AlmaLinux 9

Auditd : Summarize Logs with aureport 2023/02/20

 
The [aureport] command, shipped in the Audit package, produces summary reports from the large volume of records written to [audit.log]; each report type (authentication, account changes, executables, and so on) is selected with an option, and every row carries the event number you can hand to [ausearch -a] to pull the full record.
[1] Usage examples of the [aureport] command.
# With no arguments, display the overall summary

[root@dlp ~]#
aureport


Summary Report
======================
Range of time in logs: 11/25/2021 18:25:45.522 - 03/10/2022 23:26:12.211
Selected time for report: 11/25/2021 18:25:45 - 03/10/2022 23:26:12.211
Number of changes in configuration: 225
Number of changes to accounts, groups, or roles: 6
Number of logins: 23
Number of failed logins: 0
Number of authentications: 25
Number of failed authentications: 4
Number of users: 3
Number of terminals: 4
Number of host names: 5
Number of executables: 18
Number of commands: 14
Number of files: 1
Number of AVC's: 11
Number of MAC events: 64
Number of failed syscalls: 11
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 22
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 171
Number of events: 3755

# Display the authentication report (one row per authentication attempt)

[root@dlp ~]#
aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 11/25/2021 18:26:50 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 69
2. 11/26/2021 01:22:54 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 61
3. 12/07/2021 22:31:29 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 64
4. 12/07/2021 22:36:31 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 50
5. 12/20/2021 18:55:21 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 64
.....
.....
25. 03/10/2022 23:25:15 root dlp.srv.world /dev/ttyS0 /usr/bin/su no 406
26. 03/10/2022 23:25:26 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 410
27. 03/10/2022 23:25:30 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 411
28. 03/10/2022 23:25:33 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 412
29. 03/10/2022 23:25:41 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 422

# Display only failed authentications, aggregated per account in summary form

[root@dlp ~]#
aureport -au --failed --summary


Failed Authentication Summary Report
=============================
total  acct
=============================
3  alma
1  root

# Display the account modification report (user/group add, delete, change)
# With [-i], numeric user IDs are interpreted and shown as user names

[root@dlp ~]#
aureport -m -i


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 146
2. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 147
3. 03/10/2022 22:04:12 root ? ? /usr/sbin/useradd apache yes 148
4. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 125
5. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 126
6. 03/10/2022 23:19:46 root ? ? /usr/sbin/useradd apache yes 127

# Display account modifications from the start of this month onward

[root@dlp ~]#
aureport -m -i --start this-month


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 146
2. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 147
3. 03/10/2022 22:04:12 root ? ? /usr/sbin/useradd apache yes 148
4. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 125
5. 03/10/2022 23:19:46 root ? ? /usr/sbin/groupadd ? yes 126
6. 03/10/2022 23:19:46 root ? ? /usr/sbin/useradd apache yes 127

# Display the executable report (program executions)

[root@dlp ~]#
aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 11/25/2021 18:25:45 /usr/sbin/auditctl (none) ? unset 5
2. 11/25/2021 18:25:45 /usr/sbin/auditctl (none) ? unset 6
3. 11/25/2021 18:25:45 /usr/sbin/auditctl (none) ? unset 7
4. 11/25/2021 18:25:45 /usr/lib/systemd/systemd ? ? unset 8
5. 11/25/2021 18:25:45 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
.....
.....
2694. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 441
2695. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 442
2696. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 162
2697. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 163
2698. 03/10/2022 23:26:12 /usr/lib/systemd/systemd ? ? unset 443

# Display program executions that occurred between 2022/3/10 and 2022/3/11

[root@dlp ~]#
aureport -x -i --start 03/10/2022 --end 03/11/2022


Executable Report
====================================
# date time exe term host auid event
====================================
1. 03/10/2022 18:59:36 /usr/sbin/auditctl (none) ? unset 5
2. 03/10/2022 18:59:36 /usr/sbin/auditctl (none) ? unset 6
3. 03/10/2022 18:59:36 /usr/sbin/auditctl (none) ? unset 7
4. 03/10/2022 18:59:36 /usr/lib/systemd/systemd ? ? unset 8
5. 03/10/2022 18:59:36 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
.....
.....
903. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 441
904. 03/10/2022 23:25:47 /usr/lib/systemd/systemd ? ? unset 442
905. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 162
906. 03/10/2022 23:26:04 /usr/lib/systemd/systemd ? ? unset 163
907. 03/10/2022 23:26:12 /usr/lib/systemd/systemd ? ? unset 443
[2] By piping [ausearch] output into [aureport], you can summarize only the records matched by a search; [aureport] reads the raw records from stdin instead of [audit.log].
# Display the sudo authentication history of user ID 1000

[root@dlp ~]#
ausearch -x sudo -ua 1000 | aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 03/10/2022 23:21:54 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 341
2. 03/10/2022 23:25:26 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 410
3. 03/10/2022 23:25:30 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 411
4. 03/10/2022 23:25:33 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 412

# Display the program execution log of the user whose user ID is 1000

[root@dlp ~]#
ausearch -ui 1000 | aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 280
2. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 281
3. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 282
4. 03/10/2022 23:21:19 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 283
5. 03/10/2022 23:21:32 /usr/bin/su /dev/ttyS0 dlp.srv.world alma 284
.....
.....
15. 03/10/2022 23:25:26 /usr/bin/sudo /dev/ttyS0 dlp.srv.world alma 410
16. 03/10/2022 23:25:30 /usr/bin/sudo /dev/ttyS0 dlp.srv.world alma 411
17. 03/10/2022 23:25:33 /usr/bin/sudo /dev/ttyS0 dlp.srv.world alma 412
18. 03/10/2022 23:25:35 /usr/bin/sudo ttyS0 ? alma 413
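The reports in [1] and [2] are plain text tables, so the next thing a practitioner usually wants is to turn them into structured records and run a check over them rather than read thousands of rows. The following Python script is an added example, not part of the original page or of the Audit package: it parses the `# col col ...` header and numbered rows that aureport prints, flags accounts with three or more failed authentications inside a five-minute window (using the Authentication Report layout from [1]), lists account changes made by a login UID outside an allow-list (using the Account Modifications Report layout from [1]), and shows how the `ausearch ... | aureport -au` pipeline from [2] can feed the same parser. The two sample reports, the `tester` account row, the threshold, the window and the allow-list are constructed assumptions for the example; the date format is the MM/DD/YYYY one shown on this page and depends on the system locale.

```python
"""Post-process aureport output: parse its tables and run two checks.

Added example, not from the original page or the audit package. The two
sample reports below are constructed to match the layout aureport prints
on this page; thresholds and the allow-list are assumptions for the example.
"""
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of `aureport -au` (Authentication Report).
SAMPLE_AUTH = """\
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 03/10/2022 23:21:54 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 341
2. 03/10/2022 23:25:15 root dlp.srv.world /dev/ttyS0 /usr/bin/su no 406
3. 03/10/2022 23:25:26 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 410
4. 03/10/2022 23:25:30 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 411
5. 03/10/2022 23:25:33 alma dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 412
6. 03/10/2022 23:25:41 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 422
"""

# Constructed sample in the layout of `aureport -m -i` (Account Modifications
# Report); the "tester" row is invented so the allow-list check has a hit.
SAMPLE_ACCT = """\
Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 03/10/2022 22:04:12 root ? ? /usr/sbin/groupadd ? yes 146
2. 03/10/2022 22:04:12 root ? ? /usr/sbin/useradd apache yes 148
3. 03/10/2022 23:19:46 alma ? ? /usr/sbin/useradd tester yes 160
"""


def parse_report(text):
    """Turn an aureport table into a list of dicts keyed by the header names.

    aureport prints one "# col1 col2 ..." header line followed by rows of the
    form "N. value value ...". Field values contain no spaces ("?" and "(none)"
    stand in for unknown fields), so splitting on whitespace is safe.
    """
    columns, rows = None, []
    for line in text.splitlines():
        if line.startswith("# "):
            columns = line[2:].split()
            continue
        index, _, rest = line.partition(". ")
        if columns and index.isdigit():
            values = rest.split()
            if len(values) == len(columns):   # skip truncated or garbled rows
                rows.append(dict(zip(columns, values)))
    return rows


def event_time(row):
    """Combine the date/time columns. aureport uses the locale's date format,
    which on this page is MM/DD/YYYY (assumption: same locale as the page)."""
    return datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")


def failed_auth_bursts(rows, threshold=3, window=timedelta(minutes=5)):
    """Map acct -> largest number of failed authentications seen inside
    `window`, for accounts that reach `threshold` (password guessing, a stuck
    script, or a user hammering sudo with the wrong password)."""
    failures = defaultdict(list)
    for row in rows:
        if row["success"] == "no":
            failures[row["acct"]].append(event_time(row))
    hits = {}
    for acct, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            # count failures in the interval [start, start + window]
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                hits[acct] = max(hits.get(acct, 0), count)
    return hits


def unexpected_account_changes(rows, allowed_auids=("root",)):
    """Account/group changes whose login UID (auid) is not on the allow-list.
    auid is set at login and survives su/sudo, so this attributes the change
    to the person who logged in rather than to the effective root account."""
    return [row for row in rows if row["auid"] not in allowed_auids]


def run_live(uid, exe="sudo"):
    """The pipeline from [2] on a real host: `ausearch -x EXE -ua UID | aureport -au`.
    Needs root and a running auditd; not exercised by the samples above."""
    search = subprocess.Popen(["ausearch", "-x", exe, "-ua", str(uid)],
                              stdout=subprocess.PIPE)
    report = subprocess.run(["aureport", "-au"], stdin=search.stdout,
                            capture_output=True, text=True, check=True)
    search.stdout.close()
    search.wait()
    return parse_report(report.stdout)


if __name__ == "__main__":
    print("failed-auth bursts:", failed_auth_bursts(parse_report(SAMPLE_AUTH)))
    for row in unexpected_account_changes(parse_report(SAMPLE_ACCT)):
        print("unexpected change:", row["auid"], row["exe"], row["acct"],
              "event", row["event"])
```

On a live host, replace the samples with the output of `subprocess.run(["aureport", "-au"], capture_output=True, text=True).stdout` (or `aureport -m -i` for the account report). `aureport -au --failed --summary` already gives per-account failure counts, but it has no notion of time clustering, which is why the script parses the full row-level report; the `event` column of any flagged row can be passed to `ausearch -a` to retrieve the complete record.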