Working with ausearch and aureport to analyse audit logs on a RHEL system.
The auditing system ships with the ausearch command, which is a powerful tool for searching audit logs.
aureport is a companion tool that produces summary reports from the audit system logs.
Searching For and Viewing SELinux Denials
A number of tools are available for viewing SELinux denials, such as ausearch, aureport and sealert.
List all denials:
# ausearch -m avc
List denials since system boot:
# ausearch -m avc --start boot
List denials for the mysqld process (matched by command name):
# ausearch -m avc -c mysqld
Generating Reports
Generate an AVC object summary report:
# aureport -a
Avc Object Summary Report
=================================
total obj
=================================
1 system_u:object_r:unreserved_port_t:s0
Generate a summary report for all login events:
# aureport -i --login --summary
Login Summary Report
============================
total auid
============================
40 vince
24 root
20 alice
8 sandy
1 (unknown)
Generate an executable summary report of command executions:
# aureport -i --executable --summary
Executable Summary Report
=================================
total file
=================================
2634 /usr/sbin/crond
2019 /usr/sbin/sshd
976 /usr/lib/systemd/systemd
539 /usr/sbin/xtables-multi
100 /usr/bin/kmod
96 /usr/sbin/ebtables-restore
45 /usr/bin/login
24 /usr/bin/su
21 /usr/lib/systemd/systemd-update-utmp
12 /usr/sbin/useradd
12 /usr/bin/passwd
7 /usr/sbin/groupadd
6 /usr/sbin/faillock
3 /usr/sbin/sshd;5cfab207 (deleted)
2 /usr/sbin/load_policy
2 /usr/bin/sudo
1 /usr/bin/python2.7
1 /usr/sbin/semanage
Retrieve Records Based on Audit Event ID
Find the last login event:
# aureport -i --login | tail -n1
93. 30/06/19 12:41:28 alice 10.11.1.10 /dev/pts/2 /usr/sbin/sshd yes 3197
Retrieve the full record for the last login event, using the event ID (3197) from the last column of the report:
# ausearch -i -a 3197
----
type=USER_LOGIN msg=audit(30/06/19 12:41:28.984:3197) : pid=8565 uid=root auid=alice ses=211 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=alice exe=/usr/sbin/sshd hostname=10.11.1.10 addr=10.11.1.10 terminal=/dev/pts/2 res=success'
Export the same record in CSV format:
# ausearch -a 3197 --format csv
NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
,USER_LOGIN,30/06/19,12:41:28,3197,user-login,211,alice,,,logged-in,success,/dev/pts/2,,user-session,/usr/sbin/sshd
Hello,
How could I use aureport on a sosreport file? I am trying to count login attempts from a sosreport but I'm not sure how.
I've never used aureport for that. As far as I'm aware it works with the audit system logs in particular; not sure about sosreport.
You may extract the sosreport and, once extracted, refer to the following to locate the audit file in the extracted sosreport.
Example
aureport -if <extracted audit.log file> -l --summary -i
Here -if is the input file name:
-if, --input file
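As an added example (not code from the original post or its comments), a small Python parser for raw audit.log records of the kind ausearch displays above, which tallies USER_LOGIN outcomes per account and failed attempts per source address the way aureport --login --summary does; it assumes the audit.log taken from an extracted sosreport (or /var/log/audit/audit.log directly), and the sample records and the uid-to-name map are constructed.

```python
import re
from collections import Counter

# Constructed sample records in raw /var/log/audit/audit.log form (not taken from the page).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1561898488.984:3197): pid=8565 uid=0 auid=1001 ses=211 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=10.11.1.10 addr=10.11.1.10 terminal=/dev/pts/2 res=success'
type=USER_LOGIN msg=audit(1561898501.120:3201): pid=8590 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.11.1.99 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1561898505.300:3202): pid=8590 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.11.1.99 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1561898530.010:3210): pid=8601 uid=0 auid=0 ses=212 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=10.11.1.10 addr=10.11.1.10 terminal=/dev/pts/3 res=success'
type=CRED_ACQ msg=audit(1561898530.012:3211): pid=8601 uid=0 auid=0 ses=212 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/sbin/sshd" hostname=10.11.1.10 addr=10.11.1.10 terminal=ssh res=success'
"""

# Record header (type, timestamp, serial), then key=value pairs whose value is "quoted", 'quoted' or bare.
HDR_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

def parse_record(line):
    """Parse one raw audit record into a dict; the fields of the nested
    msg='...' payload (op, id/acct, addr, res, ...) are merged into it."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in KV_RE.findall(m.group(4)):
        if key == "msg" and val.startswith("'"):
            for k2, v2 in KV_RE.findall(val[1:-1]):
                rec[k2] = v2.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec

def login_summary(log_text, uid_names=None):
    """Count USER_LOGIN outcomes per account and failed attempts per source address.
    Successful logins carry the numeric uid in id=, failures carry acct="name";
    the optional uid_names map (constructed) resolves uids as aureport -i would."""
    uid_names = uid_names or {}
    per_account, failed_by_addr = {}, Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec["type"] != "USER_LOGIN":
            continue
        account = rec.get("acct") or uid_names.get(rec.get("id"), rec.get("id", "(unknown)"))
        outcome = rec.get("res", "unknown")
        per_account.setdefault(account, Counter())[outcome] += 1
        if outcome == "failed":
            failed_by_addr[rec.get("addr", "?")] += 1
    return per_account, failed_by_addr

if __name__ == "__main__":
    print(login_summary(SAMPLE_LOG, {"0": "root", "1001": "alice"}))
```

Point it at a real file with `login_summary(open(path).read(), ...)`; the CRED_ACQ line in the sample is there to show that non-login record types are skipped.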