audit-explorer is an R shiny app that visualizes Linux audit data using many tools all in one app. With this program, you can interactively display:
- Bar Charts
- Heat Maps
- Pivot Tables
- Sankey Diagrams
- Trees/Dendrograms
See below for some screenshots.
audit-explorer runs under RStudio. You should either download a copy of it or build one as described here:
http://security-plus-data-science.blogspot.com/2017/02/building-r-studio.html
It also requires the following R libraries to be installed in RStudio:
- shiny
- shinyjs
- dplyr
- plyr
- networkD3
- rpivotTable
- data.tree
- ggplot2
It also uses the ausearch command to create the data files it needs to analyze. To have working CSV generation, you should have the Linux audit-2.7.5 or later package installed on your system.
The application is self-contained. It will expect the following directory structure to exist:
~/R/audit-data
To allow ausearch to work from RStudio, you should add your account to a group, such as wheel, that is given read access to the audit logs. Then go into /etc/audit/auditd.conf and set log_group = wheel. It does not have to be wheel, but the group added to your account must match the one auditd.conf has. Then restart auditd so that it can fix the directory permissions.
You can copy app.R to anywhere you want. You just cannot rename it. RStudio expects shiny applications to be named app.R. I would recommend placing it in ~/R/audit-explorer/.
- Start up RStudio
- Click on File|Open File...
- Select app.R (wherever you put it ~/R/audit-explorer/ is recommended)
- In the code pane, click on the Run App button
The program should start up. When it's ready:
- Click the Load Events button and wait for the text below it to change
- If it says success, then click on the Filter tab at the top
- Click on Use All Events
- You can now click around on anything.
You can use the Filter tab to subset the events in many ways by using the Operand1, Operator, and Operand2 drop-down boxes and then clicking Filter Events. If you want to go back to all events, then just click on Use All Events again. This page always lets you know how many events out of the total are selected.
You can also place a CSV file at ~/R/audit-data/audit.csv. It can then be opened using the "Standard CSV" radio button from the Source menu item. If you do this, the program assumes you have already preselected the time range and options.
If you are using the Logs Event Source, then you can have extra data included in the generated CSV file by checking the boxes under Extra CSV Info to Include.
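The log_group setup described above and the audit.csv file this paragraph refers to can be checked and produced from the shell. The script below is an added example, not part of audit-explorer: it reads log_group from auditd.conf, verifies the current user is in that group, and writes ausearch's CSV output to ~/R/audit-data/audit.csv. The AUDITD_CONF, DATA_DIR and RUN_AUDIT_CSV variable names are this example's own choices.

```shell
#!/bin/sh
# Added example (not audit-explorer's own code): verify the auditd log_group
# setup and generate the CSV that audit-explorer reads from ~/R/audit-data.

AUDITD_CONF="${AUDITD_CONF:-/etc/audit/auditd.conf}"
DATA_DIR="${DATA_DIR:-$HOME/R/audit-data}"

# Print the group named by an uncommented "log_group = ..." line in the given
# auditd.conf. Prints nothing if the setting is absent or commented out.
auditd_log_group() {
    sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Return 0 if user $1 is a member of group $2 according to id(1).
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Write CSV events starting at $1 (an ausearch --start value, default "today")
# to DATA_DIR/audit.csv. Requires audit 2.7.5 or later for --format csv.
generate_csv() {
    start="${1:-today}"
    mkdir -p "$DATA_DIR"
    ausearch --format csv --start "$start" > "$DATA_DIR/audit.csv"
}

main() {
    grp=$(auditd_log_group "$AUDITD_CONF")
    if [ -z "$grp" ]; then
        echo "log_group is not set in $AUDITD_CONF; only root can read the logs" >&2
        return 1
    fi
    if ! user_in_group "$(id -un)" "$grp"; then
        echo "$(id -un) is not in group $grp; add it and log in again" >&2
        return 1
    fi
    generate_csv "$@"
}

# Only run the checks when explicitly asked, so the functions can be sourced.
if [ "${RUN_AUDIT_CSV:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as `RUN_AUDIT_CSV=1 sh audit-csv.sh yesterday` to write the last two days of events, then open the file with the "Standard CSV" source in the app.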
There has been discussion about the different diagrams and source code here: http://security-plus-data-science.blogspot.com/
Questions may be asked on the Linux Audit Mail List: https://www.redhat.com/mailman/listinfo/linux-audit
Audit explorer allows you to build different reports and diagrams based on the contents of the audit trail. Your feedback about what kinds of diagrams, reports, or dashboards you would like to see pre-canned as part of an audit reporting tool would be greatly appreciated. It may be a part of this tool or some other web-based tool being considered for the future. For example, if you are interested in a heat map to detect anomalies, should there be any pre-filtering by default? Any ideas, suggestions, and proposals with or without screenshots are welcome. Please send them to the linux-audit mail list (see above) or file an issue, whichever is easiest. Your contributions and feedback are greatly appreciated.
audit-explorer is released under the GNU Affero General Public License v3.0.