Auditd : Display log summaries with aureport (2016/02/21)

The aureport command, bundled with the audit package, produces summary reports from the large volume of entries recorded in audit.log.
[1] Usage examples of the aureport command.

# Run with no arguments to display the overall summary
[root@dlp ~]# aureport

Summary Report
======================
Range of time in logs: 08/08/2015 02:09:42.093 - 02/25/2016 17:01:01.950
Selected time for report: 08/08/2015 02:09:42 - 02/25/2016 17:01:01.950
Number of changes in configuration: 299
Number of changes to accounts, groups, or roles: 18
Number of logins: 18
Number of failed logins: 3
Number of authentications: 30
Number of failed authentications: 3
Number of users: 3
Number of terminals: 7
Number of host names: 3
Number of executables: 15
Number of commands: 41
Number of files: 0
Number of AVC's: 0
Number of MAC events: 2
Number of failed syscalls: 0
Number of anomaly events: 2
Number of responses to anomaly events: 0
Number of crypto events: 74
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 407
Number of events: 1955

# Display the authentication report
[root@dlp ~]# aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 08/08/2015 02:09:52 root ? ttyS0 /usr/bin/login yes 332
2. 08/08/2015 02:20:27 root ? ttyS0 /usr/bin/login yes 34
3. 08/17/2015 10:40:03 root ? ttyS0 /usr/bin/login yes 33
.....
.....
20. 02/23/2016 11:09:46 cent 10.0.0.20 ssh /usr/sbin/sshd yes 118
21. 02/23/2016 11:13:26 cent ? ttyS0 /usr/bin/login no 147

# Display only failed authentications, in summary form
[root@dlp ~]# aureport -au --failed --summary

Failed Authentication Summary Report
=============================
total acct
=============================
1 root
1 cent

# Display the account modification report (numeric user IDs resolved to user names)
[root@dlp ~]# aureport -m -i

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 08/08/2015 02:10:21 root ? ttyS0 /usr/sbin/useradd cent no 342
2. 08/08/2015 02:19:25 root ? ? /usr/sbin/groupadd ? yes 370
3. 08/08/2015 02:19:26 root ? ? /usr/sbin/groupadd ? yes 371
.....
.....
17. 02/08/2016 11:12:41 root ? ? /usr/sbin/groupadd ntp no 45
18. 02/08/2016 11:12:41 root ? ? /usr/sbin/useradd ntp no 46

# Display account modifications from the start of this month onward
[root@dlp ~]# aureport -m -i --start this-month

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 02/08/2016 11:12:41 root ? ? /usr/sbin/groupadd ntp no 45
2. 02/08/2016 11:12:41 root ? ? /usr/sbin/useradd ntp no 46

# Display the executable (program execution) report
[root@dlp ~]# aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 08/08/2015 02:09:42 /usr/lib/systemd/systemd ? ? unset 6
2. 08/08/2015 02:09:42 /usr/lib/systemd/systemd-update-utmp ? ? unset 7
3. 08/08/2015 02:09:42 /usr/lib/systemd/systemd ? ? unset 8
.....
.....
1422. 02/23/2016 17:01:01 /usr/sbin/crond cron ? root 211
1423. 02/23/2016 17:01:01 /usr/sbin/crond cron ? root 212

# Display program executions that occurred between 2016/2/7 and 2016/2/21
[root@dlp ~]# aureport -x -i --start 02/07/2016 --end 02/21/2016

Executable Report
====================================
# date time exe term host auid event
====================================
1. 02/08/2016 11:11:47 /usr/lib/systemd/systemd ? ? unset 5
2. 02/08/2016 11:11:47 /usr/lib/systemd/systemd-update-utmp ? ? unset 6
3. 02/08/2016 11:11:47 /usr/lib/systemd/systemd ? ? unset 7
.....
.....
87. 02/08/2016 11:14:08 /usr/lib/systemd/systemd ? ? unset 92
88. 02/08/2016 11:14:08 /usr/lib/systemd/systemd ? ? unset 93
[3] By piping the output of ausearch into aureport, you can produce a summary report of just the events matched by a search.

# Display authentication events that occurred on the node dlp.srv.world
[root@dlp ~]# ausearch --node dlp.srv.world | aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 02/25/2016 16:55:35 cent ? ttyS0 /usr/bin/su yes 103
2. 02/25/2016 16:55:44 cent ? /dev/ttyS0 /usr/bin/sudo yes 107
3. 02/26/2016 09:21:35 root ? ttyS0 /usr/bin/login yes 38
4. 02/26/2016 09:50:32 root ? ttyS0 /usr/bin/login yes 38

# Display program executions by the user with user ID 1000
[root@dlp ~]# ausearch -ui 1000 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 02/23/2016 09:52:23 /usr/bin/sudo /dev/ttyS0 ? cent 49
2. 02/23/2016 09:52:23 /usr/bin/sudo /dev/ttyS0 ? cent 50
3. 02/23/2016 09:55:06 /usr/bin/su ttyS0 ? cent 80
.....
.....
15. 02/26/2016 09:48:50 /usr/bin/sudo /dev/ttyS0 ? cent 52
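As an added example that is not part of the original page, the following POSIX shell script reproduces what `aureport -au --failed --summary` in [1] computes from a plain `aureport -au` Authentication Report (the same format that the `ausearch | aureport -au` pipeline in [3] emits), and adds a threshold check for accounts with repeated failures. The report text is a constructed sample in the page's column layout, and the function names are assumed, not part of aureport.

```shell
#!/bin/sh
# Added example (not from the original page): count failed authentications
# per account from an "aureport -au" Authentication Report on stdin.
# SAMPLE_REPORT is a constructed fragment in the format shown in [1].
SAMPLE_REPORT='Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 02/23/2016 11:09:46 cent 10.0.0.20 ssh /usr/sbin/sshd yes 118
2. 02/23/2016 11:13:26 cent ? ttyS0 /usr/bin/login no 147
3. 02/25/2016 16:55:35 cent ? ttyS0 /usr/bin/su yes 103
4. 02/26/2016 09:21:35 root ? ttyS0 /usr/bin/login no 38
5. 02/26/2016 09:50:32 root ? ttyS0 /usr/bin/login yes 40
6. 02/26/2016 10:02:11 root 10.0.0.30 ssh /usr/sbin/sshd no 41'

# failed_auth_summary: read a report on stdin, print "total acct" lines for
# failed events only, highest total first (what --failed --summary shows).
failed_auth_summary() {
    awk '
        # data rows start with "N."; fields: idx date time acct host term exe success event
        $1 ~ /^[0-9]+\.$/ && $8 == "no" { fail[$4]++ }
        END { for (a in fail) printf "%d %s\n", fail[a], a }
    ' | sort -rn
}

# failed_count ACCT: number of failed events for one account in the sample (0 if none)
failed_count() {
    printf '%s\n' "$SAMPLE_REPORT" | failed_auth_summary |
        awk -v a="$1" '$2 == a { print $1; found = 1 } END { if (!found) print 0 }'
}

# accounts_at_or_above N: accounts whose failed-auth total is N or more,
# the kind of list a reviewer would check against lockout or alerting policy
accounts_at_or_above() {
    printf '%s\n' "$SAMPLE_REPORT" | failed_auth_summary |
        awk -v n="$1" '$1 + 0 >= n + 0 { print $2 }'
}
```

Run it against real data with `aureport -au | failed_auth_summary` after sourcing the script; the sample in the block exists only so the functions can be exercised offline.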