Generating Linux audit reports

Generating Linux audit reports

Generating Linux audit reports Audit reports are very crucial whenever we want to catch / track an incident and user activity on Linux machine. All the audit logs are going to save in /var/log/audit/ directory, when we see them directly we may understand them in correct way and in required fashion in order read all the logs and generate an beautiful reports using aureport utility allows you to generate summary and columnar reports on the events recorded in audit log files. Generating Linux audit reports

  • Summary report of all the activities
  • Executable files report
  • Terminal activity reports
  • Authentication report
  • Commands run report
  • Config change report
  • Crypto report
  • Remote Host name report
  • Integrity event report
  • Login report
  • Modification to accounts report
  • Mandatory Access Control (MAC) report
  • Pid report
  • Syscall report
  • Log time range report
  • Report about tty keystrokes
  • Virtualization report
  • AVC Audit Events – These are generated by the AVC subsystem as a result of access denials, or where specific events have requested an audit message (i.e. where an auditallow rule has been used in the policy).

1. Summary audit report of given range

To generate a report fro logged events in the fast 10 days excluding the current example day, use the following command as mentioned in below

[root@TechTutorial ~]# aureport --start 01/04/2016 00:00:00 --end 01/28/2016 00:00:00

Summary Report
======================
Range of time in logs: 01/08/2016 22:47:49.346 - 01/27/2016 17:30:01.670
Selected time for report: 01/04/2016 00:00:00 - 01/28/2016 00:00:00
Number of changes in configuration: 6942
Number of changes to accounts, groups, or roles: 18
Number of logins: 36
Number of failed logins: 14
Number of authentications: 111
Number of failed authentications: 17
Number of users: 4
Number of terminals: 12
Number of host names: 4
Number of executables: 14
Number of commands: 68
Number of files: 1
Number of AVC's: 1
Number of MAC events: 36
Number of failed syscalls: 0
Number of anomaly events: 1
Number of responses to anomaly events: 0
Number of crypto events: 745
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 1866
Number of events: 17019

in above command range is starting from Jan/4th/2016 ends with Jan/28th/2016

2. Executable file events

To generate a report of all executable file events, use the below command as shown

[root@TechTutorial ~]# aureport -x

Executable Report
====================================
# date time exe term host auid event
====================================
1. 01/08/2016 22:47:49 /usr/lib/systemd/systemd ? ? -1 6
2. 01/08/2016 22:47:49 /usr/lib/systemd/systemd-update-utmp ? ? -1 7
3. 01/08/2016 22:47:49 /usr/lib/systemd/systemd ? ? -1 8
4. 01/08/2016 22:47:49 /usr/lib/systemd/systemd ? ? -1 9
5. 01/08/2016 22:47:49 /usr/lib/systemd/systemd ? ? -1 10
6. 01/08/2016 22:47:49 /usr/lib/systemd/systemd ? ? -1 11
7. 01/08/2016 22:47:49 /usr/lib/systemd/systemd ? ? -1 12
8. 01/08/2016 22:47:49 /usr/lib/systemd/systemd ? ? -1 13
9. 01/08/2016 22:47:50 /usr/lib/systemd/systemd ? ? -1 14
10. 01/08/2016 22:47:50 /usr/lib/systemd/systemd ? ? -1 15

3. Executable file events summary report

As we see in above 2 step we can get all the executable file events the same if you want to see in summarized format use below command

[root@TechTutorial ~]# aureport -x --summary

Executable Summary Report
=================================
total  file
=================================
6992  /usr/sbin/xtables-multi
4932  /usr/sbin/crond
3267  /usr/lib/systemd/systemd
1129  /usr/sbin/sshd
240  /usr/bin/kmod
165  /usr/libexec/gdm-session-worker
73  /usr/bin/su
65  /usr/lib/systemd/systemd-update-utmp
16  /usr/bin/passwd
10  /usr/sbin/useradd
9  /usr/bin/sudo
3  /usr/sbin/usermod
2  /usr/bin/crontab
2  /usr/sbin/groupadd

4. Failed User Summary Report

To generate a summary report of failed events for all users, use the following command

[root@TechTutorial ~]# aureport -u --failed --summary -i

Failed User Summary Report
===========================
total  auid
===========================
68  unset
25  rankam
3  root

5. Failed login attempts report per each system user

Generate a summary of all failed login attempts per each system user, use the below command as shown in example

[root@TechTutorial ~]# aureport --login --summary -i
Login Summary Report
============================
total  auid
============================
176  root
12  unset
6  ravi
2  aavi

6. Search all file access events for particular user

generate a report from an ausearch query that searches all file access events for user 0 (root), use the following command as shown below

[root@TechTutorial ~]# ausearch --start today --loginuid 0 --raw | aureport -f --summary

File Summary Report
===========================
total  file
===========================
<no events of interest were found>

7. Log time range report

In order to know your current log available range use following command

[root@TechTutorial ~]# aureport -t

Log Time Range Report
=====================
/var/log/audit/audit.log: 01/08/2016 22:47:49.346 - 01/28/2016 17:20:01.265

