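#!/bin/sh
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#   aucoverage of /CoreOS/audit/Sanity/normalizer
#   Description: Event coverage of audit logs
#   Author: Natalia Bubakova
#           Ondrej Moris
#   Date: 11.4.2022
#
#   This is an auxiliary script that helps with audit log review; it is
#   not included in runtest.sh.  It can list all audit event types known
#   to ausearch, report which of them are covered by an input log, or
#   merge the events newly covered by the input log into an output log.
#
#   Exit status: 0 on success; 1 on a usage error, when a log is not
#   readable/writable, when ausearch is missing, or when the event-type
#   list cannot be obtained from ausearch.
#
#   The script is POSIX sh: no 'echo -e', no '((...))', no '-a'/'-o'
#   in test, so it behaves the same under bash and dash.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# Tokens of the ausearch message-type listing that are not real event
# types (or are never produced by the normalizer tests) and are dropped
# from the coverage list.
SKIP_TYPES='ALL|Argument|Valid|EOE|TRUSTED_APP|KERNEL_OTHER'

# Print the usage text to stdout (callers redirect to stderr on error).
# printf is used instead of 'echo -e' because echo's handling of -e and
# backslash escapes is not portable under /bin/sh.
usage() {
    printf 'USAGE:\n'
    printf '\t./aucoverage INLOG [OUTLOG] | --events\n\n'
    printf 'DESCRIPTION:\n'
    printf '\t--events\tprints all the events (one per line)\n'
    printf '\tINLOG\t\tprints the events covered in INLOG and one-line log message of its status\n'
    printf '\tINLOG OUTLOG\tif OUTLOG is present, does the same as above, yet it appends all the newly covered events within INLOG into the OUTLOG \n\t\t\t(merges logs so there are no duplicates and states its merge status)\n'
}

# Print the audit event types ausearch knows about, one per line, sorted.
# This relies on 'ausearch -m' (with the argument missing) failing and
# printing its list of valid message types; that output is the only
# machine-readable source of the type names, so stderr is merged into
# the pipeline and the explanatory words plus the non-event tokens in
# SKIP_TYPES are filtered out.  The '[A-Z]' pattern is quoted so the
# shell cannot expand it as a glob against files in the current directory.
list_event_types() {
    ausearch -m 2>&1 | tr ' ' '\n' | grep -E '[A-Z]' | grep -Ev "$SKIP_TYPES" | sort
}

# ---- argument handling ---------------------------------------------------

if [ "$1" = "--help" ] || [ "$1" = "-h" ]; then
    usage
    exit 0
fi

if [ $# -lt 1 ] || [ $# -gt 2 ]; then
    usage >&2
    exit 1
fi

# Without this guard a missing ausearch is swallowed by the '2>&1' in
# list_event_types and the script would silently report "0 out of 0".
if ! command -v ausearch >/dev/null 2>&1; then
    echo "ausearch not found in PATH" >&2
    exit 1
fi

if [ "$1" = "--events" ]; then
    list_event_types
    exit 0
fi

# INLOG may be a file or a directory: both are accepted by 'ausearch -if'.
# '-r' (rather than '-e') matches the "Can't read" message actually given.
INLOG=$1
if [ ! -r "$INLOG" ]; then
    echo "Can't read $INLOG" >&2
    exit 1
fi

# OUTLOG is read by ausearch and appended to with '>>', so it must be a
# readable, writable regular file; a directory would pass '-e' but make
# the append fail mid-run.
OUTLOG=${2:-}
if [ $# -eq 2 ]; then
    if [ -d "$OUTLOG" ]; then
        echo "OUTLOG must be a file, not a directory: $OUTLOG" >&2
        exit 1
    fi
    if [ ! -r "$OUTLOG" ]; then
        echo "Can't read $OUTLOG" >&2
        exit 1
    fi
    if [ ! -w "$OUTLOG" ]; then
        echo "Can't write $OUTLOG" >&2
        exit 1
    fi
fi

# ---- coverage scan -------------------------------------------------------

# The type list is fetched once; the original ran ausearch twice for it.
types=$(list_event_types)
if [ -z "$types" ]; then
    echo "Could not obtain the list of event types from ausearch" >&2
    exit 1
fi
total=$(printf '%s\n' "$types" | wc -l)

found=0      # number of event types present in INLOG
appended=0   # 1 once at least one record was merged into OUTLOG

# Word-splitting of $types is intended: one event type name per word.
for t in $types; do
    # --just-one: we only need to know whether INLOG holds a record of
    # this type, not the records themselves.
    if ausearch -if "$INLOG" -m "$t" --just-one --raw >/dev/null 2>&1; then
        echo "$t"
        found=$((found + 1))
        # Merge: copy one raw record of this type into OUTLOG only when
        # OUTLOG does not already contain that type (no duplicates).
        if [ $# -eq 2 ] && ! ausearch -if "$OUTLOG" -m "$t" --just-one --raw >/dev/null 2>&1; then
            ausearch -if "$INLOG" -m "$t" --just-one --raw 2>/dev/null >> "$OUTLOG"
            echo "Appended $t to $OUTLOG"
            appended=1
        fi
    fi
done

if [ $# -eq 2 ] && [ "$appended" -eq 0 ]; then
    echo "There are no new records to merge"
fi

# Line count is only meaningful for a regular file; for a directory
# input (accepted by ausearch) report 0 instead of a cat/wc error.
if [ -f "$INLOG" ]; then
    lines=$(wc -l < "$INLOG")
else
    lines=0
fi
echo "Input log '$INLOG' ($lines lines) uses $found out of $total event types"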