Generating Linux audit reports
Generating Linux audit reports
Generating Linux audit reports Audit reports are very crucial whenever we want to catch / track an incident and user activity on Linux machine. All the audit logs are going to save in /var/log/audit/ directory, when we see them directly we may understand them in correct way and in required fashion in order read all the logs and generate an beautiful reports using aureport utility allows you to generate summary and columnar reports on the events recorded in audit log files. Generating Linux audit reports
- Summary report of all the activities
- Executable files report
- Terminal activity reports
- Authentication report
- Commands run report
- Config change report
- Crypto report
- Remote Host name report
- Integrity event report
- Login report
- Modification to accounts report
- Mandatory Access Control (MAC) report
- Pid report
- Syscall report
- Log time range report
- Report about tty keystrokes
- Virtualization report
- AVC Audit Events – These are generated by the AVC subsystem as a result of access denials, or where specific events have requested an audit message (i.e. where an auditallow rule has been used in the policy).
1. Summary audit report of given range
To generate a report fro logged events in the fast 10 days excluding the current example day, use the following command as mentioned in below
[root@TechTutorial ~]# aureport --start 01/04/2016 00:00:00 --end 01/28/2016 00:00:00
Summary Report
======================
Range of time in logs: 01/08/2016 22:47:49.346 - 01/27/2016 17:30:01.670
Selected time for report: 01/04/2016 00:00:00 - 01/28/2016 00:00:00
Number of changes in configuration: 6942
Number of changes to accounts, groups, or roles: 18
Number of logins: 36
Number of failed logins: 14
Number of authentications: 111
Number of failed authentications: 17
Number of users: 4
Number of terminals: 12
Number of host names: 4
Number of executables: 14
Number of commands: 68
Number of files: 1
Number of AVC's: 1
Number of MAC events: 36
Number of failed syscalls: 0
Number of anomaly events: 1
Number of responses to anomaly events: 0
Number of crypto events: 745
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 1866
Number of events: 17019
in above command range is starting from Jan/4th/2016 ends with Jan/28th/2016
2. Executable file events
To generate a report of all executable file events, use the below command as shown
[root@TechTutorial ~]# aureport -x
Executable Report
====================================
# date time exe term host auid event
====================================
1. 01/08/2016 22:47:49 /usr/lib/systemd/systemd ? ? -1 6
2. 01/08/2016 22:47:49 /usr/lib/systemd/systemd-update-utmp ? ? -1 7
3. 01/08/2016 22:47:49 /usr/lib/systemd/systemd ? ? -1 8
4. 01/08/2016 22:47:49 /usr/lib/systemd/systemd ? ? -1 9
5. 01/08/2016 22:47:49 /usr/lib/systemd/systemd ? ? -1 10
6. 01/08/2016 22:47:49 /usr/lib/systemd/systemd ? ? -1 11
7. 01/08/2016 22:47:49 /usr/lib/systemd/systemd ? ? -1 12
8. 01/08/2016 22:47:49 /usr/lib/systemd/systemd ? ? -1 13
9. 01/08/2016 22:47:50 /usr/lib/systemd/systemd ? ? -1 14
10. 01/08/2016 22:47:50 /usr/lib/systemd/systemd ? ? -1 15
3. Executable file events summary report
As we see in above 2 step we can get all the executable file events the same if you want to see in summarized format use below command
[root@TechTutorial ~]# aureport -x --summary
Executable Summary Report
=================================
total file
=================================
6992 /usr/sbin/xtables-multi
4932 /usr/sbin/crond
3267 /usr/lib/systemd/systemd
1129 /usr/sbin/sshd
240 /usr/bin/kmod
165 /usr/libexec/gdm-session-worker
73 /usr/bin/su
65 /usr/lib/systemd/systemd-update-utmp
16 /usr/bin/passwd
10 /usr/sbin/useradd
9 /usr/bin/sudo
3 /usr/sbin/usermod
2 /usr/bin/crontab
2 /usr/sbin/groupadd
4. Failed User Summary Report
To generate a summary report of failed events for all users, use the following command
[root@TechTutorial ~]# aureport -u --failed --summary -i
Failed User Summary Report
===========================
total auid
===========================
68 unset
25 rankam
3 root
5. Failed login attempts report per each system user
Generate a summary of all failed login attempts per each system user, use the below command as shown in example
[root@TechTutorial ~]# aureport --login --summary -i
Login Summary Report
============================
total auid
============================
176 root
12 unset
6 ravi
2 aavi
6. Search all file access events for particular user
generate a report from an ausearch query that searches all file access events for user 0 (root), use the following command as shown below
[root@TechTutorial ~]# ausearch --start today --loginuid 0 --raw | aureport -f --summary
File Summary Report
===========================
total file
===========================
<no events of interest were found>
7. Log time range report
In order to know your current log available range use following command
[root@TechTutorial ~]# aureport -t
Log Time Range Report
=====================
/var/log/audit/audit.log: 01/08/2016 22:47:49.346 - 01/28/2016 17:20:01.265
