The following script to convert aureport audit statistics into bar charts was created by Steve Grubb at Red Hat. It is available from http://people.redhat.com/sgrubb/audit/visualize/mkbar.
Because the current version of audit in SUSE Linux Enterprise does not ship with this script, proceed as follows to make it available on your system:
Download the script from http://people.redhat.com/sgrubb/audit/visualize/mkbar or copy the text below into a file called mkbar. Each line ending in \ is meant to be written on one continuous line. Adjust this by removing the trailing \ and merging the two lines if you use the copy method.
Move the mkbar file to root's home directory.
Adjust the file permissions to read, write, and execute for root.
#!/bin/sh
# Copyright 2005 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
# This software may be freely redistributed and/or modified under the
# terms of the GNU General Public License as published by the Free
# Software Foundation; either version 2, or (at your option) any
# later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to the
# Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Author: Steve Grubb <sgrubb@redhat.com>
#
#######
# This program will take data returned by aureport suumaries and
# produce a bar chart of it. You can optionally pass a parameter
# that names the file to create
#
# To see most often failed file access:
# aureport -f -i --summary --failed | mkbar failed-access
#
# To see syscalls:
# aureport -s -i --summary | ./mkbar syscall
#
# To see events:
# aureport -e -i --summary | ./mkbar events
#
# To see all events except syscall & config change:
# aureport -e -i --summary | egrep -vi '(syscall|change)' | ./mkbar events2
###
if [ x"$1" != "x" ] ; then
OUT="$1"
else
OUT="chart"
fi
EXT="png"
gpcommand="plot-script"
gpdata="$OUT.dat"
gpout="$OUT.$EXT"
plotcommand=`which gnuplot`
if [ x"$plotcommand" = "x" ] ; then
echo "gnuplot is not installed"
exit 1
fi
# create gnuplot command file
echo "set terminal $EXT small xfdf5e6 x000000 x404040 x0000ff x00ff00" > \
$gpcommand
echo "set grid ytics" >> $gpcommand
echo "set nokey" >> $gpcommand
echo "set nolabel" >> $gpcommand
echo "set data style lines" >> $gpcommand
echo "set noxzeroaxis" >> $gpcommand
echo "set noyzeroaxis" >> $gpcommand
echo "set boxwidth 0.9 relative" >> $gpcommand
echo "set style fill solid 1.0" >> $gpcommand
echo 'set output "'$gpout'"' >> $gpcommand
# This is to be able to start with a comma as we read input.
echo -n "set xtics rotate (\"-1\" -1" >> $gpcommand
# make sure we don't append to pre-existing file
rm -f $gpdata
# read input
i=0
while [ 1 ]
do
read -t 5 line 2>/dev/null
if [ $? -ne 0 ] ; then
break
fi
if [ x"$line" != "x" ] ; then
i=`expr $i + 1`
echo $line | awk '/^[0-9]/ { printf ", \"%s\" %d", $2, 1+num }' "num=$i" \
>> $gpcommand
echo $line | awk '/^[0-9]/ { printf "%d %s\n", 1+num, $1 }' "num=$i" >> \
$gpdata
fi
done
echo -e ')\n' >> $gpcommand
echo 'plot "'$gpdata'" with boxes' >> $gpcommand
# Create the chart
gnuplot $gpcommand
# Cleanup
rm -f $gpcommand $gpdata
# output results
if [ -e $gpout ] ; then
echo "Wrote $gpout"
exit 0
fi
exit 1