LINUX- 40 AUDIT
(RHEL-7) P3
HOW TO SEARCH AUDIT LOGS:
[root@rhel7-server ~]# ls -l /var/log/audit/audit.log
-rw-------. 1 root root 7523772 Sep 1 14:58 /var/log/audit/audit.log
There are three commands:
ausearch = to query the audit logs; various search criteria can be applied.
aureport = to produce summary reports.
autrace = to generate audit records from a specific process.
All of the above commands can be run by "root" only.
ausearch
A tool that queries the audit daemon logs for events based on different search criteria.
-i to print in human readable format
[root@rhel7-server ~]# ausearch -i |tail -2
type=CWD msg=audit(09/01/2018 15:45:19.892:8479)
: cwd=/root
type=SYSCALL msg=audit(09/01/2018 15:45:19.892:8479)
: arch=x86_64 syscall=open success=yes exit=4 a0=0x7fd698df2d8a
a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x0 items=1 ppid=6500 pid=7140 auid=root
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=pts1 ses=39 comm=ausearch exe=/usr/sbin/ausearch
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=passwd-file-change
[root@rhel7-server ~]# ausearch -i |grep userdel |tail -2
type=SYSCALL msg=audit(09/01/2018 16:42:06.843:9139)
: arch=x86_64 syscall=unlink success=yes exit=0 a0=0x7fff564939e0
a1=0x7f72bf760661 a2=0x7fff564939f1 a3=0xc items=2 ppid=6500 pid=7846 auid=root
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=pts1 ses=39 comm=userdel exe=/usr/sbin/userdel subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=passwd-file-change
-if to parse data from a different file (here the rotated log audit.log.1 instead of the live audit.log)
[root@rhel7-server ~]# ausearch -if /var/log/audit/audit.log.1 |tail -2
type=SYSCALL msg=audit(1532254884.455:3983):
arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=1556750 items=0
ppid=1032 pid=8674 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip6tables" exe="/usr/sbin/xtables-multi"
subj=system_u:system_r:iptables_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1532254884.455:3983):
table=filter family=10 entries=56
-a grabs all records in the logs that are related to the audit event ID provided and displays them. This option cannot be combined with any other option.
The audit event ID is always in the second field; in the output above,
type=SYSCALL msg=audit(1532254884.455:3983)
the event ID (3983) is the number after the ":" as marked in yellow above. Note that this serial number is only unique within one boot of the system and restarts after a reboot, so always check the timestamp of what -a returns: the record below carries serial 3983 but a different timestamp (1535277396.485) from the event above (1532254884.455), i.e. it is a different event.
[root@rhel7-server ~]# ausearch -a 3983 |tail -1
type=USER_TTY msg=audit(1535277396.485:3983):
pid=3378 uid=0 auid=0 ses=10
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
data=6175736561726368202D6D204C4F47494E202D2D737461727420746F646179202D69
-m to search for a particular message type
[root@rhel7-server ~]# ausearch -m
Running -m with no argument lists the valid message types that can be searched.
[root@rhel7-server ~]# ausearch -m DEL_USER -i |tail -2
----
type=DEL_USER msg=audit(05/01/2018
16:49:40.288:2103) : pid=45401 uid=root auid=root ses=160
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=deleting
home directory id=unknown(1003) exe=/usr/sbin/userdel hostname=? addr=?
terminal=pts/1 res=success'
-ul Search by Login ID
To view records associated with a particular login user ID (auid):
[root@rhel7-server ~]# grep 1000 /etc/passwd
anurag:x:1000:1000:anurag:/home/anurag:/bin/bash
[root@rhel7-server ~]# ausearch -ul 1000 |tail -2
type=CWD msg=audit(1534338229.928:560): cwd="/"
type=SYSCALL msg=audit(1534338229.928:560):
arch=c000003e syscall=2 success=yes exit=5 a0=7fc7e806ad8a a1=80000 a2=1b6 a3=0
items=1 ppid=2297 pid=3705 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=1000 fsgid=0 tty=(none) ses=13 comm="sshd"
exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
key="password-file"
-ua Search by User ID
-ue Search by Effective User ID
-ua and -ul both produce the same result in this example (-ul matches only the login UID field, auid, while -ua matches any of uid, euid or auid; the results coincide here because the records below have auid=1000).