8. Modifications to accounts report
This below command will give us the report about modified user accounts
[root@TechTutorial ~]# aureport -m
Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 01/09/2016 17:31:20 0 ? pts/1 /usr/sbin/useradd ravi yes 570
2. 01/09/2016 17:31:20 0 ? pts/1 /usr/sbin/useradd ? yes 571
3. 01/09/2016 17:31:20 0 ? pts/1 /usr/sbin/useradd ? yes 572
4. 01/09/2016 17:31:28 0 ? pts/1 /usr/bin/passwd ravi yes 573
5. 01/09/2016 17:31:28 0 ? pts/1 /usr/bin/passwd ? yes 574
6. 01/13/2016 15:13:02 0 ? pts/0 /usr/sbin/groupadd ? yes 443
7. 01/13/2016 15:13:02 0 ? pts/0 /usr/sbin/groupadd ? yes 444
8. 01/13/2016 15:14:41 0 ? pts/0 /usr/sbin/useradd ? yes 445
9. 01/13/2016 15:14:41 0 ? pts/0 /usr/sbin/useradd ? yes 446
10. 01/14/2016 14:38:36 0 ? pts/0 /usr/sbin/useradd ? yes 536
9. Reports about process ID’s
below report will gives you the date and time when the process has been run
[root@TechTutorial ~]# aureport --pid
Process ID Report
======================================
# date time pid exe syscall auid event
======================================
1. 01/08/2016 22:47:49 614 ? 0 -1 6513
2. 01/08/2016 22:47:49 1 /usr/lib/systemd/systemd 0 -1 6
3. 01/08/2016 22:47:49 638 /usr/lib/systemd/systemd-update-utmp 0 -1 7
4. 01/08/2016 22:47:49 1 /usr/lib/systemd/systemd 0 -1 8
5. 01/08/2016 22:47:49 1 /usr/lib/systemd/systemd 0 -1 9
6. 01/08/2016 22:47:49 1 /usr/lib/systemd/systemd 0 -1 10
7. 01/08/2016 22:47:49 1 /usr/lib/systemd/systemd 0 -1 11
8. 01/08/2016 22:47:49 1 /usr/lib/systemd/systemd 0 -1 12
9. 01/08/2016 22:47:49 1 /usr/lib/systemd/systemd 0 -1 13
10. 01/08/2016 22:47:50 1 /usr/lib/systemd/systemd 0 -1 14
10. Host report
[root@TechTutorial ~]# aureport -h |less
Host Report
===================================
# date time host syscall auid event
===================================
1. 01/08/2016 22:47:49 ? 0 -1 6
2. 01/08/2016 22:47:49 ? 0 -1 7
3. 01/08/2016 22:47:49 ? 0 -1 8
4. 01/08/2016 22:47:49 ? 0 -1 9
5. 01/08/2016 22:47:49 ? 0 -1 10
6. 01/08/2016 22:47:49 ? 0 -1 11
7. 01/08/2016 22:47:49 ? 0 -1 12
8. 01/08/2016 22:47:49 ? 0 -1 13
9. 01/08/2016 22:47:50 ? 0 -1 14
10. 01/08/2016 22:47:50 ? 0 -1 15
11. Reports about configuration changes
if you want to track your system wide configuration changes you can go ahead and generate below type of report
[root@TechTutorial ~]# aureport --config
Config Change Report
===================================
# date time type auid success event
===================================
1. 01/08/2016 22:47:49 CONFIG_CHANGE -1 yes 5
2. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 35
3. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 36
4. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 37
5. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 38
6. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 40
7. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 41
8. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 42
9. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 43
10. 01/08/2016 23:05:02 NETFILTER_CFG -1 yes 44
12. Keystroke report
The audit.log file contains all keystrokes entered by the specified user, including backspaces, delete and return keys, the control key and others. Although the contents of audit.log are human-readable it might be easier to use the aureport utility, which provides a TTY report in a format which is easy to read. You can use the following command as root:
[root@TechTutorial ~]# aureport --tty
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
<no events of interest were found>
We can generate lot many reports using this aureport command below are the options Generating Linux audit reports Generating Linux audit reports Generating Linux audit reports
-a,–avc Avc report |
-au,–auth Authentication report |
–comm Commands run report |
-c,–config Config change report |
-cr,–crypto Crypto report |
-e,–event Event report |
-f,–file File name report |
–failed only failed events in report |
-h,–host Remote Host name report |
–help help |
-i,–interpret Interpretive mode |
-if,–input <Input File name> use this file as input |
–input-logs Use the logs even if stdin is a pipe |
–integrity Integrity event report |
-l,–login Login report |
-k,–key Key report |
-m,–mods Modification to accounts report |
-ma,–mac Mandatory Access Control (MAC) report |
-n,–anomaly anomaly report |
-nc,–no-config Don’t include config events |
–node <node name> Only events from a specific node |
-p,–pid PID report |
-r,–response Response to anomaly report |
-s,–syscall Syscall report |
–success only success events in report |
–summary sorted totals for main object in report |
-t,–log Log time range report |
-te,–end [end date] [end time] ending date & time for reports |
-tm,–terminal Terminal name report |
-ts,–start [start date] [start time] starting data & time for reports |
–tty Report about tty keystrokes |
-u,–user User name report |
-v,–version Version |
–virt Virtualization report |
-x,–executable executable name report |
If no report is given, the summary report will be displayed |
Please provide your valuable feedback…
Thanks for your wonderful Support and Encouragement