Auditd : Search Logs with ausearch
2022/12/20

Some Audit rules are set by default, like System Login, Modification of User Accounts,
Sudo Actions and so on; their logs are recorded in [/var/log/audit/audit.log].
[1] The logs are plain text, so it's possible to read them directly. The uppercase fields such as UID="ubuntu" appended to some records are the resolved names that auditd adds when its log format is ENRICHED.
root@dlp:~# tail -5 /var/log/audit/audit.log
type=UNKNOWN[1420] msg=audit(1671503677.557:283): subj_apparmor=unconfined
type=USER_START msg=audit(1671503677.557:284): pid=2166 uid=1000 auid=1000 ses=21 subj=? msg='op=PAM:session_open grantors=pam_keyinit,pam_env,pam_env,pam_mail,pam_limits,pam_permit,pam_umask,pam_unix,pam_systemd acct="root" exe="/usr/bin/su" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'UID="ubuntu" AUID="ubuntu"
type=SYSCALL msg=audit(1671503677.557:284): arch=c000003e syscall=44 success=yes exit=228 a0=4 a1=7fff6da8e910 a2=e4 a3=0 items=0 ppid=2155 pid=2166 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=ttyS0 ses=21 comm="su" exe="/usr/bin/su" subj=? key=(null)ARCH=x86_64 SYSCALL=sendto AUID="ubuntu" UID="ubuntu" GID="ubuntu" EUID="root" SUID="root" FSUID="root" EGID="ubuntu" SGID="ubuntu" FSGID="ubuntu"
type=PROCTITLE msg=audit(1671503677.557:284): proctitle=7375002D
type=UNKNOWN[1420] msg=audit(1671503677.557:284): subj_apparmor=unconfined
[2] Many records are written to [audit.log] and they are complicated to read, so the [ausearch] command is provided by the Audit package to search for specific events.
# search USER_LOGIN related logs
root@dlp:~# ausearch --message USER_LOGIN --interpret
----
type=USER_LOGIN msg=audit(12/20/2022 11:30:37.532:41) : pid=1408 uid=root auid=ubuntu ses=3 subj=? msg='op=login acct=ubuntu exe=/usr/bin/login hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
----
type=USER_LOGIN msg=audit(12/20/2022 11:30:43.588:67) : pid=1481 uid=root auid=root ses=5 subj=? msg='op=login acct=root exe=/usr/bin/login hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
----
type=USER_LOGIN msg=audit(12/20/2022 11:31:05.507:95) : pid=1581 uid=root auid=debian ses=7 subj=? msg='op=login acct=debian exe=/usr/bin/login hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
----
type=USER_LOGIN msg=audit(12/20/2022 11:31:12.087:119) : pid=1646 uid=root auid=root ses=9 subj=? msg='op=login acct=root exe=/usr/bin/login hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
.....
.....

# search sudo actions by userID 1000
root@dlp:~# ausearch -x sudo -ua 1000
----
time->Tue Dec 20 11:33:59 2022
type=USER_AUTH msg=audit(1671503639.397:255): pid=2079 uid=1001 auid=1001 ses=19 subj=? msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/su" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
----
time->Tue Dec 20 11:34:22 2022
type=USER_AUTH msg=audit(1671503662.857:277): pid=2165 uid=1000 auid=1000 ses=21 subj=? msg='op=PAM:authentication grantors=? acct="ubuntu" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
----
time->Tue Dec 20 11:34:26 2022
type=USER_AUTH msg=audit(1671503666.009:278): pid=2165 uid=1000 auid=1000 ses=21 subj=? msg='op=PAM:authentication grantors=? acct="ubuntu" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
.....
.....

# search failure events on [dlp.srv.world]
root@dlp:~# ausearch --host dlp.srv.world --success no
----
time->Thu Mar 10 23:25:15 2022
type=USER_AUTH msg=audit(1646976315.473:406): pid=3329 uid=1000 auid=1000 ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/su" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
----
time->Thu Mar 10 23:25:26 2022
type=USER_AUTH msg=audit(1646976326.418:410): pid=3333 uid=1000 auid=1000 ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="cent" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
----
time->Thu Mar 10 23:25:30 2022
type=USER_AUTH msg=audit(1646976330.290:411): pid=3333 uid=1000 auid=1000 ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="cent" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
.....
.....

# search logs by a user whose login userID is 1001, from 2022/12/19 to 2022/12/20
root@dlp:~# ausearch --start 12/19/2022 --end 12/20/2022 -ul 1001
----
time->Tue Dec 20 11:31:05 2022
type=UNKNOWN[1420] msg=audit(1671503465.379:86): subj_apparmor=unconfined
type=PROCTITLE msg=audit(1671503465.379:86): proctitle=2F62696E2F6C6F67696E002D70002D2D
type=SYSCALL msg=audit(1671503465.379:86): arch=c000003e syscall=1 success=yes exit=4 a0=3 a1=7ffcff0f0ff0 a2=4 a3=0 items=0 ppid=1 pid=1581 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=7 comm="login" exe="/usr/bin/login" subj=? key=(null)
type=LOGIN msg=audit(1671503465.379:86): pid=1581 uid=0 subj=? old-auid=4294967295 auid=1001 tty=ttyS0 old-ses=4294967295 ses=7 res=1
type=UNKNOWN[1420] msg=audit(1671503465.379:86): subj_apparmor=unconfined
----
time->Tue Dec 20 11:31:05 2022
type=UNKNOWN[1420] msg=audit(1671503465.431:90): subj_apparmor=unconfined
type=PROCTITLE msg=audit(1671503465.431:90): proctitle="(systemd)"
type=SYSCALL msg=audit(1671503465.431:90): arch=c000003e syscall=1 success=yes exit=4 a0=7 a1=7fffc09c3420 a2=4 a3=0 items=0 ppid=1 pid=1628 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=8 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=? key=(null)
type=LOGIN msg=audit(1671503465.431:90): pid=1628 uid=0 subj=? old-auid=4294967295 auid=1001 tty=(none) old-ses=4294967295 ses=8 res=1
type=UNKNOWN[1420] msg=audit(1671503465.431:90): subj_apparmor=unconfined
.....
.....
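The searches above work because every audit record carries a type, an audit(timestamp:serial) id, and key=value fields, and ausearch groups records with the same serial into one event. The following is an added example (not part of this page or of the audit package) that parses that raw format and reproduces the --message, --success and -ua style filters on a constructed sample modelled on the records shown above; the function names and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in /var/log/audit/audit.log format: a failed sudo authentication,
# a successful su, and a login event whose SYSCALL and LOGIN records share one serial.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1671503662.857:277): pid=2165 uid=1000 auid=1000 ses=21 subj=? msg='op=PAM:authentication grantors=? acct="ubuntu" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
type=USER_AUTH msg=audit(1671503677.100:283): pid=2166 uid=1000 auid=1000 ses=21 subj=? msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
type=SYSCALL msg=audit(1671503465.379:86): arch=c000003e syscall=1 success=yes exit=4 a0=3 a1=7ffcff0f0ff0 a2=4 a3=0 items=0 ppid=1 pid=1581 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=7 comm="login" exe="/usr/bin/login" subj=? key=(null)
type=LOGIN msg=audit(1671503465.379:86): pid=1581 uid=0 subj=? old-auid=4294967295 auid=1001 tty=ttyS0 old-ses=4294967295 ses=7 res=1
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$")
FIELD = re.compile(r"""([\w-]+)=('[^']*'|"[^"]*"|\S+)""")  # 'quoted', "quoted" or bare value

def parse_fields(text):
    """Turn `k=v k2="v2" msg='a=b c=d'` into a dict; the nested msg='...' is flattened."""
    out = {}
    for key, val in FIELD.findall(text):
        if val.startswith("'"):          # PAM-style msg='...' holds more k=v pairs
            out.update(parse_fields(val[1:-1]))
        else:
            out[key] = val.strip('"')
    return out

def parse_events(log_text):
    events = defaultdict(list)           # serial -> list of records, as ausearch groups them
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue                     # skip lines that are not audit records
        rtype, serial, rest = m.groups()
        events[int(serial)].append({"type": rtype, **parse_fields(rest)})
    return events

def search(events, message=None, success=None, auid=None):
    """Mimic ausearch --message / --success / -ua on parsed events; returns matching serials."""
    hits = []
    for serial, recs in sorted(events.items()):
        if message and all(r["type"] != message for r in recs):
            continue
        if auid is not None and all(r.get("auid") != str(auid) for r in recs):
            continue
        if success is not None:
            ok = any(r.get("res") in ("success", "1") or r.get("success") == "yes" for r in recs)
            if ok != success:
                continue
        hits.append(serial)
    return hits
```

Running search(parse_events(SAMPLE_LOG), message="USER_AUTH", success=False) returns [277], the failed sudo attempt, which is the same event the page's ausearch -x sudo -ua 1000 query surfaces.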