Ubuntu 22.04

Auditd : aureport के साथ सारांश लॉग प्रदर्शित करें (2023/09/20)

 
Audit पैकेज में शामिल [aureport] कमांड से ऑडिट लॉग ([/var/log/audit/audit.log]) को रिपोर्ट के रूप में संक्षेप में प्रदर्शित किया जा सकता है। यह लॉग फ़ाइल केवल root पढ़ सकता है, इसलिए नीचे के सभी कमांड root के रूप में चलाए गए हैं। किसी अन्य फ़ाइल (जैसे बैकअप या दूसरे होस्ट से कॉपी की गई लॉग) की रिपोर्ट बनाने के लिए [-if <फ़ाइल>] विकल्प का उपयोग करें।
[1] [aureport] कमांड का उपयोग इस प्रकार करें।
# बिना किसी विकल्प के चलाने पर सभी इवेंट प्रकारों का संपूर्ण सारांश प्रदर्शित होता है; विफल लॉगिन/प्रमाणीकरण और खाता परिवर्तनों की संख्या पर पहले नज़र डालें

root@dlp:~#
aureport


Summary Report
======================
Range of time in logs: 12/20/2022 11:29:48.328 - 12/20/2022 11:44:19.603
Selected time for report: 12/20/2022 11:29:48 - 12/20/2022 11:44:19.603
Number of changes in configuration: 4
Number of changes to accounts, groups, or roles: 5
Number of logins: 10
Number of failed logins: 3
Number of authentications: 14
Number of failed authentications: 7
Number of users: 4
Number of terminals: 6
Number of host names: 3
Number of executables: 10
Number of commands: 12
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 38
Number of events: 491

# प्रमाणीकरण (authentication) इवेंट की रिपोर्ट प्रदर्शित करें — प्रत्येक पंक्ति में खाता, स्रोत होस्ट, टर्मिनल, प्रोग्राम और सफलता (success) दिखती है

root@dlp:~#
aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 12/20/2022 11:30:37 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/login yes 30
2. 12/20/2022 11:30:43 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 52
3. 12/20/2022 11:30:54 root dlp.srv.world ttyS0 /usr/bin/chfn yes 75
4. 12/20/2022 11:31:05 debian dlp.srv.world /dev/ttyS0 /usr/bin/login yes 84
5. 12/20/2022 11:31:11 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 104
6. 12/20/2022 11:31:20 debian dlp.srv.world /dev/ttyS0 /usr/bin/login yes 127
7. 12/20/2022 11:31:26 debian 127.0.0.1 ssh /usr/sbin/sshd no 141
8. 12/20/2022 11:31:30 debian 127.0.0.1 ssh /usr/sbin/sshd no 143
9. 12/20/2022 11:31:35 debian 127.0.0.1 ssh /usr/sbin/sshd no 145
.....
.....

# केवल विफल प्रमाणीकरण का प्रति-खाता सारांश प्रदर्शित करें ([--failed] रिपोर्ट को विफल इवेंट तक सीमित करता है, [--summary] उन्हें खाते के अनुसार गिनता है)। ऊपर की रिपोर्ट में एक ही खाते के लिए कुछ सेकंड के अंतराल पर लगातार विफल sshd प्रयास (इवेंट 141, 143, 145) दिख रहे हैं — ब्रूट-फ़ोर्स की जाँच करते समय इसी तरह के पैटर्न पर ध्यान दें

root@dlp:~#
aureport -au --failed --summary


Failed Authentication Summary Report
=============================
total  acct
=============================
3  debian
3  ubuntu
1  root

# उपयोगकर्ता खातों/समूहों में संशोधन (useradd, groupadd, passwd आदि) की रिपोर्ट प्रदर्शित करें। [-i] संख्यात्मक uid/gid को नाम में बदलता है, लेकिन यह बदलाव रिपोर्ट चलाने वाली मशीन के वर्तमान खातों के आधार पर होता है — यदि खाते का नाम बदला या हटाया गया हो, या लॉग किसी अन्य होस्ट का हो, तो नाम भ्रामक हो सकता है; ऐसी स्थिति में [-i] के बिना कच्चे uid देखें

root@dlp:~#
aureport -m -i


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 68
2. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 69
3. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 70
4. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 71
5. 12/20/2022 11:30:54 root dlp.srv.world ttyS0 /usr/bin/passwd debian yes 74

