SELinux audit reports script


Those who use a SELinux enabled distribution – more specifically those who have set the SELinux security layer to enforcing mode – will most probably know about the auditd daemon (part of the audit package in Fedora Core). By default, all SELinux messages are recorded to the syslog, but when auditd is running, all messages are kept in /var/log/audit/audit.log instead.

The audit package, apart from the audit daemon, includes some very interesting utilities, aureport and ausearch, which are two great assistants in the procedure of locating the events that need investigation in the endless log files. aureport produces the report it has been asked for and ausearch is used to search the logs for a given event number. Enough said, now on to the script.

aureport has a shortcoming. It can only display one report at a time. So, in order to have daily SELinux reports in our inbox, aureport needs to be called several times from within a cron job. This is why aureportgen.py was written. It can be configured to execute aureport several times, collecting the pre-defined reports for a given period of time, and then print a concatenation of these reports to stdout.

Configuration

Open the aureportgen.py script in a text editor and scroll down to the configuration section. The available options are:

The path to the aureport executable:

aureportpath = "/sbin/aureport"

The list of the reports to collect:

reports = ["a", "mf", "ms", "lf", "ls"]

The line above might be a little cryptic so here is the convention on how to specify the report names:

  1. Each report name may consist of up to two letters. The first, which is mandatory, specifies the report type and the second, which is optional, specifies whether a successes-only or a failures-only report will be returned.
  2. Any aureport command line switch that selects a report type can be used as the first letter.
  3. The second letter is either “f”, for a failure-only report, or “s”, for a success-only report.
  4. If the second letter is omitted, then a report that contains both successful and failed events is returned.

By using the configuration above, the following reports will be returned:

  1. AVC denials (successes or failures not applicable to this report)
  2. Account modification failures
  3. Account modification successes
  4. Login failures
  5. Login successes
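As an added example (not the aureportgen.py script itself), the following Python code turns report names written in the convention above into aureport invocations: the first letter becomes the aureport report switch, the optional second letter becomes --failed or --success, and the --start/--end window is derived from a day count. The switches are aureport's real options; the MM/DD/YYYY date form and the /sbin/aureport path are assumptions about the running system.

```python
"""Map aureportgen-style report names ("a", "mf", "ls", ...) to aureport commands.

Added example, not the aureportgen.py script. aureport's -a/-m/-l report
switches and its --failed, --success, --start and --end options are real;
the date format below is an assumption (MM/DD/YYYY, the C/en_US form).
"""
import datetime
import subprocess
import sys

AUREPORT_PATH = "/sbin/aureport"  # same default as the script's configuration

# Second-letter convention: "f" = failures only, "s" = successes only, "" = both.
OUTCOME_FLAGS = {"f": ["--failed"], "s": ["--success"], "": []}


def parse_report_name(name):
    """Split "mf" into ("m", "f") and "a" into ("a", ""); reject anything else."""
    if not 1 <= len(name) <= 2 or not name.isalpha():
        raise ValueError("report name must be one or two letters: %r" % name)
    kind, outcome = name[0], name[1:]
    if outcome not in OUTCOME_FLAGS:
        raise ValueError("second letter must be 'f' or 's': %r" % name)
    return kind, outcome


def build_command(name, days, now=None):
    """Return the argv for one report covering the last `days` days.

    aureport --start/--end take a date and a time whose format depends on the
    locale, which is the mismatch the page's fix_date option exists for; here
    the format is fixed to MM/DD/YYYY (assumed to match the cron environment).
    """
    kind, outcome = parse_report_name(name)
    now = now or datetime.datetime.now()
    start = now - datetime.timedelta(days=days)
    cmd = [AUREPORT_PATH, "-" + kind] + OUTCOME_FLAGS[outcome]
    cmd += ["--start", start.strftime("%m/%d/%Y"), start.strftime("%H:%M:%S"),
            "--end", now.strftime("%m/%d/%Y"), now.strftime("%H:%M:%S")]
    return cmd


def generate(reports, days, run=subprocess.check_output):
    """Run one aureport call per report name and concatenate the outputs."""
    chunks = [run(build_command(name, days)).decode("utf-8", "replace")
              for name in reports]
    return "\n".join(chunks)


if __name__ == "__main__":  # e.g.  python aureport_names.py --days 1
    days = int(sys.argv[sys.argv.index("--days") + 1]) if "--days" in sys.argv else 1
    sys.stdout.write(generate(["a", "mf", "ms", "lf", "ls"], days))
```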

Usage

This script was written in order to be called from within a cron job. It is mandatory to specify the number of days in the past the reports will be generated for. This is done with the --days command line option.

An example daily cron script is listed below:

#! /bin/bash

python /path/to/aureportgen.py --days 1 | mail -s "SELinux Reports by aureport" root

exit 0

The same as a cronjob would be:

0 0 * * *    root    python /path/to/aureportgen.py --days 1 | mail -s "SELinux Reports by aureport" root

This will scan the audit logs and the pre-defined reports will be generated for the last 24 hours. The output will be emailed to root.

WARNING: It should be possible to run this script directly on the CLI and have multiple reports displayed in the standard output, but if the login shell’s locale is different from the cron job’s, then there could be a problem. In such cases, you will still be able to run it from the CLI without errors by setting the extra configuration option fix_date to True:

fix_date = True

License

This project is released under the terms of the GNU General Public License version 2 or later.

Download

You can download this script from the following link:

aureportgen-0.1.tar.gz

Note that this is an alpha version; it is released without any warranties or support.

SELinux audit reports script by George Notaras is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2006 - Some Rights Reserved


About George Notaras

George Notaras is the editor of the G-Loaded Journal, a technical blog about Free and Open-Source Software. George, among other things, is an enthusiast self-taught GNU/Linux system administrator. He has created this web site to share the IT knowledge and experience he has gained over the years with other people. George primarily uses CentOS and Fedora. He has also developed some open-source software projects in his spare time.