Debian 12 bookworm

Auditd : Display Summary Logs with aureport (2023/07/13)

 
It's possible to display a summary of Audit logs with the [aureport] command, which is included in the Audit package.
[1] This is how to use the [aureport] command.
# display the whole summary (no arguments)

root@dlp:~#
aureport


Summary Report
======================
Range of time in logs: 07/12/2023 20:56:08.983 - 07/12/2023 21:03:37.912
Selected time for report: 07/12/2023 20:56:08 - 07/12/2023 21:03:37.912
Number of changes in configuration: 6
Number of changes to accounts, groups, or roles: 5
Number of logins: 6
Number of failed logins: 1
Number of authentications: 10
Number of failed authentications: 1
Number of users: 4
Number of terminals: 4
Number of host names: 2
Number of executables: 11
Number of commands: 5
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 32
Number of events: 241

# display authentication logs

root@dlp:~#
aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 07/12/2023 20:57:56 root dlp.srv.world /dev/ttyS0 /usr/bin/login no 37
2. 07/12/2023 20:58:03 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 39
3. 07/12/2023 20:59:04 debian dlp.srv.world /dev/ttyS0 /usr/bin/login yes 61
4. 07/12/2023 20:59:09 root dlp.srv.world /dev/ttyS0 /usr/bin/su yes 75
5. 07/12/2023 20:59:51 debian dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 81
6. 07/12/2023 21:00:27 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 111
7. 07/12/2023 21:02:55 root dlp.srv.world ttyS0 /usr/bin/chfn yes 134
8. 07/12/2023 21:03:05 bookworm dlp.srv.world /dev/ttyS0 /usr/bin/login yes 142
9. 07/12/2023 21:03:18 debian dlp.srv.world /dev/ttyS0 /usr/bin/login yes 161
10. 07/12/2023 21:03:25 bookworm dlp.srv.world /dev/ttyS0 /usr/bin/su yes 175
11. 07/12/2023 21:03:32 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 186
.....
.....

# display a per-account summary of failed authentication logs

root@dlp:~#
aureport -au --failed --summary


Failed Authentication Summary Report
=============================
total  acct
=============================
4  debian
3  bookworm
1  root

# display account modification logs (-i interprets numeric IDs as names)

root@dlp:~#
aureport -m -i


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 129
2. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 130
3. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 131
4. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 132
5. 07/12/2023 21:02:55 root dlp.srv.world ttyS0 /usr/bin/passwd bookworm yes 133
.....
.....

# display account modification logs since the start of this month

root@dlp:~#
aureport -m -i --start this-month


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 129
2. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 130
3. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 131
4. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 132
5. 07/12/2023 21:02:55 root dlp.srv.world ttyS0 /usr/bin/passwd bookworm yes 133
.....
.....

# display executable (process execution) logs

root@dlp:~#
aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 13
2. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 14
3. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 15
4. 07/12/2023 20:56:08 /usr/lib/systemd/systemd ? ? unset 16
5. 07/12/2023 20:57:11 /usr/lib/systemd/systemd ? ? unset 20
6. 07/12/2023 20:57:26 /usr/lib/systemd/systemd ? ? unset 21
7. 07/12/2023 20:57:26 /usr/lib/systemd/systemd ? ? unset 22
.....
.....

# display executable logs from 2023/07/11 to 2023/07/12

root@dlp:~#
aureport -x -i --start 07/11/2023 --end 07/12/2023


Executable Report
====================================
# date time exe term host auid event
====================================
1. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 13
2. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 14
3. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 15
4. 07/12/2023 20:56:08 /usr/lib/systemd/systemd ? ? unset 16
5. 07/12/2023 20:57:11 /usr/lib/systemd/systemd ? ? unset 20
6. 07/12/2023 20:57:26 /usr/lib/systemd/systemd ? ? unset 21
7. 07/12/2023 20:57:26 /usr/lib/systemd/systemd ? ? unset 22
.....
.....
[2] It is also possible to search logs with [ausearch] and pipe the result into [aureport], like follows.
# search sudo events for user ID 1000 (-ua matches uid, euid or auid) and display them as an authentication report

root@dlp:~#
ausearch -x sudo -ua 1000 | aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 07/12/2023 20:59:51 debian dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 81
2. 07/12/2023 21:12:19 debian dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 264

# search events with uid 1001 and display them as an executable report

root@dlp:~#
ausearch -ui 1001 | aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 07/12/2023 21:12:49 /usr/bin/su /dev/ttyS0 dlp.srv.world root 285
2. 07/12/2023 21:12:49 /usr/bin/su /dev/ttyS0 dlp.srv.world root 286
3. 07/12/2023 21:12:49 /usr/bin/su /dev/ttyS0 dlp.srv.world root 287
4. 07/12/2023 21:12:49 /usr/bin/su /dev/ttyS0 dlp.srv.world root 288
5. 07/12/2023 21:12:50 /usr/bin/su /dev/ttyS0 dlp.srv.world root 289
.....
.....