Inspecting Audit Logs with ausearch and aureport

Working with ausearch and aureport to analyse audit logs on a RHEL system.

The audit system ships with the ausearch command, a powerful tool for searching audit logs.

aureport is a companion tool that produces summary reports from the audit logs.

Searching For and Viewing SELinux Denials

A number of tools are available for viewing SELinux denials, such as ausearch, aureport and sealert.

List all denials:

# ausearch -m avc

List denials since system boot:

# ausearch -m avc --start boot

List denials for the mysqld process (matched on command name):

# ausearch -m avc -c mysqld

Generating Reports

Generate an AVC object summary report:

# aureport -a

Avc Object Summary Report
=================================
total  obj
=================================
1  system_u:object_r:unreserved_port_t:s0

Generate a summary report for all login events:

# aureport -i --login --summary

Login Summary Report
============================
total  auid
============================
40  vince
24  root
20  alice
8  sandy
1  (unknown)

Generate an executable summary report, showing which programs generated audit events:

# aureport -i --executable --summary

Executable Summary Report
=================================
total  file
=================================
2634  /usr/sbin/crond
2019  /usr/sbin/sshd
976  /usr/lib/systemd/systemd
539  /usr/sbin/xtables-multi
100  /usr/bin/kmod
96  /usr/sbin/ebtables-restore
45  /usr/bin/login
24  /usr/bin/su
21  /usr/lib/systemd/systemd-update-utmp
12  /usr/sbin/useradd
12  /usr/bin/passwd
7  /usr/sbin/groupadd
6  /usr/sbin/faillock
3  /usr/sbin/sshd;5cfab207 (deleted)
2  /usr/sbin/load_policy
2  /usr/bin/sudo
1  /usr/bin/python2.7
1  /usr/sbin/semanage

Retrieve Records Based on Audit Event ID

Find the last login event:

# aureport -i --login | tail -n1
93. 30/06/19 12:41:28 alice 10.11.1.10 /dev/pts/2 /usr/sbin/sshd yes 3197

Retrieve more information about the last login event:

# ausearch -i -a 3197
----
type=USER_LOGIN msg=audit(30/06/19 12:41:28.984:3197) : pid=8565 uid=root auid=alice ses=211 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=alice exe=/usr/sbin/sshd hostname=10.11.1.10 addr=10.11.1.10 terminal=/dev/pts/2 res=success'

Export records in a CSV format:

# ausearch -a 3197 --format csv
NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
,USER_LOGIN,30/06/19,12:41:28,3197,user-login,211,alice,,,logged-in,success,/dev/pts/2,,user-session,/usr/sbin/sshd
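The interpreted record returned by ausearch -i -a 3197 above is key=value text with a nested msg='...' payload. As an added example (not part of the original post), the following parser splits such records into fields and counts failed USER_LOGIN events per source address, the kind of quick triage a responder does before drilling into individual serials with ausearch -a. The first sample line is the record shown on this page; the two failed-login lines are constructed for the demo.

```python
import re
from collections import Counter

# Constructed sample in ausearch -i (interpreted) format. Line 1 is the record
# from the page; the two res=failed lines are made up for this example.
SAMPLE = """\
type=USER_LOGIN msg=audit(30/06/19 12:41:28.984:3197) : pid=8565 uid=root auid=alice ses=211 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=alice exe=/usr/sbin/sshd hostname=10.11.1.10 addr=10.11.1.10 terminal=/dev/pts/2 res=success'
type=USER_LOGIN msg=audit(30/06/19 12:43:02.112:3204) : pid=8601 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=bob exe=/usr/sbin/sshd hostname=? addr=10.11.1.77 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(30/06/19 12:43:09.455:3205) : pid=8603 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=bob exe=/usr/sbin/sshd hostname=? addr=10.11.1.77 terminal=ssh res=failed'
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>) : <key=value ...>
HEADER = re.compile(r"^type=(\S+) msg=audit\((.+?):(\d+)\) : (.*)$")
# key=value pairs; a value is either a single-quoted string or a run of non-space
KV = re.compile(r"(\w+)=('[^']*'|\S+)")

def parse_record(line):
    """Parse one interpreted audit record into a flat dict.
    Returns None for lines that are not records (e.g. the '----' separators).
    Keys inside the nested msg='...' payload are merged into the same dict."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": m.group(2), "serial": int(m.group(3))}
    for key, val in KV.findall(m.group(4)):
        if val.startswith("'"):
            # nested quoted message: parse its own key=value pairs
            rec.update(dict(KV.findall(val[1:-1])))
        else:
            rec[key] = val
    return rec

def failed_logins_by_addr(text):
    """Count failed USER_LOGIN events per source address (addr= field)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "USER_LOGIN" and rec.get("res") == "failed":
            counts[rec.get("addr", "?")] += 1
    return counts

if __name__ == "__main__":
    for addr, n in failed_logins_by_addr(SAMPLE).most_common():
        print(f"{n:>5}  {addr}")  # prints "    2  10.11.1.77"
```

Feed it live data with ausearch -i -m USER_LOGIN --start today piped to stdin instead of the constructed SAMPLE.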
