This directory contains two tools, packaged by SuSE for example purposes only,
which can be used as a basis for graphically visualizing audit data. Success
in using the tools requires some level of Unix scripting skill with
awk, perl, python etc. as well as tools such as uniq and sort.  We welcome
your suggestions on these two tools and their future development but cannot
guarantee to incorporate all feedback.

These tools were originally created by RedHat and limited documentation on
their use can be found at the following location:
	http://people.redhat.com/sgrubb/audit/visualize/index.html

In addition, examples of how to use the scripts are presented below.

Additional information on audit and its tools is available at:
	maillist: http://www.redhat.com/mailman/listinfo/linux-audit
	irc: #audit (freenode)

-------

Examples:

1. Generate a flow graph of executables and the syscalls they invoke

aureport -s -i | awk '/^[0-9]/ { printf "%s %s\n", $6, $4 }' | sort | uniq | ./mkgraph

The mkgraph script is very simple, expecting line input of the form:
	executable syscall

aureport -s displays a syscall report; -i converts syscall numbers to
syscall names.  Awk is used to filter out and reorder the two columns into the
format expected by mkgraph.

2. Generate a bar graph showing the distribution of syscalls made by a 
specific process

aureport -s -i | awk '$5 == 1 {print $4}' | sort | uniq -c | mkbar

The mkbar script is very simple, expecting line input of the form:
	count item-name

This example tracks syscalls for the init process (pid 1, and of course assumes
you have used auditctl to instruct the audit system to collect the necessary
syscall data). Field 5 in the aureport output is the process id and field 4
is the syscall name.   If auid generation is enabled on your system (by
enabling pam_loginuid.so in your PAM configuration) you can generate a graph
of the syscall distribution for all processes for a given user session by
comparing against field 7 rather than field 5.
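The following is an added example, not part of the SuSE packaging or the
RedHat scripts: it exercises the awk/sort/uniq stages of examples 1 and 2
(and the field-7 auid variant described above) on a constructed stand-in for
"aureport -s -i" output, so the field numbering can be checked offline without
the audit daemon, mkgraph or mkbar installed. The sample report lines and
their header are constructed; the column layout (4 = syscall, 5 = pid,
6 = executable, 7 = auid) is taken from the README text, not from a real
report.

```shell
#!/bin/sh
# Added example: feeds a constructed 'aureport -s -i' stand-in through the
# awk/sort/uniq stages of the README pipelines.  Column layout assumed from
# the README: field 4 = syscall, 5 = pid, 6 = executable, 7 = auid.

# Constructed sample report (format assumed).  Only lines that start with a
# digit are records; the header and rulers are dropped by the /^[0-9]/ filter.
SAMPLE_REPORT='Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 01/01/2024 10:00:00 execve 1 /sbin/init 4294967295 100
2. 01/01/2024 10:00:01 open 1 /sbin/init 4294967295 101
3. 01/01/2024 10:00:02 open 1 /sbin/init 4294967295 102
4. 01/01/2024 10:00:03 execve 812 /bin/bash 1000 103
5. 01/01/2024 10:00:04 open 812 /bin/bash 1000 104
6. 01/01/2024 10:00:05 execve 900 /bin/ls 1000 105'

# Example 1 stage: unique "executable syscall" pairs, the input mkgraph expects.
to_graph_input() {
    awk '/^[0-9]/ { printf "%s %s\n", $6, $4 }' | sort | uniq
}

# Example 2 stage: "count syscall" for one pid ($1), the input mkbar expects.
# The pid is passed with -v instead of being hard-coded as in the README.
to_bar_input() {
    awk -v pid="$1" '$5 == pid { print $4 }' | sort | uniq -c
}

# Per-session variant: same as to_bar_input but keyed on the auid column
# (field 7), which is populated when pam_loginuid.so is enabled.
to_bar_input_by_auid() {
    awk -v auid="$1" '$7 == auid { print $4 }' | sort | uniq -c
}

# Wrappers over the embedded sample so each stage can be run and checked
# stand-alone.  In real use, replace the printf with 'aureport -s -i'.
graph_pairs()  { printf '%s\n' "$SAMPLE_REPORT" | to_graph_input; }
bar_for_pid()  { printf '%s\n' "$SAMPLE_REPORT" | to_bar_input "$1"; }
bar_for_auid() { printf '%s\n' "$SAMPLE_REPORT" | to_bar_input_by_auid "$1"; }

echo "mkgraph input:";            graph_pairs
echo "mkbar input for pid 1:";    bar_for_pid 1
echo "mkbar input for auid 1000:"; bar_for_auid 1000
```

On the constructed sample, graph_pairs yields five distinct executable/syscall
pairs (the two init "open" records collapse into one edge), and bar_for_pid 1
yields one execve and two open calls, which is the shape the bar graph
shows; only the printf source needs to change to run this against a live
report.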

