CentOS Stream 10

Auditd : Summarizing Logs with aureport
2025/01/02
 

The [aureport] command, which ships with the audit package, prints summary reports from the large volume of records written to [audit.log].

[1] Usage examples for the [aureport] command.
# With no arguments, show the overall summary

[root@dlp ~]#
aureport


Summary Report
======================
Range of time in logs: 12/14/2024 18:39:51.079 - 01/02/2025 15:01:55.515
Selected time for report: 12/14/2024 18:39:51 - 01/02/2025 15:01:55.515
Number of changes in configuration: 70
Number of changes to accounts, groups, or roles: 3
Number of logins: 12
Number of failed logins: 2
Number of authentications: 19
Number of failed authentications: 4
Number of users: 3
Number of terminals: 7
Number of host names: 6
Number of executables: 17
Number of commands: 14
Number of files: 2
Number of AVC's: 8
Number of MAC events: 24
Number of failed syscalls: 7
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 10
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 86
Number of events: 1853

# Show authentication-related audit records

[root@dlp ~]#
aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 12/14/2024 18:40:57 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 71
2. 12/19/2024 10:43:22 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 54
3. 12/20/2024 09:42:08 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 64
4. 01/02/2025 13:23:34 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 67
5. 01/02/2025 13:24:33 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 58
.....
.....
20. 01/02/2025 14:58:19 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 244
21. 01/02/2025 14:59:15 cent node01.srv.world /dev/ttyS0 /usr/bin/login yes 154
22. 01/02/2025 14:59:22 root node01.srv.world /dev/ttyS0 /usr/bin/login yes 179
23. 01/02/2025 14:59:34 cent 10.0.0.30 ssh /usr/libexec/openssh/sshd-session yes 233

# Show authentication-related audit records, failures only, in summary form

[root@dlp ~]#
aureport -au --failed --summary


Failed Authentication Summary Report
=============================
total  acct
=============================
2  root
1  redhat
1  fedora

# Show user account modification records
# Numeric user IDs are displayed as user names

[root@dlp ~]#
aureport -m -i


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 01/02/2025 13:25:21 root ? ? /usr/sbin/groupadd ? yes 112
2. 01/02/2025 13:25:21 root ? ? /usr/sbin/groupadd ? yes 113
3. 01/02/2025 13:25:21 root ? ? /usr/sbin/useradd apache yes 114
4. 01/02/2025 15:05:20 root ? ? /usr/sbin/groupadd ? yes 262
5. 01/02/2025 15:05:20 root ? ? /usr/sbin/groupadd ? yes 263
6. 01/02/2025 15:05:20 root ? ? /usr/sbin/useradd nginx yes 264

# Show user account modification records from the start of this month onward

[root@dlp ~]#
aureport -m -i --start this-month


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 01/02/2025 13:25:21 root ? ? /usr/sbin/groupadd ? yes 112
2. 01/02/2025 13:25:21 root ? ? /usr/sbin/groupadd ? yes 113
3. 01/02/2025 13:25:21 root ? ? /usr/sbin/useradd apache yes 114
4. 01/02/2025 15:05:20 root ? ? /usr/sbin/groupadd ? yes 262
5. 01/02/2025 15:05:20 root ? ? /usr/sbin/groupadd ? yes 263
6. 01/02/2025 15:05:20 root ? ? /usr/sbin/useradd nginx yes 264

# Show program execution records

[root@dlp ~]#
aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 12/14/2024 18:39:51 /usr/lib/systemd/systemd ? ? unset 5
2. 12/14/2024 18:39:51 /usr/lib/systemd/systemd-update-utmp ? ? unset 6
3. 12/14/2024 18:39:51 /usr/lib/systemd/systemd ? ? unset 7
4. 12/14/2024 18:39:51 /usr/lib/systemd/systemd ? ? unset 9
5. 12/14/2024 18:39:51 /usr/lib/systemd/systemd ? ? unset 14
.....
.....
1370. 01/02/2025 15:05:21 /usr/bin/python3.12 ttyS0 dlp.srv.world root 295
1371. 01/02/2025 15:05:21 /usr/bin/python3.12 ttyS0 dlp.srv.world root 296
1372. 01/02/2025 15:05:21 /usr/lib/systemd/systemd ? ? unset 297
1373. 01/02/2025 15:05:22 /usr/lib/systemd/systemd ? ? unset 298
1374. 01/02/2025 15:05:22 /usr/lib/systemd/systemd ? ? unset 299
1375. 01/02/2025 15:05:22 /usr/lib/systemd/systemd ? ? unset 300

# Show program execution records that occurred between 2025/1/1 and 2025/1/2

[root@dlp ~]#
aureport -x -i --start 01/01/2025 --end 01/02/2025


Executable Report
====================================
# date time exe term host auid event
====================================
1. 01/02/2025 13:20:02 /usr/lib/systemd/systemd ? ? unset 5
2. 01/02/2025 13:20:02 /usr/lib/systemd/systemd-update-utmp ? ? unset 6
3. 01/02/2025 13:20:02 /usr/lib/systemd/systemd ? ? unset 7
4. 01/02/2025 13:20:02 /usr/lib/systemd/systemd ? ? unset 9
5. 01/02/2025 13:20:02 /usr/lib/systemd/systemd ? ? unset 14
.....
.....
870. 01/02/2025 15:05:21 /usr/bin/python3.12 ttyS0 dlp.srv.world root 296
871. 01/02/2025 15:05:21 /usr/lib/systemd/systemd ? ? unset 297
872. 01/02/2025 15:05:22 /usr/lib/systemd/systemd ? ? unset 298
873. 01/02/2025 15:05:22 /usr/lib/systemd/systemd ? ? unset 299
874. 01/02/2025 15:05:22 /usr/lib/systemd/systemd ? ? unset 300

[2] By combining [aureport] with [ausearch], you can display a summary of only the specific records found by a search.
# Show sudo execution history records for user ID 1000

[root@dlp ~]#
ausearch -x sudo -ua 1000 | aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 01/02/2025 14:55:20 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 144
2. 01/02/2025 14:56:08 cent node01.srv.world /dev/ttyS0 /usr/bin/sudo yes 127

# Show program execution records for the user with user ID 1000

[root@dlp ~]#
ausearch -ui 1000 | aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 01/02/2025 14:55:20 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 144
2. 01/02/2025 14:55:20 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 145
3. 01/02/2025 14:55:20 /usr/bin/sudo ttyS0 ? root 146
4. 01/02/2025 14:55:20 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 147
5. 01/02/2025 14:55:20 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 148
.....
.....
25. 01/02/2025 14:56:29 /usr/bin/sudo /dev/ttyS0 node01.srv.world root 142
26. 01/02/2025 14:56:29 /usr/bin/sudo /dev/ttyS0 node01.srv.world root 143
27. 01/02/2025 14:57:56 /usr/bin/su /dev/ttyS0 dlp.srv.world root 230
28. 01/02/2025 14:58:03 /usr/bin/su /dev/ttyS0 dlp.srv.world root 231
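The reports in [1] and the pipeline in [2] all share the same tabular layout, so they can be fed into a small script for review. The following Python is an added example, not code from the original page or from the audit project. It assumes the row layout shown above (a "# col col ..." header followed by numbered rows with whitespace-separated fields), which holds for every numbered report on this page but not for the "--summary" tables; the sample report embedded in it is constructed (rows 1-3 are taken from the output above, rows 4-5 are made-up failures from a made-up host 10.0.0.99), and `run_pipeline` is a hypothetical helper that reproduces the "ausearch | aureport" pipeline from [2] on a live system.

```python
"""Parse aureport's numbered-row reports into records and summarise them.

Added example; not part of the original page or of the audit project.
Assumes the layout shown above: a title, a rule of '=', a '# col ...'
header, another rule, then rows 'N. field field ...' with whitespace-
separated fields. The '--summary' tables (no '#' header) are not parsed.
"""
import re
import subprocess
from collections import Counter
from datetime import datetime

# Constructed sample shaped like 'aureport -au' output. Rows 1-3 come from
# the report above; rows 4-5 and the host 10.0.0.99 are made up so that the
# --failed / --summary equivalents below have something to count.
SAMPLE_AUTH_REPORT = """\
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 12/14/2024 18:40:57 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 71
2. 12/19/2024 10:43:22 root localhost.localdomain /dev/ttyS0 /usr/bin/login yes 54
.....
3. 01/02/2025 14:59:34 cent 10.0.0.30 ssh /usr/libexec/openssh/sshd-session yes 233
4. 01/02/2025 15:10:02 redhat 10.0.0.99 ssh /usr/libexec/openssh/sshd-session no 301
5. 01/02/2025 15:10:09 root 10.0.0.99 ssh /usr/libexec/openssh/sshd-session no 302
"""

ROW_RE = re.compile(r"^(\d+)\.\s+(.*)$")  # 'N. rest-of-row'


def parse_report(text):
    """Return one dict per data row, keyed by the '# ...' header columns.

    Rules, '.....' elision marks and the title are skipped. When a report
    has 'date' and 'time' columns they are combined into a 'timestamp'.
    """
    columns, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=") or line.startswith("....."):
            continue
        if line.startswith("# "):
            columns = line[2:].split()
            continue
        match = ROW_RE.match(line)
        if match is None or columns is None:
            continue  # title line, or a row seen before any header
        fields = match.group(2).split()
        if len(fields) != len(columns):
            raise ValueError(f"row {match.group(1)}: expected "
                             f"{len(columns)} fields, got {len(fields)}")
        record = dict(zip(columns, fields))
        if "date" in record and "time" in record:
            record["timestamp"] = datetime.strptime(
                f"{record['date']} {record['time']}", "%m/%d/%Y %H:%M:%S")
        records.append(record)
    return records


def summarize(records, column, failed_only=False):
    """Count rows per distinct value of `column` ('aureport --summary').
    failed_only keeps only rows whose 'success' is 'no' ('--failed')."""
    counts = Counter(r[column] for r in records
                     if not failed_only or r.get("success") == "no")
    return dict(counts)


def failed_auth_sources(records, threshold=1):
    """Hosts whose failed authentications touched >= threshold accounts.
    A review aid: such hosts are the ones to look up next with ausearch."""
    per_host = {}
    for r in records:
        if r.get("success") == "no":
            per_host.setdefault(r["host"], set()).add(r["acct"])
    return {h: sorted(a) for h, a in per_host.items() if len(a) >= threshold}


def run_pipeline(uid, report_args=("-x", "-i")):
    """Hypothetical helper: 'ausearch -ui UID | aureport ...' as in [2].
    Needs the audit tools and root; ausearch exits non-zero when nothing
    matches, which check=True raises as CalledProcessError."""
    search = subprocess.run(["ausearch", "-ui", str(uid)],
                            capture_output=True, text=True, check=True)
    report = subprocess.run(["aureport", *report_args], input=search.stdout,
                            capture_output=True, text=True, check=True)
    return parse_report(report.stdout)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_AUTH_REPORT)
    print(len(recs), "rows parsed")
    print("failed by account:", summarize(recs, "acct", failed_only=True))
    print("hosts failing against 2+ accounts:", failed_auth_sources(recs, 2))
```

Running the script on the built-in sample prints the per-account failure counts in the same shape as "aureport -au --failed --summary" and lists the constructed host that failed against two accounts; on a real system, `run_pipeline(1000)` returns the parsed equivalent of the "ausearch -ui 1000 | aureport -x -i" output shown in [2].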