ausearch

From RaySoft

ausearch is a tool that can query the audit daemon logs for events based on different search criteria. The ausearch utility can also take input from stdin as long as the input is the raw log data.[1]

Documentation

Syntax

ausearch [PARAMETER ...]

Parameters

-c NAME, --comm NAME
Search for an event based on the given NAME. The NAME is the executable's name from the task structure.
-r, --raw
Output is completely unformatted. This is useful for extracting records that can still be interpreted by audit tools.

Examples

Add an SELinux policy to allow a Traefik container to read from /var/run/docker.sock

Scan the log file and report all discovered SELinux issues:

sealert --analyze '/var/log/audit/audit.log'

Create an SELinux policy module for the Traefik container (this writes my-traefik.te and the package my-traefik.pp):

ausearch --comm 'traefik' --raw | audit2allow --module-package='my-traefik'

Install the SELinux policy for the Traefik container:

semodule --install='my-traefik.pp'
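As an added example, not part of this page or of the audit package, the following POSIX shell function reads raw records in the shape that `ausearch --raw` emits and summarises the AVC denials for one comm as (source type, target type, class, permission) tuples, which is exactly the information audit2allow turns into allow rules. The sample records are constructed for illustration; the function name `summarize_avc` is an assumption of this example.

```shell
#!/bin/sh
# Constructed sample of raw audit records in the shape `ausearch --raw`
# emits (illustrative only, not real log data).
SAMPLE_RAW='type=AVC msg=audit(1700000000.123:456): avc:  denied  { connectto } for  pid=1234 comm="traefik" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="traefik" exe="/usr/local/bin/traefik" subj=system_u:system_r:container_t:s0:c1,c2 key=(null)
type=AVC msg=audit(1700000000.124:457): avc:  denied  { write } for  pid=1234 comm="traefik" name="docker.sock" dev="tmpfs" ino=1 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1700000000.200:458): avc:  denied  { read } for  pid=999 comm="nginx" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarize_avc COMM
# Reads raw audit records on stdin, keeps the AVC denials whose comm= field
# equals COMM, and prints one line per distinct
# "<count> <source type> <target type> <class> <permission>" tuple.
summarize_avc() {
    awk -v want="$1" '
        $1 == "type=AVC" && index($0, "comm=\"" want "\"") {
            # the permission set is the text between "{" and "}"
            s = index($0, "{"); e = index($0, "}")
            perm = substr($0, s + 1, e - s - 1)
            gsub(/^ +| +$/, "", perm)
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                # context fields are user:role:type:level; keep the type
                if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
                else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            count[src " " tgt " " cls " " perm]++
        }
        END { for (k in count) print count[k], k }
    ' | sort
}

# On a live host the same function sits where audit2allow would:
#   ausearch --comm 'traefik' --raw | summarize_avc traefik
printf '%s\n' "$SAMPLE_RAW" | summarize_avc traefik
```

Each tuple printed here becomes one allow rule in the generated my-traefik.te, so this list is what to read before running semodule --install.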

References

  1. man 8 'ausearch'