Auditd : Search Logs with ausearch
2025/08/17
Some Audit rules are set by default, such as system logins, modification of user accounts, sudo actions and so on; their records are written to [/var/log/audit/audit.log].

[1] The logs are in text format, so it is possible to read them directly.

root@dlp:~# tail -5 /var/log/audit/audit.log
type=PROCTITLE msg=audit(1755232568.452:163): proctitle="(systemd)"
type=SERVICE_START msg=audit(1755232568.544:164): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=user@0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' UID="root" AUID="unset"
type=USER_START msg=audit(1755232568.544:165): pid=736 uid=0 auid=0 ses=1 subj=unconfined msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_env,pam_env,pam_limits,pam_mail,pam_keyinit,pam_permit,pam_umask,pam_unix,pam_wtmpdb,pam_systemd acct="root" exe="/usr/bin/login" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success' UID="root" AUID="root"
type=CRED_REFR msg=audit(1755232568.544:166): pid=736 uid=0 auid=0 ses=1 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/login" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success' UID="root" AUID="root"
type=USER_LOGIN msg=audit(1755232568.544:167): pid=736 uid=0 auid=0 ses=1 subj=unconfined msg='op=login id=0 exe="/usr/bin/login" hostname=dlp.srv.world addr=? terminal=ttyS0 res=success' UID="root" AUID="root" ID="root"
[2] Many records are written to [audit.log] and they are hard to read by eye, so the Audit package provides the [ausearch] command to search for specific records.

# search USER_LOGIN related logs
root@dlp:~# ausearch --message USER_LOGIN --interpret
----
type=USER_LOGIN msg=audit(08/15/2025 13:35:24.572:125) : pid=956 uid=root auid=debian ses=3 subj=unconfined msg='op=login id=debian exe=/usr/bin/login hostname=dlp.srv.world addr=? terminal=ttyS0 res=success'
----
type=USER_LOGIN msg=audit(08/15/2025 13:35:40.500:184) : pid=1005 uid=root auid=root ses=5 subj=unconfined msg='op=login id=root exe=/usr/bin/login hostname=dlp.srv.world addr=? terminal=ttyS0 res=success'
----
type=USER_LOGIN msg=audit(08/15/2025 13:36:08.544:167) : pid=736 uid=root auid=root ses=1 subj=unconfined msg='op=login id=root exe=/usr/bin/login hostname=dlp.srv.world addr=? terminal=ttyS0 res=success'
.....
.....

# search sudo actions by userID 1000
root@dlp:~# ausearch -x sudo -ua 1000
----
time->Fri Aug 15 13:37:50 2025
type=USER_START msg=audit(1755232670.064:188): pid=871 uid=1000 auid=0 ses=1 subj=unconfined msg='op=PAM:session_open grantors=pam_limits,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
----
time->Fri Aug 15 13:37:50 2025
type=USER_END msg=audit(1755232670.068:189): pid=871 uid=1000 auid=0 ses=1 subj=unconfined msg='op=PAM:session_close grantors=pam_limits,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
----
time->Fri Aug 15 13:37:50 2025
type=CRED_DISP msg=audit(1755232670.068:190): pid=871 uid=1000 auid=0 ses=1 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
.....
.....

# search failure events on [dlp.srv.world]
root@dlp:~# ausearch --host dlp.srv.world --success no
----
time->Fri Aug 15 13:39:17 2025
type=USER_AUTH msg=audit(1755232757.049:227): pid=890 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:authentication grantors=? acct="debian" exe="/usr/bin/login" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
----
time->Fri Aug 15 13:39:19 2025
type=USER_LOGIN msg=audit(1755232759.573:228): pid=890 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=login id=1000 exe="/usr/bin/login" hostname=dlp.srv.world addr=? terminal=ttyS0 res=failed'
----
time->Fri Aug 15 13:39:26 2025
type=USER_AUTH msg=audit(1755232766.621:244): pid=926 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/su" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
.....
.....

# search logs by a user who has login userID 1001 from 2025/08/14 to 2025/08/15
root@dlp:~# ausearch --start 08/14/2025 --end 08/15/2025 -ul 1001
----
time->Fri Aug 15 13:41:25 2025
type=PROCTITLE msg=audit(1755232885.588:318): proctitle=2F62696E2F6C6F67696E002D2D
type=SYSCALL msg=audit(1755232885.588:318): arch=c000003e syscall=1 success=yes exit=4 a0=3 a1=7fffaacc6800 a2=4 a3=0 items=0 ppid=1 pid=1017 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=1001 fsgid=0 tty=ttyS0 ses=7 comm="login" exe="/usr/bin/login" subj=unconfined key=(null)
type=LOGIN msg=audit(1755232885.588:318): pid=1017 uid=0 subj=unconfined old-auid=4294967295 auid=1001 tty=ttyS0 old-ses=4294967295 ses=7 res=1
----
time->Fri Aug 15 13:41:25 2025
type=PROCTITLE msg=audit(1755232885.648:322): proctitle="(systemd)"
type=SYSCALL msg=audit(1755232885.648:322): arch=c000003e syscall=1 success=yes exit=4 a0=7 a1=7ffc3c210d30 a2=4 a3=0 items=0 ppid=1 pid=1028 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=8 comm="(systemd)" exe="/usr/lib/systemd/systemd-executor" subj=unconfined key=(null)
type=LOGIN msg=audit(1755232885.648:322): pid=1028 uid=0 subj=unconfined old-auid=4294967295 auid=1001 tty=(none) old-ses=4294967295 ses=8 res=1
----
time->Fri Aug 15 13:41:25 2025
type=USER_START msg=audit(1755232885.648:323): pid=1028 uid=0 auid=1001 ses=8 subj=unconfined msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_limits,pam_permit,pam_umask,pam_unix,pam_keyinit,pam_systemd acct="trixie" exe="/usr/lib/systemd/systemd-executor" hostname=? addr=? terminal=? res=success'
.....
.....
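As an added example (not from this page or from the audit project), the following Python parser does offline, on an embedded sample, what the ausearch calls above do: it splits raw audit.log records into fields, groups the records that share a timestamp and serial number into one event (the unit ausearch prints between ---- lines), and filters them like --message, -ul and --success no. The sample records are constructed from the excerpts above, and the search() matching rule is a simplifying assumption, not ausearch's own code.

```python
import re
from collections import defaultdict

# Constructed sample in raw audit.log format, adapted (and shortened) from the records above.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1755232757.049:227): pid=890 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="debian" exe="/usr/bin/login" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
type=USER_LOGIN msg=audit(1755232759.573:228): pid=890 uid=0 auid=4294967295 ses=4294967295 msg='op=login id=1000 exe="/usr/bin/login" hostname=dlp.srv.world addr=? terminal=ttyS0 res=failed'
type=SYSCALL msg=audit(1755232885.588:318): arch=c000003e syscall=1 success=yes exit=4 ppid=1 pid=1017 auid=1001 uid=0 comm="login" exe="/usr/bin/login" key=(null)
type=LOGIN msg=audit(1755232885.588:318): pid=1017 uid=0 old-auid=4294967295 auid=1001 tty=ttyS0 old-ses=4294967295 ses=7 res=1
type=USER_LOGIN msg=audit(1755232568.544:167): pid=736 uid=0 auid=0 ses=1 msg='op=login id=0 exe="/usr/bin/login" hostname=dlp.srv.world addr=? terminal=ttyS0 res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r"([\w-]+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_record(line):
    """One audit.log line -> dict of fields; None if the line is not a record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, secs, serial, body = m.groups()
    rec = {"type": rtype, "time": int(secs), "serial": int(serial)}
    for key, val in FIELD.findall(body):
        if val.startswith("'"):  # USER_* records nest key=value pairs inside msg='...'
            rec.update({k: v.strip('"') for k, v in FIELD.findall(val[1:-1])})
        else:
            rec[key] = val.strip('"')
    return rec

def load_events(text):
    """Group records by (time, serial): one event, what ausearch prints between ---- lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[(rec["time"], rec["serial"])].append(rec)
    return [events[k] for k in sorted(events)]

def record_success(rec):
    """Outcome as True/False/None: res=success|failed|1|0 (PAM, LOGIN) or success=yes|no (SYSCALL)."""
    val = rec.get("success", rec.get("res"))
    return {"yes": True, "success": True, "1": True, "no": False, "failed": False, "0": False}.get(val)

def search(events, message=None, auid=None, success=None):
    """Simplified ausearch -m / -ul / -sv (assumed rule): keep an event when one record satisfies all filters."""
    def matches(rec):
        return ((message is None or rec["type"] == message)
                and (auid is None or rec.get("auid") == str(auid))
                and (success is None or record_success(rec) is success))
    return [ev for ev in events if any(matches(r) for r in ev)]
```

Point it at a real file with `load_events(open("/var/log/audit/audit.log").read())`; enriched-format lines (the trailing UID="root" AUID="root" part) are separated by a 0x1D byte in the file and still parse, the extra fields just land in the record as well.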