Auditd : Display Summary Logs with aureport    2023/09/20
With the [aureport] command included in the audit package, it is possible to display the audit log in summarized form.
[1] Use the [aureport] command as follows.
# display the whole summary when run without arguments
root@dlp:~# aureport

Summary Report
======================
Range of time in logs: 12/20/2022 11:29:48.328 - 12/20/2022 11:44:19.603
Selected time for report: 12/20/2022 11:29:48 - 12/20/2022 11:44:19.603
Number of changes in configuration: 4
Number of changes to accounts, groups, or roles: 5
Number of logins: 10
Number of failed logins: 3
Number of authentications: 14
Number of failed authentications: 7
Number of users: 4
Number of terminals: 6
Number of host names: 3
Number of executables: 10
Number of commands: 12
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 38
Number of events: 491

# display authentication logs
root@dlp:~# aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 12/20/2022 11:30:37 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/login yes 30
2. 12/20/2022 11:30:43 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 52
3. 12/20/2022 11:30:54 root dlp.srv.world ttyS0 /usr/bin/chfn yes 75
4. 12/20/2022 11:31:05 debian dlp.srv.world /dev/ttyS0 /usr/bin/login yes 84
5. 12/20/2022 11:31:11 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 104
6. 12/20/2022 11:31:20 debian dlp.srv.world /dev/ttyS0 /usr/bin/login yes 127
7. 12/20/2022 11:31:26 debian 127.0.0.1 ssh /usr/sbin/sshd no 141
8. 12/20/2022 11:31:30 debian 127.0.0.1 ssh /usr/sbin/sshd no 143
9. 12/20/2022 11:31:35 debian 127.0.0.1 ssh /usr/sbin/sshd no 145
.....
.....

# display a summary of failed authentication logs
root@dlp:~# aureport -au --failed --summary

Failed Authentication Summary Report
=============================
total acct
=============================
3 debian
3 ubuntu
1 root

# display logs of modifications to user accounts
root@dlp:~# aureport -m -i

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 68
2. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 69
3. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 70
4. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 71
5. 12/20/2022 11:30:54 root dlp.srv.world ttyS0 /usr/bin/passwd debian yes 74

# display logs of modifications to user accounts since the start of this month
root@dlp:~# aureport -m -i --start this-month

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 68
2. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 69
3. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 70
4. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 71
5. 12/20/2022 11:30:54 root dlp.srv.world ttyS0 /usr/bin/passwd debian yes 74

# display execution logs
root@dlp:~# aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 17
2. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 18
3. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 19
4. 12/20/2022 11:29:48 /usr/lib/systemd/systemd ? ? unset 20
5. 12/20/2022 11:30:29 /usr/bin/login /dev/ttyS0 dlp.srv.world root 23
6. 12/20/2022 11:30:29 /usr/lib/systemd/systemd ? ? unset 26
7. 12/20/2022 11:30:29 /usr/lib/systemd/systemd (none) ? unset 26
8. 12/20/2022 11:30:29 /usr/lib/systemd/systemd ? ? unset 27
9. 12/20/2022 11:30:29 /usr/lib/systemd/systemd (none) ? unset 27
10. 12/20/2022 11:30:29 /usr/lib/systemd/systemd ? ? unset 28
.....
.....

# display execution logs from 2022/12/19 to 2022/12/20
root@dlp:~# aureport -x -i --start 12/19/2022 --end 12/20/2022

Executable Report
====================================
# date time exe term host auid event
====================================
1. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 17
2. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 18
3. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 19
4. 12/20/2022 11:29:48 /usr/lib/systemd/systemd ? ? unset 20
5. 12/20/2022 11:30:29 /usr/bin/login /dev/ttyS0 dlp.srv.world root 23
.....
.....
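As an added example, not part of the original page, the script below turns the [aureport -au --failed --summary] output shown above into a simple threshold check: it parses the "total acct" rows and lists accounts whose failed authentication count reaches a given threshold. A constructed copy of that report is embedded so the script runs on a host without auditd; when aureport is present it reads the live report instead.

```shell
#!/bin/sh
# Added example (not from the original page): parse the report produced by
# "aureport -au --failed --summary" and flag accounts with repeated failures.

# Constructed sample, mirroring the report format shown on the page.
SAMPLE_REPORT='Failed Authentication Summary Report
=============================
total acct
=============================
3 debian
3 ubuntu
1 root'

# Read a failed-authentication summary on stdin and print "acct total"
# for every account whose total is >= $1. Header, ruler and title lines
# are skipped because their first field is not a number.
accounts_over_threshold() {
    threshold="$1"
    awk -v t="$threshold" '
        NF == 2 && $1 ~ /^[0-9]+$/ && $1 >= t { print $2, $1 }
    '
}

# Use the live report when aureport is installed, else the sample.
failed_auth_report() {
    if command -v aureport >/dev/null 2>&1; then
        aureport -au --failed --summary
    else
        printf '%s\n' "$SAMPLE_REPORT"
    fi
}

# Run the check against the constructed sample at threshold $1.
sample_over_threshold() {
    printf '%s\n' "$SAMPLE_REPORT" | accounts_over_threshold "$1"
}

# Example run: accounts with three or more failed authentications.
failed_auth_report | accounts_over_threshold 3
```

On the sample report a threshold of 3 reports debian and ubuntu but not root; pipe the output into an alerting tool or cron job to review it regularly.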
[2] Search and display logs by combining [ausearch] with [aureport].
# search and display sudo logs for user ID 1000
root@dlp:~# ausearch -x sudo -ua 1000 | aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 12/20/2022 11:32:39 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 191
2. 12/20/2022 11:34:22 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 277
3. 12/20/2022 11:34:26 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 278
4. 12/20/2022 11:34:28 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 279

# search and display execution logs for user ID 1001
root@dlp:~# ausearch -ui 1001 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 12/20/2022 11:33:56 /usr/bin/sudo /dev/ttyS0 dlp.srv.world debian 252
2. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 252
3. 12/20/2022 11:33:56 /usr/bin/sudo /dev/ttyS0 dlp.srv.world debian 253
4. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 253
5. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 254
6. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 254
7. 12/20/2022 11:33:59 /usr/bin/su /dev/ttyS0 dlp.srv.world debian 255
8. 12/20/2022 11:33:59 /usr/bin/su ttyS0 ? debian 255
.....
.....