# इस महीने की शुरुआत से अब तक के खाता संशोधन प्रदर्शित करें ([--start] के साथ [today], [yesterday], [this-week], [this-month] जैसे शब्द भी स्वीकार्य हैं)

root@dlp:~#
aureport -m -i --start this-month


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 68
2. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 69
3. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 70
4. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 71
5. 12/20/2022 11:30:54 root dlp.srv.world ttyS0 /usr/bin/passwd debian yes 74

# निष्पादित प्रोग्रामों (executables) की रिपोर्ट प्रदर्शित करें। [auid] कॉलम लॉगिन uid है, जो su/sudo के बाद भी वही रहता है; [unset] का अर्थ है कि प्रोसेस किसी लॉगिन सत्र से नहीं बल्कि बूट/सेवा के रूप में (यहाँ auditctl, systemd) शुरू हुई

root@dlp:~#
aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 17
2. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 18
3. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 19
4. 12/20/2022 11:29:48 /usr/lib/systemd/systemd ? ? unset 20
5. 12/20/2022 11:30:29 /usr/bin/login /dev/ttyS0 dlp.srv.world root 23
6. 12/20/2022 11:30:29 /usr/lib/systemd/systemd ? ? unset 26
7. 12/20/2022 11:30:29 /usr/lib/systemd/systemd (none) ? unset 26
8. 12/20/2022 11:30:29 /usr/lib/systemd/systemd ? ? unset 27
9. 12/20/2022 11:30:29 /usr/lib/systemd/systemd (none) ? unset 27
10. 12/20/2022 11:30:29 /usr/lib/systemd/systemd ? ? unset 28
.....
.....

# 2022/12/19 से 2022/12/20 तक के निष्पादन इवेंट प्रदर्शित करें। तारीख का प्रारूप सिस्टम लोकेल पर निर्भर करता है (यहाँ MM/DD/YYYY)। केवल तारीख देने पर [--start] उस दिन की आधी रात (00:00:00) से और [--end] उस तारीख के वर्तमान घड़ी-समय तक मानता है, इसलिए पूरे दिन को शामिल करने के लिए समय भी दें, जैसे [--end 12/20/2022 23:59:59]

root@dlp:~#
aureport -x -i --start 12/19/2022 --end 12/20/2022


Executable Report
====================================
# date time exe term host auid event
====================================
1. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 17
2. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 18
3. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 19
4. 12/20/2022 11:29:48 /usr/lib/systemd/systemd ? ? unset 20
5. 12/20/2022 11:30:29 /usr/bin/login /dev/ttyS0 dlp.srv.world root 23
.....
.....
[2] [ausearch] से इवेंट चुनकर उन्हें पाइप के ज़रिए [aureport] को दें और रिपोर्ट के रूप में प्रदर्शित करें (aureport मानक इनपुट से भी लॉग पढ़ सकता है)।
# uid 1000 के sudo इवेंट खोजें और उनकी प्रमाणीकरण रिपोर्ट प्रदर्शित करें ([-ua] auid, uid और euid में से किसी से भी मिलान करता है)। नीचे इवेंट 277–279 में कुछ सेकंड के भीतर तीन विफल sudo प्रयास दिख रहे हैं

root@dlp:~#
ausearch -x sudo -ua 1000 | aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 12/20/2022 11:32:39 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 191
2. 12/20/2022 11:34:22 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 277
3. 12/20/2022 11:34:26 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 278
4. 12/20/2022 11:34:28 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 279

# uid 1001 के निष्पादन इवेंट खोजें और प्रदर्शित करें। [-ui] केवल uid से मिलान करता है; su/sudo के बाद uid 0 हो जाता है, इसलिए किसी उपयोगकर्ता के पूरे सत्र (root के रूप में चलाए गए कमांड सहित) का पता लगाने के लिए लॉगिन uid (auid) पर आधारित [-ul 1001] का उपयोग करें

root@dlp:~#
ausearch -ui 1001 | aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 12/20/2022 11:33:56 /usr/bin/sudo /dev/ttyS0 dlp.srv.world debian 252
2. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 252
3. 12/20/2022 11:33:56 /usr/bin/sudo /dev/ttyS0 dlp.srv.world debian 253
4. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 253
5. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 254
6. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 254
7. 12/20/2022 11:33:59 /usr/bin/su /dev/ttyS0 dlp.srv.world debian 255
8. 12/20/2022 11:33:59 /usr/bin/su ttyS0 ? debian 255
.....
.....