Learn how to see and produce Linux Audit report

Posted: April 9, 2015 in LINUX

In this article I am going to give a detailed walkthrough of the "aureport" Linux tool. It produces summary reports from the audit system logs (the records written by the audit daemon), which makes many otherwise tedious log-analysis tasks much simpler. Below we will see how to use the aureport command to view Linux audit reports.

Full system audit daemon logs:

[root@localhost ~]# aureport

Summary Report
======================
Range of time in logs: 01/25/2015 12:41:21.838 - 04/09/2015 18:06:47.269
Selected time for report: 01/25/2015 12:41:21 - 04/09/2015 18:06:47.269
Number of changes in configuration: 25
Number of changes to accounts, groups, or roles: 22
Number of logins: 15
Number of failed logins: 1
Number of authentications: 18
Number of failed authentications: 1
Number of users: 2
Number of terminals: 9
Number of host names: 2
Number of executables: 8
Number of files: 0
Number of AVC's: 0
Number of MAC events: 12
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 0
Number of process IDs: 79
Number of events: 322

Report about users:

[root@localhost ~]# aureport -u

User ID Report
====================================
# date time auid term host exe event
====================================
1. 01/25/2015 12:42:29 -1 pts/0 ? /sbin/hwclock 6
2. 01/25/2015 14:57:21 -1 :0 ? /usr/sbin/gdm-binary 6
3. 01/25/2015 14:57:21 -1 :0 ? /usr/sbin/gdm-binary 7
4. 01/25/2015 14:57:21 -1 :0 ? /usr/sbin/gdm-binary 8
5. 01/25/2015 14:57:21 0 ? ? ? 9
6. 01/25/2015 14:57:21 0 :0 ? /usr/sbin/gdm-binary 10
7. 01/25/2015 14:57:21 0 :0 localhost.localdomain /usr/sbin/gdm-binary 11
8. 01/25/2015 14:59:09 -1 tty1 ? /bin/login 12
9. 01/25/2015 14:59:09 -1 tty1 ? /bin/login 13
10. 01/25/2015 14:59:10 0 ? ? ? 14
11. 01/25/2015 14:59:10 0 tty1 ? /bin/login 15
12. 01/25/2015 14:59:11 0 tty1 ? /bin/login 16
13. 01/25/2015 14:59:11 0 tty1 ? /bin/login 17
14. 01/25/2015 14:59:11 0 tty1 ? /bin/login 18
15. 01/30/2015 21:30:32 -1 tty1 ? /bin/login 6
16. 01/30/2015 21:30:32 -1 tty1 ? /bin/login 7

Audit report version.

[root@localhost ~]# aureport -v
aureport version 1.7.13
[root@localhost ~]#

Reports about executables.

[root@localhost ~]# aureport -x

Executable Report
====================================
# date time exe term host auid event
====================================
1. 01/25/2015 12:42:29 /sbin/hwclock pts/0 ? -1 6
2. 01/25/2015 14:57:21 /usr/sbin/gdm-binary :0 ? -1 6
3. 01/25/2015 14:57:21 /usr/sbin/gdm-binary :0 ? -1 7
4. 01/25/2015 14:57:21 /usr/sbin/gdm-binary :0 ? -1 8

Report about terminals.
[root@localhost ~]# aureport -tm

Terminal Report
====================================
# date time term host exe auid event
====================================
1. 01/25/2015 12:42:29 pts/0 ? /sbin/hwclock -1 6
2. 01/25/2015 14:57:21 :0 ? /usr/sbin/gdm-binary -1 6
3. 01/25/2015 14:57:21 :0 ? /usr/sbin/gdm-binary -1 7
4. 01/25/2015 14:57:21 :0 ? /usr/sbin/gdm-binary -1 8
5. 01/25/2015 14:57:21 :0 ? /usr/sbin/gdm-binary 0 10
6. 01/25/2015 14:57:21 :0 localhost.localdomain /usr/sbin/gdm-binary 0 11
7. 01/25/2015 14:59:09 tty1 ? /bin/login -1 12
8. 01/25/2015 14:59:09 tty1 ? /bin/login -1 13
9. 01/25/2015 14:59:10 tty1 ? /bin/login 0 15

Report about only successful events.
[root@localhost ~]# aureport --success

Success Summary Report
======================
Range of time in logs: 01/25/2015 12:41:21.838 - 04/09/2015 18:06:47.269
Selected time for report: 01/25/2015 12:41:21 - 04/09/2015 18:06:47.269
Number of changes in configuration: 25
Number of changes to accounts, groups, or roles: 15
Number of logins: 15
Number of failed logins: 0
Number of authentications: 18
Number of failed authentications: 0
Number of users: 2
Number of terminals: 9
Number of host names: 2
Number of executables: 8
Number of files: 0
Number of AVC's: 0
Number of MAC events: 12
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 0
Number of process IDs: 71
Number of events: 312

Report about MAC events.

[root@localhost ~]# aureport --mac

MAC Report
===================================
# date time auid type success event
===================================
1. 01/25/2015 14:59:10 0 USER_ROLE_CHANGE yes 15
2. 01/30/2015 21:30:32 0 USER_ROLE_CHANGE yes 9
3. 01/30/2015 21:36:39 0 USER_ROLE_CHANGE yes 9
4. 02/05/2015 03:20:44 0 USER_ROLE_CHANGE yes 9
5. 02/09/2015 18:18:32 0 USER_ROLE_CHANGE yes 9
6. 02/15/2015 02:16:51 0 USER_ROLE_CHANGE yes 9
7. 02/15/2015 02:17:59 500 USER_ROLE_CHANGE yes 17
8. 02/15/2015 02:32:08 500 USER_ROLE_CHANGE yes 33
9. 02/20/2015 02:05:50 0 USER_ROLE_CHANGE yes 15
10. 03/03/2015 11:30:42 0 USER_ROLE_CHANGE yes 9
11. 04/08/2015 13:03:45 0 USER_ROLE_CHANGE yes 17
12. 04/09/2015 16:14:45 0 USER_ROLE_CHANGE yes 33

Report about processes.

[root@localhost ~]# aureport --pid

Process ID Report
======================================
# date time pid exe syscall auid event
======================================
1. 01/25/2015 12:41:21 1716 ? 0 -1 6653
2. 01/25/2015 12:42:29 2320 /sbin/hwclock 0 -1 6
3. 01/25/2015 12:44:24 3273 ? 0 -1 6654
4. 01/25/2015 14:32:13 1708 ? 0 -1 7221

Reports about logins.
[root@localhost ~]# aureport --login

Login Report
============================================
# date time auid host term exe success event
============================================
1. 01/25/2015 14:57:21 0 localhost.localdomain :0 /usr/sbin/gdm-binary yes 11
2. 01/25/2015 14:59:11 0 ? tty1 /bin/login yes 18
3. 01/30/2015 21:30:32 0 ? tty1 /bin/login yes 12
4. 01/30/2015 21:36:39 0 ? tty1 /bin/login yes 12
5. 02/05/2015 03:20:44 0 ? tty1 /bin/login yes 12
6. 02/09/2015 18:18:32 0 ? tty3 /bin/login yes 12
7. 02/15/2015 02:16:51 0 ? tty2 /bin/login yes 12
8. 02/15/2015 02:17:59 0 ? tty3 /bin/login yes 20
9. 02/15/2015 02:32:08 0 ? tty3 /bin/login yes 36
10. 02/20/2015 02:05:50 0 ? tty2 /bin/login yes 18
11. 03/03/2015 11:30:42 0 ? tty2 /bin/login yes 12
12. 03/31/2015 23:46:33 0 localhost.localdomain :0 /usr/sbin/gdm-binary yes 11
13. 04/08/2015 12:30:37 unknown: localhost.localdomain :0 /usr/sbin/gdm-binary no 7
14. 04/08/2015 13:03:45 0 ? tty3 /bin/login yes 20
15. 04/09/2015 16:14:45 0 ? tty4 /bin/login yes 36
16. 04/09/2015 18:06:47 0 localhost.localdomain :0 /usr/sbin/gdm-binary yes 54

Reports about account modification.
[root@localhost ~]# aureport -m

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 02/15/2015 02:17:47 0 ? tty2 /usr/bin/passwd ? yes 13
2. 04/01/2015 00:28:02 0 ? pts/1 /usr/bin/passwd ? yes 18
3. 04/01/2015 00:29:47 0 ? pts/1 /usr/bin/passwd ? no 19
4. 04/01/2015 00:30:11 0 ? pts/1 /usr/bin/passwd ? no 20
5. 04/01/2015 00:30:20 0 ? pts/1 /usr/bin/passwd ? yes 21
6. 04/01/2015 00:32:12 0 ? pts/1 /usr/sbin/usermod ? yes 22
7. 04/01/2015 00:34:57 0 ? pts/1 /usr/bin/passwd satish yes 23
8. 04/01/2015 00:34:57 0 ? pts/1 /usr/bin/passwd ? yes 24
9. 04/01/2015 00:36:36 0 ? pts/1 /usr/sbin/usermod ? yes 25
10. 04/01/2015 00:37:42 0 ? pts/1 /usr/sbin/usermod ? yes 26
11. 04/01/2015 00:46:01 0 ? pts/1 /usr/bin/passwd ? no 27
12. 04/01/2015 00:46:09 0 ? pts/1 /usr/sbin/usermod ? yes 28
13. 04/01/2015 00:46:10 0 ? pts/1 /usr/bin/passwd ? no 29
14. 04/01/2015 00:46:24 0 ? pts/1 /usr/sbin/usermod ? yes 30
15. 04/01/2015 00:46:27 0 ? pts/1 /usr/bin/passwd ? no 31
16. 04/01/2015 00:55:51 0 ? pts/1 /usr/bin/passwd ? yes 32
17. 04/01/2015 00:55:59 0 ? pts/1 /usr/bin/passwd ? no 33
18. 04/01/2015 00:57:47 0 ? pts/1 /usr/bin/passwd ? yes 34
19. 04/01/2015 00:57:50 0 ? pts/1 /usr/bin/passwd ? no 35
20. 04/01/2015 01:02:05 0 ? pts/1 /usr/bin/chage ? yes 42
21. 04/01/2015 01:02:57 0 ? pts/1 /usr/bin/chage ? yes 43
22. 04/01/2015 01:03:01 0 ? pts/1 /usr/bin/chage ? yes 44
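The login and account-modification reports above share one table layout: a "# col col ..." header line followed by numbered rows. The following parser, added here as an example and not part of the original article, reads that layout generically and pulls out the rows a reviewer cares about (success=no rows, and a tally by executable). The sample rows embedded below are copied from the reports shown in this article; the function names are my own.

```python
import re

# Constructed sample: rows copied from the article's `aureport --login` output.
LOGIN_REPORT = """\
Login Report
============================================
# date time auid host term exe success event
============================================
1. 01/25/2015 14:57:21 0 localhost.localdomain :0 /usr/sbin/gdm-binary yes 11
2. 01/25/2015 14:59:11 0 ? tty1 /bin/login yes 18
13. 04/08/2015 12:30:37 unknown: localhost.localdomain :0 /usr/sbin/gdm-binary no 7
"""

# Constructed sample: rows copied from the article's `aureport -m` output.
ACCT_REPORT = """\
Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
3. 04/01/2015 00:29:47 0 ? pts/1 /usr/bin/passwd ? no 19
6. 04/01/2015 00:32:12 0 ? pts/1 /usr/sbin/usermod ? yes 22
7. 04/01/2015 00:34:57 0 ? pts/1 /usr/bin/passwd satish yes 23
11. 04/01/2015 00:46:01 0 ? pts/1 /usr/bin/passwd ? no 27
"""

ROW_RE = re.compile(r"^\d+\.\s+")   # numbered data rows: "13. 04/08/2015 ..."


def parse_report(text):
    """Turn one aureport table into a list of dicts keyed by its header names."""
    columns, rows = None, []
    for line in text.splitlines():
        if line.startswith("# "):                 # "# date time auid ..." header
            columns = line[2:].split()
        elif columns and ROW_RE.match(line):
            fields = ROW_RE.sub("", line).split()
            if len(fields) == len(columns):       # drop rows that do not fit the header
                rows.append(dict(zip(columns, fields)))
    return rows

def failed_rows(rows):
    """Rows aureport marked success=no: failed logins, failed password changes."""
    return [r for r in rows if r.get("success") == "no"]

def count_by(rows, column):
    """Tally rows by one column, e.g. which executable touched accounts."""
    counts = {}
    for r in rows:
        counts[r[column]] = counts.get(r[column], 0) + 1
    return counts
```

Feed it `aureport --login` or `aureport -m` output captured from your own system; the failed rows are the ones to cross-check against `ausearch` by event number.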

Report about hosts.
[root@localhost ~]# aureport -h

Host Report
===================================
# date time host syscall auid event
===================================
1. 01/25/2015 12:42:29 ? 0 -1 6
2. 01/25/2015 14:57:21 ? 0 -1 6
3. 01/25/2015 14:57:21 ? 0 -1 7
4. 01/25/2015 14:57:21 ? 0 -1 8
5. 01/25/2015 14:57:21 ? 0 0 10
6. 01/25/2015 14:57:21 localhost.localdomain 0 0 11

Report about files.
[root@localhost ~]# aureport -f

File Report
===============================================
# date time file syscall success exe auid event
===============================================
<no events of interest were found>

Reports about configuration changes.
[root@localhost ~]# aureport --config

Config Change Report
===================================
# date time type auid success event
===================================
1. 01/25/2015 12:41:21 CONFIG_CHANGE -1 yes 4
2. 01/25/2015 12:41:22 CONFIG_CHANGE -1 yes 5
3. 01/25/2015 12:42:29 USYS_CONFIG -1 yes 6
4. 01/25/2015 14:32:13 CONFIG_CHANGE -1 yes 4
5. 01/25/2015 14:32:14 CONFIG_CHANGE -1 yes 5
6. 01/30/2015 21:27:32 CONFIG_CHANGE -1 yes 4
7. 01/30/2015 21:27:32 CONFIG_CHANGE -1 yes 5
8. 01/30/2015 21:35:36 CONFIG_CHANGE -1 yes 4
9. 01/30/2015 21:35:37 CONFIG_CHANGE -1 yes 5
10. 02/05/2015 03:19:54 CONFIG_CHANGE -1 yes 4
11. 02/05/2015 03:19:54 CONFIG_CHANGE -1 yes 5
12. 02/09/2015 18:17:36 CONFIG_CHANGE -1 yes 4
13. 02/09/2015 18:17:36 CONFIG_CHANGE -1 yes 5
14. 02/15/2015 02:16:03 CONFIG_CHANGE -1 yes 4
15. 02/15/2015 02:16:03 CONFIG_CHANGE -1 yes 5
16. 02/20/2015 01:52:15 CONFIG_CHANGE -1 yes 4
17. 02/20/2015 01:52:15 CONFIG_CHANGE -1 yes 5
18. 03/03/2015 11:29:41 CONFIG_CHANGE -1 yes 4
19. 03/03/2015 11:29:41 CONFIG_CHANGE -1 yes 5
20. 03/31/2015 23:45:03 CONFIG_CHANGE -1 yes 4
21. 03/31/2015 23:45:03 CONFIG_CHANGE -1 yes 5
22. 04/08/2015 12:02:39 CONFIG_CHANGE -1 yes 4
23. 04/08/2015 12:02:39 CONFIG_CHANGE -1 yes 5
24. 04/09/2015 12:32:29 CONFIG_CHANGE -1 yes 4
25. 04/09/2015 12:32:29 CONFIG_CHANGE -1 yes 5

Reports about events.
[root@localhost ~]# aureport -e

Event Report
===================================
# date time event type auid success
===================================
1. 01/25/2015 12:41:21 6653 DAEMON_START -1 yes
2. 01/25/2015 12:41:21 4 CONFIG_CHANGE -1 yes
3. 01/25/2015 12:41:22 5 CONFIG_CHANGE -1 yes
4. 01/25/2015 12:42:29 6 USYS_CONFIG -1 yes
5. 01/25/2015 12:44:24 6654 DAEMON_END -1 yes
6. 01/25/2015 14:32:13 7221 DAEMON_START -1 yes
7. 01/25/2015 14:32:13 4 CONFIG_CHANGE -1 yes
8. 01/25/2015 14:32:14 5 CONFIG_CHANGE -1 yes
9. 01/25/2015 14:57:21 6 USER_AUTH -1 yes
10. 01/25/2015 14:57:21 7 USER_ACCT -1 yes
11. 01/25/2015 14:57:21 8 CRED_ACQ -1 yes
12. 01/25/2015 14:57:21 9 LOGIN 0 yes
13. 01/25/2015 14:57:21 10 USER_START 0 yes
14. 01/25/2015 14:57:21 11 USER_LOGIN 0 yes
15. 01/25/2015 14:59:09 12 USER_AUTH -1 yes
16. 01/25/2015 14:59:09 13 USER_ACCT -1 yes
17. 01/25/2015 14:59:10 14 LOGIN 0 yes
18. 01/25/2015 14:59:10 15 USER_ROLE_CHANGE 0 yes
19. 01/25/2015 14:59:11 16 USER_START 0 yes

Comments
  1. There is no need to install any extra software or to configure any third-party software. When you install Red Hat Enterprise Linux you get this command by default in your Linux box, so you can say you already have the software installed and you only have to start auditing using the commands I have mentioned in this article. I hope it will work for you, and if it doesn't work, let me know.


  2. Ehsan says:

    how to install and configure it ??

