I. Overview
In the previous article (Understanding Linux Audit Service) we analyzed the structure of the Audit service, its configuration, and how to read the meaning of the Audit log. This article describes how to use the three tools that come with Audit, aureport, ausearch and autrace, to statistically analyze and trace the audit logs.
II. Aureport
The raw audit log is stored in the /var/log/audit directory. These logs are large and hard to read; aureport makes it easy to turn them into quantified statistical reports:
aureport -if myfile  # aureport with no other parameters, given only an audit log file via -if, prints the overall summary report for that file; if no file is specified, it reports on the current audit log.

Summary Report
======================
Range of time in logs: 03/02/09 14:13:38.225 - 17/02/09 14:52:27.971
Selected time for report: 03/02/09 14:13:38 - 17/02/09 14:52:27.971
Number of changes in configuration: 13
Number of changes to accounts, groups, or roles: 0
Number of logins: 6
Number of failed logins: 13
Number of authentications: 7
Number of failed authentications: 573
Number of users: 1
Number of terminals: 9
Number of host names: 4
Number of executables: 17
Number of files: 279
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 994
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 1211
Number of events: 5320
aureport -l
aureport -l -ts 14:00 -te 15:00 -if myfile  # for the log file myfile, report the user logins between 14:00 and 15:00.

Login Report
============================================
# date time auid host term exe success event
============================================
1. 17/02/09 14:21:09 root 192.168.2.100 sshd /usr/sbin/sshd no 7718
2. 17/02/09 14:21:15 0 jupiter /dev/pts/3 /usr/sbin/sshd yes 7724
aureport --failed / --success
aureport --failed  # statistics for failed events only; for successful events use aureport --success

Failed Summary Report
======================
Range of time in logs: 03/02/09 14:13:38.225 - 17/02/09 14:57:35.183
Selected time for report: 03/02/09 14:13:38 - 17/02/09 14:57:35.183
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 13
Number of authentications: 0
Number of failed authentications: 574
Number of users: 1
Number of terminals: 5
Number of host names: 4
Number of executables: 11
Number of files: 77
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 994
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 708
Number of events: 1583
aureport -u -i --summary  # overall statistics of events per user

User Summary Report
===========================
total  auid
===========================
5640  root
      tux
3  wilber
aureport -e -ts 14:00 -te 14:21  # list the events from 14:00 to 14:21.

Event Report
===================================
# date time event type auid success
===================================
1. 17/02/09 14:20:27 7462 DAEMON_START 0 yes
2. 17/02/09 14:20:27 7715 CONFIG_CHANGE 0 yes
3. 17/02/09 14:20:57 7716 USER_END 0 yes
4. 17/02/09 14:20:57 7717 CRED_DISP 0 yes
5. 17/02/09 14:21:09 7718 USER_LOGIN -1 no
6. 17/02/09 14:21:15 7719 USER_AUTH -1 yes
7. 17/02/09 14:21:15 7720 USER_ACCT -1 yes
8. 17/02/09 14:21:15 7721 CRED_ACQ -1 yes
9. 17/02/09 14:21:15 7722 LOGIN 0 yes
10. 17/02/09 14:21:15 7723 USER_START 0 yes
11. 17/02/09 14:21:15 7724 USER_LOGIN 0 yes
12. 17/02/09 14:21:15 7725 CRED_REFR 0 yes
aureport -p  # information on all events, per process

Process ID Report
======================================
# date time pid exe syscall auid event
======================================
1. 13/02/09 15:30:01 32742 /usr/sbin/cron 0 0 35
2. 13/02/09 15:30:01 32742 /usr/sbin/cron 0 0 36
3. 13/02/09 15:38:34 32734 /usr/lib/gdm/gdm-session-worker 0 -1 37
aureport -s  # system call report

Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 16/02/09 17:45:01 2 20343 cron -1 2279
2. 16/02/09 17:45:02 20350 mktemp 0 2284
3. 16/02/09 17:45:02 20351 mkdir 0 2285
aureport -x  # view the audit log from the executable's point of view

Executable Report
====================================
# date time exe term host auid event
====================================
1. 13/02/09 15:08:26 /usr/sbin/sshd sshd 192.168.2.100 -1 12
2. 13/02/09 15:08:28 /usr/lib/gdm/gdm-session-worker :0 ? -1 13
3. 13/02/09 15:08:28 /usr/sbin/sshd ssh 192.168.2.100 -1 14
aureport -f  # generate a report of file-related events

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 16/02/09 17:45:01 /etc/shadow 2 yes /usr/sbin/cron -1 2279
2. 16/02/09 17:45:02 /tmp/ 83 yes /bin/mktemp 0 2284
3. 16/02/09 17:45:02 /var no /bin/mkdir 0 2285
aureport -u  # report of the commands users ran on the system

User ID Report
====================================
# date time auid term host exe event
====================================
1. 13/02/09 15:08:26 -1 sshd 192.168.2.100 /usr/sbin/sshd 12
2. 13/02/09 15:08:28 -1 :0 ? /usr/lib/gdm/gdm-session-worker 13
3. 14/02/09 08:25:39 -1 ssh 192.168.2.101 /usr/sbin/sshd 14
aureport -l -i  # report of user login events

Login Report
============================================
# date time auid host term exe success event
============================================
1. 13/02/09 15:08:31 tux 192.168.2.100 sshd /usr/sbin/sshd no 19
2. 16/02/09 12:39:05 root 192.168.2.101 sshd /usr/sbin/sshd no 2108
3. 17/02/09 15:29:07 geeko ? tty3 /bin/login yes 7809
aureport -t  # show the start and end times of the records contained in the audit log file

Time Range Report
=====================
/var/log/audit/audit.log: 03/02/09 14:13:38.225 - 17/02/09 15:30:01.636
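The summary reports above are easiest to act on when a script checks their counts against a baseline. The following is an added example, not part of the original article or of the audit package: it parses a constructed "aureport --failed" summary (the field names match the report format shown above; the counts are sample values) and flags failed logins and failed authentications that exceed given thresholds.

```shell
#!/bin/sh
# Constructed sample of an "aureport --failed" summary; the counts are made up for the example.
sample_failed_summary() {
cat <<'EOF'
Failed Summary Report
======================
Range of time in logs: 03/02/09 14:13:38.225 - 17/02/09 14:57:35.183
Number of failed logins: 13
Number of failed authentications: 574
Number of failed syscalls: 994
Number of events: 1583
EOF
}

# summary_value <field>: read a summary on stdin and print the count of the line
# "Number of <field>: N"; prints -1 when the field is absent from the report.
summary_value() {
  awk -F': ' -v f="Number of $1" '
    $1 == f { print $2; found = 1 }
    END { if (!found) print -1 }'
}

# check_failed_summary <max failed logins> <max failed authentications>
# Reads an "aureport --failed" summary on stdin, prints one ALERT line per threshold
# that is exceeded, and returns 1 if any threshold was exceeded (0 otherwise).
check_failed_summary() {
  max_logins=$1; max_auths=$2
  report=$(cat)
  logins=$(printf '%s\n' "$report" | summary_value "failed logins")
  auths=$(printf '%s\n' "$report" | summary_value "failed authentications")
  rc=0
  if [ "$logins" -gt "$max_logins" ]; then
    echo "ALERT: $logins failed logins (threshold $max_logins)"; rc=1
  fi
  if [ "$auths" -gt "$max_auths" ]; then
    echo "ALERT: $auths failed authentications (threshold $max_auths)"; rc=1
  fi
  return $rc
}

# Demonstration on the constructed sample (on a live system pipe in
# "aureport --failed -ts today" instead).
sample_failed_summary | check_failed_summary 10 500
```
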
III. Ausearch
aureport gives us a summary of the log as a whole; if we are interested in a particular event, we can filter out the records we want with ausearch.
ausearch -option -if myfile
A specific log file can be given for analysis with -if. Adding -i converts the data into a human-readable form, for example resolving user IDs to names and decoding the hex-encoded cmd field into ASCII.
ausearch -a 5207  # search the current audit log for the event whose event ID equals 5207

----
time->Tue Feb 13:43:58
type=PATH msg=audit(1234874638.599:5207): item=0 name="/var/log/audit/audit.log" inode=1219041 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1234874638.599:5207): cwd="/root"
ausearch -m   # search by message type
ausearch -ul  # search by login ID
ausearch -ua  # search by uid and euid
ausearch -ui  # search by uid
ausearch -ue  # search by euid
ausearch -ga  # search by gid and egid
ausearch -gi  # search by gid
ausearch -ge  # search by egid
ausearch -c   # search by command name
ausearch -x   # search by executable
ausearch -sc  # search by syscall
ausearch -p   # search by pid
ausearch -sv  # search by syscall return value (yes/no)
ausearch -f   # search by file name
ausearch -tm  # search by terminal (term/ssh/tty)
ausearch -hn  # search by host name
ausearch -k   # search by a specific key
ausearch -w   # search by the string set in the audit rule
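Two of the behaviours above, grouping all records of one event by its serial (ausearch -a) and interpreting a hex-encoded field (ausearch -i), are simple to reproduce by hand, which helps when reading a raw audit.log copied off a host. This is an added example written for this article, not code from the audit project; the audit.log excerpt is constructed for the example, and the event serial 5207 and file path reuse the values shown in the ausearch -a output above.

```shell
#!/bin/sh
# Constructed audit.log excerpt: one multi-record event (serial 5207) and one unrelated
# USER_LOGIN event (serial 5208). Sample records, not from a real host.
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=3 pid=4330 auid=0 uid=0 comm="cat" exe="/bin/cat" key="audit-log-read"
type=CWD msg=audit(1234874638.599:5207): cwd="/root"
type=PATH msg=audit(1234874638.599:5207): item=0 name="/var/log/audit/audit.log" inode=1219041 dev=08:06 mode=0100644 ouid=0 ogid=0
type=PROCTITLE msg=audit(1234874638.599:5207): proctitle=636174002F7661722F6C6F672F61756469742F61756469742E6C6F67
type=USER_LOGIN msg=audit(1234874700.100:5208): pid=4400 uid=0 auid=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=192.168.2.100 res=failed'
EOF
}

# event_records <serial>: print every record belonging to one event, the grouping that
# "ausearch -a <serial>" performs. The records of one event are separate lines that share
# the same msg=audit(<timestamp>:<serial>) stamp.
event_records() {
  awk -v want="$1" '
    match($0, /msg=audit\([0-9.]+:[0-9]+\)/) {
      id = substr($0, RSTART, RLENGTH)
      sub(/.*:/, "", id); sub(/\)/, "", id)
      if (id == want) print
    }'
}

# decode_proctitle: render the hex-encoded proctitle field as the argv string, showing the
# NUL separators as spaces (the interpretation "ausearch -i" applies to that field).
decode_proctitle() {
  sed -n 's/.*proctitle=\([0-9A-Fa-f]*\).*/\1/p' | awk '
    function hexval(h,   i, v) {
      v = 0
      for (i = 1; i <= length(h); i++)
        v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
      return v
    }
    {
      out = ""
      for (i = 1; i <= length($0); i += 2) {
        c = hexval(substr($0, i, 2))
        out = out (c == 0 ? " " : sprintf("%c", c))
      }
      print out
    }'
}

# Demonstration: the four records of event 5207, then its decoded command line.
sample_audit_log | event_records 5207
sample_audit_log | event_records 5207 | decode_proctitle
```
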
IV. Autrace
To check whether a rule is taking effect, we often trace a specified process; the log generated by autrace is stored in /var/log/audit/audit.log. When using autrace to trace a process, to make sure autrace does not conflict with the logs generated by previously loaded audit rules, first use auditctl -D to delete all audit rules; when autrace has finished, use systemctl restart auditd to restart the audit service.
autrace /usr/bin/...
ausearch -i -p 7642  # once the trace completes, view the records autrace produced for the traced process (pid 7642)
V. Visualization of logs
aureport -e -i --summary  # count events by type

Event Summary Report
======================
total  type
======================
2434  SYSCALL
816  USER_START
816  USER_ACCT
814  CRED_ACQ
810  LOGIN
806  CRED_DISP
779  USER_END
     CONFIG_CHANGE

aureport -e -i --summary | mkbar events  # count events by type and draw a bar chart of the result.
This covers the tools the audit service provides for working with the audit log; audisp, the dispatcher that forwards audit events in real time to each application, is omitted. The next article will list all audit record types as a lookup reference.
Linux Audit Log Analysis Tools: aureport, ausearch, autrace