8. Modifications to accounts report

This below command will give us the report about modified user accounts

[root@TechTutorial ~]# aureport -m

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 01/09/2016 17:31:20 0 ? pts/1 /usr/sbin/useradd ravi yes 570
2. 01/09/2016 17:31:20 0 ? pts/1 /usr/sbin/useradd ? yes 571
3. 01/09/2016 17:31:20 0 ? pts/1 /usr/sbin/useradd ? yes 572
4. 01/09/2016 17:31:28 0 ? pts/1 /usr/bin/passwd ravi yes 573
5. 01/09/2016 17:31:28 0 ? pts/1 /usr/bin/passwd ? yes 574
6. 01/13/2016 15:13:02 0 ? pts/0 /usr/sbin/groupadd ? yes 443
7. 01/13/2016 15:13:02 0 ? pts/0 /usr/sbin/groupadd ? yes 444
8. 01/13/2016 15:14:41 0 ? pts/0 /usr/sbin/useradd ? yes 445
9. 01/13/2016 15:14:41 0 ? pts/0 /usr/sbin/useradd ? yes 446
10. 01/14/2016 14:38:36 0 ? pts/0 /usr/sbin/useradd ? yes 536

9. Reports about process ID’s

below report will gives you the date and time when the process has been run

[root@TechTutorial ~]# aureport --pid

Process ID Report
======================================
# date time pid exe syscall auid event
======================================
1. 01/08/2016 22:47:49 614 ? 0 -1 6513
2. 01/08/2016 22:47:49 1 /usr/lib/systemd/systemd 0 -1 6
3. 01/08/2016 22:47:49 638 /usr/lib/systemd/systemd-update-utmp 0 -1 7
4. 01/08/2016 22:47:49 1 /usr/lib/systemd/systemd 0 -1 8
5. 01/08/2016 22:47:49 1 /usr/lib/systemd/systemd 0 -1 9
6. 01/08/2016 22:47:49 1 /usr/lib/systemd/systemd 0 -1 10
7. 01/08/2016 22:47:49 1 /usr/lib/systemd/systemd 0 -1 11
8. 01/08/2016 22:47:49 1 /usr/lib/systemd/systemd 0 -1 12
9. 01/08/2016 22:47:49 1 /usr/lib/systemd/systemd 0 -1 13
10. 01/08/2016 22:47:50 1 /usr/lib/systemd/systemd 0 -1 14

10. Host report

[root@TechTutorial ~]# aureport -h |less

Host Report
===================================
# date time host syscall auid event
===================================
1. 01/08/2016 22:47:49 ? 0 -1 6
2. 01/08/2016 22:47:49 ? 0 -1 7
3. 01/08/2016 22:47:49 ? 0 -1 8
4. 01/08/2016 22:47:49 ? 0 -1 9
5. 01/08/2016 22:47:49 ? 0 -1 10
6. 01/08/2016 22:47:49 ? 0 -1 11
7. 01/08/2016 22:47:49 ? 0 -1 12
8. 01/08/2016 22:47:49 ? 0 -1 13
9. 01/08/2016 22:47:50 ? 0 -1 14
10. 01/08/2016 22:47:50 ? 0 -1 15

11. Reports about configuration changes

if you want to track your system wide configuration changes you can go ahead and generate below type of report

[root@TechTutorial ~]# aureport --config 

Config Change Report
===================================
# date time type auid success event
===================================
1. 01/08/2016 22:47:49 CONFIG_CHANGE -1 yes 5
2. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 35
3. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 36
4. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 37
5. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 38
6. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 40
7. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 41
8. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 42
9. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 43
10. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 44

12. Keystroke report

The audit.log file contains all keystrokes entered by the specified user, including backspaces, delete and return keys, the control key and others. Although the contents of audit.log are human-readable it might be easier to use the aureport utility, which provides a TTY report in a format which is easy to read. You can use the following command as root:

[root@TechTutorial ~]# aureport --tty

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
<no events of interest were found>

We can generate lot many reports using this aureport command below are the options Generating Linux audit reports Generating Linux audit reports Generating Linux audit reports

       -a,–avc                       Avc report
       -au,–auth                     Authentication report
       –comm                         Commands run report
       -c,–config                     Config change report
       -cr,–crypto                   Crypto report
       -e,–event                     Event report
       -f,–file                       File name report
       –failed                       only failed events in report
       -h,–host                       Remote Host name report
       –help                         help
       -i,–interpret                 Interpretive mode
       -if,–input <Input File name>   use this file as input
       –input-logs                   Use the logs even if stdin is a pipe
       –integrity                     Integrity event report
       -l,–login                     Login report
       -k,–key                       Key report
       -m,–mods                       Modification to accounts report
       -ma,–mac                       Mandatory Access Control (MAC) report
       -n,–anomaly                   anomaly report
       -nc,–no-config                 Don’t include config events
       –node <node name>             Only events from a specific node
       -p,–pid                       PID report
       -r,–response                   Response to anomaly report
       -s,–syscall                   Syscall report
       –success                       only success events in report
       –summary                       sorted totals for main object in report
       -t,–log                       Log time range report
       -te,–end [end date] [end time] ending date & time for reports
       -tm,–terminal                 Terminal name report
       -ts,–start [start date] [start time]   starting data & time for reports
       –tty                           Report about tty keystrokes
       -u,–user                       User name report
       -v,–version                   Version
       –virt                         Virtualization report
       -x,–executable                 executable name report
       If no report is given, the summary report will be displayed

Please provide your valuable feedback…

 

Thanks for your wonderful Support and Encouragement