
Auditd : aureport でログをサマリー表示する2021/07/22

 
Audit パッケージに同梱されている [aureport] コマンドを利用することにより、[audit.log] に記録された膨大なログをサマリー出力することができます。
[1] [aureport] コマンドの使用例です。
# 引数なしで全体のサマリーを表示

[root@dlp ~]#
aureport


Summary Report
======================
Range of time in logs: 07/16/2021 09:16:40.877 - 07/22/2021 12:59:49.371
Selected time for report: 07/16/2021 09:16:40 - 07/22/2021 12:59:49.371
Number of changes in configuration: 287
Number of changes to accounts, groups, or roles: 3
Number of logins: 8
Number of failed logins: 0
Number of authentications: 11
Number of failed authentications: 0
Number of users: 3
Number of terminals: 4
Number of host names: 5
Number of executables: 14
Number of commands: 17
Number of files: 1
Number of AVC's: 16
Number of MAC events: 22
Number of failed syscalls: 16
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 18
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 177
Number of events: 1043

# 認証系の監査ログを表示

[root@dlp ~]#
aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 07/16/2021 09:18:07 root localhost.localdomain ttyS0 /usr/bin/login yes 87
2. 07/16/2021 14:20:27 root localhost.localdomain ttyS0 /usr/bin/login yes 78
3. 07/22/2021 10:39:39 root localhost.localdomain ttyS0 /usr/bin/login yes 81
4. 07/22/2021 10:44:22 root dlp.srv.world ttyS0 /usr/bin/login yes 77
5. 07/22/2021 11:34:26 root dlp.srv.world ttyS0 /usr/bin/login yes 75
6. 07/22/2021 12:47:11 root node01.srv.world ttyS0 /usr/bin/login yes 120
7. 07/22/2021 12:56:03 rocky dlp.srv.world ttyS0 /usr/bin/su yes 134
8. 07/22/2021 12:56:12 rocky dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 139
9. 07/22/2021 12:57:32 root dlp.srv.world ttyS0 /usr/bin/login yes 76
10. 07/22/2021 12:59:23 rocky dlp.srv.world ttyS0 /usr/bin/login yes 105
11. 07/22/2021 12:59:28 root dlp.srv.world ttyS0 /usr/bin/su yes 119

# 認証系の監査ログを失敗のみに絞ってサマリー形式で表示

[root@dlp ~]#
aureport -au --failed --summary


Failed Authentication Summary Report
=============================
total  acct
=============================
2  rocky
1  root

# ユーザーアカウント操作ログを表示

# [-i] オプションを付けると、ユーザー ID 番号はユーザー名に変換して表示される

[root@dlp ~]#
aureport -m -i


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 07/22/2021 11:06:46 root ? ? /usr/sbin/groupadd ? yes 96
2. 07/22/2021 11:06:46 root ? ? /usr/sbin/groupadd ? yes 97
3. 07/22/2021 11:06:46 root ? ? /usr/sbin/useradd apache yes 98
4. 07/22/2021 13:03:35 root dlp.srv.world ttyS0 /usr/sbin/useradd redhat yes 164
5. 07/22/2021 13:03:35 root dlp.srv.world ttyS0 /usr/sbin/useradd redhat yes 165
6. 07/22/2021 13:03:36 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 166
7. 07/22/2021 13:03:47 root dlp.srv.world ttyS0 /usr/bin/passwd redhat yes 167
8. 07/22/2021 13:04:02 root node01.srv.world ttyS0 /usr/sbin/useradd ubuntu yes 139
9. 07/22/2021 13:04:02 root node01.srv.world ttyS0 /usr/sbin/useradd ubuntu yes 140
10. 07/22/2021 13:04:03 root node01.srv.world ttyS0 /usr/sbin/useradd ? yes 141
11. 07/22/2021 13:04:13 root node01.srv.world ttyS0 /usr/bin/passwd ubuntu yes 142

# 今月以降のユーザーアカウント操作ログを表示

[root@dlp ~]#
aureport -m -i --start this-month


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 07/22/2021 11:06:46 root ? ? /usr/sbin/groupadd ? yes 96
2. 07/22/2021 11:06:46 root ? ? /usr/sbin/groupadd ? yes 97
3. 07/22/2021 11:06:46 root ? ? /usr/sbin/useradd apache yes 98
4. 07/22/2021 13:03:35 root dlp.srv.world ttyS0 /usr/sbin/useradd redhat yes 164
5. 07/22/2021 13:03:35 root dlp.srv.world ttyS0 /usr/sbin/useradd redhat yes 165
6. 07/22/2021 13:03:36 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 166
7. 07/22/2021 13:03:47 root dlp.srv.world ttyS0 /usr/bin/passwd redhat yes 167
8. 07/22/2021 13:04:02 root node01.srv.world ttyS0 /usr/sbin/useradd ubuntu yes 139
9. 07/22/2021 13:04:02 root node01.srv.world ttyS0 /usr/sbin/useradd ubuntu yes 140
10. 07/22/2021 13:04:03 root node01.srv.world ttyS0 /usr/sbin/useradd ? yes 141
11. 07/22/2021 13:04:13 root node01.srv.world ttyS0 /usr/bin/passwd ubuntu yes 142

# プログラムの実行ログを表示

[root@dlp ~]#
aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 07/16/2021 09:16:40 /usr/sbin/auditctl (none) ? unset 5
2. 07/16/2021 09:16:40 /usr/sbin/auditctl (none) ? unset 6
3. 07/16/2021 09:16:40 /usr/sbin/auditctl (none) ? unset 7
4. 07/16/2021 09:16:40 /usr/lib/systemd/systemd ? ? unset 8
5. 07/16/2021 09:16:40 /usr/lib/systemd/systemd-update-utmp ? ? unset 9

.....
.....

