The following script to convert aureport audit statistics into flow graphs was created by Steve Grubb at Red Hat. It is available from http://people.redhat.com/sgrubb/audit/visualize/mkgraph.
Because the current version of audit in SUSE Linux Enterprise does not ship with this script, proceed as follows to make it available on your system:
Download the script from http://people.redhat.com/sgrubb/audit/visualize/mkgraph or copy the text below into a file called mkgraph. Each commented example aureport command in the listing is meant to be written on one continuous line; if the copy wraps one onto a second line, rejoin it, because a continuation line that lacks a leading `#` is a shell syntax error when the script is executed.
Move the mkgraph file to root's home directory.
Make sure the file is owned by root and adjust its permissions to read, write, and execute for root only (`chmod 700 mkgraph`). The script is executed with root privileges, so it must not be writable by any other user.
#!/bin/sh
#
# Copyright 2005 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
# This software may be freely redistributed and/or modified under the
# terms of the GNU General Public License as published by the Free
# Software Foundation; either version 2, or (at your option) any
# later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to the
# Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Author: Steve Grubb <sgrubb@redhat.com>
#
########
#
# This program will take stdin and produce a graph for it. Each input line
# should hold two tokens separated by whitespace, source then target; any
# further tokens on the line are ignored and blank lines are skipped.
# Some interesting uses:
#
# See what syscalls a program makes
# aureport -s -i | awk '/^[0-9]/ { printf "%s %s\n", $6, $4 }' | sort | uniq | ./mkgraph
#
# See avc denied subject to object map
# aureport -a --failed -i | awk '/^[0-9]/ { printf "%s %s\n", $5, $8 }' | sort | uniq | ./mkgraph
#
# See who is accessing files
#aureport -f -i | awk '/^[0-9]/ { printf "%s %s\n", $8, $4 }' | sort | uniq | ./mkgraph
#
# See what account is running which exes
# aureport -u -i | awk '/^[0-9]/ { printf "%s %s\n", $4, $7 }' | sort | uniq | ./mkgraph
#
# See what accounts are being used by remote hosts
#aureport -h -i | awk '/^[0-9]/ { printf "%s %s\n", $4, $6 }' | sort | uniq | ./mkgraph
#
# Graphs can be combined, too. For example, to see what host people logged in
# from and the commands they ran:
#aureport -h -i | awk '/^[0-9]/ { printf "%s %s\n", $4, $6 }' | sort | uniq > tmp.rpt
#aureport -u -i | awk '/^[0-9]/ { printf "%s %s\n", $4, $7 }' | sort | uniq >> tmp.rpt
#cat tmp.rpt | ./mkgraph
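# Output basename: the first argument, or "gr" when none is given.  Every
# path built from it below is prefixed with "./" so a name beginning with "-"
# can never be taken as an option by dot, gzip or rm.
OUT="${1:-gr}"
# Render format handed to dot (png, ps, or jpg are the usual choices).  A
# PostScript result is additionally gzipped at the end.
EXT="ps"

# The intermediate DOT file is created with an unpredictable name in the
# current directory and removed on every exit path (success, render error,
# or an interrupt), instead of a fixed "./$OUT.dot" that survived Ctrl-C.
DOT_FILE=""
cleanup() {
    if [ -n "$DOT_FILE" ]; then
        rm -f -- "$DOT_FILE"
    fi
}
trap cleanup EXIT HUP INT TERM

DOT_CMD=$(command -v dot 2>/dev/null)
if [ -z "$DOT_CMD" ]; then
    echo "graphviz is not installed. Exiting." >&2
    exit 1
fi

DOT_FILE=$(mktemp "./$OUT.XXXXXX") || {
    echo "Cannot create temporary DOT file in the current directory." >&2
    exit 1
}

{
    echo "digraph G {"
    # Optional layout settings you may want to enable, e.g.:
    #   printf '\torientation=landscape\n'
    #   printf '\tsize="60,18"\n'
    #   printf '\tranksep="1.25"\n'
    #   printf '\tratio=fill\n'
    #   printf '\tpage="8.5,11";\n'
    #
    # One edge per input line: first field -> second field, extra fields
    # ignored, blank lines skipped.  stdin is read until EOF; the previous
    # "read -t 5" loop gave up after five seconds of silence, which produced
    # an empty or truncated graph whenever the upstream sort|uniq needed
    # longer than that before emitting its first line.  Reading through awk
    # also avoids the unquoted "echo $line" that word-split and glob-expanded
    # audit data against the current directory.
    awk '
        # Audit records carry names chosen by whoever triggered the event
        # (file paths, executable names, remote hostnames).  Inside a quoted
        # DOT string a bare double quote ends the string, so an unescaped name
        # can inject arbitrary DOT syntax or make dot reject the whole file;
        # a trailing backslash swallows the closing quote.  Escape both.
        function dq(s,   out, i, c) {
            out = ""
            for (i = 1; i <= length(s); i++) {
                c = substr(s, i, 1)
                if (c == "\\" || c == "\"")
                    out = out "\\"
                out = out c
            }
            return out
        }
        NF > 0 { printf("\t\"%s\" -> \"%s\";\n", dq($1), dq($2)) }
    '
    echo "}"
} > "$DOT_FILE"

# Let dot's own diagnostics reach stderr: the old "1>&2 2>/dev/null" discarded
# them, leaving only "Error rendering" with no hint of what went wrong.
if ! "$DOT_CMD" -T"$EXT" -o "./$OUT.$EXT" "$DOT_FILE"; then
    echo "Error rendering" >&2
    exit 1
fi

if [ "$EXT" = "ps" ]; then
    echo "Gzipping graph..."
    # gzip refuses to overwrite an existing archive; drop a stale one first.
    rm -f -- "./$OUT.ps.gz"
    gzip --best "./$OUT.ps" || exit 1
    echo "Graph was written to $OUT.$EXT.gz"
else
    echo "Graph was written to $OUT.$EXT"
fi
exit 0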