[root@rhel7-server ~]# ausearch -ul anurag |tail -2
type=CWD msg=audit(1534338229.928:560): cwd="/"
type=SYSCALL msg=audit(1534338229.928:560):
arch=c000003e syscall=2 success=yes exit=5 a0=7fc7e806ad8a a1=80000 a2=1b6 a3=0
items=1 ppid=2297 pid=3705 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=1000 fsgid=0 tty=(none) ses=13 comm="sshd"
exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
key="password-file"
[root@rhel7-server ~]# ausearch -ua anurag |tail -2
type=CWD msg=audit(1534338229.928:560): cwd="/"
type=SYSCALL msg=audit(1534338229.928:560):
arch=c000003e syscall=2 success=yes exit=5 a0=7fc7e806ad8a a1=80000 a2=1b6 a3=0
items=1 ppid=2297 pid=3705 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=1000 fsgid=0 tty=(none) ses=13 comm="sshd"
exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
key="password-file"
[root@rhel7-server ~]# ausearch -ue anurag |tail -2
<no matches>
[root@rhel7-server ~]# ausearch -ue 1000 |tail -2
<no matches>
(The records for this login are sshd running with uid=0 and euid=0 — note auid=1000 but euid=0 in the output above — so a search by effective UID 1000 finds nothing, while -ue 0 does.)
[root@rhel7-server ~]# ausearch -ue 0 |tail -2
type=CWD msg=audit(1535798492.729:8791): cwd="/"
type=SYSCALL msg=audit(1535798492.729:8791):
arch=c000003e syscall=2 success=yes exit=31 a0=7f82a14e8d8a a1=80000 a2=1b6
a3=7fff7398cd20 items=1 ppid=2461 pid=7449 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="smbd" exe="/usr/sbin/smbd"
subj=system_u:system_r:smbd_t:s0 key="passwd-file-change"
-ga Search by Group ID
-c comm_name Search by Command Line Name
[root@rhel7-server ~]# ausearch -c reboot |tail -2
time->Sat Jul 21 17:13:13 2018
type=SERVICE_START msg=audit(1532173393.212:6242):
pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg=' comm="plymouth-reboot" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
[root@rhel7-server ~]# ausearch -c userdel |tail -5
time->Sat Sep 1 16:22:10 2018
type=PATH msg=audit(1535799130.644:8944): item=1
name="/etc/gshadow.lock" inode=36642110 dev=fd:00 mode=0100600 ouid=0
ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 objtype=DELETE
type=PATH msg=audit(1535799130.644:8944): item=0
name="/etc/" inode=33595521 dev=fd:00 mode=040755 ouid=0 ogid=0
rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=CWD msg=audit(1535799130.644:8944): cwd="/root"
type=SYSCALL msg=audit(1535799130.644:8944):
arch=c000003e syscall=87 success=yes exit=0 a0=7fff7d0857f0 a1=7f30ea030661 a2=7fff7d085801
a3=c items=2 ppid=6500 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=39 comm="userdel"
exe="/usr/sbin/userdel"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="passwd-file-change"
-x Search by Executable Name
[root@rhel7-server ~]# ausearch -x su |tail -5
time->Sat Sep 1 16:24:07 2018
type=USER_END msg=audit(1535799247.471:8982):
pid=7598 uid=0 auid=0 ses=39
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:session_close acct="xyz" exe="/usr/bin/su"
hostname=? addr=? terminal=pts/1 res=success'
----
time->Sat Sep 1 16:24:07 2018
type=CRED_DISP msg=audit(1535799247.471:8983):
pid=7598 uid=0 auid=0 ses=39
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="xyz" exe="/usr/bin/su" hostname=? addr=?
