
Auditd : Search Logs with ausearch
2022/12/20
 
Some Audit rules are set by default, such as System Login, Modification of User Accounts, Sudo Actions and so on; their records are written to [/var/log/audit/audit.log].
[1] The log is plain text, so it can be read directly with standard tools such as [tail] (it is readable by root only by default).
root@dlp:~#
tail -5 /var/log/audit/audit.log

type=UNKNOWN[1420] msg=audit(1671503677.557:283): subj_apparmor=unconfined
type=USER_START msg=audit(1671503677.557:284): pid=2166 uid=1000 auid=1000 ses=21 subj=? msg='op=PAM:session_open grantors=pam_keyinit,pam_env,pam_env,pam_mail,pam_limits,pam_permit,pam_umask,pam_unix,pam_systemd acct="root" exe="/usr/bin/su" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'UID="ubuntu" AUID="ubuntu"
type=SYSCALL msg=audit(1671503677.557:284): arch=c000003e syscall=44 success=yes exit=228 a0=4 a1=7fff6da8e910 a2=e4 a3=0 items=0 ppid=2155 pid=2166 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=ttyS0 ses=21 comm="su" exe="/usr/bin/su" subj=? key=(null)ARCH=x86_64 SYSCALL=sendto AUID="ubuntu" UID="ubuntu" GID="ubuntu" EUID="root" SUID="root" FSUID="root" EGID="ubuntu" SGID="ubuntu" FSGID="ubuntu"
type=PROCTITLE msg=audit(1671503677.557:284): proctitle=7375002D
type=UNKNOWN[1420] msg=audit(1671503677.557:284): subj_apparmor=unconfined
[2] Many records are written to [audit.log] and they are hard to read by eye, so the Audit package provides the [ausearch] command to search for specific records.
# search USER_LOGIN related records (--interpret renders IDs and timestamps in human-readable form)

root@dlp:~#
ausearch --message USER_LOGIN --interpret

----
type=USER_LOGIN msg=audit(12/20/2022 11:30:37.532:41) : pid=1408 uid=root auid=ubuntu ses=3 subj=? msg='op=login acct=ubuntu exe=/usr/bin/login hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
----
type=USER_LOGIN msg=audit(12/20/2022 11:30:43.588:67) : pid=1481 uid=root auid=root ses=5 subj=? msg='op=login acct=root exe=/usr/bin/login hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
----
type=USER_LOGIN msg=audit(12/20/2022 11:31:05.507:95) : pid=1581 uid=root auid=debian ses=7 subj=? msg='op=login acct=debian exe=/usr/bin/login hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
----
type=USER_LOGIN msg=audit(12/20/2022 11:31:12.087:119) : pid=1646 uid=root auid=root ses=9 subj=? msg='op=login acct=root exe=/usr/bin/login hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
.....
.....

# search executions of [sudo] by user ID 1000

root@dlp:~#
ausearch -x sudo -ua 1000

----
time->Tue Dec 20 11:33:59 2022
type=USER_AUTH msg=audit(1671503639.397:255): pid=2079 uid=1001 auid=1001 ses=19 subj=? msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/su" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
----
time->Tue Dec 20 11:34:22 2022
type=USER_AUTH msg=audit(1671503662.857:277): pid=2165 uid=1000 auid=1000 ses=21 subj=? msg='op=PAM:authentication grantors=? acct="ubuntu" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
----
time->Tue Dec 20 11:34:26 2022
type=USER_AUTH msg=audit(1671503666.009:278): pid=2165 uid=1000 auid=1000 ses=21 subj=? msg='op=PAM:authentication grantors=? acct="ubuntu" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
.....
.....

# search failed events reported with the hostname [dlp.srv.world]

root@dlp:~#
ausearch --host dlp.srv.world --success no

----
time->Thu Mar 10 23:25:15 2022
type=USER_AUTH msg=audit(1646976315.473:406): pid=3329 uid=1000 auid=1000 ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/su" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
----
time->Thu Mar 10 23:25:26 2022
type=USER_AUTH msg=audit(1646976326.418:410): pid=3333 uid=1000 auid=1000 ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="cent" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
----
time->Thu Mar 10 23:25:30 2022
type=USER_AUTH msg=audit(1646976330.290:411): pid=3333 uid=1000 auid=1000 ses=12 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="cent" exe="/usr/bin/sudo" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=failed'
.....
.....

# search records for the login user ID 1001 between 2022/12/19 and 2022/12/20

root@dlp:~#
ausearch --start 12/19/2022 --end 12/20/2022 -ul 1001

----
time->Tue Dec 20 11:31:05 2022
type=UNKNOWN[1420] msg=audit(1671503465.379:86): subj_apparmor=unconfined
type=PROCTITLE msg=audit(1671503465.379:86): proctitle=2F62696E2F6C6F67696E002D70002D2D
type=SYSCALL msg=audit(1671503465.379:86): arch=c000003e syscall=1 success=yes exit=4 a0=3 a1=7ffcff0f0ff0 a2=4 a3=0 items=0 ppid=1 pid=1581 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=7 comm="login" exe="/usr/bin/login" subj=? key=(null)
type=LOGIN msg=audit(1671503465.379:86): pid=1581 uid=0 subj=? old-auid=4294967295 auid=1001 tty=ttyS0 old-ses=4294967295 ses=7 res=1
type=UNKNOWN[1420] msg=audit(1671503465.379:86): subj_apparmor=unconfined
----
time->Tue Dec 20 11:31:05 2022
type=UNKNOWN[1420] msg=audit(1671503465.431:90): subj_apparmor=unconfined
type=PROCTITLE msg=audit(1671503465.431:90): proctitle="(systemd)"
type=SYSCALL msg=audit(1671503465.431:90): arch=c000003e syscall=1 success=yes exit=4 a0=7 a1=7fffc09c3420 a2=4 a3=0 items=0 ppid=1 pid=1628 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=8 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=? key=(null)
type=LOGIN msg=audit(1671503465.431:90): pid=1628 uid=0 subj=? old-auid=4294967295 auid=1001 tty=(none) old-ses=4294967295 ses=8 res=1
type=UNKNOWN[1420] msg=audit(1671503465.431:90): subj_apparmor=unconfined
.....
.....