1049. 07/22/2021 13:02:33 /usr/bin/login ttyS0 dlp.srv.world root 162
1050. 07/22/2021 13:02:36 /usr/lib/systemd/systemd ? ? unset 163
1051. 07/22/2021 13:03:35 /usr/sbin/useradd ttyS0 dlp.srv.world root 164
1052. 07/22/2021 13:03:35 /usr/sbin/useradd ttyS0 dlp.srv.world root 165
1053. 07/22/2021 13:03:36 /usr/sbin/useradd ttyS0 dlp.srv.world root 166
1054. 07/22/2021 13:03:47 /usr/bin/passwd ttyS0 dlp.srv.world root 167
1055. 07/22/2021 13:04:02 /usr/sbin/useradd ttyS0 node01.srv.world root 139
1056. 07/22/2021 13:04:02 /usr/sbin/useradd ttyS0 node01.srv.world root 140
1057. 07/22/2021 13:04:03 /usr/sbin/useradd ttyS0 node01.srv.world root 141
1058. 07/22/2021 13:04:13 /usr/bin/passwd ttyS0 node01.srv.world root 142

# 2021/7/21 〜 2021/7/22 の間に発生したプログラムの実行ログを表示

[root@dlp ~]#
aureport -x -i --start 07/21/2021 --end 07/22/2021


Executable Report
====================================
# date time exe term host auid event
====================================
1. 07/22/2021 10:34:07 /usr/sbin/auditctl (none) ? unset 5
2. 07/22/2021 10:34:07 /usr/sbin/auditctl (none) ? unset 6
3. 07/22/2021 10:34:07 /usr/sbin/auditctl (none) ? unset 7
4. 07/22/2021 10:34:07 /usr/lib/systemd/systemd ? ? unset 8
5. 07/22/2021 10:34:07 /usr/lib/systemd/systemd-update-utmp ? ? unset 9

.....
.....

754. 07/22/2021 13:02:33 /usr/bin/login ttyS0 dlp.srv.world root 162
755. 07/22/2021 13:02:36 /usr/lib/systemd/systemd ? ? unset 163
756. 07/22/2021 13:03:35 /usr/sbin/useradd ttyS0 dlp.srv.world root 164
757. 07/22/2021 13:03:35 /usr/sbin/useradd ttyS0 dlp.srv.world root 165
758. 07/22/2021 13:03:36 /usr/sbin/useradd ttyS0 dlp.srv.world root 166
759. 07/22/2021 13:03:47 /usr/bin/passwd ttyS0 dlp.srv.world root 167
760. 07/22/2021 13:04:02 /usr/sbin/useradd ttyS0 node01.srv.world root 139
761. 07/22/2021 13:04:02 /usr/sbin/useradd ttyS0 node01.srv.world root 140
762. 07/22/2021 13:04:03 /usr/sbin/useradd ttyS0 node01.srv.world root 141
763. 07/22/2021 13:04:13 /usr/bin/passwd ttyS0 node01.srv.world root 142
[2] [ausearch] と組み合わせることで、[ausearch] で検索して絞り込んだ特定のログを [aureport] でサマリー表示できます。
# ユーザーID 1000 の sudo 実行履歴のログを表示

[root@dlp ~]#
ausearch -x sudo -ua 1000 | aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 07/22/2021 12:56:12 rocky dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 139

# ユーザー ID 1000 のユーザーによるプログラムの実行ログを表示

[root@dlp ~]#
ausearch -ui 1000 | aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 07/22/2021 12:56:12 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 139
2. 07/22/2021 12:56:12 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 140
3. 07/22/2021 12:56:12 /usr/bin/sudo ttyS0 ? root 141
4. 07/22/2021 12:56:19 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 146
5. 07/22/2021 12:56:19 /usr/bin/sudo ttyS0 ? root 147
6. 07/22/2021 12:59:28 /usr/bin/su ttyS0 dlp.srv.world rocky 119
7. 07/22/2021 12:59:28 /usr/bin/su ttyS0 dlp.srv.world rocky 120
8. 07/22/2021 12:59:28 /usr/bin/su ttyS0 dlp.srv.world rocky 121
9. 07/22/2021 12:59:28 /usr/bin/su ttyS0 dlp.srv.world rocky 122
10. 07/22/2021 13:01:59 /usr/bin/su ttyS0 dlp.srv.world rocky 124
11. 07/22/2021 13:01:59 /usr/bin/su ttyS0 dlp.srv.world rocky 125