How to use Aureport command on Linux
To use aureport command on Linux
Aureport is a tool that produces summary reports from the audit system logs. It can also take input from stdin as long as the input is raw audit log data. Each report has a column label at the top to help with interpreting the fields. Except for the main summary report, every row carries the audit event number, so you can look up the full event with ausearch -a <event number>. Because audit event serial numbers restart when the system boots, one number can match more than one event in a long log history; if you get multiple hits, narrow the search with start and end times (-ts and -te). The reports produced by aureport can be used as building blocks for more complicated analysis. aureport is not a complex command; by the end of this tutorial you will know how to use it to generate the various reports.
Using aureport
To get the summary report, simply run aureport with no options. It prints the summary shown below.
[root@linuxhelp ~]# aureport
Summary Report
======================
Range of time in logs: 08/04/2017 17:17:36.535 - 11/24/2017 17:50:01.537
Selected time for report: 08/04/2017 17:17:36 - 11/24/2017 17:50:01.537
Number of changes in configuration: 6
Number of changes to accounts, groups, or roles: 1
Number of logins: 2
Number of failed logins: 1
Number of authentications: 3
Number of failed authentications: 1
Number of users: 2
Number of terminals: 7
Number of host names: 1
Number of executables: 8
Number of commands: 1
Number of files: 0
Number of AVC's: 0
Number of MAC events: 4
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 4
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 43
Number of events: 201
To generate the authentication report, run aureport with the -au option. The success column shows whether each attempt succeeded, and the event column is the number to pass to ausearch -a when you need the full record.
[root@linuxhelp ~]# aureport -au
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 08/04/2017 12:53:20 ? ? :0 /usr/libexec/gdm-session-worker no 55
2. 08/04/2017 12:53:31 root ? :0 /usr/libexec/gdm-session-worker yes 57
3. 08/04/2017 13:02:15 root ? pts/1 /usr/sbin/userhelper yes 77
4. 08/04/2017 14:25:15 root ? :0 /usr/libexec/gdm-session-worker yes 5
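As an added example (not part of the original tutorial), the script below does the triage the text describes on an Authentication Report: it keeps the rows whose success column is "no", counts them per account@host, and prints the ausearch -a pivot for each one, bounded to the row's calendar day with -ts/-te so a serial number re-used after a reboot cannot match. The report text embedded in the script is constructed in the layout shown above (the sshd rows and their event numbers are invented); on a live host pipe the real report in instead.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: triage an "aureport -au"
# Authentication Report read from stdin. The SAMPLE_AUTH_REPORT text is
# CONSTRUCTED to match the report layout shown on the page; on a live host
# run:  aureport -au | triage_auth_report

SAMPLE_AUTH_REPORT='Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 08/04/2017 12:53:20 ? ? :0 /usr/libexec/gdm-session-worker no 55
2. 08/04/2017 12:53:31 root ? :0 /usr/libexec/gdm-session-worker yes 57
3. 08/04/2017 13:02:15 root ? pts/1 /usr/sbin/userhelper yes 77
4. 11/24/2017 18:04:31 root 192.168.7.219 ssh /usr/sbin/sshd no 5530
5. 11/24/2017 18:04:34 root 192.168.7.219 ssh /usr/sbin/sshd no 5533
6. 11/24/2017 18:04:37 root 192.168.7.219 ssh /usr/sbin/sshd no 5536
7. 11/24/2017 18:04:39 root 192.168.7.219 ssh /usr/sbin/sshd yes 5538'

# Columns of an -au data row: idx date time acct host term exe success event.
# Keep only data rows (index "N.") whose success column is "no" and print
# them as: event date time acct host exe
failed_auth_rows() {
    awk '$1 ~ /^[0-9]+\.$/ && $8 == "no" {
        printf "%s %s %s %s %s %s\n", $9, $2, $3, $4, $5, $7
    }'
}

# Failures per account@host, most frequent first: "<count> <acct>@<host>"
failed_auth_counts() {
    failed_auth_rows | awk '{ c[$4 "@" $5]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# ausearch pivot for one event number, limited to the calendar day of the
# row so a serial re-used after a reboot is not picked up; -i interprets
# numeric fields (uids, syscalls) into names.
ausearch_pivot() {   # args: event date
    printf 'ausearch -a %s -ts %s 00:00:00 -te %s 23:59:59 -i\n' "$1" "$2" "$2"
}

# Read a report from stdin, print the counts, then one pivot per failure.
triage_auth_report() {
    report=$(cat)
    printf 'Failed authentications per account@host:\n'
    printf '%s\n' "$report" | failed_auth_counts
    printf '\nPivots:\n'
    printf '%s\n' "$report" | failed_auth_rows | while read -r ev d t acct host exe; do
        ausearch_pivot "$ev" "$d"
    done
}

printf '%s\n' "$SAMPLE_AUTH_REPORT" | triage_auth_report
```

The awk filters key on fixed column positions, which is safe here because the -au column set is fixed; a report produced with -i has the same columns, so the same functions apply.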
The aureport command can also produce the executables report, which lists every executable that generated audit events together with the terminal, remote host and login UID (auid). An auid of -1 means the login UID was not set for that event: daemons such as crond run this way, and so does sshd until a login completes, after which the rows carry the real auid, as the sshd rows from 192.168.7.219 below show. Run the following command to get the report.
[root@linuxhelp ~]# aureport -x
Executable Report
====================================
# date time exe term host auid event
====================================
1. 08/04/2017 17:20:01 /usr/sbin/crond cron ? -1 6
2. 08/04/2017 17:20:01 /usr/sbin/crond cron ? -1 7
3. 08/04/2017 17:20:01 /usr/sbin/crond cron ? 0 9
4. 08/04/2017 17:20:02 /usr/sbin/crond cron ? 0 10
5. 08/04/2017 17:20:02 /usr/sbin/crond cron ? 0 11
6. 08/04/2017 17:30:01 /usr/sbin/crond cron ? -1 12
7. 08/04/2017 17:30:01 /usr/sbin/crond cron ? -1 13
8. 08/04/2017 17:30:01 /usr/sbin/crond cron ? 0 15
9. 08/04/2017 17:30:01 /usr/sbin/crond cron ? 0 16
.
.
.
.
137166. 11/24/2017 18:04:39 /usr/sbin/sshd ssh 192.168.7.219 -1 5538
137167. 11/24/2017 18:04:39 /usr/sbin/sshd ssh 192.168.7.219 -1 5539
137168. 11/24/2017 18:04:39 /usr/sbin/sshd ? 192.168.7.219 -1 5540
137169. 11/24/2017 18:04:39 /usr/sbin/sshd ssh 192.168.7.219 -1 5541
137170. 11/24/2017 18:04:39 /usr/sbin/sshd ssh 192.168.7.219 -1 5542
137171. 11/24/2017 18:04:39 /usr/sbin/sshd ssh 192.168.7.219 0 5544
137172. 11/24/2017 18:04:39 /usr/sbin/sshd /dev/pts/0 192.168.7.219 0 5545
137173. 11/24/2017 18:04:39 /usr/sbin/sshd /dev/pts/0 192.168.7.219 0 5546
137174. 11/24/2017 18:04:39 /usr/sbin/sshd pts/0 192.168.7.219 0 5547
137175. 11/24/2017 18:04:39 /usr/sbin/sshd pts/0 192.168.7.219 0 5548
137176. 11/24/2017 18:04:39 /usr/sbin/sshd ssh 192.168.7.219 0 5549
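As an added example (not part of the original tutorial), the script below turns the auid column of an Executable Report into a per-host view of sshd activity: rows with an unset login UID (-1, or "unset" when the report is produced with -i) are counted separately from rows attributed to a real auid, and a remote host that only ever appears with an unset auid, meaning no session was ever established, is flagged for review. The filter keys on the executable because crond legitimately runs with auid -1 too. The embedded report is constructed in the layout shown above; the second client 198.51.100.7 and its event numbers are invented.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: summarise an
# "aureport -x" Executable Report read from stdin per remote host. The
# SAMPLE_EXEC_REPORT text is CONSTRUCTED in the page's layout (198.51.100.7
# is an invented client); on a live host run:  aureport -x | no_session_hosts

SAMPLE_EXEC_REPORT='Executable Report
====================================
# date time exe term host auid event
====================================
1. 08/04/2017 17:20:01 /usr/sbin/crond cron ? -1 6
2. 08/04/2017 17:20:01 /usr/sbin/crond cron ? 0 9
3. 11/24/2017 18:04:39 /usr/sbin/sshd ssh 192.168.7.219 -1 5538
4. 11/24/2017 18:04:39 /usr/sbin/sshd ssh 192.168.7.219 -1 5539
5. 11/24/2017 18:04:39 /usr/sbin/sshd ssh 192.168.7.219 0 5544
6. 11/24/2017 18:04:39 /usr/sbin/sshd pts/0 192.168.7.219 0 5547
7. 11/24/2017 18:11:02 /usr/sbin/sshd ssh 198.51.100.7 -1 5601
8. 11/24/2017 18:11:03 /usr/sbin/sshd ssh 198.51.100.7 -1 5602
9. 11/24/2017 18:11:05 /usr/sbin/sshd ssh 198.51.100.7 -1 5603
10. 11/24/2017 18:11:06 /usr/sbin/sshd ssh 198.51.100.7 -1 5604'

# Columns of an -x data row: idx date time exe term host auid event.
# For every remote host that reached the given executable (basename,
# default sshd) print "<host> unset=<n> attributed=<m> <status>", sorted by
# host. Rows with host "?" (local activity) are skipped. An auid of -1, or
# "unset" in a report made with -i, counts as unset; anything else counts
# as attributed to a logged-in user.
exe_host_summary() {
    awk -v exe="${1:-sshd}" '
        $1 ~ /^[0-9]+\.$/ && $4 ~ ("/" exe "$") && $6 != "?" {
            if ($7 == "-1" || $7 == "unset") unset[$6]++; else attr[$6]++
            seen[$6] = 1
        }
        END {
            for (h in seen) {
                u = unset[h] + 0; a = attr[h] + 0
                printf "%s unset=%d attributed=%d %s\n", h, u, a, (a == 0 ? "NO-SESSION" : "session")
            }
        }' | sort
}

# Hosts with at least <min> unset-auid sshd rows (default 3) and no
# attributed row at all: connections that never turned into a session.
no_session_hosts() {
    exe_host_summary sshd | awk -v min="${1:-3}" '
        $4 == "NO-SESSION" { split($2, u, "="); if (u[2] + 0 >= min) print $1 }'
}

printf '%s\n' "$SAMPLE_EXEC_REPORT" | exe_host_summary sshd
printf '%s\n' "$SAMPLE_EXEC_REPORT" | no_session_hosts 3
```

A host with a low unset count and no attributed row may just be a client that disconnected, which is why the threshold is a parameter; the executables report alone does not say why a login failed, so confirm any flagged host with the authentication report (-au --failed) or an ausearch pivot on the event numbers.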
To view the login report, run the following command. The auid column is the login UID recorded with the event, and the event column again ties each row to ausearch -a.
[root@linuxhelp ~]# aureport -l
Login Report
============================================
# date time auid host term exe success event
============================================
1. 08/04/2017 12:53:20 roo ? /dev/tty1 /usr/libexec/gdm-session-worker no 56
2. 08/04/2017 12:53:31 -1 ? /dev/tty1 /usr/libexec/gdm-session-worker yes 63
3. 08/04/2017 14:25:15 -1 ? /dev/tty1 /usr/libexec/gdm-session-worker yes 10
The crypto report is produced with the following command.
[root@linuxhelp ~]# aureport -cr
Crypto Report
===================================
# date time auid type success event
===================================
1. 08/04/2017 14:15:57 -1 CRYPTO_KEY_USER yes 122
2. 08/04/2017 14:15:57 -1 CRYPTO_KEY_USER yes 123
3. 08/04/2017 14:23:55 0 CRYPTO_KEY_USER yes 134
4. 08/04/2017 14:23:55 0 CRYPTO_KEY_USER yes 135
You can also check the account modification report by running the following command. Failed modifications (success no) stand out in this report, as in the first row below.
[root@linuxhelp ~]# aureport -m
Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 08/04/2017 14:17:20 0 ? ? /usr/sbin/groupadd wbpriv no 124
2. 11/23/2017 15:09:16 0 ? ? /usr/sbin/groupadd ? yes 71
3. 11/23/2017 15:09:16 0 ? ? /usr/sbin/groupadd ? yes 72
4. 11/23/2017 15:09:17 0 ? ? /usr/sbin/useradd ? yes 73
5.
To view the PID report, run the following command.
[root@linuxhelp ~]# aureport -p
Process ID Report
======================================
# date time pid exe syscall auid event
======================================
1. 08/04/2017 17:17:36 1339 ? 0 -1 1297
2. 08/04/2017 17:20:01 1990 /usr/sbin/crond 0 -1 6
3. 08/04/2017 17:20:01 1990 /usr/sbin/crond 0 -1 7
4. 08/04/2017 17:20:01 1990 ? 0 0 8
5. 08/04/2017 17:20:01 1990 /usr/sbin/crond 0 0 9
6. 08/04/2017 17:20:02 1990 /usr/sbin/crond 0 0 10
.
.
.
.
204. 11/23/2017 15:10:01 4338 /usr/sbin/crond 0 -1 75
205. 11/23/2017 15:10:01 4338 ? 0 0 76
206. 11/23/2017 15:10:01 4338 /usr/sbin/crond 0 0 77
207. 11/23/2017 15:10:01 4338 /usr/sbin/crond 0 0 78
208. 11/23/2017 15:10:01 4338 /usr/sbin/crond 0 0 79
209. 11/24/2017 18:10:01 4678 /usr/sbin/crond 0 -1 80
210. 11/24/2017 18:10:01 4678 /usr/sbin/crond 0 -1 81
211. 11/24/2017 18:10:01 4678 ? 0 0 82
212. 11/24/2017 18:10:01 4678 /usr/sbin/crond 0 0 83
213. 11/24/2017 18:10:01 4678 /usr/sbin/crond 0 0 84
214. 11/24/2017 18:10:01 4678 /usr/sbin/crond 0 0 85
The syscall report is produced by the following command. The syscall column shows the syscall number; add -i to print the syscall name instead.
[root@linuxhelp ~]# aureport -s
Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 08/04/2017 13:00:52 1 3510 load_policy 0 70
2. 08/04/2017 13:52:52 1 52301 load_policy 0 103
3. 08/04/2017 14:17:53 1 64635 load_policy 0 125
The --success option restricts a report to successful events; on its own it produces a success-only version of the summary report. Its counterpart, --failed, restricts a report to failed events.
[root@linuxhelp ~]# aureport --success
Success Summary Report
======================
Range of time in logs: 08/04/2017 17:17:36.535 - 11/24/2017 18:10:01.714
Selected time for report: 08/04/2017 17:17:36 - 11/24/2017 18:10:01.714
Number of changes in configuration: 6
Number of changes to accounts, groups, or roles: 3
Number of logins: 2
Number of failed logins: 0
Number of authentications: 3
Number of failed authentications: 0
Number of users: 2
Number of terminals: 7
Number of host names: 1
Number of executables: 9
Number of commands: 1
Number of files: 0
Number of AVC's: 0
Number of MAC events: 4
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 4
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 45
Number of events: 213
Finally, run aureport with --help to see all options. Most report selectors can be combined with --failed or --success, with -ts/-te to limit the time range, with -i to interpret numeric fields such as uids and syscalls, and with -if to read a saved log file instead of the live logs.
[root@linuxhelp ~]# aureport --help
usage: aureport [options]
-a,--avc Avc report
-au,--auth Authentication report
--comm Commands run report
-c,--config Config change report
-cr,--crypto Crypto report
-e,--event Event report
-f,--file File name report
--failed only failed events in report
-h,--host Remote Host name report
--help help
-i,--interpret Interpretive mode
-if,--input <Input File name> use this file as input
--input-logs Use the logs even if stdin is a pipe
--integrity Integrity event report
-l,--login Login report
-k,--key Key report
-m,--mods Modification to accounts report
-ma,--mac Mandatory Access Control (MAC) report
-n,--anomaly aNomaly report
-nc,--no-config Don't include config events
--node <node name> Only events from a specific node
-p,--pid Pid report
-r,--response Response to anomaly report
-s,--syscall Syscall report
--success only success events in report
--summary sorted totals for main object in report
-t,--log Log time range report
-te,--end [end date] [end time] ending date & time for reports
-tm,--terminal TerMinal name report
-ts,--start [start date] [start time] starting data & time for reports
--tty Report about tty keystrokes
-u,--user User name report
-v,--version Version
--virt Virtualization report
-x,--executable eXecutable name report
If no report is given, the summary report will be displayed
This concludes the coverage of the aureport command.