CentOS 7
 

Auditd : Display Log Summaries with aureport
2016/02/21
 
The aureport command, which ships with the audit package, produces summary reports from the large volume of records written to audit.log.
[1] Usage examples of the aureport command.
# With no arguments, show the overall summary

[root@dlp ~]#
aureport

Summary Report
======================
Range of time in logs: 08/08/2015 02:09:42.093 - 02/25/2016 17:01:01.950
Selected time for report: 08/08/2015 02:09:42 - 02/25/2016 17:01:01.950
Number of changes in configuration: 299
Number of changes to accounts, groups, or roles: 18
Number of logins: 18
Number of failed logins: 3
Number of authentications: 30
Number of failed authentications: 3
Number of users: 3
Number of terminals: 7
Number of host names: 3
Number of executables: 15
Number of commands: 41
Number of files: 0
Number of AVC's: 0
Number of MAC events: 2
Number of failed syscalls: 0
Number of anomaly events: 2
Number of responses to anomaly events: 0
Number of crypto events: 74
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 407
Number of events: 1955

# Show authentication-related audit records

[root@dlp ~]#
aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 08/08/2015 02:09:52 root ? ttyS0 /usr/bin/login yes 332
2. 08/08/2015 02:20:27 root ? ttyS0 /usr/bin/login yes 34
3. 08/17/2015 10:40:03 root ? ttyS0 /usr/bin/login yes 33
.....
.....
20. 02/23/2016 11:09:46 cent 10.0.0.20 ssh /usr/sbin/sshd yes 118
21. 02/23/2016 11:13:26 cent ? ttyS0 /usr/bin/login no 147

# Show only failed authentications, in summary form (count per account)

[root@dlp ~]#
aureport -au --failed --summary

Failed Authentication Summary Report
=============================
total  acct
=============================
1  root
1  cent

# Show account-modification records (-i resolves numeric IDs to names)

[root@dlp ~]#
aureport -m -i

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 08/08/2015 02:10:21 root ? ttyS0 /usr/sbin/useradd cent no 342
2. 08/08/2015 02:19:25 root ? ? /usr/sbin/groupadd ? yes 370
3. 08/08/2015 02:19:26 root ? ? /usr/sbin/groupadd ? yes 371
.....
.....
17. 02/08/2016 11:12:41 root ? ? /usr/sbin/groupadd ntp no 45
18. 02/08/2016 11:12:41 root ? ? /usr/sbin/useradd ntp no 46

# Show account-modification records from the start of this month (--start also accepts keywords such as today, yesterday, this-week, this-month)

[root@dlp ~]#
aureport -m -i --start this-month

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 02/08/2016 11:12:41 root ? ? /usr/sbin/groupadd ntp no 45
2. 02/08/2016 11:12:41 root ? ? /usr/sbin/useradd ntp no 46

# Show program execution records

[root@dlp ~]#
aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 08/08/2015 02:09:42 /usr/lib/systemd/systemd ? ? unset 6
2. 08/08/2015 02:09:42 /usr/lib/systemd/systemd-update-utmp ? ? unset 7
3. 08/08/2015 02:09:42 /usr/lib/systemd/systemd ? ? unset 8
.....
.....
1422. 02/23/2016 17:01:01 /usr/sbin/crond cron ? root 211
1423. 02/23/2016 17:01:01 /usr/sbin/crond cron ? root 212

# Show program execution records between 2016/2/7 and 2016/2/21 (the date format follows the system locale; here MM/DD/YYYY)

[root@dlp ~]#
aureport -x -i --start 02/07/2016 --end 02/21/2016

Executable Report
====================================
# date time exe term host auid event
====================================
1. 02/08/2016 11:11:47 /usr/lib/systemd/systemd ? ? unset 5
2. 02/08/2016 11:11:47 /usr/lib/systemd/systemd-update-utmp ? ? unset 6
3. 02/08/2016 11:11:47 /usr/lib/systemd/systemd ? ? unset 7
.....
.....
87. 02/08/2016 11:14:08 /usr/lib/systemd/systemd ? ? unset 92
88. 02/08/2016 11:14:08 /usr/lib/systemd/systemd ? ? unset 93
[3] Piping the output of ausearch into aureport produces a summary of just the records matched by the search.
# Show authentication records that occurred on the node dlp.srv.world

[root@dlp ~]#
ausearch --node dlp.srv.world | aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 02/25/2016 16:55:35 cent ? ttyS0 /usr/bin/su yes 103
2. 02/25/2016 16:55:44 cent ? /dev/ttyS0 /usr/bin/sudo yes 107
3. 02/26/2016 09:21:35 root ? ttyS0 /usr/bin/login yes 38
4. 02/26/2016 09:50:32 root ? ttyS0 /usr/bin/login yes 38

# Show program execution records for the user with UID 1000

[root@dlp ~]#
ausearch -ui 1000 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 02/23/2016 09:52:23 /usr/bin/sudo /dev/ttyS0 ? cent 49
2. 02/23/2016 09:52:23 /usr/bin/sudo /dev/ttyS0 ? cent 50
3. 02/23/2016 09:55:06 /usr/bin/su ttyS0 ? cent 80
.....
.....
15. 02/26/2016 09:48:50 /usr/bin/sudo /dev/ttyS0 ? cent 52
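The failed-authentication summary in [1] and the node filter in [3] are both derived from fields of the raw USER_AUTH records in audit.log. The script below is an added example, not code from the original page or from the audit project: it rebuilds those two reports from constructed audit.log lines so each summary column can be traced back to the record field it comes from, and adds a grouping aureport does not offer directly, failed sshd authentications per source address. It assumes that records carry a node= prefix, which is only the case when name_format in auditd.conf is set; the hostnames, addresses and event IDs in the sample records are invented for the example.

```shell
#!/bin/sh
# Added example (not the page's or the audit project's code).
#   select_node          = what "ausearch --node NODE" selects
#   auth_report          = the acct/host/term/exe/success columns of "aureport -au"
#   failed_auth_summary  = what "aureport -au --failed --summary" counts
#   failed_ssh_by_addr   = failed sshd authentications per source address
# The records below are constructed for this example; the field layout
# (node, type, acct, exe, hostname, addr, terminal, res) follows audit.log.

sample_audit_log() {
    cat <<'EOF'
node=dlp.srv.world type=USER_AUTH msg=audit(1456192186.100:118): pid=3001 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="cent" exe="/usr/sbin/sshd" hostname=10.0.0.20 addr=10.0.0.20 terminal=ssh res=success'
node=dlp.srv.world type=USER_AUTH msg=audit(1456192406.200:147): pid=3022 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="cent" exe="/usr/bin/login" hostname=? addr=? terminal=ttyS0 res=failed'
node=dlp.srv.world type=USER_AUTH msg=audit(1456192501.300:150): pid=3030 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/login" hostname=? addr=? terminal=ttyS0 res=failed'
node=dlp.srv.world type=USER_AUTH msg=audit(1456192610.400:161): pid=3041 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.31 addr=10.0.0.31 terminal=ssh res=failed'
node=dlp.srv.world type=USER_AUTH msg=audit(1456192612.500:162): pid=3041 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.31 addr=10.0.0.31 terminal=ssh res=failed'
node=www.srv.world type=USER_AUTH msg=audit(1456192700.600:88): pid=2210 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="cent" exe="/usr/sbin/sshd" hostname=10.0.0.20 addr=10.0.0.20 terminal=ssh res=failed'
node=dlp.srv.world type=USER_LOGIN msg=audit(1456192186.101:119): pid=3001 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.20 addr=10.0.0.20 terminal=/dev/pts/0 res=success'
node=dlp.srv.world type=USER_AUTH msg=audit(1456192800.700:170): pid=3050 uid=1000 auid=1000 ses=5 msg='op=PAM:authentication grantors=pam_unix acct="cent" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/ttyS0 res=success'
EOF
}

# Keep only records whose node= field equals $1 (exact match, like ausearch --node).
select_node() {
    awk -v n="$1" 'index($0, "node=" n " ") == 1'
}

# One line per USER_AUTH record: acct addr terminal exe res
# (the same columns aureport -au prints as acct host term exe success).
auth_report() {
    awk '
    # Value of " key=" in a record; quotes are stripped and a missing or
    # empty value is printed as "?", the placeholder aureport itself uses.
    function kv(line, key,    v) {
        if (match(line, " " key "=\"?[^\"\047 ]*") == 0) return "?"
        v = substr(line, RSTART, RLENGTH)
        sub(/^ [a-z]+="?/, "", v)
        return (v == "" ? "?" : v)
    }
    /type=USER_AUTH / {
        print kv($0, "acct"), kv($0, "addr"), kv($0, "terminal"), kv($0, "exe"), kv($0, "res")
    }'
}

# Failed authentications counted per account, most frequent first
# (the "total acct" table of aureport -au --failed --summary).
failed_auth_summary() {
    auth_report | awk '$5 == "failed" { n[$1]++ } END { for (a in n) print n[a], a }' |
        sort -k1,1nr -k2,2
}

# Failed sshd authentications counted per source address: the view you want
# when the summary above shows repeated failures against one account.
failed_ssh_by_addr() {
    auth_report | awk '$5 == "failed" && $3 == "ssh" { n[$2]++ } END { for (h in n) print n[h], h }' |
        sort -k1,1nr -k2,2
}

# Usage: equivalent of "ausearch --node dlp.srv.world | aureport -au --failed --summary"
sample_audit_log | select_node dlp.srv.world | failed_auth_summary
```

On a real host, replace sample_audit_log with `cat /var/log/audit/audit.log`; the functions read standard input, so the same pipeline applies. The event numbers aureport prints in its last column are the serial after the colon in msg=audit(time:serial), which is what ausearch -a takes to pull up the full record.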