Auditd : Summarize logs with aureport
2025/01/02
The [aureport] command shipped with the Audit package summarizes the large volume of records written to [audit.log].
[1] Usage examples of the [aureport] command.
# With no arguments, show the overall summary
[root@dlp ~]# aureport

Summary Report
======================
Range of time in logs: 12/14/2024 18:39:51.079 - 01/02/2025 15:01:55.515
Selected time for report: 12/14/2024 18:39:51 - 01/02/2025 15:01:55.515
Number of changes in configuration: 70
Number of changes to accounts, groups, or roles: 3
Number of logins: 12
Number of failed logins: 2
Number of authentications: 19
Number of failed authentications: 4
Number of users: 3
Number of terminals: 7
Number of host names: 6
Number of executables: 17
Number of commands: 14
Number of files: 2
Number of AVC's: 8
Number of MAC events: 24
Number of failed syscalls: 7
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 10
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 86
Number of events: 1853

# Show the authentication audit records
[root@dlp ~]# aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 12/14/2024 18:40:57 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 71
2. 12/19/2024 10:43:22 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 54
3. 12/20/2024 09:42:08 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 64
4. 01/02/2025 13:23:34 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 67
5. 01/02/2025 13:24:33 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 58
.....
.....
20. 01/02/2025 14:58:19 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 244
21. 01/02/2025 14:59:15 cent node01.srv.world /dev/ttyS0 /usr/bin/login yes 154
22. 01/02/2025 14:59:22 root node01.srv.world /dev/ttyS0 /usr/bin/login yes 179
23. 01/02/2025 14:59:34 cent 10.0.0.30 ssh /usr/libexec/openssh/sshd-session yes 233

# Show only failed authentication records, in summary form
[root@dlp ~]# aureport -au --failed --summary

Failed Authentication Summary Report
=============================
total acct
=============================
2 root
1 redhat
1 fedora

# Show the user account modification records
# User ID numbers are displayed as user names
[root@dlp ~]# aureport -m -i

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 01/02/2025 13:25:21 root ? ? /usr/sbin/groupadd ? yes 112
2. 01/02/2025 13:25:21 root ? ? /usr/sbin/groupadd ? yes 113
3. 01/02/2025 13:25:21 root ? ? /usr/sbin/useradd apache yes 114
4. 01/02/2025 15:05:20 root ? ? /usr/sbin/groupadd ? yes 262
5. 01/02/2025 15:05:20 root ? ? /usr/sbin/groupadd ? yes 263
6. 01/02/2025 15:05:20 root ? ? /usr/sbin/useradd nginx yes 264

# Show the user account modification records from this month onward
[root@dlp ~]# aureport -m -i --start this-month

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 01/02/2025 13:25:21 root ? ? /usr/sbin/groupadd ? yes 112
2. 01/02/2025 13:25:21 root ? ? /usr/sbin/groupadd ? yes 113
3. 01/02/2025 13:25:21 root ? ? /usr/sbin/useradd apache yes 114
4. 01/02/2025 15:05:20 root ? ? /usr/sbin/groupadd ? yes 262
5. 01/02/2025 15:05:20 root ? ? /usr/sbin/groupadd ? yes 263
6. 01/02/2025 15:05:20 root ? ? /usr/sbin/useradd nginx yes 264

# Show the program execution records
[root@dlp ~]# aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 12/14/2024 18:39:51 /usr/lib/systemd/systemd ? ? unset 5
2. 12/14/2024 18:39:51 /usr/lib/systemd/systemd-update-utmp ? ? unset 6
3. 12/14/2024 18:39:51 /usr/lib/systemd/systemd ? ? unset 7
4. 12/14/2024 18:39:51 /usr/lib/systemd/systemd ? ? unset 9
5. 12/14/2024 18:39:51 /usr/lib/systemd/systemd ? ? unset 14
.....
.....
1370. 01/02/2025 15:05:21 /usr/bin/python3.12 ttyS0 dlp.srv.world root 295
1371. 01/02/2025 15:05:21 /usr/bin/python3.12 ttyS0 dlp.srv.world root 296
1372. 01/02/2025 15:05:21 /usr/lib/systemd/systemd ? ? unset 297
1373. 01/02/2025 15:05:22 /usr/lib/systemd/systemd ? ? unset 298
1374. 01/02/2025 15:05:22 /usr/lib/systemd/systemd ? ? unset 299
1375. 01/02/2025 15:05:22 /usr/lib/systemd/systemd ? ? unset 300

# Show the program execution records that occurred between 2025/1/1 and 2025/1/2
[root@dlp ~]# aureport -x -i --start 01/01/2025 --end 01/02/2025

Executable Report
====================================
# date time exe term host auid event
====================================
1. 01/02/2025 13:20:02 /usr/lib/systemd/systemd ? ? unset 5
2. 01/02/2025 13:20:02 /usr/lib/systemd/systemd-update-utmp ? ? unset 6
3. 01/02/2025 13:20:02 /usr/lib/systemd/systemd ? ? unset 7
4. 01/02/2025 13:20:02 /usr/lib/systemd/systemd ? ? unset 9
5. 01/02/2025 13:20:02 /usr/lib/systemd/systemd ? ? unset 14
.....
.....
870. 01/02/2025 15:05:21 /usr/bin/python3.12 ttyS0 dlp.srv.world root 296
871. 01/02/2025 15:05:21 /usr/lib/systemd/systemd ? ? unset 297
872. 01/02/2025 15:05:22 /usr/lib/systemd/systemd ? ? unset 298
873. 01/02/2025 15:05:22 /usr/lib/systemd/systemd ? ? unset 299
874. 01/02/2025 15:05:22 /usr/lib/systemd/systemd ? ? unset 300
[2] Combined with [ausearch], the records matched by a search can be fed to aureport and summarized.
# Show the sudo execution history for user ID 1000
[root@dlp ~]# ausearch -x sudo -ua 1000 | aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 01/02/2025 14:55:20 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 144
2. 01/02/2025 14:56:08 cent node01.srv.world /dev/ttyS0 /usr/bin/sudo yes 127

# Show the program execution records for the user with user ID 1000
[root@dlp ~]# ausearch -ui 1000 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 01/02/2025 14:55:20 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 144
2. 01/02/2025 14:55:20 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 145
3. 01/02/2025 14:55:20 /usr/bin/sudo ttyS0 ? root 146
4. 01/02/2025 14:55:20 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 147
5. 01/02/2025 14:55:20 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 148
.....
.....
25. 01/02/2025 14:56:29 /usr/bin/sudo /dev/ttyS0 node01.srv.world root 142
26. 01/02/2025 14:56:29 /usr/bin/sudo /dev/ttyS0 node01.srv.world root 143
27. 01/02/2025 14:57:56 /usr/bin/su /dev/ttyS0 dlp.srv.world root 230
28. 01/02/2025 14:58:03 /usr/bin/su /dev/ttyS0 dlp.srv.world root 231
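As an added example, not part of the original page or of the audit package, the following Python script parses the Authentication Report table layout that "aureport -au" prints in [1] and [2], reproduces the per-account counts that "aureport -au --failed --summary" gives, pivots the same failures by source host, and flags accounts that reach a review threshold. The sample report text is constructed for this example; its "no" rows, hosts and event numbers are not from the page.

```python
"""Parse the table printed by 'aureport -au' and summarise it per account."""
import re
from collections import Counter

# Constructed sample in the 'aureport -au' layout; rows, hosts and event
# numbers are made up for this example, not taken from a real audit.log.
SAMPLE = """Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 01/02/2025 13:23:34 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 67
2. 01/02/2025 13:24:33 root dlp.srv.world /dev/ttyS0 /usr/bin/login no 58
3. 01/02/2025 14:59:15 cent node01.srv.world /dev/ttyS0 /usr/bin/login yes 154
4. 01/02/2025 14:59:34 cent 10.0.0.30 ssh /usr/libexec/openssh/sshd-session no 233
5. 01/02/2025 15:01:10 redhat 10.0.0.30 ssh /usr/libexec/openssh/sshd-session no 240
6. 01/02/2025 15:01:12 root 10.0.0.30 ssh /usr/libexec/openssh/sshd-session no 241
"""

# One numbered data row: columns are whitespace-separated, '?' marks unknown values.
ROW = re.compile(
    r"^\d+\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<acct>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<term>\S+)\s+(?P<exe>\S+)\s+(?P<success>yes|no)\s+(?P<event>\d+)$"
)

def parse_auth_report(text):
    """Return one dict per data row; the title, header and '====' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["success"] = rec["success"] == "yes"
            rec["event"] = int(rec["event"])
            rows.append(rec)
    return rows

def failed_by_account(rows):
    """Same figures as 'aureport -au --failed --summary': failures per account."""
    return Counter(r["acct"] for r in rows if not r["success"])

def failed_by_host(rows):
    """Pivot the same failures by the source host column instead of by account."""
    return Counter(r["host"] for r in rows if not r["success"])

def flag_accounts(rows, threshold=2):
    """Accounts whose failure count reaches the threshold, for follow-up review."""
    return sorted(a for a, n in failed_by_account(rows).items() if n >= threshold)
```

On a real host, replace SAMPLE with the output of a subprocess call to "aureport -au" (or of an "ausearch ... | aureport -au" pipeline as in [2]).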