LINUX AND VMWARE STUFF

This Blog is to share our knowledge and expertise on Linux System Administration and VMware Administration

Friday, October 5, 2018

Home / Linux General / Digging audit log with ausearch tool in RHEL 7

Digging audit log with ausearch tool in RHEL 7

by on in
ausearch is a tool to search audit daemon logs based upon the events based on different search criteria.

  Audit system stores log entries in the /var/log/audit/audit.log file; if log rotation is enabled, rotated audit.log files are stored in the same directory.

 Each event consists of three records, which share the same time stamp. Each record consists of several name=value pairs separated by a white space or a comma. 

 type=SYSCALL msg=audit(1510471123.129:36): arch=c000003e syscall=175 success=yes exit=0 a0=1901a20 a1=1c5d a2=41a2d8 a3=18fe400 items=0 ppid=7 24 pid=725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmo d" subj=system_u:system_r:insmod_t:s0 key=(null)
type=PROCTITLE msg=audit(1510471123.129:36): proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F6D616E676C65
type=NETFILTER_CFG msg=audit(1510471123.276:37): table=nat family=2 entries=0

 Here, ausearch utility allows us to search Audit log files for specific events. Also it is used to read the audit log timestamp to user readable timestamp by using -i (--interpret) option.

 Example:

 1.Search for hostname with given hostname specific.

 [root@nsk ~]# ausearch -i -hn nsk.testingserver.internal
----
type=USER_AUTH msg=audit(10/04/2018 12:32:02.610:75) : pid=1617 uid=root auid=unset ses=unset subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_permit acct=gdm exe=/usr/libexec/gdm-session-worker hostname=nsk.testingserver.internal addr=? terminal=/dev/tty1 res=success'
----

 2. Search only the first event that matches the search pattern.

 [root@nsk ~]# ausearch -i -hn nsk.testingserver.internal --just-one
----
type=USER_AUTH msg=audit(10/04/2018 12:32:02.610:75) : pid=1617 uid=root auid=unset ses=unset subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_permit acct=gdm exe=/usr/libexec/gdm-session-worker hostname=nsk.testingserver.internal addr=? terminal=/dev/tty1 res=success'
[root@nsk ~]#

 3. Search for all logged actions performed by user nsk, using the user's login ID (auid). 

 [root@nsk log]# ausearch -ua 1001 -i
----
type=LOGIN msg=audit(12/04/2017 11:39:18.052:156) : pid=1433 uid=root subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=unset auid=nsk tty=(none) old-ses=4294967295 ses=2 res=yes
----
type=USER_ROLE_CHANGE msg=audit(12/04/2017 11:39:18.991:157) : pid=1433 uid=root auid=nsk ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe=/usr/sbin/sshd hostname=nsk addr=fe80::f24d:eb49:d219:6b0 terminal=ssh res=success'

 4. Search for an event matching the given Process ID.

 [root@nsk ~]# ausearch -i -p 2162
----
type=CRYPTO_SESSION msg=audit(10/05/2018 13:07:54.052:118) : pid=2162 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 mac=hmac-sha2-256 pfs=curve25519-sha256@libssh.org spid=2163 suid=sshd rport=50935 laddr=10.0.2.15 lport=22  exe=/usr/sbin/sshd hostname=? addr=10.0.2.2 terminal=? res=success'
----

 5. Search the /var/log/audit/audit.log file for successful login attempts

 [root@nsk log]# ausearch --message USER_LOGIN --success yes --interpret
----
type=USER_LOGIN msg=audit(11/12/2017 13:04:08.279:110) : pid=662 uid=root auid=root ses=2 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
msg='op=login id=root exe=/usr/bin/login hostname=nsk addr=? terminal=tty1 res=success'
----
type=USER_LOGIN msg=audit(11/12/2017 13:05:46.297:107) : pid=1242 uid=root auid=root ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c
0.c1023 msg='op=login id=root exe=/usr/sbin/sshd hostname=10.0.2.2 addr=10.0.2.2 terminal=/dev/pts/0 res=success'
----

 6. Search for all account and group activities.

 [root@nsk log]# ausearch -m ADD_USER -m DEL_USER -m ADD_GROUP -m DEL_GROUP -i
----
type=ADD_GROUP msg=audit(11/15/2017 22:05:29.396:169) : pid=15764 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 msg='op=add-group id=dovecot exe=/usr/sbin/groupadd hostname=? addr=? terminal=? res=success'
----
type=ADD_USER msg=audit(11/15/2017 22:05:29.431:171) : pid=15769 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=add-user id=dovecot exe=/usr/sbin/useradd hostname=? addr=? terminal=? res=success'

 7. Search for all failed PROCTITLE from yesterday up until now

 [root@nsk log]# ausearch --start yesterday --end now -m PROCTITLE -sv no -i
----
type=PROCTITLE msg=audit(10/03/2018 18:00:02.623:71) : proctitle=/usr/sbin/httpd -DFOREGROUND
type=SYSCALL msg=audit(10/03/2018 18:00:02.623:71) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x560fb5acc008 a1=O_RDONLY a2=0x1b6 a3=0x24 items=0 ppid=1 pid=1145 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(10/03/2018 18:00:02.623:71) : avc:  denied  { read } for  pid=1145 comm=httpd name=php-mapi.cfg dev="dm-0" ino=19498435 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zarafa_etc_t:s0 tclass=file

 Please refer man ausearch for more option.
By v�o l�c
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)