Auditd : aureport でログをサマリー表示する2021/03/04 |
Audit パッケージに同梱されている [aureport] コマンドを利用することにより、[audit.log] に記録された膨大なログをサマリー出力することができます。
|
|
[1] | [aureport] コマンドの使用例です。 |
# 引数なしで全体のサマリーを表示 [root@dlp ~]# aureport Summary Report ====================== Range of time in logs: 02/18/2021 15:51:55.319 - 03/04/2021 17:08:55.178 Selected time for report: 02/18/2021 15:51:55 - 03/04/2021 17:08:55.178 Number of changes in configuration: 723 Number of changes to accounts, groups, or roles: 5 Number of logins: 19 Number of failed logins: 1 Number of authentications: 23 Number of failed authentications: 3 Number of users: 3 Number of terminals: 4 Number of host names: 5 Number of executables: 17 Number of commands: 19 Number of files: 1 Number of AVC's: 15 Number of MAC events: 53 Number of failed syscalls: 15 Number of anomaly events: 0 Number of responses to anomaly events: 0 Number of crypto events: 45 Number of integrity events: 0 Number of virt events: 0 Number of keys: 0 Number of process IDs: 303 Number of events: 3070 # 認証系の監査ログ表示 [root@dlp ~]# aureport -au Authentication Report ============================================ # date time acct host term exe success event ============================================ 1. 02/18/2021 15:52:50 root localhost.localdomain ttyS0 /usr/bin/login yes 58 2. 02/24/2021 14:21:48 root localhost.localdomain ttyS0 /usr/bin/login yes 52 3. 02/24/2021 14:33:49 root localhost.localdomain ttyS0 /usr/bin/login yes 78 4. 02/24/2021 15:27:54 root localhost.localdomain ttyS0 /usr/bin/login yes 80 5. 02/25/2021 11:45:03 root localhost.localdomain ttyS0 /usr/bin/login yes 82 6. 02/25/2021 11:46:04 root dlp.srv.world ttyS0 /usr/bin/login yes 78 7. 02/25/2021 12:00:00 cent dlp.srv.world ttyS0 /usr/bin/su yes 95 ..... ..... 24. 03/04/2021 15:57:09 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 182 25. 03/04/2021 15:57:14 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 183 26. 03/04/2021 16:04:34 root dlp.srv.world ttyS0 /usr/bin/login yes 195 # 認証系の監査ログを失敗のみに絞ってサマリー形式で表示 [root@dlp ~]# aureport -au --failed --summary Failed Authentication Summary Report ============================= total acct ============================= 3 cent 1 root # ユーザーアカウント操作ログを表示 (ユーザーID番号はユーザーID名で表示) [root@dlp ~]# aureport -m -i Account Modifications Report ================================================= # date time auid addr term exe acct success event ================================================= 1. 02/24/2021 19:26:45 root ? ? /usr/sbin/groupadd dbus no 77 2. 02/24/2021 19:26:45 root ? ? /usr/sbin/useradd dbus no 78 3. 02/25/2021 18:27:46 root ? ? /usr/sbin/groupadd ? yes 134 4. 02/25/2021 18:27:46 root ? ? /usr/sbin/groupadd ? yes 135 5. 02/25/2021 18:27:47 root ? ? /usr/sbin/useradd apache yes 136 6. 03/01/2021 21:02:29 root ? ? /usr/sbin/useradd testuser yes 137 # 今月以降のユーザーアカウント操作ログを表示 [root@dlp ~]# aureport -m -i --start this-month Account Modifications Report ================================================= # date time auid addr term exe acct success event ================================================= 1. 03/01/2021 21:02:29 root ? ? /usr/sbin/useradd testuser yes 137 # プログラムの実行ログを表示 [root@dlp ~]# aureport -x -i Executable Report ==================================== # date time exe term host auid event ==================================== 1. 02/18/2021 15:51:55 /usr/sbin/auditctl (none) ? unset 5 2. 02/18/2021 15:51:55 /usr/sbin/auditctl (none) ? unset 6 3. 02/18/2021 15:51:55 /usr/sbin/auditctl (none) ? unset 7 4. 02/18/2021 15:51:55 /usr/lib/systemd/systemd ? ? unset 8 5. 02/18/2021 15:51:55 /usr/lib/systemd/systemd-update-utmp ? ? unset 9 ..... ..... 3012. 03/04/2021 17:16:39 /usr/lib/systemd/systemd ? ? unset 233 3013. 03/04/2021 17:16:39 /usr/bin/login ttyS0 dlp.srv.world root 234 3014. 03/04/2021 17:16:39 /usr/bin/login ttyS0 dlp.srv.world root 235 3015. 03/04/2021 17:16:39 /usr/bin/login ttyS0 dlp.srv.world root 236 3016. 03/04/2021 17:17:00 /usr/lib/systemd/systemd ? ? unset 237 # 2021/3/1 ~ 2021/3/2 間に発生したプログラムの実行ログを表示 [root@dlp ~]# aureport -x -i --start 03/01/2021 --end 03/02/2021 Executable Report ==================================== # date time exe term host auid event ==================================== 1. 03/02/2021 15:00:42 /usr/sbin/auditctl (none) ? unset 5 2. 03/02/2021 15:00:42 /usr/sbin/auditctl (none) ? unset 6 3. 03/02/2021 15:00:42 /usr/sbin/auditctl (none) ? unset 7 4. 03/02/2021 15:00:42 /usr/lib/systemd/systemd ? ? unset 8 5. 03/02/2021 15:00:43 /usr/lib/systemd/systemd-update-utmp ? ? unset 9 ..... ..... 754. 03/02/2021 16:02:46 /usr/lib/systemd/systemd ? ? unset 106 755. 03/02/2021 16:02:46 /usr/lib/systemd/systemd ? ? unset 107 756. 03/02/2021 16:02:46 /usr/lib/systemd/systemd ? ? unset 108 757. 03/02/2021 16:30:19 /usr/lib/systemd/systemd ? ? unset 109 758. 03/02/2021 16:30:19 /usr/lib/systemd/systemd ? ? unset 110 |
[2] | [ausearch] と組み合わせることで、検索した特定のログをサマリー表示できます。 |
# ユーザーID 1000 の sudo 実行履歴のログを表示 [root@dlp ~]# ausearch -x sudo -ua 1000 | aureport -au Authentication Report ============================================ # date time acct host term exe success event ============================================ 1. 03/04/2021 19:54:46 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 133 2. 03/04/2021 19:57:09 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 182 3. 03/04/2021 19:57:14 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 183 # ユーザーID 1000 のユーザーのプログラムの実行ログを表示 [root@dlp ~]# ausearch -ui 1000 | aureport -x -i Executable Report ==================================== # date time exe term host auid event ==================================== 1. 03/04/2021 15:49:30 /usr/bin/su ttyS0 node01.srv.world cent 135 2. 03/04/2021 15:49:30 /usr/bin/su ttyS0 node01.srv.world cent 136 3. 03/04/2021 15:49:30 /usr/bin/su ttyS0 node01.srv.world cent 137 4. 03/04/2021 15:49:30 /usr/bin/su ttyS0 node01.srv.world cent 138 5. 03/04/2021 15:54:46 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 133 ..... ..... 12. 03/04/2021 15:57:09 /usr/bin/sudo /dev/ttyS0 dlp.srv.world cent 182 13. 03/04/2021 15:57:14 /usr/bin/sudo /dev/ttyS0 dlp.srv.world cent 183 14. 03/04/2021 15:57:15 /usr/bin/sudo ttyS0 ? cent 184 |
Sponsored Link |
|