CentOS Stream 8

Auditd : Summarize Logs with aureport
2021/03/04
 
The [aureport] command bundled with the audit package produces summary reports from the large volume of events recorded in [audit.log].
[1] Usage examples of the [aureport] command.
# With no arguments, display the overall summary

[root@dlp ~]# aureport


Summary Report
======================
Range of time in logs: 02/18/2021 15:51:55.319 - 03/04/2021 17:08:55.178
Selected time for report: 02/18/2021 15:51:55 - 03/04/2021 17:08:55.178
Number of changes in configuration: 723
Number of changes to accounts, groups, or roles: 5
Number of logins: 19
Number of failed logins: 1
Number of authentications: 23
Number of failed authentications: 3
Number of users: 3
Number of terminals: 4
Number of host names: 5
Number of executables: 17
Number of commands: 19
Number of files: 1
Number of AVC's: 15
Number of MAC events: 53
Number of failed syscalls: 15
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 45
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 303
Number of events: 3070

# Display the authentication audit log

[root@dlp ~]# aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 02/18/2021 15:52:50 root localhost.localdomain ttyS0 /usr/bin/login yes 58
2. 02/24/2021 14:21:48 root localhost.localdomain ttyS0 /usr/bin/login yes 52
3. 02/24/2021 14:33:49 root localhost.localdomain ttyS0 /usr/bin/login yes 78
4. 02/24/2021 15:27:54 root localhost.localdomain ttyS0 /usr/bin/login yes 80
5. 02/25/2021 11:45:03 root localhost.localdomain ttyS0 /usr/bin/login yes 82
6. 02/25/2021 11:46:04 root dlp.srv.world ttyS0 /usr/bin/login yes 78
7. 02/25/2021 12:00:00 cent dlp.srv.world ttyS0 /usr/bin/su yes 95
.....
.....
24. 03/04/2021 15:57:09 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 182
25. 03/04/2021 15:57:14 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 183
26. 03/04/2021 16:04:34 root dlp.srv.world ttyS0 /usr/bin/login yes 195

# Display the authentication audit log restricted to failures, in summary form

[root@dlp ~]# aureport -au --failed --summary


Failed Authentication Summary Report
=============================
total  acct
=============================
3  cent
1  root
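The `--summary` report above gives only a total per account. As an added example that is not from the original page, the following shell function (hypothetical name `failed_auth_by_account`) reads the row-level output of `aureport -au` on stdin, counts failures per account and executable, and flags any account at or above a threshold, so it can be run from cron; the report text in `sample_report` is constructed for offline testing.

```shell
#!/bin/sh
# Added example: aggregate failed authentications per account and executable
# from "aureport -au" row output and alert on accounts reaching a threshold.
# Production use: aureport -au --start today | failed_auth_by_account 3
failed_auth_by_account() {
  threshold="${1:-3}"
  # Report rows: "N. MM/DD/YYYY HH:MM:SS acct host term exe success event"
  # Header and separator lines do not start with "N." and are skipped.
  awk -v thr="$threshold" '
    $1 ~ /^[0-9]+\.$/ && $8 == "no" {
      fails[$4 " " $7]++   # failures per (account, executable)
      peracct[$4]++        # failures per account
    }
    END {
      for (k in fails) printf "%d %s\n", fails[k], k
      for (a in peracct)
        if (peracct[a] >= thr) printf "ALERT %s %d\n", a, peracct[a]
    }' | sort
}

# Constructed sample in the exact layout aureport -au prints (not real data).
sample_report() {
  cat <<'EOF'
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 03/04/2021 15:54:46 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 133
2. 03/04/2021 15:57:09 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 182
3. 03/04/2021 15:57:14 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 183
4. 03/04/2021 16:04:30 root dlp.srv.world ttyS0 /usr/bin/login no 190
5. 03/04/2021 16:04:34 root dlp.srv.world ttyS0 /usr/bin/login yes 195
EOF
}

# Stand-alone demo: threshold 2 flags "cent" (two sudo failures) but not "root".
sample_report | failed_auth_by_account 2
```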

# Display the account modification log (numeric user IDs are shown as user names)

[root@dlp ~]# aureport -m -i


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 02/24/2021 19:26:45 root ? ? /usr/sbin/groupadd dbus no 77
2. 02/24/2021 19:26:45 root ? ? /usr/sbin/useradd dbus no 78
3. 02/25/2021 18:27:46 root ? ? /usr/sbin/groupadd ? yes 134
4. 02/25/2021 18:27:46 root ? ? /usr/sbin/groupadd ? yes 135
5. 02/25/2021 18:27:47 root ? ? /usr/sbin/useradd apache yes 136
6. 03/01/2021 21:02:29 root ? ? /usr/sbin/useradd testuser yes 137

# Display the account modification log from this month onward

[root@dlp ~]# aureport -m -i --start this-month


Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 03/01/2021 21:02:29 root ? ? /usr/sbin/useradd testuser yes 137

# Display the program execution log

[root@dlp ~]# aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 02/18/2021 15:51:55 /usr/sbin/auditctl (none) ? unset 5
2. 02/18/2021 15:51:55 /usr/sbin/auditctl (none) ? unset 6
3. 02/18/2021 15:51:55 /usr/sbin/auditctl (none) ? unset 7
4. 02/18/2021 15:51:55 /usr/lib/systemd/systemd ? ? unset 8
5. 02/18/2021 15:51:55 /usr/lib/systemd/systemd-update-utmp ? ? unset 9

.....
.....

3012. 03/04/2021 17:16:39 /usr/lib/systemd/systemd ? ? unset 233
3013. 03/04/2021 17:16:39 /usr/bin/login ttyS0 dlp.srv.world root 234
3014. 03/04/2021 17:16:39 /usr/bin/login ttyS0 dlp.srv.world root 235
3015. 03/04/2021 17:16:39 /usr/bin/login ttyS0 dlp.srv.world root 236
3016. 03/04/2021 17:17:00 /usr/lib/systemd/systemd ? ? unset 237

# Display the program execution log for the period 2021/3/1 to 2021/3/2

[root@dlp ~]# aureport -x -i --start 03/01/2021 --end 03/02/2021


Executable Report
====================================
# date time exe term host auid event
====================================
1. 03/02/2021 15:00:42 /usr/sbin/auditctl (none) ? unset 5
2. 03/02/2021 15:00:42 /usr/sbin/auditctl (none) ? unset 6
3. 03/02/2021 15:00:42 /usr/sbin/auditctl (none) ? unset 7
4. 03/02/2021 15:00:42 /usr/lib/systemd/systemd ? ? unset 8
5. 03/02/2021 15:00:43 /usr/lib/systemd/systemd-update-utmp ? ? unset 9

.....
.....

754. 03/02/2021 16:02:46 /usr/lib/systemd/systemd ? ? unset 106
755. 03/02/2021 16:02:46 /usr/lib/systemd/systemd ? ? unset 107
756. 03/02/2021 16:02:46 /usr/lib/systemd/systemd ? ? unset 108
757. 03/02/2021 16:30:19 /usr/lib/systemd/systemd ? ? unset 109
758. 03/02/2021 16:30:19 /usr/lib/systemd/systemd ? ? unset 110
[2] Combined with [ausearch], a specific set of searched logs can be displayed in summary form.
# Display the sudo execution history log for user ID 1000

[root@dlp ~]# ausearch -x sudo -ua 1000 | aureport -au


Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 03/04/2021 19:54:46 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 133
2. 03/04/2021 19:57:09 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 182
3. 03/04/2021 19:57:14 cent dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 183

# Display the program execution log for the user with user ID 1000

[root@dlp ~]# ausearch -ui 1000 | aureport -x -i


Executable Report
====================================
# date time exe term host auid event
====================================
1. 03/04/2021 15:49:30 /usr/bin/su ttyS0 node01.srv.world cent 135
2. 03/04/2021 15:49:30 /usr/bin/su ttyS0 node01.srv.world cent 136
3. 03/04/2021 15:49:30 /usr/bin/su ttyS0 node01.srv.world cent 137
4. 03/04/2021 15:49:30 /usr/bin/su ttyS0 node01.srv.world cent 138
5. 03/04/2021 15:54:46 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 133

.....
.....

12. 03/04/2021 15:57:09 /usr/bin/sudo /dev/ttyS0 dlp.srv.world cent 182
13. 03/04/2021 15:57:14 /usr/bin/sudo /dev/ttyS0 dlp.srv.world cent 183
14. 03/04/2021 15:57:15 /usr/bin/sudo ttyS0 ? cent 184