
- Syscalls
- Failed Filesystem Access
- Audit Events
- Syscall usage of processes
$ sudo aureport -s -i | awk '/^[0-9]/ { printf "%s %s\n", $6, $4 }' | sort | uniq | bash ./mkgraph
Graph was written to gr.png
- which user executes which processes
$ sudo aureport -u -i | awk '/^[0-9]/ { printf "%s %s\n", $4, $7 }' | sort | uniq | bash ./mkgraph
- who accesses which files
$ sudo aureport -f -i | awk '/^[0-9]/ { printf "%s %s\n", $8, $4 }' | sort | uniq | bash ./mkgraph
- Example
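The following is an added example, not code from this repository or from the original scripts. It reproduces the `awk | sort | uniq` stage of the three graph commands above on a constructed sample report, so the pairs handed to `mkgraph` can be inspected without audit privileges. The function names `audit_edges`, `edges_to_dot` and `sample_syscall_report` are hypothetical, and rendering the pairs as a Graphviz digraph is an assumption of this example, not a description of what `mkgraph` does.

```shell
# audit_edges SRC DST: read aureport text on stdin and print the unique
# "src dst" pairs. Data rows start with a record number, so the title,
# separator and column-header lines are skipped by the /^[0-9]/ pattern.
# Column pairs used by the commands above: 6 4 (aureport -s),
# 4 7 (aureport -u), 8 4 (aureport -f).
audit_edges() {
    awk -v s="$1" -v d="$2" '/^[0-9]/ { printf "%s %s\n", $s, $d }' | sort | uniq
}

# edges_to_dot: turn "src dst" pairs into a Graphviz digraph.
# (Assumed output format for this example; not taken from mkgraph.)
edges_to_dot() {
    echo 'digraph audit {'
    while read -r src dst; do
        printf '  "%s" -> "%s";\n' "$src" "$dst"
    done
    echo '}'
}

# Constructed sample in the column layout of `aureport -s -i`.
sample_syscall_report() {
    cat <<'EOF'
Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 03/01/2024 10:00:01 openat 812 sshd root 101
2. 03/01/2024 10:00:02 openat 812 sshd root 102
3. 03/01/2024 10:00:05 execve 990 bash alice 103
4. 03/01/2024 10:00:09 connect 991 curl alice 104
EOF
}

# Process -> syscall edges; the duplicate sshd/openat row collapses to one.
sample_syscall_report | audit_edges 6 4 | edges_to_dot
```

Because `awk` splits on whitespace, a value that itself contains a space (a file path, for instance) shifts the column numbers for that row, so check such rows against the raw report.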