Auditd : Display Log Summaries with aureport
2023/02/20

The [aureport] command bundled with the Audit package produces summary reports from the large volume of logs recorded in [audit.log].
[1] Usage examples of the [aureport] command.
# Display the overall summary with no arguments
[root@dlp ~]# aureport

Summary Report
======================
Range of time in logs: 11/25/2021 18:25:45.522 - 03/10/2022 23:26:12.211
Selected time for report: 11/25/2021 18:25:45 - 03/10/2022 23:26:12.211
Number of changes in configuration: 225
Number of changes to accounts, groups, or roles: 6
Number of logins: 23
Number of failed logins: 0
Number of authentications: 25
Number of failed authentications: 4
Number of users: 3
Number of terminals: 4
Number of host names: 5
Number of executables: 18
Number of commands: 14
Number of files: 1
Number of AVC's: 11
Number of MAC events: 64
Number of failed syscalls: 11
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 22
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 171
Number of events: 3755

# Display the authentication audit log
[root@dlp ~]# aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 11/25/2021 18:26:50 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 69
2. 11/26/2021 01:22:54 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 61
3. 12/07/2021 22:31:29 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 64
4. 12/07/2021 22:36:31 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 50
5. 12/20/2021 18:55:21 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 64
.....
.....
25. 03/10/2022 23:25:15 root dlp.srv.world /dev/ttyS0 /usr/bin/su no 406
26. 03/10/2022 23:25:26 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 410
27. 03/10/2022 23:25:30 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 411
28. 03/10/2022 23:25:33 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 412
29. 03/10/2022 23:25:41 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 422

# Display the authentication audit log in summary form, limited to failures
[root@dlp ~]# aureport -au --failed --summary

Failed Authentication Summary Report
=============================
total acct
=============================
3 alma
1 root

# Display the user account modification log
# Numeric user IDs are displayed as user names
[root@dlp ~]# aureport -m -i

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 146
2. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 147
3. 03/10/2022 22:04:12 root ? ? /usr/sbin/useradd apache yes 148
4. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 125
5. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 126
6. 03/10/2022 23:19:46 root ? ? /usr/sbin/useradd apache yes 127

# Display the user account modification log from this month onward
[root@dlp ~]# aureport -m -i --start this-month

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 146
2. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 147
3. 03/10/2022 22:04:12 root ? ? /usr/sbin/useradd apache yes 148
4. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 125
5. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 126
6. 03/10/2022 23:19:46 root ? ? /usr/sbin/useradd apache yes 127

# Display the program execution log
[root@dlp ~]# aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 11/25/2021 18:25:45 /usr/sbin/auditctl (none) ? unset 5
2. 11/25/2021 18:25:45 /usr/sbin/auditctl (none) ? unset 6
3. 11/25/2021 18:25:45 /usr/sbin/auditctl (none) ? unset 7
4. 11/25/2021 18:25:45 /usr/lib/systemd/systemd ? ? unset 8
5. 11/25/2021 18:25:45 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
.....
.....
2694. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 441
2695. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 442
2696. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 162
2697. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 163
2698. 03/10/2022 23:26:12 /usr/lib/systemd/systemd ? ? unset 443

# Display the program execution log for events between 2022/3/10 and 2022/3/11
[root@dlp ~]# aureport -x -i --start 03/10/2022 --end 03/11/2022

Executable Report
====================================
# date time exe term host auid event
====================================
1. 03/10/2022 18:59:36 /usr/sbin/auditctl (none) ? unset 5
2. 03/10/2022 18:59:36 /usr/sbin/auditctl (none) ? unset 6
3. 03/10/2022 18:59:36 /usr/sbin/auditctl (none) ? unset 7
4. 03/10/2022 18:59:36 /usr/lib/systemd/systemd ? ? unset 8
5. 03/10/2022 18:59:36 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
.....
.....
903. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 441
904. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 442
905. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 162
906. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 163
907. 03/10/2022 23:26:12 /usr/lib/systemd/systemd ? ? unset 443

[2] Combined with [ausearch], [aureport] can summarize only the specific logs matched by a search.
# Display the sudo execution history log for user ID 1000
[root@dlp ~]# ausearch -x sudo -ua 1000 | aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 03/10/2022 23:21:54 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 341
2. 03/10/2022 23:25:26 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 410
3. 03/10/2022 23:25:30 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 411
4. 03/10/2022 23:25:33 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 412

# Display the program execution log for the user with user ID 1000
[root@dlp ~]# ausearch -ui 1000 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 280
2. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 281
3. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 282
4. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 283
5. 03/10/2022 23:21:32 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 284
.....
.....
15. 03/10/2022 23:25:26 /usr/bin/sudo /dev/ttyS0 dlp.srv.world alma 410
16. 03/10/2022 23:25:30 /usr/bin/sudo /dev/ttyS0 dlp.srv.world alma 411
17. 03/10/2022 23:25:33 /usr/bin/sudo /dev/ttyS0 dlp.srv.world alma 412
18. 03/10/2022 23:25:35 /usr/bin/sudo ttyS0 ? alma 413
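
The Authentication Report format shown above can feed simple detection logic. The following is an added example, not part of the original page: a shell function that reads [aureport -au] output and reports accounts with a burst of failed authentications inside a time window, which the per-account totals of [--failed --summary] do not show. The function names, the thresholds and row 30 of the sample are assumptions made for illustration; rows 25-29 are copied from the output in [1].

```shell
#!/bin/sh
# Added example: flag bursts of failed authentications in `aureport -au` output.
# failed_auth_bursts THRESHOLD WINDOW_SECONDS   (hypothetical helper name)
# Prints "acct count date first_time last_time" for every account with at
# least THRESHOLD failures inside WINDOW_SECONDS on one date.
# Assumes rows are chronological and have the 9 columns shown in the header.
failed_auth_bursts() {
    awk -v threshold="$1" -v window="$2" '
    # Data rows: idx date time acct host term exe success event
    $1 ~ /^[0-9]+\.$/ && NF == 9 && $8 == "no" {
        split($3, t, ":")
        secs = t[1] * 3600 + t[2] * 60 + t[3]
        key = $4 SUBSEP $2                  # account + date
        n = ++count[key]
        when[key, n] = secs
        stamp[key, n] = $3
        if (!(key in first)) first[key] = 1
        # Drop failures that are older than the window
        while (secs - when[key, first[key]] > window) first[key]++
        size = n - first[key] + 1
        if (size >= threshold && size > best[key]) {
            best[key] = size
            from[key] = stamp[key, first[key]]
            to[key] = $3
        }
    }
    END {
        for (key in best) {
            split(key, p, SUBSEP)
            print p[1], best[key], p[2], from[key], to[key]
        }
    }' | sort
}

# Rows 25-29 are from the report in [1]; row 30 is constructed for this example.
sample_report() {
    cat <<'EOF'
# date time acct host term exe success event
25. 03/10/2022 23:25:15 root dlp.srv.world /dev/ttyS0 /usr/bin/su no 406
26. 03/10/2022 23:25:26 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 410
27. 03/10/2022 23:25:30 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 411
28. 03/10/2022 23:25:33 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 412
29. 03/10/2022 23:25:41 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 422
30. 03/10/2022 23:40:02 root dlp.srv.world /dev/ttyS0 /usr/bin/su no 430
EOF
}

sample_report | failed_auth_bursts 3 60
```

On a live system the function would read from [aureport -au] instead of the sample, for example `aureport -au --start today | failed_auth_bursts 3 60`.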