Auditd : Summarize Logs with aureport
2023/07/13

Using the [aureport] command, which is bundled with the Audit package, you can output the large volume of records stored in [audit.log] as summary reports.
[1] Usage examples for the [aureport] command.

# Show the overall summary (no arguments)
root@dlp:~# aureport

Summary Report
======================
Range of time in logs: 07/12/2023 20:56:08.983 - 07/12/2023 21:03:37.912
Selected time for report: 07/12/2023 20:56:08 - 07/12/2023 21:03:37.912
Number of changes in configuration: 6
Number of changes to accounts, groups, or roles: 5
Number of logins: 6
Number of failed logins: 1
Number of authentications: 10
Number of failed authentications: 1
Number of users: 4
Number of terminals: 4
Number of host names: 2
Number of executables: 11
Number of commands: 5
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 32
Number of events: 241

# Show the authentication audit records
root@dlp:~# aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 07/12/2023 20:57:56 root dlp.srv.world /dev/ttyS0 /usr/bin/login no 37
2. 07/12/2023 20:58:03 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 39
3. 07/12/2023 20:59:04 debian dlp.srv.world /dev/ttyS0 /usr/bin/login yes 61
4. 07/12/2023 20:59:09 root dlp.srv.world /dev/ttyS0 /usr/bin/su yes 75
5. 07/12/2023 20:59:51 debian dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 81
6. 07/12/2023 21:00:27 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 111
7. 07/12/2023 21:02:55 root dlp.srv.world ttyS0 /usr/bin/chfn yes 134
8. 07/12/2023 21:03:05 bookworm dlp.srv.world /dev/ttyS0 /usr/bin/login yes 142
9. 07/12/2023 21:03:18 debian dlp.srv.world /dev/ttyS0 /usr/bin/login yes 161
10. 07/12/2023 21:03:25 bookworm dlp.srv.world /dev/ttyS0 /usr/bin/su yes 175
11. 07/12/2023 21:03:32 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 186
.....
.....

# Show only failed authentications, in summary form
root@dlp:~# aureport -au --failed --summary

Failed Authentication Summary Report
=============================
total acct
=============================
4 debian
3 bookworm
1 root

# Show the account modification records
# (-i resolves numeric user IDs to user names)
root@dlp:~# aureport -m -i

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 129
2. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 130
3. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 131
4. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 132
5. 07/12/2023 21:02:55 root dlp.srv.world ttyS0 /usr/bin/passwd bookworm yes 133
.....
.....

# Show the account modification records since the start of this month
root@dlp:~# aureport -m -i --start this-month

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 129
2. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 130
3. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 131
4. 07/12/2023 21:02:51 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 132
5. 07/12/2023 21:02:55 root dlp.srv.world ttyS0 /usr/bin/passwd bookworm yes 133
.....
.....

# Show the program execution records
root@dlp:~# aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 13
2. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 14
3. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 15
4. 07/12/2023 20:56:08 /usr/lib/systemd/systemd ? ? unset 16
5. 07/12/2023 20:57:11 /usr/lib/systemd/systemd ? ? unset 20
6. 07/12/2023 20:57:26 /usr/lib/systemd/systemd ? ? unset 21
7. 07/12/2023 20:57:26 /usr/lib/systemd/systemd ? ? unset 22
.....
.....

# Show the program execution records for the period 07/11/2023 to 07/12/2023
root@dlp:~# aureport -x -i --start 07/11/2023 --end 07/12/2023

Executable Report
====================================
# date time exe term host auid event
====================================
1. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 13
2. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 14
3. 07/12/2023 20:56:08 /usr/sbin/auditctl (none) ? unset 15
4. 07/12/2023 20:56:08 /usr/lib/systemd/systemd ? ? unset 16
5. 07/12/2023 20:57:11 /usr/lib/systemd/systemd ? ? unset 20
6. 07/12/2023 20:57:26 /usr/lib/systemd/systemd ? ? unset 21
7. 07/12/2023 20:57:26 /usr/lib/systemd/systemd ? ? unset 22
.....
.....
[2] Combined with [ausearch], you can produce a summary report of only the records matched by a search.

# Show the sudo execution records for user ID 1000
root@dlp:~# ausearch -x sudo -ua 1000 | aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 07/12/2023 20:59:51 debian dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 81
2. 07/12/2023 21:12:19 debian dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 264

# Show the program execution records for the user with user ID 1001
root@dlp:~# ausearch -ui 1001 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 07/12/2023 21:12:49 /usr/bin/su /dev/ttyS0 dlp.srv.world root 285
2. 07/12/2023 21:12:49 /usr/bin/su /dev/ttyS0 dlp.srv.world root 286
3. 07/12/2023 21:12:49 /usr/bin/su /dev/ttyS0 dlp.srv.world root 287
4. 07/12/2023 21:12:49 /usr/bin/su /dev/ttyS0 dlp.srv.world root 288
5. 07/12/2023 21:12:50 /usr/bin/su /dev/ttyS0 dlp.srv.world root 289
.....
.....
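The following script is an added example and is not part of the original page or of the audit package. It shows what the [aureport -au --failed --summary] report in [1] and the [ausearch ... | aureport -au] filtering in [2] actually compute, by reproducing them offline with awk over the Authentication Report text format. SAMPLE_AUTH_REPORT is constructed sample data in that format; the column order "date time acct host term exe success event" is taken from the report header shown above, and filtering is done by account name rather than numeric user ID, since the report carries no uid column. A threshold function is included as a simple alerting hook for repeated failures.

```shell
#!/bin/sh
# Added example (not from the original page): summarise an "aureport -au"
# Authentication Report offline, the way "--failed --summary" and an
# "ausearch | aureport" pipeline do. Constructed sample data, embedded so
# the script runs without auditd or an audit.log.

SAMPLE_AUTH_REPORT='Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 07/12/2023 20:57:56 root dlp.srv.world /dev/ttyS0 /usr/bin/login no 37
2. 07/12/2023 20:58:03 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 39
3. 07/12/2023 20:59:04 debian dlp.srv.world /dev/ttyS0 /usr/bin/login yes 61
4. 07/12/2023 20:59:51 debian dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 81
5. 07/12/2023 21:03:25 bookworm dlp.srv.world /dev/ttyS0 /usr/bin/su no 175
6. 07/12/2023 21:05:10 debian dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 201
7. 07/12/2023 21:05:14 debian dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 202'

# failed_auth_summary: one "<total> <acct>" line per account that has at
# least one failed authentication, most failures first, then by name.
# Only numbered rows ("1.", "2.", ...) are records; the title, the "====" rules
# and the "# date time ..." header are skipped. Field 8 is the success column.
failed_auth_summary() {
    printf '%s\n' "$SAMPLE_AUTH_REPORT" |
    awk '$1 ~ /^[0-9]+\.$/ && $8 == "no" { n[$4]++ }
         END { for (a in n) printf "%d %s\n", n[a], a }' |
    sort -k1,1nr -k2,2
}

# failed_accounts_over THRESHOLD: accounts whose failure count reached the
# threshold; a cheap check to run after each report pass.
failed_accounts_over() {
    failed_auth_summary | awk -v t="$1" '$1 >= t { print $2 }'
}

# auth_by_exe EXE ACCT: records for one executable and one account, the
# question the page answers with "ausearch -x sudo -ua 1000 | aureport -au".
# Field 7 is the exe column, field 4 the account column.
auth_by_exe() {
    printf '%s\n' "$SAMPLE_AUTH_REPORT" |
    awk -v exe="$1" -v acct="$2" \
        '$1 ~ /^[0-9]+\.$/ && $7 == exe && $4 == acct'
}

# Stand-alone usage: the failed summary, then the debian sudo records.
failed_auth_summary
auth_by_exe /usr/bin/sudo debian
```

To run the same logic against a live system, replace the embedded text with the output of `aureport -au` (or of an `ausearch ... | aureport -au` pipeline) on standard input; the awk field positions are the only thing the script relies on.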