Auditd : Display Log Summaries with aureport 2025/10/23

The [aureport] command bundled with the Audit package produces summary reports from the large volume of events recorded in [audit.log]. It reads the same log files as [ausearch], accepts the same --start / --end arguments (a date, a time, or a keyword such as today, yesterday, this-week, this-month, this-year), and with the [-i] option resolves numeric fields such as user IDs to names. Note that [-i] looks the names up in the local account database, so a report generated from another host's logs can show wrong names unless the same accounts exist locally.

[1] Usage examples of the [aureport] command.
# with no arguments, show the overall summary
dlp:~ # aureport

Summary Report
======================
Range of time in logs: 10/09/25 14:06:02.534 - 10/23/25 09:39:06.197
Selected time for report: 10/09/25 14:06:02 - 10/23/25 09:39:06.197
Number of changes in configuration: 61
Number of changes to accounts, groups, or roles: 4
Number of logins: 10
Number of failed logins: 2
Number of authentications: 15
Number of failed authentications: 4
Number of users: 4
Number of terminals: 4
Number of host names: 5
Number of executables: 9
Number of commands: 3
Number of files: 0
Number of AVC's: 0
Number of MAC events: 33
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 56
Number of events: 1114

# show the authentication audit log
dlp:~ # aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 10/09/25 14:06:24 root localhost /dev/ttyS0 /usr/bin/login yes 54
2. 10/09/25 14:22:20 root localhost /dev/ttyS0 /usr/bin/login yes 60
3. 10/13/25 11:37:45 root localhost /dev/ttyS0 /usr/bin/login yes 53
4. 10/23/25 09:19:21 root localhost /dev/ttyS0 /usr/bin/login yes 82
5. 10/23/25 09:20:56 root dlp.srv.world /dev/ttyS0 /usr/bin/login yes 58
6. 10/23/25 09:32:01 root node01.srv.world /dev/ttyS0 /usr/bin/login yes 53
7. 10/23/25 09:35:15 suse dlp.srv.world /dev/ttyS0 /usr/bin/login yes 161
8. 10/23/25 09:35:19 root dlp.srv.world /dev/ttyS0 /usr/bin/su yes 179
9. 10/23/25 09:35:24 root dlp.srv.world ttyS0 /usr/sbin/useradd yes 186
10. 10/23/25 09:35:42 leap dlp.srv.world /dev/ttyS0 /usr/bin/login yes 198
.....
.....

# show the authentication audit log restricted to failures, in summary form
dlp:~ # aureport -au --failed --summary

Failed Authentication Summary Report
=============================
total acct
=============================
2 root
1 leap
1 suse

# show the user account modification log
# with -i, numeric user IDs are displayed as user names
dlp:~ # aureport -m -i

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 10/23/25 09:35:24 suse dlp.srv.world ttyS0 /usr/sbin/useradd leap yes 188
2. 10/23/25 09:35:24 suse dlp.srv.world ttyS0 /usr/sbin/useradd leap yes 189
3. 10/23/25 09:35:24 suse dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 190
4. 10/23/25 09:35:34 suse dlp.srv.world ttyS0 /usr/bin/passwd leap yes 191
5. 10/23/25 09:45:00 root dlp.srv.world ttyS0 /usr/bin/passwd leap yes 402
.....
.....

# show the user account modification log from the start of this month
dlp:~ # aureport -m -i --start this-month

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 10/23/25 09:35:24 suse dlp.srv.world ttyS0 /usr/sbin/useradd leap yes 188
2. 10/23/25 09:35:24 suse dlp.srv.world ttyS0 /usr/sbin/useradd leap yes 189
3. 10/23/25 09:35:24 suse dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 190
4. 10/23/25 09:35:34 suse dlp.srv.world ttyS0 /usr/bin/passwd leap yes 191
5. 10/23/25 09:45:00 root dlp.srv.world ttyS0 /usr/bin/passwd leap yes 402
.....
.....

# show the program execution log
dlp:~ # aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 10/09/25 14:06:02 /usr/lib/systemd/systemd ? ? unset 7
2. 10/09/25 14:06:02 /usr/lib/systemd/systemd ? ? unset 9
3. 10/09/25 14:06:02 /usr/lib/systemd/systemd ? ? unset 12
4. 10/09/25 14:06:02 /usr/lib/systemd/systemd ? ? unset 13
5. 10/09/25 14:06:02 /usr/lib/systemd/systemd ? ? unset 14
6. 10/09/25 14:06:02 /usr/lib/systemd/systemd ? ? unset 16
7. 10/09/25 14:06:02 /usr/bin/wtmpdb ? ? unset 17
8. 10/09/25 14:06:02 /usr/lib/systemd/systemd ? ? unset 21
9. 10/09/25 14:06:02 /usr/lib/systemd/systemd ? ? unset 22
10. 10/09/25 14:06:02 /usr/lib/systemd/systemd ? ? unset 23
.....
.....

# show the program execution log for events between 2025/10/22 and 2025/10/23
# (--end with a date only means "now" on that date; --start with a date only means midnight)
dlp:~ # aureport -x -i --start 10/22/25 --end 10/23/25

Executable Report
====================================
# date time exe term host auid event
====================================
1. 10/23/25 09:17:07 /usr/lib/systemd/systemd ? ? unset 7
2. 10/23/25 09:17:07 /usr/lib/systemd/systemd ? ? unset 9
3. 10/23/25 09:17:07 /usr/lib/systemd/systemd ? ? unset 12
4. 10/23/25 09:17:07 /usr/lib/systemd/systemd ? ? unset 13
5. 10/23/25 09:17:07 /usr/lib/systemd/systemd ? ? unset 14
6. 10/23/25 09:17:07 /usr/lib/systemd/systemd ? ? unset 16
7. 10/23/25 09:17:07 /usr/bin/wtmpdb ? ? unset 17
8. 10/23/25 09:17:07 /usr/lib/systemd/systemd ? ? unset 21
9. 10/23/25 09:17:07 /usr/lib/systemd/systemd ? ? unset 22
10. 10/23/25 09:17:07 /usr/lib/systemd/systemd ? ? unset 23
.....
.....
[2] By combining it with [ausearch], you can produce a summary of only the events a search selects. When its standard input is a pipe, [aureport] reads the events from there instead of from the log files, so any [ausearch] filter (executable, user ID, key, time range) can narrow what gets summarised. Note that [ausearch -ua] matches an event if any of its uid, euid or auid fields equals the given ID, while [-ui] matches the uid field only.

# show the sudo execution history for user ID 1000
dlp:~ # ausearch -x sudo -ua 1000 | aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 10/23/25 09:37:12 suse dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 275
2. 10/23/25 09:48:47 suse node01.srv.world /dev/ttyS0 /usr/bin/sudo yes 121

# show the program execution log for the user with ID 1000
dlp:~ # ausearch -ui 1000 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 10/23/25 09:35:19 /usr/bin/su /dev/ttyS0 dlp.srv.world suse 179
2. 10/23/25 09:35:19 /usr/bin/su /dev/ttyS0 dlp.srv.world suse 180
3. 10/23/25 09:35:19 /usr/bin/su /dev/ttyS0 dlp.srv.world suse 181
4. 10/23/25 09:35:19 /usr/bin/su /dev/ttyS0 dlp.srv.world suse 182
5. 10/23/25 09:35:19 /usr/bin/su /dev/ttyS0 dlp.srv.world suse 183
6. 10/23/25 09:35:35 /usr/bin/su /dev/ttyS0 dlp.srv.world suse 192
7. 10/23/25 09:35:35 /usr/bin/su /dev/ttyS0 dlp.srv.world suse 193
8. 10/23/25 09:37:12 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 275
9. 10/23/25 09:37:12 /usr/bin/sudo /dev/ttyS0 dlp.srv.world root 276
10. 10/23/25 09:37:12 /usr/bin/sudo ttyS0 ? root 277
.....
.....
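The reports in [1] and [2] are meant to be read by a person; the next step in practice is to run them from cron and get told when something is off. The following POSIX shell script is an added example (not from the original page and not part of the audit package): it reads the detailed report that [aureport -au --failed] prints, counts failures per account and per source host, and flags every account/host pair above a threshold. The report text embedded in it is a constructed sample laid out in the same columns as the page's output, not real audit data; the function names and the threshold values are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original page or of the audit package:
# summarise a detailed "aureport -au --failed" report and flag outliers.
# Function names are this example's own.

# Constructed sample in the column layout aureport -au prints
# (# date time acct host term exe success event). Not real audit data.
SAMPLE_REPORT='Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 10/23/25 09:35:40 leap dlp.srv.world /dev/ttyS0 /usr/bin/login no 195
2. 10/23/25 09:36:02 root node01.srv.world /dev/pts/0 /usr/bin/su no 210
3. 10/23/25 09:36:05 root node01.srv.world /dev/pts/0 /usr/bin/su no 212
4. 10/23/25 09:36:09 root node01.srv.world /dev/pts/0 /usr/bin/su no 214
5. 10/23/25 09:37:12 suse dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 270'

# Only numbered data rows ("1. ...") are counted; the title, the "#"
# header and the "====" rulers are skipped by the regex.
# Column 4 is the account, column 5 the host the event came from.

# failed_auth_by_acct: read a report on stdin, print "count acct",
# highest first (what --summary gives, but computed from detail rows).
failed_auth_by_acct() {
    awk '/^[0-9]+\. / { n[$4]++ } END { for (a in n) print n[a], a }' | sort -rn
}

# failed_auth_by_host: same, keyed on the source host column, which the
# --summary output of aureport does not show.
failed_auth_by_host() {
    awk '/^[0-9]+\. / { n[$5]++ } END { for (h in n) print n[h], h }' | sort -rn
}

# alert_over_threshold N: print "acct@host count" for every account/host
# pair with more than N failures; prints nothing if all are within limit.
alert_over_threshold() {
    awk -v thr="$1" '
        /^[0-9]+\. / { n[$4 "@" $5]++ }
        END { for (k in n) if (n[k] > thr) print k, n[k] }
    ' | sort -rn -k2
}

# Run on the constructed sample. On a live host feed aureport directly:
#   aureport -au --failed --start yesterday --end today | alert_over_threshold 3
# or narrow the input with ausearch first, as in [2] above:
#   ausearch -x sudo | aureport -au --failed | alert_over_threshold 3
printf '%s\n' "$SAMPLE_REPORT" | failed_auth_by_acct
printf '%s\n' "$SAMPLE_REPORT" | failed_auth_by_host
printf '%s\n' "$SAMPLE_REPORT" | alert_over_threshold 2
```

Keying the alert on account plus host is deliberate: three failed [su] to root from one host in a few seconds is a different signal from three failures spread across hosts, and the plain [--summary] report collapses that distinction. The threshold is a starting point to tune against your own baseline, not a recommended value.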