terminal=pts/1 res=success'
-p Search by Process ID
[root@rhel7-server ~]# ausearch -p 7661 |tail -5
----
time->Sun Jul 22 15:41:56 2018
type=SYSCALL msg=audit(1532254316.311:3107):
arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=2687380 items=0
ppid=1032 pid=7661 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip6tables"
exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0
key=(null)
type=NETFILTER_CFG msg=audit(1532254316.311:3107):
table=filter family=10 entries=128
[root@rhel7-server ~]# ausearch -p 6451 |tail -5
time->Sat Sep 1 15:50:12 2018
type=CRYPTO_KEY_USER msg=audit(1535797212.518:8532):
pid=6451 uid=0 auid=0 ses=39 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=destroy kind=session fp=? direction=from-client spid=6451 suid=0
rport=2168 laddr=192.168.135.134 lport=22
exe="/usr/sbin/sshd" hostname=? addr=192.168.135.1 terminal=?
res=success'
----
time->Sat Sep 1 15:50:12 2018
type=CRYPTO_KEY_USER msg=audit(1535797212.724:8533):
pid=6451 uid=0 auid=0 ses=39
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy
kind=session fp=? direction=from-server spid=6451 suid=0 rport=2168
laddr=192.168.135.134 lport=22
exe="/usr/sbin/sshd" hostname=? addr=192.168.135.1 terminal=?
res=success'
-tm Search by Terminal
ausearch -tm ssh to view all records related to events on the SSH terminal, and
ausearch -tm tty to view all events related to the console.
[root@rhel7-server ~]# ausearch -tm ssh |tail -5
time->Sat Sep 1 14:50:19 2018
type=USER_START msg=audit(1535793619.429:7451):
pid=6451 uid=0 auid=0 ses=39 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd"
hostname=192.168.135.1 addr=192.168.135.1 terminal=ssh res=success'
----
time->Sat Sep 1 14:50:19 2018
type=CRED_REFR msg=audit(1535793619.442:7458):
pid=6457 uid=0 auid=0 ses=39
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/sshd" hostname=192.168.135.1
addr=192.168.135.1 terminal=ssh res=success'
-k Search by Key Field
[root@rhel7-server ~]# ausearch -k passwd |tail -5
time->Sat Sep 1 16:22:10 2018
type=PATH msg=audit(1535799130.644:8944): item=1
name="/etc/gshadow.lock" inode=36642110 dev=fd:00 mode=0100600 ouid=0
ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 objtype=DELETE
type=PATH msg=audit(1535799130.644:8944): item=0
name="/etc/" inode=33595521 dev=fd:00 mode=040755 ouid=0 ogid=0
rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=CWD msg=audit(1535799130.644:8944): cwd="/root"
type=SYSCALL msg=audit(1535799130.644:8944):
arch=c000003e syscall=87 success=yes exit=0 a0=7fff7d0857f0 a1=7f30ea030661
a2=7fff7d085801 a3=c items=2 ppid=6500 pid=7575 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=39 comm="userdel"
exe="/usr/sbin/userdel"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="passwd-file-change"
-ts for time/date start
-te for time/date end
These can be combined with any of the above commands (except -a, which takes no other options):
[root@rhel7-server ~]# ausearch -k passwd -ts yesterday -te now
[root@rhel7-server ~]# ausearch -tm ssh -ts yesterday -te now
[root@rhel7-server ~]# ausearch -tm ssh -ts this-week
[root@rhel7-server ~]# ausearch -tm ssh -ts this
Invalid start date (this). Month, Day, and Year are required.
[root@rhel7-server ~]# ausearch -tm ssh -te this
Invalid end date (this). Month, Day, and Year are required.