Coder Social home page Coder Social logo

audit_pretty's Introduction

[WIP] audit-pretty

Linux Auditing System log files pretty printer.

Screenshot of raw log Screenshoot of log processed by this script

Installation

You can run script directly from repository: python3 -m audit_pretty ARGS... or install it to system directory: pip3 install audit_pretty.

Usage

You need only Python 3 for this script to work.

sudo dmesg | audit-pretty

sudo cat /var/log/audit/audit.log | audit-pretty

It works correctly with dmesg -w so you can watch live log in readable format!

sudo dmesg -w | audit-pretty

There are bunch of useful options you may want to use, check out audit-pretty -h!

Room for improvement

  • Don't use colors (--no-colors)
  • Filter by time (--since, --until)
  • Handle more than just AppArmor violations
  • Verbose option to include more info (-v, --verbose)
  • Filter message types (-e, --exclude, --only)
  • Merge repeated messages (useful for policy debugging) (--merge)

audit_pretty's People

Contributors

foxcpp avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

pythonxuexi8888

audit_pretty's Issues

Cover more message types

Ref.: https://github.com/linux-audit/audit-documentation

  • SELinux
    Ref.: https://selinuxproject.org/page/NB_AL

    SELinux uses format different from all other audit events.
    I'm not going to support it now. If you interested in SELinux
    log pretty printing using audit_pretty - any help is appreciated.

    • AVC
    • USER_AVC
    • MAC_POLICY_LOAD
    • USER_MAC_POLICY_LOAD
    • MAC_CONFIG_CHANGE
    • MAC_STATUS
    • MAC_UNLBL_STCADD
    • MAC_IPSEC_EVENT
    • SELINUX_ERR
    • USER_ROLE_CHANGE

  • AppArmor

    • AVC (Policy violations)
    • AVC (Status messages)

  • System lifecycle events

    • SYSTEM_BOOT
    • SYSTEM_RUNLEVEL
    • DAEMON_START
    • DAEMON_ABORT
    • SERVICE_START (systemd)
    • SERVICE_STOP (systemd)
    • SERVICE_START (openrc)
    • SERVICE_STOP (openrc)
    • SYSTEM_SHUTDOWN
    • DAEMON_END

  • User account lifecycle events

    • ADD_USER
    • USER_MGMT
    • USER_CHAUTHTOK
    • ROLE_ASSIGN
    • ROLE_REMOVE
    • DEL_USER
    • ADD_GROUP
    • GRP_MGMT
    • GRP_CHAUTHTOK
    • DEL_GROUP

  • User login lifecycle events

    • CRYPTO_KEY_USER
    • CRYPTO_SESSION
    • USER_AUTH
    • LOGIN
    • USER_ACCT
    • USER_CHAUTHTOK
    • USER_ERR
    • CRED_ACQ
    • USER_ROLE_CHANGE
    • USER_START
    • USER_LOGIN
    • CRED_REFR
    • GRP_AUTH
    • CHUSER_ID
    • CHGRP_ID
    • USER_LOGOUT
    • USER_END
    • CRED_DISP
    • ANOM_LOGIN_FAILURES
    • ANOM_LOGIN_TIME
    • ANOM_LOGIN_SESSIONS
    • ANOM_LOGIN_ACCT
    • ANOM_LOGIN_LOCATION

  • Virt. manager guest lifecycle events

    • VIRT_MACHINE_ID
    • VIRT_INTEGRITY_CHECK
    • VIRT_RESOURCE
    • VIRT_CONTROL

  • Seccomp violation notifications

  • Generic record types

    • PROCTITLE
    • SYSCALL
    • PATH
    • CWD

This list is incomplete. More types listed here.

pip install audit_pretty error 

 pip install audit_pretty
/root/anaconda3/lib/python3.8/site-packages/secretstorage/dhcrypto.py:16: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/root/anaconda3/lib/python3.8/site-packages/secretstorage/util.py:25: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
Defaulting to user installation because normal site-packages is not writeable
ERROR: Could not find a version that satisfies the requirement audit_pretty (from versions: none)
ERROR: No matching distribution found for audit_pretty
Note: you may need to restart the kernel to use updated packages.

In [15]: !/root/anaconda3/bin/python -V
Python 3.8.5

In [16]: pip -V
pip 20.2.4 from /root/anaconda3/lib/python3.8/site-packages/pip (python 3.8)
Note: you may need to restart the kernel to use updated packages.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.