CentOS 8

Auditd : Summarize Logs with aureport 2019/09/28

 
The [aureport] command, shipped with the audit package, produces summary reports from the large volume of records written to [audit.log], so you can review authentication, account changes and program execution without reading the raw log.
[1] Usage examples of the [aureport] command.
# With no arguments, show the overall summary

[root@dlp ~]#
aureport


Summary Report
======================
Range of time in logs: 01/01/1970 09:00:00.000 - 09/27/2019 15:39:22.828
Selected time for report: 01/01/1970 09:00:00 - 09/27/2019 19:39:22.828
Number of changes in configuration: 37
Number of changes to accounts, groups, or roles: 3
Number of logins: 7
Number of failed logins: 2
Number of authentications: 12
Number of failed authentications: 8
Number of users: 2
Number of terminals: 5
Number of host names: 6
Number of executables: 12
Number of commands: 7
Number of files: 0
Number of AVC's: 6
Number of MAC events: 20
Number of failed syscalls: 6
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 38
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 72
Number of events: 978

# Show the authentication report

[root@dlp ~]#
aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 09/24/2019 01:12:14 root localhost.localdomain ttyS0 /usr/bin/login yes 58
2. 09/26/2019 01:40:27 root localhost.localdomain ttyS0 /usr/bin/login yes 45
3. 09/27/2019 18:35:55 root localhost.localdomain ttyS0 /usr/bin/login yes 52
4. 09/27/2019 19:25:28 root localhost.localdomain ttyS0 /usr/bin/login yes 50
5. 09/27/2019 19:28:44 root dlp.srv.world ttyS0 /usr/bin/login yes 48
.....
.....
16. 09/27/2019 19:32:19 cent 10.0.0.51 ssh /usr/sbin/sshd no 118
17. 09/27/2019 19:37:07 cent dlp.srv.world ttyS0 /usr/bin/su yes 128
18. 09/27/2019 19:37:12 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 133
19. 09/27/2019 19:37:15 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 134
20. 09/27/2019 19:37:19 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 135

# Show only failed authentications, aggregated per account (--failed --summary)

[root@dlp ~]#
aureport -au --failed --summary


Failed Authentication Summary Report
=============================
total  acct
=============================
6  cent
2  root

# Show the account modification report (-i interprets numeric IDs such as auid as names)

[root@dlp ~]#
aureport -m -i


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 09/26/2019 19:58:05 root ? ? /usr/sbin/groupadd ? yes 108
2. 09/26/2019 19:58:05 root ? ? /usr/sbin/groupadd ? yes 109
3. 09/26/2019 19:58:06 root ? ? /usr/sbin/useradd ? yes 110

# Show account modifications from the start of this month onward

[root@dlp ~]#
aureport -m -i --start this-month


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 09/26/2019 19:58:05 root ? ? /usr/sbin/groupadd ? yes 108
2. 09/26/2019 19:58:05 root ? ? /usr/sbin/groupadd ? yes 109
3. 09/26/2019 19:58:06 root ? ? /usr/sbin/useradd ? yes 110

# Show the executable report (one row per event, by executable)

[root@dlp ~]#
aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 09/24/2019 17:11:45 /usr/lib/systemd/systemd ? ? unset 8
2. 09/24/2019 17:11:45 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
3. 09/24/2019 17:11:45 /usr/lib/systemd/systemd ? ? unset 10
4. 09/24/2019 17:11:45 /usr/lib/systemd/systemd ? ? unset 11
5. 09/24/2019 17:11:45 /usr/lib/systemd/systemd ? ? unset 12
.....
.....
908. 09/27/2019 15:37:19 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 135
909. 09/27/2019 15:37:22 /usr/bin/su ttyS0 dlp.srv.world root 137
910. 09/27/2019 15:37:22 /usr/bin/su ttyS0 dlp.srv.world root 138
911. 09/27/2019 15:37:41 /usr/lib/systemd/systemd ? ? unset 139
912. 09/27/2019 15:39:22 /usr/lib/systemd/systemd ? ? unset 74

# Show the executable report for the range 09/26/2019 to 09/28/2019 (--end is exclusive of the later day's start time)

[root@dlp ~]#
aureport -x -i --start 09/26/2019 --end 09/28/2019


Executable Report
====================================
# date time exe term host auid event
====================================
1. 09/26/2019 17:40:13 /usr/lib/systemd/systemd ? ? unset 8
2. 09/26/2019 17:40:14 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
3. 09/26/2019 17:40:14 /usr/lib/systemd/systemd ? ? unset 10
4. 09/26/2019 17:40:14 /usr/lib/systemd/systemd ? ? unset 11
5. 09/26/2019 17:40:14 /usr/lib/systemd/systemd ? ? unset 12
.....
.....
758. 09/27/2019 15:37:19 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 135
759. 09/27/2019 15:37:22 /usr/bin/su ttyS0 dlp.srv.world root 137
760. 09/27/2019 15:37:22 /usr/bin/su ttyS0 dlp.srv.world root 138
761. 09/27/2019 15:37:41 /usr/lib/systemd/systemd ? ? unset 139
762. 09/27/2019 15:39:22 /usr/lib/systemd/systemd ? ? unset 74
[2] Piping [ausearch] output into [aureport] lets you summarize only the records that match a search, instead of the whole log.
# Show sudo authentication records for user ID 1000 (-ua matches uid, euid or auid; -x matches the executable name)

[root@dlp ~]#
ausearch -x sudo -ua 1000 | aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 09/26/2019 19:30:33 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 82
2. 09/26/2019 19:37:12 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 133
3. 09/26/2019 19:37:15 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 134
4. 09/26/2019 19:37:19 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 135

# Show the executable report for records whose uid is 1000 (note that auid still shows the original login user)

[root@dlp ~]#
ausearch -ui 1000 | aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 09/26/2019 19:30:33 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 82
2. 09/26/2019 19:30:33 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 83
3. 09/26/2019 19:30:40 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 89
4. 09/26/2019 19:37:12 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 133
5. 09/26/2019 19:37:15 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 134
.....
.....
11. 09/26/2019 19:56:37 /usr/bin/su ttyS0 dlp.srv.world root 149
12. 09/26/2019 19:56:39 /usr/bin/su ttyS0 dlp.srv.world root 150
13. 09/26/2019 19:56:39 /usr/bin/su ttyS0 dlp.srv.world root 151
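As an added example (not part of the original page, and not the audit project's own code), the following Python script re-implements over a constructed audit.log sample what the commands in [1] and [2] compute: the rows of `aureport -au`, the per-account counts of `aureport -au --failed --summary`, and the filtered report of `ausearch -x sudo -ua 1000 | aureport -au`. This is useful when you receive a copied audit.log during incident response and cannot run aureport on the analysis host. It assumes that only USER_AUTH records feed the authentication report, that `-x` matches on the executable's basename and `-ua` on uid/auid/euid; these are approximations of the real tools, whose output is authoritative where auditd is installed. The sample records and all their values are made up.

```python
"""Offline equivalents of a few aureport reports, run over a raw audit.log.

Added example, not the page's or the audit project's code. Assumptions:
only USER_AUTH records feed the authentication report, `-x` matches the
executable's basename, `-ua` matches uid/auid/euid; aureport's exact
selection logic is not reproduced.
"""
import os
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in audit.log on-disk format (made-up values that only
# resemble the page's report; these are not the page's records).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1569472233.512:82): pid=2121 uid=1000 auid=1000 ses=4 msg='op=PAM:authentication grantors=pam_unix acct="cent" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
type=USER_AUTH msg=audit(1569472632.101:133): pid=2140 uid=1000 auid=1000 ses=4 msg='op=PAM:authentication grantors=? acct="cent" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
type=USER_AUTH msg=audit(1569472635.233:134): pid=2140 uid=1000 auid=1000 ses=4 msg='op=PAM:authentication grantors=? acct="cent" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
type=USER_AUTH msg=audit(1569472639.870:135): pid=2140 uid=1000 auid=1000 ses=4 msg='op=PAM:authentication grantors=? acct="cent" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
type=USER_AUTH msg=audit(1569566539.002:118): pid=2301 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="cent" exe="/usr/sbin/sshd" hostname=10.0.0.51 addr=10.0.0.51 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1569566827.410:128): pid=2350 uid=1000 auid=1000 ses=5 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=dlp.srv.world addr=? terminal=ttyS0 res=success'
type=USER_LOGIN msg=audit(1569566827.500:129): pid=2350 uid=0 auid=1000 ses=5 msg='op=login id=0 exe="/usr/bin/su" hostname=dlp.srv.world addr=? terminal=ttyS0 res=success'
type=USER_AUTH msg=audit(1569566900.000:140): pid=2400 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.51 addr=10.0.0.51 terminal=ssh res=failed'
"""

# type=... msg=audit(<epoch>.<ms>:<serial>): <fields>   (serial = aureport's "event")
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<sec>\d+)\.\d+:(?P<serial>\d+)\): (?P<rest>.*)$")
# key=value tokens: single-quoted payload, double-quoted string, or bare word
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_record(line):
    """Parse one audit.log line into a flat dict; None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "time": int(m["sec"]), "event": int(m["serial"])}
    for key, val in KV_RE.findall(m["rest"]):   # pid= uid= auid= ses= msg='...'
        rec[key] = val
    # The msg='...' payload carries its own key=value pairs (acct=, exe=,
    # terminal=, res=); those are the fields the auth report prints.
    for key, val in KV_RE.findall(rec.pop("msg", "").strip("'")):
        rec[key] = val.strip('"')
    return rec


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def auth_report(records, failed_only=False):
    """Rows of `aureport -au` (`--failed` when failed_only): one per USER_AUTH."""
    rows = []
    for r in records:
        if r["type"] != "USER_AUTH":
            continue
        ok = r.get("res") == "success"
        if failed_only and ok:
            continue
        rows.append({
            # aureport prints local time; UTC is used here for reproducibility
            "date": datetime.fromtimestamp(r["time"], timezone.utc)
                            .strftime("%m/%d/%Y %H:%M:%S"),
            "acct": r.get("acct", "?"), "host": r.get("hostname", "?"),
            "term": r.get("terminal", "?"), "exe": r.get("exe", "?"),
            "success": "yes" if ok else "no", "event": r["event"],
        })
    return rows


def failed_auth_summary(records):
    """`aureport -au --failed --summary`: failed authentications per account."""
    return Counter(row["acct"] for row in auth_report(records, failed_only=True))


def select(records, exe=None, uid_all=None):
    """Approximates `ausearch -x EXE -ua UID`, so the result can feed a report."""
    out = []
    for r in records:
        if exe is not None and os.path.basename(r.get("exe", "")) != exe:
            continue
        if uid_all is not None and str(uid_all) not in {
                r.get("uid"), r.get("auid"), r.get("euid")}:
            continue
        out.append(r)
    return out


def render(rows):
    """Print rows in the column order of aureport's Authentication Report."""
    print("# date time acct host term exe success event")
    for n, row in enumerate(rows, 1):
        print(f"{n}. {row['date']} {row['acct']} {row['host']} {row['term']} "
              f"{row['exe']} {row['success']} {row['event']}")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    render(auth_report(recs))                                   # aureport -au
    print(dict(failed_auth_summary(recs)))                      # --failed --summary
    render(auth_report(select(recs, exe="sudo", uid_all=1000))) # ausearch | aureport
```

On the sample, the failed summary comes out as 4 for cent (three sudo failures and one sshd failure) and 1 for root, and the filtered report lists only the four sudo events. Replace SAMPLE_LOG with `open("/var/log/audit/audit.log").read()` on a real copy; the parser ignores records it cannot parse, and records whose exe is a multi-line or hex-encoded path (as the kernel writes for unusual characters) will simply not match `select`.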