Python library for handling linux's audit.log?

风格不统一 posted on 2019-12-26 06:48:30

Question


I'm searching for a library that I could import to my python (3.5) code to ease the processing of audit.log (on my CentOS6 it is /var/log/audit/audit.log). I'm thinking about a library that grabs the log lines to python and enables the querying/filtering in a human way.

There are rumors of a tool called audit-python, but it's not in the pip list and doesn't really look promising. So far no hope of a library handling this widespread audit log.

Maybe some would share their code of how they did process the audit.log in python? It would be useful for every sysadmin that uses python.


Answer 1:


As I didn't find a library, nor did anyone suggest one, I have come up with this function using a binary provided by the audit package:

```python
import subprocess

def read_audit(before, now, user):
    # Arguments go to ausearch as a list (no shell=True), so a user name containing
    # shell metacharacters cannot be interpreted by a shell.
    cmd = ["ausearch", "-ts", before.strftime('%H:%M:%S'),
           "-te", now.strftime('%H:%M:%S'), "-ua", user, "-sc", "EXECVE"]
    p = subprocess.Popen(cmd, stdout=subprocess.PIPE)
    res = p.stdout.read().decode()
    return res
```

I call the binary via the subprocess module, so an `import subprocess` is needed in the header of the code. The function grabs logs of program executions between the provided times via the ausearch tool.
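Since the question asks for a way to load audit.log into Python and filter it "in a human way", here is an added example that is not from the original question or answers and not part of any audit library: it parses the raw `type=... msg=audit(time:serial): key=value ...` records, groups the records of one event by their serial, and reproduces the answer's ausearch query (login uid, time window, EXECVE only) in pure Python, decoding the hex-encoded argv entries auditd writes for arguments that contain spaces. The log lines are constructed for the demonstration and the function names (`parse_record`, `group_events`, `execve_events`) are my own.

```python
import re
from collections import OrderedDict
from datetime import datetime, timezone

# One record per line: "type=T msg=audit(SECONDS.MILLIS:SERIAL): key=value key="quoted" ...".
# All records of one event (SYSCALL, EXECVE, CWD, PATH, ...) share the same serial.
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# A value is either double-quoted (may contain spaces) or a single unquoted token.
FIELD_RE = re.compile(r'(?P<key>[\w.-]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S*)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')

# Constructed sample records (not from a real system): an unprivileged "cat", a root
# "sh -c" whose argument auditd hex-encoded because it contains spaces, and a LOGIN
# record that carries no EXECVE and must be left out of the execve view.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1470000000.123:501): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=1b2a3c0 a1=1b2b5f0 a2=1b27730 a3=7ffd9e3f1d70 items=2 ppid=3001 pid=3042 auid=1000 '
    'uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 '
    'ses=4 comm="cat" exe="/bin/cat" key=(null)',
    'type=EXECVE msg=audit(1470000000.123:501): argc=2 a0="cat" a1="/etc/passwd"',
    'type=CWD msg=audit(1470000000.123:501):  cwd="/home/alice"',
    'type=PATH msg=audit(1470000000.123:501): item=0 name="/bin/cat" inode=1049 dev=fd:00 mode=0100755 ouid=0 ogid=0',
    'type=SYSCALL msg=audit(1470000005.456:502): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=2c1a3c0 a1=2c1b5f0 a2=2c17730 a3=7ffd1e3f1d70 items=2 ppid=1 pid=3100 auid=0 uid=0 '
    'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="sh" exe="/bin/sh" key=(null)',
    'type=EXECVE msg=audit(1470000005.456:502): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F20776F726C64',
    'type=CWD msg=audit(1470000005.456:502):  cwd="/"',
    'type=LOGIN msg=audit(1470000009.000:503): pid=2900 uid=0 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=4 res=1',
]


def _decode_value(rtype, key, raw):
    """Strip quotes; in EXECVE records, turn hex-encoded argv entries back into text."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if rtype == 'EXECVE' and re.fullmatch(r'a\d+', key) and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw  # unquoted token such as uid=1000, key=(null) or a SYSCALL register value


def parse_record(line):
    """Parse one audit.log line into a dict, or return None for a line that is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype = m.group('type')
    fields = {fm.group('key'): _decode_value(rtype, fm.group('key'), fm.group('val'))
              for fm in FIELD_RE.finditer(m.group('body'))}
    return {'type': rtype, 'time': float(m.group('ts')),
            'serial': int(m.group('serial')), 'fields': fields}


def group_events(lines):
    """Group records by serial, preserving file order: {serial: [record, ...]}."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec['serial'], []).append(rec)
    return events


def utc_string(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime('%Y-%m-%d %H:%M:%S')


def execve_events(events, auid=None, start=None, end=None):
    """Summarise every event that has an EXECVE record. auid filters on the login uid
    (like ausearch -ua); start/end are epoch seconds (like ausearch -ts/-te)."""
    out = []
    for serial, recs in events.items():
        by_type = {r['type']: r for r in recs}
        if 'EXECVE' not in by_type or 'SYSCALL' not in by_type:
            continue
        sc, ex = by_type['SYSCALL'], by_type['EXECVE']
        if auid is not None and sc['fields'].get('auid') != str(auid):
            continue
        if start is not None and sc['time'] < start:
            continue
        if end is not None and sc['time'] > end:
            continue
        argc = int(ex['fields'].get('argc', 0))
        out.append({
            'serial': serial,
            'time': sc['time'],
            'when': utc_string(sc['time']),
            'auid': sc['fields'].get('auid'),
            'uid': sc['fields'].get('uid'),
            'exe': sc['fields'].get('exe'),
            'cwd': by_type.get('CWD', {}).get('fields', {}).get('cwd'),
            'argv': [ex['fields'].get('a%d' % i, '') for i in range(argc)],
        })
    return out


if __name__ == '__main__':
    # For a real system pass the file object instead: group_events(open('/var/log/audit/audit.log'))
    for ev in execve_events(group_events(SAMPLE_LOG)):
        print(ev['when'], 'auid=%s' % ev['auid'], ev['exe'], ev['argv'])
```

Unlike the ausearch wrapper, this keeps the whole event in Python, so the same grouped records can be queried again (by `cwd`, by `PATH` name, by `success=no`) without re-running a subprocess per question; the `auid` field is the login uid that survives `su`/`sudo`, which is why it, not `uid`, is the one to filter on when attributing executions to a person.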




Answer 2:


You can install the package: setroubleshoot-server

Then look at the file /bin/sealert which is a python program and does a lot of stuff with audit.log based on the flags.



Source: https://stackoverflow.com/questions/38916777/python-library-for-handling-linuxs-audit-log
