Auditd : Display Summary Logs with aureport
2023/07/13
The [aureport] command, included in the audit package, prints summary reports from the audit logs instead of the raw records shown by [ausearch].
[1] This is how to use the [aureport] command. Run it as root: the reports are built from [/var/log/audit/audit.log], which is readable by root only.
# display the whole summary (no arguments)
root@dlp:~# aureport

Summary Report
======================
Range of time in logs: 07/12/2023 20:56:08.983 - 07/12/2023 21:03:37.912
Selected time for report: 07/12/2023 20:56:08 - 07/12/2023 21:03:37.912
Number of changes in configuration: 6
Number of changes to accounts, groups, or roles: 5
Number of logins: 6
Number of failed logins: 1
Number of authentications: 10
Number of failed authentications: 1
Number of users: 4
Number of terminals: 4
Number of host names: 2
Number of executables: 11
Number of commands: 5
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 32
Number of events: 241

# display the authentication report
root@dlp:~# aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 07/12/2023 20:57:56 root dlp.srv.world /dev/ttyS0 /usr/bin/login no 37
2. 07/12/2023 20:58:03 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 39
3. 07/12/2023 20:59:04 debian dlp.srv.world /dev/ttyS0 /usr/bin/login yes 61
4. 07/12/2023 20:59:09 root dlp.srv.world /dev/ttyS0 /usr/bin/su yes 75
5. 07/12/2023 20:59:51 debian dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 81
6. 07/12/2023 21:00:27 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 111
7. 07/12/2023 21:02:55 root dlp.srv.world ttyS0 /usr/bin/chfn yes 134
8. 07/12/2023 21:03:05 bookworm dlp.srv.world /dev/ttyS0 /usr/bin/login yes 142
9. 07/12/2023 21:03:18 debian dlp.srv.world /dev/ttyS0 /usr/bin/login yes 161
10. 07/12/2023 21:03:25 bookworm dlp.srv.world /dev/ttyS0 /usr/bin/su yes 175
11. 07/12/2023 21:03:32 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 186
.....
.....

# display only failed authentications, summarized per account
root@dlp:~# aureport -au --failed --summary

Failed Authentication Summary Report
=============================
total acct
=============================
4 debian
3 bookworm
1 root

# display the account modification report ([-i] interprets numeric IDs as names)
root@dlp:~# aureport -m -i

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 129
2. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 130
3. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 131
4. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 132
5. 07/12/2023 21:02:55 root dlp.srv.world ttyS0 /usr/bin/passwd bookworm yes 133
.....
.....

# display the account modification report for this month only
root@dlp:~# aureport -m -i --start this-month

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 129
2. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 130
3. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 131
4. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 132
5. 07/12/2023 21:02:55 root dlp.srv.world ttyS0 /usr/bin/passwd bookworm yes 133
.....
.....

# display the executable report
root@dlp:~# aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 13
2. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 14
3. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 15
4. 07/12/2023 20:56:08 /usr/lib/systemd/systemd ? ? unset 16
5. 07/12/2023 20:57:11 /usr/lib/systemd/systemd ? ? unset 20
6. 07/12/2023 20:57:26 /usr/lib/systemd/systemd ? ? unset 21
7. 07/12/2023 20:57:26 /usr/lib/systemd/systemd ? ? unset 22
.....
.....

# display the executable report for the range 2023/07/11 to 2023/07/12
root@dlp:~# aureport -x -i --start 07/11/2023 --end 07/12/2023

Executable Report
====================================
# date time exe term host auid event
====================================
1. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 13
2. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 14
3. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 15
4. 07/12/2023 20:56:08 /usr/lib/systemd/systemd ? ? unset 16
5. 07/12/2023 20:57:11 /usr/lib/systemd/systemd ? ? unset 20
6. 07/12/2023 20:57:26 /usr/lib/systemd/systemd ? ? unset 21
7. 07/12/2023 20:57:26 /usr/lib/systemd/systemd ? ? unset 22
.....
.....
[2] Combine [ausearch] and [aureport] to filter before reporting, as follows. [aureport] accepts raw audit records on standard input, so pipe the output of [ausearch] without its [-i] option (interpreted output cannot be parsed by [aureport]).
# search for sudo events by user ID 1000 and report the authentications among them
root@dlp:~# ausearch -x sudo -ua 1000 | aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 07/12/2023 20:59:51 debian dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 81
2. 07/12/2023 21:12:19 debian dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 264

# search for events with UID 1001 and report the executables among them
root@dlp:~# ausearch -ui 1001 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 07/12/2023 21:12:49 /usr/bin/su /dev/ttyS0 dlp.srv.world root 285
2. 07/12/2023 21:12:49 /usr/bin/su /dev/ttyS0 dlp.srv.world root 286
3. 07/12/2023 21:12:49 /usr/bin/su /dev/ttyS0 dlp.srv.world root 287
4. 07/12/2023 21:12:49 /usr/bin/su /dev/ttyS0 dlp.srv.world root 288
5. 07/12/2023 21:12:50 /usr/bin/su /dev/ttyS0 dlp.srv.world root 289
.....
.....
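The failed-authentication summary from [1] is the report most worth watching, and its fixed layout (two rules of [=], then one "total acct" row per account) makes it easy to turn into an alert. The script below is an added example, not part of the audit package or of this page's original commands: [flag_failed_accounts] reads a summary report on standard input and prints the accounts whose failure count reaches a threshold, and [report_failed_auth] is a thin wrapper that feeds it a live [aureport -au --failed --summary] for a chosen period. Both function names, the threshold default of 3, and the embedded sample report (constructed to match the layout shown in [1]) are assumptions for illustration.

```shell
#!/bin/sh
# Flag accounts with repeated failed authentications from an aureport
# "Failed Authentication Summary Report". Hypothetical helper, not part of
# the audit package. Reads the report on stdin so it can be tested offline.

# Usage: aureport -au --failed --summary --start today | flag_failed_accounts 3
# Prints "<acct> <total>" for each account whose total >= threshold.
flag_failed_accounts() {
    threshold="${1:-3}"
    awk -v thr="$threshold" '
        # The report has two "====" rules; data rows follow the second one.
        /^=+$/ { rules++; next }
        # Data rows are exactly "<total> <acct>"; skip headers and blanks.
        rules >= 2 && NF == 2 && $1 ~ /^[0-9]+$/ {
            if ($1 + 0 >= thr) printf "%s %s\n", $2, $1
        }
    '
}

# Live use on the audited host (root, auditd running); not exercised offline.
# $1 is an aureport --start keyword or date (today, this-week, 07/11/2023, ...),
# $2 the threshold.
report_failed_auth() {
    aureport -au --failed --summary --start "${1:-today}" \
        | flag_failed_accounts "${2:-3}"
}

# Constructed sample in the layout printed by "aureport -au --failed --summary".
SAMPLE_REPORT='
Failed Authentication Summary Report
=============================
total acct
=============================
4 debian
3 bookworm
1 root
'

# Offline demonstration against the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_REPORT" | flag_failed_accounts 3
}
```

With the sample above, [demo] prints debian (4) and bookworm (3) and leaves root (1) out. Schedule [report_failed_auth today] from cron or a systemd timer and mail or forward its output; an empty result means no account crossed the threshold in the period.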