[4] Generating reports with aureport

6 March 2022, by Adam [zicherka] Nogły

Audit logs can be displayed in summarised form with the [aureport] command, which is included in the audit package.

[1] Here is how to use the [aureport] command.

# show the whole report without passing any arguments
[root@vlsr01 ~]# aureport
Summary Report
======================
Range of time in logs: 06.03.2022 09:48:57.070 - 06.03.2022 15:46:14.148
Selected time for report: 06.03.2022 09:48:57 - 06.03.2022 15:46:14.148
Number of changes in configuration: 112
Number of changes to accounts, groups, or roles: 1
Number of logins: 3
Number of failed logins: 1
Number of authentications: 8
Number of failed authentications: 9
Number of users: 3
Number of terminals: 7
Number of host names: 5
Number of executables: 12
Number of commands: 17
Number of files: 1
Number of AVC's: 4
Number of MAC events: 8
Number of failed syscalls: 4
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 91
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 91
Number of events: 553

# show authentication logs
[root@vlsr01 ~]# aureport -au
Authentication Report
============================================
# date time acct host term exe success event
============================================
1.06.03.2022 09:49:28 root 192.168.100.155 ssh /usr/sbin/sshd yes 80
2.06.03.2022 10:00:26 root 192.168.100.155 ssh /usr/sbin/sshd yes 73
3.06.03.2022 10:43:04 user01 vlsr02.zicher.lab pts/0 /usr/bin/su yes 171
4.06.03.2022 10:43:13 user01 ? /dev/pts/0 /usr/bin/sudo yes 175
5.06.03.2022 10:43:47 user01 vlsr02.zicher.lab pts/0 /usr/bin/su yes 184
6.06.03.2022 10:47:40 user01 vlsr01.zicher.lab pts/0 /usr/bin/su yes 120
7.06.03.2022 10:48:18 user01 vlsr01.zicher.lab pts/0 /usr/bin/su yes 134
8.06.03.2022 10:48:29 user01 ? /dev/pts/0 /usr/bin/sudo no 138
9.06.03.2022 10:48:34 user01 ? /dev/pts/0 /usr/bin/sudo no 139
10.06.03.2022 10:48:38 user01 ? /dev/pts/0 /usr/bin/sudo no 140
11.06.03.2022 10:49:22 user01 192.168.100.155 ssh /usr/sbin/sshd no 149
12.06.03.2022 10:49:28 user01 192.168.100.155 ssh /usr/sbin/sshd no 150
13.06.03.2022 10:49:32 user01 192.168.100.155 ssh /usr/sbin/sshd no 151
14.06.03.2022 10:49:36 user01 192.168.100.155 ssh /usr/sbin/sshd no 152
15.06.03.2022 11:08:22 user01 192.168.100.155 ssh /usr/sbin/sshd no 198
16.06.03.2022 11:08:34 user01 192.168.100.155 ssh /usr/sbin/sshd no 199
17.06.03.2022 11:09:14 user01 192.168.100.155 ssh /usr/sbin/sshd yes 201

# show failed authentication logs
[root@vlsr01 ~]# aureport -au --failed --summary
Failed Authentication Summary Report
=============================
total  acct
=============================
9  user01

# show account modification logs
[root@vlsr01 ~]# aureport -m -i
Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1.06.03.2022 11:09:07 root vlsr01.zicher.lab pts/0 /usr/bin/passwd user01 yes 200

# show account modification logs since the start of this month
[root@vlsr01 ~]# aureport -m -i --start this-month
Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1.06.03.2022 11:09:07 root vlsr01.zicher.lab pts/0 /usr/bin/passwd user01 yes 200

# show executable logs
[root@vlsr01 ~]# aureport -x -i
Executable Report
====================================
# date time exe term host auid event
====================================
1.06.03.2022 09:48:57 /usr/sbin/auditctl (none) ? unset 7
2.06.03.2022 09:48:57 /usr/sbin/auditctl (none) ? unset 8
3.06.03.2022 09:48:57 /usr/sbin/auditctl (none) ? unset 9
4.06.03.2022 09:48:57 /usr/lib/systemd/systemd ? ? unset 10

# show executable logs from 05.03.2022 to 06.03.2022
[root@vlsr01 ~]# aureport -x -i --start 05.03.2022 --end 06.03.2022
Executable Report
====================================
# date time exe term host auid event
====================================
1.06.03.2022 09:48:57 /usr/sbin/auditctl (none) ? unset 7
2.06.03.2022 09:48:57 /usr/sbin/auditctl (none) ? unset 8

[2] Search for and display logs with [ausearch] combined with [aureport].

# search for and show sudo authentication logs for the user with ID 1000
[root@vlsr01 ~]# ausearch -x sudo -ua 1000 | aureport -au
Authentication Report
============================================
# date time acct host term exe success event
============================================
1.06.03.2022 10:43:13 user01 ? /dev/pts/0 /usr/bin/sudo yes 175
2.06.03.2022 10:48:29 user01 ? /dev/pts/0 /usr/bin/sudo no 138
3.06.03.2022 10:48:34 user01 ? /dev/pts/0 /usr/bin/sudo no 139
4.06.03.2022 10:48:38 user01 ? /dev/pts/0 /usr/bin/sudo no 140

# search for and show executable logs for user ID 1000
[root@vlsr01 ~]# ausearch -ui 1000 | aureport -x -i
Executable Report
====================================
# date time exe term host auid event
====================================
1.06.03.2022 10:43:13 /usr/bin/sudo /dev/pts/0 ? root 175
2.06.03.2022 10:43:13 /usr/bin/sudo /dev/pts/0 ? root 176
3.06.03.2022 10:43:13 /usr/bin/sudo pts/0 ? root 177
4. 06.03.2022 10:44:01 /usr/bin/sudo /dev/pts/0 ? root 188
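
As an added example (not code from the original article), the following shell script post-processes the [aureport -au] output shown in section [1] the way it would arrive through a pipe such as [aureport -au | failed_auth_summary] or the [ausearch ... | aureport -au] pipeline from section [2]: it counts failed authentications per account and executable and lists accounts whose failure total reaches a threshold, which for the embedded report reproduces the 9 failures that [aureport -au --failed --summary] attributes to user01. The function names and the threshold are my own assumptions; the sample report embedded in the script is the Authentication Report from section [1].

```shell
#!/bin/sh
# Added example, not part of the original article: a small post-processor
# for "aureport -au" output. The functions read the report on stdin, exactly
# as "aureport -au | failed_auth_summary" would deliver it, so they work
# unchanged on a live system. SAMPLE_AU_REPORT is the Authentication Report
# copied from the article so that the script also runs where no audit
# daemon is installed.

SAMPLE_AU_REPORT='Authentication Report
============================================
# date time acct host term exe success event
============================================
1.06.03.2022 09:49:28 root 192.168.100.155 ssh /usr/sbin/sshd yes 80
2.06.03.2022 10:00:26 root 192.168.100.155 ssh /usr/sbin/sshd yes 73
3.06.03.2022 10:43:04 user01 vlsr02.zicher.lab pts/0 /usr/bin/su yes 171
4.06.03.2022 10:43:13 user01 ? /dev/pts/0 /usr/bin/sudo yes 175
5.06.03.2022 10:43:47 user01 vlsr02.zicher.lab pts/0 /usr/bin/su yes 184
6.06.03.2022 10:47:40 user01 vlsr01.zicher.lab pts/0 /usr/bin/su yes 120
7.06.03.2022 10:48:18 user01 vlsr01.zicher.lab pts/0 /usr/bin/su yes 134
8.06.03.2022 10:48:29 user01 ? /dev/pts/0 /usr/bin/sudo no 138
9.06.03.2022 10:48:34 user01 ? /dev/pts/0 /usr/bin/sudo no 139
10.06.03.2022 10:48:38 user01 ? /dev/pts/0 /usr/bin/sudo no 140
11.06.03.2022 10:49:22 user01 192.168.100.155 ssh /usr/sbin/sshd no 149
12.06.03.2022 10:49:28 user01 192.168.100.155 ssh /usr/sbin/sshd no 150
13.06.03.2022 10:49:32 user01 192.168.100.155 ssh /usr/sbin/sshd no 151
14.06.03.2022 10:49:36 user01 192.168.100.155 ssh /usr/sbin/sshd no 152
15.06.03.2022 11:08:22 user01 192.168.100.155 ssh /usr/sbin/sshd no 198
16.06.03.2022 11:08:34 user01 192.168.100.155 ssh /usr/sbin/sshd no 199
17.06.03.2022 11:09:14 user01 192.168.100.155 ssh /usr/sbin/sshd yes 201'

# Columns of an "aureport -au" row are addressed from the right, so that
# both "1.06.03.2022 ..." (row number fused with the date, as rendered in
# the article) and "1. 06.03.2022 ..." (row number and date separated by a
# space) parse identically:
#   $NF      event id
#   $(NF-1)  success (yes/no)
#   $(NF-2)  exe
#   $(NF-5)  acct
# Title, separator and header lines have fewer fields or no yes/no column
# in that position and are therefore skipped.

# failed_auth_summary: prints "<count> <acct> <exe>" for every account and
# executable pair with at least one failed authentication, most failures first.
failed_auth_summary() {
    awk 'NF >= 8 && $(NF-1) == "no" { n[$(NF-5) " " $(NF-2)]++ }
         END { for (k in n) print n[k], k }' |
        sort -k1,1nr -k2,2
}

# failed_auth_over THRESHOLD: prints "<acct> <total>" for accounts whose
# failed authentications, summed over all executables, reach THRESHOLD.
# (The threshold value is an assumption for this example.)
failed_auth_over() {
    awk -v threshold="$1" '
        NF >= 8 && $(NF-1) == "no" { n[$(NF-5)]++ }
        END { for (a in n) if (n[a] >= threshold) print a, n[a] }' |
        sort -k2,2nr
}

# Stand-alone demonstration on the embedded report: the summary shows 6 sshd
# and 3 sudo failures for user01, and the threshold check reports "user01 9",
# matching the failed-authentication summary in the article.
printf '%s\n' "$SAMPLE_AU_REPORT" | failed_auth_summary
printf '%s\n' "$SAMPLE_AU_REPORT" | failed_auth_over 5
```

On a live system, feed the functions from the real pipeline ([aureport -au | failed_auth_summary]) or narrow the input first with [ausearch] as in section [2]; because the fields are read from the right, a host column holding "?" instead of an address does not shift the parse.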