LINUX-41 AUDIT (RHEL-7) P4
HOW TO REPORT & TRACE AUDIT LOGS:
There are three commands:
ausearch = to query the audit logs; various search criteria can be applied.
aureport = to produce summary reports.
autrace = to generate audit records from a specific process.
All of the above commands can be run by "root" only.
aureport
A tool that produces summary reports of the audit system logs from /var/log/audit/audit.log.
-if = to build the report from another (for example, rotated) log file instead of the current one:
[root@rhel7-server ~]# aureport -l -if /var/log/audit/audit.log.1
[root@rhel7-server ~]# aureport -l -ts 00:00 -te 17:00
Login Report
============================================
# date time auid host term exe success event
============================================
1. 09/01/2018 14:50:19 0 192.168.135.1 /dev/pts/0 /usr/sbin/sshd yes 7454
To get current audit statistics
[root@rhel7-server ~]# aureport
Summary Report
======================
Range of time in logs: 11/18/2017 22:53:28.063 - 09/01/2018 17:07:46.968
Selected time for report: 11/18/2017 22:53:28 - 09/01/2018 17:07:46.968
Number of changes in configuration: 111
Number of changes to accounts, groups, or roles: 141
Number of logins: 112
Number of failed logins: 18
Number of authentications: 255
Number of failed authentications: 49
Number of users: 9
Number of terminals: 39
Number of host names: 7
Number of executables: 67
Number of files: 240
Number of AVC's: 17
Number of MAC events: 145
Number of failed syscalls: 190
Number of anomaly events: 12
Number of responses to anomaly events: 0
Number of crypto events: 1699
Number of keys: 5
Number of process IDs: 12293
Number of events: 37642
Summary Report of Failed Events
[root@rhel7-server ~]# aureport -au -i --failed
Summary Report of Successful Events
[root@rhel7-server ~]# aureport -au -i --success
Particular Summary Report
For user login events,
[root@rhel7-server ~]# aureport -u -i --summary
User Summary Report
===========================
total auid
===========================
26339 unset
10488 root
297 anurag
228 testuser1
101 xyz
83 user1
57 test1
50 abc
34 user2
For file summary report,
[root@rhel7-server ~]# aureport -f -i --summary
Create a Report of Events
[root@rhel7-server ~]# aureport -e -ts 13:00 -te 17:15 |tail -5
1898. 09/01/2018 17:14:30 9289 USER_TTY 0 unset
1899. 09/01/2018 17:14:30 9282 TTY 0 unset
1900. 09/01/2018 17:14:30 9284 TTY 0 unset
1901. 09/01/2018 17:14:30 9286 TTY 0 unset
1902. 09/01/2018 17:14:30 9288 TTY 0 unset
Create a Report from All Process Events
[root@rhel7-server ~]# aureport -p |tail -5
37630. 09/01/2018 17:16:24 6500 ? 0 0 9305
37631. 09/01/2018 17:16:24 6500 ? 0 0 9302
37632. 09/01/2018 17:16:24 6500 ? 0 0 9304
37633. 09/01/2018 17:16:29 6500 ? 0 0 9307
37634. 09/01/2018 17:16:29 6500 ? 0 0 9306
Create a Report from All System Call Events
[root@rhel7-server ~]# aureport -s |head -10
Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 11/18/2017 17:24:40 313 1170 modprobe -1 41
2. 11/18/2017 17:24:40 313 1173 modprobe -1 42
3. 11/18/2017 17:24:40 313 1176 modprobe -1 43
4. 11/18/2017 17:24:40 313 1179 modprobe -1 44
5. 11/18/2017 17:24:40 313 1182 modprobe -1 46
[root@rhel7-server ~]# aureport -s |tail -5
23531. 09/01/2018 16:42:06 87 7846 userdel 0 9139
23532. 09/01/2018 16:52:26 2 1084 chronyd -1 9211
23533. 09/01/2018 16:52:26 2 1084 chronyd -1 9212
23534. 09/01/2018 16:52:26 2 1084 chronyd -1 9213
23535. 09/01/2018 16:52:26 2 1084 chronyd -1 9214
Create a Report from All Executable Events
[root@rhel7-server ~]# aureport -x |tail -5
34224. 09/01/2018 17:10:01 /usr/sbin/crond cron ? -1 9258
34225. 09/01/2018 17:10:01 /usr/sbin/crond cron ? 0 9260
34226. 09/01/2018 17:10:01 /usr/sbin/crond cron ? 0 9261
34227. 09/01/2018 17:10:01 /usr/sbin/crond cron ? 0 9262
34228. 09/01/2018 17:10:01 /usr/sbin/crond cron ? 0 9263
Create a Report about Files
[root@rhel7-server ~]# aureport -f |tail -5
7301. 09/01/2018 16:42:06 /etc/ 87 yes /usr/sbin/userdel 0 9139
7302. 09/01/2018 16:52:26 /etc/hosts 2 yes /usr/sbin/chronyd -1 9211
7303. 09/01/2018 16:52:26 /etc/hosts 2 yes /usr/sbin/chronyd -1 9212
7304. 09/01/2018 16:52:26 /etc/hosts 2 yes /usr/sbin/chronyd -1 9213
7305. 09/01/2018 16:52:26 /etc/hosts 2 yes /usr/sbin/chronyd -1 9214
Create a Report about Users
[root@rhel7-server ~]# aureport -u |head -10
User ID Report
====================================
# date time auid term host exe event
====================================
1. 11/18/2017 22:53:28 -1 ? ? /usr/lib/systemd/systemd 6
2. 11/18/2017 22:53:28 -1 ? ? /usr/lib/systemd/systemd-update-utmp 7
3. 11/18/2017 22:53:28 -1 ? ? /usr/lib/systemd/systemd 8
4. 11/18/2017 22:53:28 -1 ? ? /usr/lib/systemd/systemd 9
5. 11/18/2017 22:53:28 -1 ? ? /usr/lib/systemd/systemd 10
[root@rhel7-server ~]# aureport -u |tail -5
37639. 09/01/2018 17:19:46 1001 ssh 192.168.135.1 /usr/sbin/sshd 9371
37640. 09/01/2018 17:19:46 1001 /dev/pts/4 192.168.135.1 /usr/sbin/sshd 9372
37641. 09/01/2018 17:19:46 1001 /dev/pts/4 192.168.135.1 /usr/sbin/sshd 9373
37642. 09/01/2018 17:19:56 0 ? ? ? 9375
37643. 09/01/2018 17:19:56 0 ? ? ? 9374
Create a Report about Logins
[root@rhel7-server ~]# aureport -l -i |head -10
Login Report
============================================
# date time auid host term exe success event
============================================
1. 11/19/2017 17:29:16 root ? ? /usr/libexec/gdm-session-worker yes 416
2. 11/19/2017 17:31:22 root 192.168.135.1 /dev/pts/1 /usr/sbin/sshd yes 446
3. 11/25/2017 16:19:56 root ? ? /usr/libexec/gdm-session-worker yes 361
4. 11/25/2017 16:22:01 (unknown user) 192.168.135.1 ssh /usr/sbin/sshd no 396
5. 11/25/2017 16:23:43 (unknown user) 192.168.135.1 ssh /usr/sbin/sshd no 404
Create an Authentication Report
[root@rhel7-server ~]# aureport -au -i |head -10
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 11/18/2017 17:27:37 gdm ? :0 /usr/libexec/gdm-session-worker yes 351
2. 11/19/2017 17:29:16 root ? :0 /usr/libexec/gdm-session-worker yes 410
3. 11/19/2017 17:31:22 root 192.168.135.1 ssh /usr/sbin/sshd yes 438
4. 11/19/2017 17:31:22 root 192.168.135.1 ssh /usr/sbin/sshd yes 441
5. 11/25/2017 16:16:56 gdm ? :0 /usr/libexec/gdm-session-worker yes 316
Limit a Report to a Certain Time Frame
To see the time range covered by each log file, including the rotated ones,
[root@rhel7-server ~]# aureport -t
Log Time Range Report
=====================
/var/log/audit/audit.log.1: 11/18/2017 22:53:28.063 - 07/22/2018 15:50:01.058
/var/log/audit/audit.log: 07/22/2018 15:51:23.806 - 09/01/2018 17:44:38.977
To filter the report based on date/time,
[root@rhel7-server ~]# aureport -ts 09/01/2018 13:00 -te 09/01/2018 18:00
Summary Report
======================
Range of time in logs: 09/01/2018 14:49:53.004 - 09/01/2018 17:45:45.770
Selected time for report: 09/01/2018 13:00:00 - 09/01/2018 18:00:00
Number of changes in configuration: 4
Number of changes to accounts, groups, or roles: 11
Number of logins: 3
Number of failed logins: 0
Number of authentications: 7
Number of failed authentications: 0
Number of users: 4
Number of terminals: 11
Number of host names: 2
Number of executables: 26
Number of files: 29
Number of AVC's: 1
Number of MAC events: 3
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 37
Number of keys: 2
Number of process IDs: 104
Number of events: 2208
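As an added example (not from the original post), here is what aureport -l and the two login counters of the Summary Report compute from the raw log: a small Python parser for USER_LOGIN records, run over constructed sample lines in /var/log/audit/audit.log format, with an epoch-second window standing in for -ts/-te. The sample records and helper names are assumptions, not output from the page's server.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in raw /var/log/audit/audit.log format (not from the
# page). aureport -l builds its Login Report from USER_LOGIN records like the
# first two; the SYSCALL record is there to show that it is skipped.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1535793619.123:7454): pid=7450 uid=0 auid=0 ses=4 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.135.1 addr=192.168.135.1 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1535795000.500:7500): pid=7601 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown user)" exe="/usr/sbin/sshd" hostname=192.168.135.1 addr=192.168.135.1 terminal=ssh res=failed'
type=SYSCALL msg=audit(1535795001.000:7501): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=1084 auid=4294967295 uid=0 comm="chronyd" exe="/usr/sbin/chronyd"
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = 4294967295  # kernel "unset" loginuid; aureport prints it as -1


def parse_record(line):
    """Split one audit.log line into (type, epoch seconds, event id, fields)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, event, rest = m.groups()
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(rest)}
    return rtype, int(ts), int(event), fields


def login_report(log_text, start=None, end=None):
    """Rows of aureport -l: (date, time, auid, host, term, exe, success, event).
    Times are UTC (aureport prints local time); start/end are epoch-second -ts/-te bounds."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec[0] != "USER_LOGIN":
            continue  # only login records feed the Login Report
        _, ts, event, f = rec
        if (start is not None and ts < start) or (end is not None and ts > end):
            continue
        when = datetime.fromtimestamp(ts, timezone.utc)
        auid = int(f.get("auid", UNSET_AUID))
        rows.append((when.strftime("%m/%d/%Y"), when.strftime("%H:%M:%S"),
                     -1 if auid == UNSET_AUID else auid,
                     f.get("hostname", "?"), f.get("terminal", "?"), f.get("exe", "?"),
                     "yes" if f.get("res") == "success" else "no", event))
    return rows


def login_summary(rows):
    """The 'Number of logins' and 'Number of failed logins' Summary Report counters."""
    ok = sum(1 for r in rows if r[6] == "yes")
    return {"logins": ok, "failed_logins": len(rows) - ok}
```

Point it at a real audit.log by reading the file into login_report(); the failed row with auid -1 and term ssh is the same shape as rows 4 and 5 of the login report shown earlier on this page.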
autrace
Dedicated auditing of individual processes. It is a program that adds the audit rules needed to trace a process and gather information on the events related to that one process.
When performing an autrace on a process, make sure that any existing audit rules are purged from the queue, so that they do not clash with the ones autrace adds itself. Delete the audit rules with the auditctl -D command.
[root@rhel7-server ~]# auditctl -D
No rules
[root@rhel7-server ~]# autrace /sbin/fdisk
Waiting to execute: /sbin/fdisk
Usage:
 fdisk [options] <disk> change partition table
 fdisk [options] -l <disk> list partition table(s)
 fdisk -s <partition> give partition size(s) in blocks
Options:
 -b <size> sector size (512, 1024, 2048 or 4096)
 -c[=<mode>] compatible mode: 'dos' or 'nondos' (default)
 -h print this help text
 -u[=<unit>] display units: 'cylinders' or 'sectors' (default)
 -v print program version
 -C <number> specify the number of cylinders
 -H <number> specify the number of heads
 -S <number> specify the number of sectors per track
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 9038'
To get the details, we need the help of "ausearch" and "aureport":
[root@rhel7-server ~]# ausearch -i -p 9038 |aureport -p -i
Process ID Report
======================================
# date time pid exe syscall auid event
======================================
1. 01/01/1970 05:30:07 9038 ? ? root 0
2. 01/01/1970 05:30:09 9038 ? ? root 0
(The 01/01/1970 dates appear because ausearch -i emits interpreted text instead of raw records, which aureport cannot parse properly; the commands below therefore pipe ausearch -p output without -i.)
[root@rhel7-server ~]# ausearch -p 9038 |aureport -f -i
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 09/01/2018 17:55:41 (null) execve yes /usr/sbin/fdisk root 28098
2. 09/01/2018 17:55:42 /etc/ld.so.preload access no /usr/sbin/fdisk root 28101
3. 09/01/2018 17:55:42 /etc/ld.so.cache open yes /usr/sbin/fdisk root 28102
4. 09/01/2018 17:55:42 /lib64/libblkid.so.1 open yes /usr/sbin/fdisk root 28106
5. 09/01/2018 17:55:42 /lib64/libuuid.so.1 open yes /usr/sbin/fdisk root 28114
6. 09/01/2018 17:55:42 /lib64/libc.so.6 open yes /usr/sbin/fdisk root 28121
7. 09/01/2018 17:55:42 /usr/lib/locale/locale-archive open yes /usr/sbin/fdisk root 28142
8. 09/01/2018 17:55:42 /usr/share/locale/locale.alias open yes /usr/sbin/fdisk root 28146
9. 09/01/2018 17:55:42 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/util-linux.mo open no /usr/sbin/fdisk root 28153
10. 09/01/2018 17:55:42 /usr/share/locale/en_US.utf8/LC_MESSAGES/util-linux.mo open no /usr/sbin/fdisk root 28154
11. 09/01/2018 17:55:42 /usr/share/locale/en_US/LC_MESSAGES/util-linux.mo open no /usr/sbin/fdisk root 28155
12. 09/01/2018 17:55:42 /usr/share/locale/en.UTF-8/LC_MESSAGES/util-linux.mo open no /usr/sbin/fdisk root 28156
13. 09/01/2018 17:55:42 /usr/share/locale/en.utf8/LC_MESSAGES/util-linux.mo open no /usr/sbin/fdisk root 28157
14. 09/01/2018 17:55:42 /usr/share/locale/en/LC_MESSAGES/util-linux.mo open no /usr/sbin/fdisk root 28158
[root@rhel7-server ~]# ausearch -p 9038 |aureport -f --summary
File Summary Report
===========================
total file
===========================
1 (null)
1 /sbin/fdisk
1 /etc/ld.so.preload
1 /etc/ld.so.cache
1 /lib64/libblkid.so.1
1 /lib64/libuuid.so.1
1 /lib64/libc.so.6
1 /usr/lib/locale/locale-archive
1 /usr/share/locale/locale.alias
1 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/util-linux.mo
1 /usr/share/locale/en_US.utf8/LC_MESSAGES/util-linux.mo
1 /usr/share/locale/en_US/LC_MESSAGES/util-linux.mo
1 /usr/share/locale/en.UTF-8/LC_MESSAGES/util-linux.mo
1 /usr/share/locale/en.utf8/LC_MESSAGES/util-linux.mo
1 /usr/share/locale/en/LC_MESSAGES/util-linux.mo
====Another Example=====
[root@rhel7-server ~]# autrace -r /bin/pwd
Waiting to execute: /bin/pwd
/root
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 9667'
-r = Limit the syscalls collected to the ones needed for analyzing resource usage. This could help people doing threat modeling, and it saves space in the logs.
[root@rhel7-server ~]# ausearch -p 9667 |aureport -u -i
User ID Report
====================================
# date time auid term host exe event
====================================
1. 09/01/2018 18:21:55 root pts3 ? /usr/bin/pwd 32563
2. 09/01/2018 18:21:55 root pts3 ? /usr/bin/pwd 32564
3. 09/01/2018 18:21:55 root pts3 ? /usr/bin/pwd 32565
4. 09/01/2018 18:21:55 root pts3 ? /usr/bin/pwd 32566
[root@rhel7-server ~]# ausearch -p 9667 |aureport -f -i
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 09/01/2018 18:21:55 (null) execve yes /usr/bin/pwd root 32563
2. 09/01/2018 18:21:55 /etc/ld.so.cache open yes /usr/bin/pwd root 32564
3. 09/01/2018 18:21:55 /lib64/libc.so.6 open yes /usr/bin/pwd root 32565
4. 09/01/2018 18:21:55 /usr/lib/locale/locale-archive open yes /usr/bin/pwd root 32566
[root@rhel7-server ~]# ausearch -p 9667 |aureport --summary
Summary Report
======================
Range of time in logs: 09/01/2018 18:21:55.832 - 09/01/2018 18:21:55.851
Selected time for report: 09/01/2018 18:21:55 - 09/01/2018 18:21:55.851
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 0
Number of users: 1
Number of terminals: 1
Number of host names: 0
Number of executables: 1
Number of files: 5
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 0
Number of process IDs: 1
Number of events: 4
[root@rhel7-server ~]# ausearch -p 9667 |aureport -f --summary
File Summary Report
===========================
total file
===========================
1 (null)
1 /bin/pwd
1 /etc/ld.so.cache
1 /lib64/libc.so.6
1 /usr/lib/locale/locale-archive
To restore the audit system to use the configured audit rule set again, just restart the audit daemon with service auditd restart.
[root@rhel7-server ~]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
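The whole autrace procedure above, wrapped as an added Python example that is not part of the original post: it purges the loaded rules, runs autrace, pulls the PID out of the 'Trace complete' line, pipes ausearch -p into aureport, and restarts auditd afterwards so the configured rule set comes back. The helper names and the sample autrace output are assumptions; running autrace_report() itself needs root and the audit package, while trace_pid() can be tried anywhere.

```python
import os
import re
import subprocess

# Trailer autrace prints (as seen on the page); the PID in it is the only handle on the records.
TRACE_DONE_RE = re.compile(r"ausearch -i -p (\d+)")

# Constructed stand-in for autrace's output, so trace_pid() can be exercised
# on a box without the audit tools.
SAMPLE_AUTRACE_OUTPUT = """\
Waiting to execute: /bin/pwd
/root
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 9667'
"""


def trace_pid(autrace_output):
    """Return the PID named in autrace's 'Trace complete' line, or None."""
    m = TRACE_DONE_RE.search(autrace_output)
    return int(m.group(1)) if m else None


def run(cmd, stdin=None, merge_stderr=False):
    """Run a command and return its stdout (stderr folded in if merge_stderr); raises on failure."""
    return subprocess.run(cmd, input=stdin, text=True, check=True, stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT if merge_stderr else None).stdout


def autrace_report(program, resource_only=False, report_opts=("-f", "-i")):
    """Purge rules, autrace `program`, report on its records, then restore the rule set.

    Same steps as the page: auditctl -D; autrace [-r] PROG; ausearch -p PID |
    aureport OPTS; service auditd restart. Needs root and the audit package.
    """
    if os.geteuid() != 0:
        raise PermissionError("auditctl, autrace, ausearch and aureport need root")
    run(["auditctl", "-D"])  # clear loaded rules so they do not clash with autrace's own
    cmd = ["autrace"] + (["-r"] if resource_only else []) + [program]
    out = run(cmd, merge_stderr=True)  # the traced program's output is mixed in, as on the page
    pid = trace_pid(out)
    if pid is None:
        raise RuntimeError("autrace did not report a PID to search for:\n" + out)
    try:
        # raw records (no -i) so aureport can parse them; ausearch exits non-zero if none match
        records = run(["ausearch", "-p", str(pid)])
        return run(["aureport", *report_opts], stdin=records)
    finally:
        run(["service", "auditd", "restart"])  # reload the rules from the configured rule set
```

autrace_report("/bin/pwd", resource_only=True, report_opts=("-u", "-i")) reproduces the second example on this page end to end.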
Good References,
https://www.novell.com/de-de/documentation/opensuse111/opensuse111_security/data/cha_audit_comp.html