CentOS 8
Sponsored Link

Auditd : Display Summary Logs with aureport
2019/09/28
 
It's possible to display Audit logs summarily with [aureport] command that is included in Audit package.
[1] This is how to use [aureport] command.
# display whole summary without arguments

[root@dlp ~]#
aureport


Summary Report
======================
Range of time in logs: 01/01/1970 09:00:00.000 - 09/27/2019 15:39:22.828
Selected time for report: 01/01/1970 09:00:00 - 09/27/2019 19:39:22.828
Number of changes in configuration: 37
Number of changes to accounts, groups, or roles: 3
Number of logins: 7
Number of failed logins: 2
Number of authentications: 12
Number of failed authentications: 8
Number of users: 2
Number of terminals: 5
Number of host names: 6
Number of executables: 12
Number of commands: 7
Number of files: 0
Number of AVC's: 6
Number of MAC events: 20
Number of failed syscalls: 6
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 38
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 72
Number of events: 978

# display kind of authentication logs

[root@dlp ~]#
aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 09/24/2019 01:12:14 root localhost.localdomain ttyS0 /usr/bin/login yes 58
2. 09/26/2019 01:40:27 root localhost.localdomain ttyS0 /usr/bin/login yes 45
3. 09/27/2019 18:35:55 root localhost.localdomain ttyS0 /usr/bin/login yes 52
4. 09/27/2019 19:25:28 root localhost.localdomain ttyS0 /usr/bin/login yes 50
5. 09/27/2019 19:28:44 root dlp.srv.world ttyS0 /usr/bin/login yes 48
.....
.....
16. 09/27/2019 19:32:19 cent 10.0.0.51 ssh /usr/sbin/sshd no 118
17. 09/27/2019 19:37:07 cent dlp.srv.world ttyS0 /usr/bin/su yes 128
18. 09/27/2019 19:37:12 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 133
19. 09/27/2019 19:37:15 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 134
20. 09/27/2019 19:37:19 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 135

# display kind of failure authentication logs

[root@dlp ~]#
aureport -au --failed --summary


Failed Authentication Summary Report
=============================
total  acct
=============================
6  cent
2  root

# display kind of modification of user accounts logs

[root@dlp ~]#
aureport -m -i


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 09/26/2019 19:58:05 root ? ? /usr/sbin/groupadd ? yes 108
2. 09/26/2019 19:58:05 root ? ? /usr/sbin/groupadd ? yes 109
3. 09/26/2019 19:58:06 root ? ? /usr/sbin/useradd ? yes 110

# display kind of modification of user accounts logs since this month

[root@dlp ~]#
aureport -m -i --start this-month


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 09/26/2019 19:58:05 root ? ? /usr/sbin/groupadd ? yes 108
2. 09/26/2019 19:58:05 root ? ? /usr/sbin/groupadd ? yes 109
3. 09/26/2019 19:58:06 root ? ? /usr/sbin/useradd ? yes 110

# display kind of executing logs

[root@dlp ~]#
aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 09/24/2019 17:11:45 /usr/lib/systemd/systemd ? ? unset 8
2. 09/24/2019 17:11:45 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
3. 09/24/2019 17:11:45 /usr/lib/systemd/systemd ? ? unset 10
4. 09/24/2019 17:11:45 /usr/lib/systemd/systemd ? ? unset 11
5. 09/24/2019 17:11:45 /usr/lib/systemd/systemd ? ? unset 12
.....
.....
908. 09/27/2019 15:37:19 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 135
909. 09/27/2019 15:37:22 /usr/bin/su ttyS0 dlp.srv.world root 137
910. 09/27/2019 15:37:22 /usr/bin/su ttyS0 dlp.srv.world root 138
911. 09/27/2019 15:37:41 /usr/lib/systemd/systemd ? ? unset 139
912. 09/27/2019 15:39:22 /usr/lib/systemd/systemd ? ? unset 74

# display kind of executing logs from 2019/9/26 to 2019/9/28

[root@dlp ~]#
aureport -x -i --start 09/26/2019 --end 09/28/2019


Executable Report
====================================
# date time exe term host auid event
====================================
1. 09/26/2019 17:40:13 /usr/lib/systemd/systemd ? ? unset 8
2. 09/26/2019 17:40:14 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
3. 09/26/2019 17:40:14 /usr/lib/systemd/systemd ? ? unset 10
4. 09/26/2019 17:40:14 /usr/lib/systemd/systemd ? ? unset 11
5. 09/26/2019 17:40:14 /usr/lib/systemd/systemd ? ? unset 12
.....
.....
758. 09/27/2019 15:37:19 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 135
759. 09/27/2019 15:37:22 /usr/bin/su ttyS0 dlp.srv.world root 137
760. 09/27/2019 15:37:22 /usr/bin/su ttyS0 dlp.srv.world root 138
761. 09/27/2019 15:37:41 /usr/lib/systemd/systemd ? ? unset 139
762. 09/27/2019 15:39:22 /usr/lib/systemd/systemd ? ? unset 74
[2] Search and Display logs with [ausearch] and [aureport] like follows.
# search and display sudo logs by UserID 1000

[root@dlp ~]#
ausearch -x sudo -ua 1000 | aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 09/26/2019 19:30:33 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 82
2. 09/26/2019 19:37:12 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 133
3. 09/26/2019 19:37:15 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 134
4. 09/26/2019 19:37:19 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 135

# search and display executing logs by UserID 1000

[root@dlp ~]#
ausearch -ui 1000 | aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 09/26/2019 19:30:33 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 82
2. 09/26/2019 19:30:33 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 83
3. 09/26/2019 19:30:40 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 89
4. 09/26/2019 19:37:12 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 133
5. 09/26/2019 19:37:15 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 134
.....
.....
11. 09/26/2019 19:56:37 /usr/bin/su ttyS0 dlp.srv.world root 149
12. 09/26/2019 19:56:39 /usr/bin/su ttyS0 dlp.srv.world root 150
13. 09/26/2019 19:56:39 /usr/bin/su ttyS0 dlp.srv.world root 151
Matched Content