Auditd : Display Log Summaries with aureport    2019/09/28
By using the [aureport] command bundled with the Audit package, you can produce summary reports from the large volume of entries recorded in [audit.log].
[1] Usage examples of the [aureport] command.
# Show the overall summary (no arguments)
[root@dlp ~]# aureport

Summary Report
======================
Range of time in logs: 01/01/1970 09:00:00.000 - 09/27/2019 15:39:22.828
Selected time for report: 01/01/1970 09:00:00 - 09/27/2019 19:39:22.828
Number of changes in configuration: 37
Number of changes to accounts, groups, or roles: 3
Number of logins: 7
Number of failed logins: 2
Number of authentications: 12
Number of failed authentications: 8
Number of users: 2
Number of terminals: 5
Number of host names: 6
Number of executables: 12
Number of commands: 7
Number of files: 0
Number of AVC's: 6
Number of MAC events: 20
Number of failed syscalls: 6
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 38
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 72
Number of events: 978

# Show the authentication audit log
[root@dlp ~]# aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 09/24/2019 01:12:14 root localhost.localdomain ttyS0 /usr/bin/login yes 58
2. 09/26/2019 01:40:27 root localhost.localdomain ttyS0 /usr/bin/login yes 45
3. 09/27/2019 18:35:55 root localhost.localdomain ttyS0 /usr/bin/login yes 52
4. 09/27/2019 19:25:28 root localhost.localdomain ttyS0 /usr/bin/login yes 50
5. 09/27/2019 19:28:44 root dlp.srv.world ttyS0 /usr/bin/login yes 48
.....
.....
16. 09/27/2019 19:32:19 cent 10.0.0.51 ssh /usr/sbin/sshd no 118
17. 09/27/2019 19:37:07 cent dlp.srv.world ttyS0 /usr/bin/su yes 128
18. 09/27/2019 19:37:12 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 133
19. 09/27/2019 19:37:15 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 134
20. 09/27/2019 19:37:19 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 135

# Show only failed authentication events, in summary form
[root@dlp ~]# aureport -au --failed --summary

Failed Authentication Summary Report
=============================
total acct
=============================
6 cent
2 root

# Show the account modification log (user ID numbers resolved to user names)
[root@dlp ~]# aureport -m -i

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 09/26/2019 19:58:05 root ? ? /usr/sbin/groupadd ? yes 108
2. 09/26/2019 19:58:05 root ? ? /usr/sbin/groupadd ? yes 109
3. 09/26/2019 19:58:06 root ? ? /usr/sbin/useradd ? yes 110

# Show the account modification log from the start of this month onward
[root@dlp ~]# aureport -m -i --start this-month

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 09/26/2019 19:58:05 root ? ? /usr/sbin/groupadd ? yes 108
2. 09/26/2019 19:58:05 root ? ? /usr/sbin/groupadd ? yes 109
3. 09/26/2019 19:58:06 root ? ? /usr/sbin/useradd ? yes 110

# Show the program execution log
[root@dlp ~]# aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 09/24/2019 17:11:45 /usr/lib/systemd/systemd ? ? unset 8
2. 09/24/2019 17:11:45 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
3. 09/24/2019 17:11:45 /usr/lib/systemd/systemd ? ? unset 10
4. 09/24/2019 17:11:45 /usr/lib/systemd/systemd ? ? unset 11
5. 09/24/2019 17:11:45 /usr/lib/systemd/systemd ? ? unset 12
.....
.....
908. 09/27/2019 15:37:19 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 135
909. 09/27/2019 15:37:22 /usr/bin/su ttyS0 dlp.srv.world root 137
910. 09/27/2019 15:37:22 /usr/bin/su ttyS0 dlp.srv.world root 138
911. 09/27/2019 15:37:41 /usr/lib/systemd/systemd ? ? unset 139
912. 09/27/2019 15:39:22 /usr/lib/systemd/systemd ? ? unset 74

# Show program executions that occurred between 2019/9/26 and 2019/9/28
[root@dlp ~]# aureport -x -i --start 09/26/2019 --end 09/28/2019

Executable Report
====================================
# date time exe term host auid event
====================================
1. 09/26/2019 17:40:13 /usr/lib/systemd/systemd ? ? unset 8
2. 09/26/2019 17:40:14 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
3. 09/26/2019 17:40:14 /usr/lib/systemd/systemd ? ? unset 10
4. 09/26/2019 17:40:14 /usr/lib/systemd/systemd ? ? unset 11
5. 09/26/2019 17:40:14 /usr/lib/systemd/systemd ? ? unset 12
.....
.....
758. 09/27/2019 15:37:19 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 135
759. 09/27/2019 15:37:22 /usr/bin/su ttyS0 dlp.srv.world root 137
760. 09/27/2019 15:37:22 /usr/bin/su ttyS0 dlp.srv.world root 138
761. 09/27/2019 15:37:41 /usr/lib/systemd/systemd ? ? unset 139
762. 09/27/2019 15:39:22 /usr/lib/systemd/systemd ? ? unset 74
[2] By piping the output of [ausearch] into [aureport], you can produce a summary report of only the specific log entries matched by a search.
# Show the sudo execution history of user ID 1000
[root@dlp ~]# ausearch -x sudo -ua 1000 | aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 09/26/2019 19:30:33 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 82
2. 09/26/2019 19:37:12 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 133
3. 09/26/2019 19:37:15 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 134
4. 09/26/2019 19:37:19 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 135

# Show the program execution log of the user with user ID 1000
[root@dlp ~]# ausearch -ui 1000 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 09/26/2019 19:30:33 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 82
2. 09/26/2019 19:30:33 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 83
3. 09/26/2019 19:30:40 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 89
4. 09/26/2019 19:37:12 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 133
5. 09/26/2019 19:37:15 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 134
.....
.....
11. 09/26/2019 19:56:37 /usr/bin/su ttyS0 dlp.srv.world root 149
12. 09/26/2019 19:56:39 /usr/bin/su ttyS0 dlp.srv.world root 150
13. 09/26/2019 19:56:39 /usr/bin/su ttyS0 dlp.srv.world root 151
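The reports in [1] and [2] above are plain whitespace-separated tables, which makes them easy to post-process when the built-in `--summary` view is not enough (for example, to spot a run of failed sudo attempts like events 133 to 135). The following Python script is an added example, not part of this page or of the audit package: it parses the table layout that `aureport -au` and `aureport -x -i` print, rebuilds the per-account failed-authentication totals that `aureport -au --failed --summary` gives, flags bursts of failures within a short window, and counts executions per program. The sample tables are constructed from rows shown on this page (one extra root failure row, event 140, is constructed to show ordering); the parser assumes that no field such as an exe path or host name contains spaces, which holds for the output shown here.

```python
"""Parse aureport table output and derive failed-authentication summaries.

Added example for this page (not the page's or the audit package's code).
Assumes the whitespace-separated table layout printed by `aureport -au`
and `aureport -x -i`, with no spaces inside any single field.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: rows copied from the page's `aureport -au` output,
# plus one constructed root failure (event 140) to show ordering.
AUTH_REPORT = """\
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 09/24/2019 01:12:14 root localhost.localdomain ttyS0 /usr/bin/login yes 58
2. 09/26/2019 01:40:27 root localhost.localdomain ttyS0 /usr/bin/login yes 45
16. 09/27/2019 19:32:19 cent 10.0.0.51 ssh /usr/sbin/sshd no 118
17. 09/27/2019 19:37:07 cent dlp.srv.world ttyS0 /usr/bin/su yes 128
18. 09/27/2019 19:37:12 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 133
19. 09/27/2019 19:37:15 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 134
20. 09/27/2019 19:37:19 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 135
21. 09/27/2019 19:40:02 root 10.0.0.51 ssh /usr/sbin/sshd no 140
"""

# Constructed sample: rows copied from the page's `ausearch -ui 1000 | aureport -x -i`
# output, plus one systemd row with "?" placeholders from the full report.
EXEC_REPORT = """\
Executable Report
====================================
# date time exe term host auid event
====================================
1. 09/26/2019 19:30:33 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 82
2. 09/26/2019 19:30:33 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 83
11. 09/26/2019 19:56:37 /usr/bin/su ttyS0 dlp.srv.world root 149
912. 09/27/2019 15:39:22 /usr/lib/systemd/systemd ? ? unset 74
"""


def parse_report(text):
    """Turn an aureport table into a list of dicts keyed by the '# ...' header."""
    columns = None
    rows = []
    for line in text.splitlines():
        if line.startswith("# "):            # the header line names the columns
            columns = line[2:].split()
            continue
        if columns is None or not line.strip() or line.startswith("="):
            continue                          # title, separator or blank line
        tokens = line.split()
        if not tokens[0].rstrip(".").isdigit():
            continue                          # not a numbered data row
        values = tokens[1:]                   # drop the leading "N." index
        if len(values) != len(columns):
            raise ValueError(f"unexpected column count: {line!r}")
        rows.append(dict(zip(columns, values)))
    return rows


def event_time(row):
    """Combine the date and time columns into a datetime."""
    return datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")


def failed_auth_summary(rows):
    """Same totals as `aureport -au --failed --summary`: [(total, acct), ...]."""
    totals = Counter(r["acct"] for r in rows if r["success"] == "no")
    return sorted(((n, a) for a, n in totals.items()), key=lambda t: (-t[0], t[1]))


def failure_bursts(rows, window=timedelta(seconds=60), threshold=3):
    """Flag (acct, exe) pairs with at least `threshold` failures inside `window`."""
    by_key = defaultdict(list)
    for r in rows:
        if r["success"] == "no":
            by_key[(r["acct"], r["exe"])].append(event_time(r))
    alerts = []
    for (acct, exe), times in by_key.items():
        times.sort()
        for i, start in enumerate(times):     # sliding window from each failure
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                alerts.append((acct, exe, n))
                break                         # one alert per account/program pair
    return alerts


def exe_summary(rows):
    """Executions per program, like `aureport -x --summary`: [(total, exe), ...]."""
    totals = Counter(r["exe"] for r in rows)
    return sorted(((n, e) for e, n in totals.items()), key=lambda t: (-t[0], t[1]))


if __name__ == "__main__":
    auth = parse_report(AUTH_REPORT)
    for total, acct in failed_auth_summary(auth):
        print(f"{total:>4} {acct}")
    for acct, exe, n in failure_bursts(auth):
        print(f"burst: {n} failures for {acct} via {exe}")
    for total, exe in exe_summary(parse_report(EXEC_REPORT)):
        print(f"{total:>4} {exe}")
```

On a live system the same functions can be fed with `subprocess.run(["aureport", "-au"], capture_output=True, text=True).stdout`; the parser keys on the `# date time ...` header line, so it works for any aureport table whose header it sees, and a column-count mismatch raises instead of silently misaligning fields.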