On Thursday, June 6, 2019 9:31:41 AM EDT Boyce, Kevin P [US] (AS) wrote:
> Dear List,
>
> It would be really great if there were an audit rule hit counter like many
> firewalls have when IP traffic passes through a filter rule.
>
> This would be beneficial for finding rules that might not be working as
> intended (to fix user implementation problems).
>
> I'm thinking it would be a switch option on auditctl -l (maybe -h for
> hitcount). This would list each rule that the kernel has, and how many
> times since auditd started that an event matched the rule.
>
> Is this within the realm of feasibility? Does this function exist maybe
> elsewhere in the audit suite (like aureport)?
Assuming that you put a key on each rule, you can get this functionality like this:

aureport --start boot --key --summary

And in cases where you have multiple rules with the same key, then add a number at the end like: time1, time2, time3, etc. Ausearch by default does partial word matching. So you can still run "ausearch -k time" and it will find all of them regardless of the number at the end.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
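Added example, not part of the thread and not audit-userspace code: a small Python script that reproduces, over a handful of constructed audit.log lines, what the two commands in the reply give you. count_hits_by_key() is the per-key hit count that `aureport --key --summary` reports; search_by_key() is the substring match that lets `ausearch -k time` pick up time1, time2 and time3. hits_by_key_family() goes one step beyond the reply and folds the numbered keys back into a single per-rule-set total. The sample records, the key names and the report layout are assumptions made for the example.

```python
"""Per-rule hit counts for audit rules, derived from the rule key.

Added example (not from the original mailing-list thread). It emulates
what `aureport --key --summary` and `ausearch -k <substring>` report,
over constructed sample lines, so the key-naming trick from the reply
(time1, time2, ...) can be seen working offline.

Rules that would produce keys like these look roughly like this
(illustrative, not from the thread):
    -w /etc/localtime -p wa -k time1
    -a always,exit -F arch=b64 -S adjtimex,settimeofday -k time2
    -w /etc/passwd -p wa -k passwd
"""
import re
from collections import Counter

# Constructed sample audit.log records (one record per line, as auditd
# writes them). Only msg=audit(...) and key= are parsed; key=(null)
# marks an event that no keyed rule matched, and PATH records carry no key.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1559827901.123:4501): arch=c000003e syscall=2 success=yes key="time1"
type=SYSCALL msg=audit(1559827902.456:4502): arch=c000003e syscall=257 success=yes key="time2"
type=SYSCALL msg=audit(1559827903.789:4503): arch=c000003e syscall=2 success=no key="time1"
type=SYSCALL msg=audit(1559827904.012:4504): arch=c000003e syscall=82 success=yes key="passwd"
type=SYSCALL msg=audit(1559827905.345:4505): arch=c000003e syscall=59 success=yes key=(null)
type=PATH msg=audit(1559827905.345:4505): item=0 name="/bin/true" nametype=NORMAL
"""

KEY_RE = re.compile(r'\bkey="([^"]*)"')            # single quoted key only
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp:serial


def count_hits_by_key(log_text):
    """Return {key: hits}, the per-rule counter the question asked for.

    An audit event is identified by its timestamp:serial; each event is
    counted once per key even if several records of it carry the key.
    """
    seen = set()
    hits = Counter()
    for line in log_text.splitlines():
        key_match = KEY_RE.search(line)
        if not key_match:
            continue  # no key, or key=(null): no keyed rule fired
        event = EVENT_RE.search(line)
        event_id = event.group(0) if event else line
        if (event_id, key_match.group(1)) in seen:
            continue
        seen.add((event_id, key_match.group(1)))
        hits[key_match.group(1)] += 1
    return dict(hits)


def search_by_key(log_text, needle):
    """Substring key match, like `ausearch -k needle`.

    `-k time` therefore returns time1 and time2 records, but also any
    key that merely contains "time": choose key stems with that in mind.
    """
    matched = []
    for line in log_text.splitlines():
        key_match = KEY_RE.search(line)
        if key_match and needle in key_match.group(1):
            matched.append(line)
    return matched


def hits_by_key_family(log_text):
    """Fold numbered keys (time1, time2, ...) into one total per stem.

    This goes beyond the reply: it gives a count per rule set when
    several rules share a key stem and differ only in the trailing number.
    """
    families = Counter()
    for key, hits in count_hits_by_key(log_text).items():
        families[re.sub(r"\d+$", "", key)] += hits
    return dict(families)


def key_summary_report(log_text):
    """Render the counts in a layout similar to aureport's key summary
    (total first, then key, most-hit rules at the top)."""
    rows = sorted(count_hits_by_key(log_text).items(),
                  key=lambda kv: (-kv[1], kv[0]))
    out = ["Key Summary Report", "=" * 18, "total  key", "=" * 18]
    out += [f"{hits}  {key}" for key, hits in rows]
    return "\n".join(out)


if __name__ == "__main__":
    print(key_summary_report(SAMPLE_AUDIT_LOG))
    print()
    print("ausearch -k time would match", len(search_by_key(SAMPLE_AUDIT_LOG, "time")), "records")
    print("per rule family:", hits_by_key_family(SAMPLE_AUDIT_LOG))
```

A rule that never appears in the summary is exactly the "not working as intended" case the question is after, so the useful check is to compare the keys listed in the loaded rule set against the keys that the summary reports.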
