Rocky_Linux_8
Sponsored Link

Auditd : Search Logs with ausearch
2021/07/22
 
Some Audit rules are set by default like System Login, Modification of User Accounts, Sudo Actions and so on, there logs are recorded in [/var/log/audit/audit.log].
[1] The logs are text format, so it's possible to see logs directly.
[root@dlp ~]#
tail -3 /var/log/audit/audit.log

type=CRED_REFR msg=audit(1626925631.896:132): pid=25720 uid=0 auid=0 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/login" hostname=node01.srv.world addr=? terminal=ttyS0 res=success'
type=USER_LOGIN msg=audit(1626925631.896:133): pid=25720 uid=0 auid=0 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/bin/login" hostname=node01.srv.world addr=? terminal=ttyS0 res=success'
type=SERVICE_STOP msg=audit(1626925658.317:134): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[2] Many logs are recorded in [audit.log] and they are complicated, so [ausearch] command is provided by Audit package to search specific logs.
# search USER_LOGIN related logs

[root@dlp ~]#
ausearch --message USER_LOGIN --interpret

----
type=USER_LOGIN msg=audit(02/18/2021 15:52:50.274:71) : pid=1186 uid=root auid=root ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=root exe=/usr/bin/login hostname=localhost.localdomain addr=? terminal=ttyS0 res=success'
----
type=USER_LOGIN msg=audit(02/24/2021 14:21:48.796:65) : pid=1149 uid=root auid=root ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=root exe=/usr/bin/login hostname=localhost.localdomain addr=? terminal=ttyS0 res=success'
----
type=USER_LOGIN msg=audit(02/24/2021 14:33:50.176:91) : pid=1132 uid=root auid=root ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=root exe=/usr/bin/login hostname=localhost.localdomain addr=? terminal=ttyS0 res=success'
.....
.....

# search sudo actions by userID 1000

[root@dlp ~]#
ausearch -x sudo -ua 1000

----
time->Thu Jul 22 12:56:12 2021
type=USER_AUTH msg=audit(1626926172.771:139): pid=2825 uid=1000 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_usertype,pam_localuser,pam_unix acct="rocky" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
----
time->Thu Jul 22 12:56:12 2021
type=USER_ACCT msg=audit(1626926172.773:140): pid=2825 uid=1000 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="rocky" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
----
time->Thu Jul 22 12:56:12 2021
type=USER_CMD msg=audit(1626926172.774:141): pid=2825 uid=1000 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/rocky" cmd=636174202F6574632F736861646F77 exe="/usr/bin/sudo" terminal=ttyS0 res=success'
.....
.....

# search failure events on [dlp.srv.world]

[root@dlp ~]#
ausearch --host dlp.srv.world --success no

----
time->Thu Jul 22 10:40:19 2021
type=USER_END msg=audit(1626918019.871:106): pid=1127 uid=0 auid=0 ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=? acct="root" exe="/usr/bin/login" hostname=localhost.localdomain addr=? terminal=ttyS0 res=failed'
.....
.....

# search logs by a user who has login userID 1000 from 2021/7/21 to 2021/7/22

[root@dlp ~]#
ausearch --start 07/21/2021 --end 07/22/2021 -ul 1000

----
time->Thu Jul 22 12:59:23 2021
type=LOGIN msg=audit(1626926363.198:108): pid=1550 uid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 old-auid=4294967295 auid=1000 tty=ttyS0 old-ses=4294967295 ses=3 res=1
----
time->Thu Jul 22 12:59:23 2021
type=PROCTITLE msg=audit(1626926363.198:108): proctitle=2F62696E2F6C6F67696E002D70002D2D002020202020
type=SYSCALL msg=audit(1626926363.198:108): arch=c000003e syscall=1 success=yes exit=4 a0=6 a1=7ffcc8053a00 a2=4 a3=0 items=0 ppid=1 pid=1550 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=3 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
.....
.....
Matched Content