Aureport – Linux tool for audit reporting of Linux systems

The audit daemon (auditd) is the userspace component of the Linux audit system. It receives audit records from the kernel and from audit-aware userspace programs (PAM, sshd, the shadow-utils account tools) and writes every event to /var/log/audit/audit.log.

What the kernel reports is controlled by the audit rules, traditionally kept in /etc/audit/audit.rules; on current distributions the rules are written as fragments under /etc/audit/rules.d/ and compiled into audit.rules by augenrules. Rules select what is monitored and tracked, such as file access, command execution and system calls. Note that the authentication and account-modification records used in the first two reports below are sent by PAM and the account tools themselves, so those reports are populated even on a host with no rules loaded; syscall and file-watch records appear only for what the rules request.

Because audit.log accumulates a huge number of events, a tool is needed to turn it into readable reports.

aureport is that tool: it produces summary reports of the audit system logs. Each report type can be narrowed to one outcome with --success or --failed, restricted to a time window with --start and --end (keywords such as today, yesterday, this-week and boot are accepted as well as explicit timestamps), and condensed into totals with --summary.

We will look at a few examples of using aureport for reporting.

1. Audit report of successful/failed authentications to the host

aureport --auth lists authentication attempts (SSH logins via sshd, and local su and sudo), with --success or --failed selecting the outcome. The columns are acct (the account name supplied), host (remote address, or ? when there is none), term (ssh, or the pty for local tools), exe (the program that performed the check), success and the event ID. A single attempt usually produces more than one record, which is why entries appear in pairs with neighbouring event IDs. Entries whose acct is ? or (unknown) carry no usable account name; these are typically attempts with a username that does not exist on the host, and they deserve a separate look because a run of them from one address is the usual signature of scanning or brute forcing.

[root@linuxminion:~/]# aureport --auth --success

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 04/09/19 20:52:28 root 192.168.163.1 ssh /usr/sbin/sshd yes 157
2. 04/09/19 20:52:28 root 192.168.163.1 ssh /usr/sbin/sshd yes 160
3. 04/09/19 21:03:53 root 192.168.163.1 ssh /usr/sbin/sshd yes 157
4. 04/09/19 21:03:53 root 192.168.163.1 ssh /usr/sbin/sshd yes 160
5. 04/11/19 14:00:33 johnny 10.38.190.40 ssh /usr/sbin/sshd yes 8117
6. 04/11/19 14:00:33 johnny 10.38.190.40 ssh /usr/sbin/sshd yes 8120
7. 04/11/19 14:00:56 johnny ? /dev/pts/0 /usr/bin/sudo yes 8167
8. 04/11/19 14:00:56 root linuxminion pts/0 /usr/bin/su yes 8174
9. 04/11/19 14:32:54 johnny  10.57.83.122 ssh /usr/sbin/sshd yes 9090
10. 04/11/19 14:32:55 johnny 10.57.83.122 ssh /usr/sbin/sshd yes 9093
11. 04/11/19 14:33:22 johnny ? /dev/pts/0 /usr/bin/sudo yes 9140
12. 04/11/19 14:33:22 root  linuxminion  pts/0 /usr/bin/su yes 9147
13. 04/11/19 14:35:24 tonyboy 10.57.83.143 ssh /usr/sbin/sshd yes 9216
14. 04/11/19 14:35:24 tonyboy 10.57.83.143 ssh /usr/sbin/sshd yes 9219
15. 04/11/19 14:48:00 johnny ? /dev/pts/0 /usr/bin/sudo yes 9933
16. 04/11/19 14:48:00 root linuxminion  pts/0 /usr/bin/su yes 9941
17. 04/11/19 15:15:48 tonyboy 10.57.83.143 ssh /usr/sbin/sshd yes 10638
18. 04/11/19 15:15:48 tonyboy 10.57.83.143 ssh /usr/sbin/sshd yes 10641
19. 04/11/19 15:16:17 tonyboy ? /dev/pts/0 /usr/bin/sudo yes 10688
20. 04/11/19 15:16:17 root linuxminion  pts/0 /usr/bin/su yes 10695
21. 04/11/19 15:30:00 tonyboy 10.57.83.143 ssh /usr/sbin/sshd yes 11376
22. 04/11/19 15:30:00 tonyboy 10.57.83.143 ssh /usr/sbin/sshd yes 11379
[root@linuxminion:~/]# aureport --auth --failed

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 04/11/19 12:37:34 splunk ? ? /usr/sbin/useradd no 491
2. 04/11/19 13:55:37 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 7949
3. 04/11/19 13:55:37 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 7951
4. 04/11/19 13:55:56 ? 10.57.83.143 ssh /usr/sbin/sshd no 7956
5. 04/11/19 13:55:56 (unknown) 10.57.83.143 ssh /usr/sbin/sshd no 7958
6. 04/11/19 13:59:11 ? 10.57.83.143 ssh /usr/sbin/sshd no 8086
7. 04/11/19 13:59:11 (unknown) 10.57.83.143 ssh /usr/sbin/sshd no 8088
8. 04/11/19 13:59:30 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8094
9. 04/11/19 13:59:30 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8096
10. 04/11/19 14:02:42 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8244
11. 04/11/19 14:02:42 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8246
12. 04/11/19 14:14:30 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8407
13. 04/11/19 14:14:30 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8409
14. 04/11/19 14:17:32 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8577
15. 04/11/19 14:17:32 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8579
16. 04/11/19 14:17:46 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8666
17. 04/11/19 14:17:46 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8668
18. 04/11/19 14:17:54 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8689
19. 04/11/19 14:17:54 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8691
20. 04/11/19 14:17:54 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8692
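
aureport --auth --failed --summary groups failures by account, but for triage the question is usually which source address is hammering the host and whether it is probing for nonexistent names. The script below, added here as an example and not part of the original post, reads the failed-authentication report format shown above on stdin and prints one line per source host with the number of failures, the number of distinct named accounts tried, the number of records with no usable account name (acct ? or (unknown)), and a FLAG when the failure count reaches a threshold. The function name failed_auth_triage, the threshold, and the SAMPLE_REPORT lines (constructed to match the report layout above; they are not real audit data) are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: triage an "aureport --auth --failed"
# report on stdin, counting failures per source host so that a brute-force or
# user-enumeration source stands out. Real use:
#   aureport --auth --failed --start today | failed_auth_triage 10
# Report columns (see above): # date time acct host term exe success event
# SAMPLE_REPORT below is constructed for the demo; it is not real audit data.

# failed_auth_triage THRESHOLD
# Prints one line per host: host, failures, distinct named accounts, records with
# no usable account name (acct is "?" or "(unknown)"), and FLAG when
# failures >= THRESHOLD (default 10). Output is sorted by failure count.
failed_auth_triage() {
    threshold="${1:-10}"
    awk -v thr="$threshold" '
        # Data lines start with "<n>." and carry 9 fields; headers and rules are skipped.
        /^[0-9]+\./ && NF >= 9 {
            acct = $4; host = $5; success = $8
            if (success != "no") next                 # only count failures
            total[host]++
            if (acct == "?" || acct == "(unknown)")
                unknown[host]++                       # no usable account name
            else if (!seen[host SUBSEP acct]++)
                distinct[host]++                      # first time this host tried this name
        }
        END {
            for (h in total)
                printf "%-16s %5d %5d %5d %s\n", h, total[h], distinct[h] + 0, unknown[h] + 0, (total[h] >= thr ? "FLAG" : "-")
        }' | sort -k2,2nr
}

# Constructed sample in the exact layout aureport --auth --failed prints.
SAMPLE_REPORT=$(cat <<'EOF'
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 04/11/19 13:55:37 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 7949
2. 04/11/19 13:55:37 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 7951
3. 04/11/19 13:55:56 ? 10.57.83.143 ssh /usr/sbin/sshd no 7956
4. 04/11/19 13:55:56 (unknown) 10.57.83.143 ssh /usr/sbin/sshd no 7958
5. 04/11/19 13:59:30 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8094
6. 04/11/19 13:59:30 minionuser 10.57.83.143 ssh /usr/sbin/sshd no 8096
7. 04/11/19 14:10:02 johnny 10.38.190.40 ssh /usr/sbin/sshd no 8300
8. 04/11/19 14:12:15 splunk ? ? /usr/sbin/useradd no 8311
EOF
)

# triage_sample : run the triage over the constructed sample with threshold 3.
# Expected output:
#   10.57.83.143         6     1     2 FLAG
#   10.38.190.40         1     1     0 -
#   ?                    1     1     0 -
triage_sample() {
    printf '%s\n' "$SAMPLE_REPORT" | failed_auth_triage 3
}

triage_sample
```

The host column is ? for records with no remote address (local PAM stacks such as useradd or su), so those rows are aggregated under ? rather than dropped; the unknown column is what separates a user who mistyped a password from a scanner walking a wordlist of usernames.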

2. Account Modification Report

To demonstrate this report, a user minionGUY was first added with useradd and then removed with userdel. Both actions are recorded in the audit log, and the command below produces the account modification report. The auid column is the login UID, i.e. the identity of the user who originally logged in; it survives su and sudo, so here 41391 is shown creating and deleting minionGUY (events 96052 and 96583) even though the commands themselves ran as root. An auid of -1 means the login UID was never set: the entries between 12:37 and 12:47 were not produced from a login session (for example by a boot-time or configuration-management process) and therefore cannot be tied to a person.

[root@linuxminion:~/]# aureport -m --success

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 04/11/19 12:37:34 -1 ? ? /usr/sbin/groupadd ? yes 464
2. 04/11/19 12:37:34 -1 ? ? /usr/sbin/groupadd ? yes 467
3. 04/11/19 12:37:34 -1 ? ? /usr/sbin/useradd ? yes 478
4. 04/11/19 12:37:34 -1 ? ? /usr/sbin/pam_tally2 ? yes 489
5. 04/11/19 12:38:03 -1 ? ? /usr/sbin/groupadd ? yes 1427
6. 04/11/19 12:38:03 -1 ? ? /usr/sbin/groupadd ? yes 1430
7. 04/11/19 12:38:03 -1 ? ? /usr/sbin/useradd ? yes 1441
8. 04/11/19 12:38:03 -1 ? ? /usr/sbin/pam_tally2 ? yes 1452
9. 04/11/19 12:46:14 -1 ? ? /usr/sbin/chpasswd ? yes 5402
10. 04/11/19 12:47:51 -1 ? ? /usr/sbin/groupadd ? yes 5704
11. 04/11/19 12:47:51 -1 ? ? /usr/sbin/groupadd ? yes 5707
12. 04/11/19 14:35:15 41103 ? /dev/pts/0 /usr/sbin/pam_tally2 ? yes 9214
13. 04/11/19 14:48:44 41103 ? /dev/pts/0 /usr/sbin/pam_tally2 ? yes 10186
14. 06/11/19 14:33:34 41391 linuxminion pts/0 /usr/sbin/useradd tony yes 95325
15. 06/11/19 14:33:34 41391 linuxminion  pts/0 /usr/sbin/useradd ? yes 95327
16. 06/11/19 14:33:34 41391 ? /dev/pts/0 /usr/sbin/pam_tally2 ? yes 95374
17. 06/11/19 14:33:34 41391 linuxminion  pts/0 /usr/sbin/useradd ? yes 95379
18. 06/11/19 14:36:00 41391 linuxminion pts/0 /usr/sbin/userdel ? yes 95423
19. 06/11/19 14:36:00 41391 linuxminion pts/0 /usr/sbin/userdel abcd yes 95424
20. 06/11/19 14:36:00 41391 linuxminion pts/0 /usr/sbin/userdel jack yes 95425
21. 06/11/19 14:40:11 41391 linuxminion pts/0 /usr/sbin/useradd tony yes 95681
22. 06/11/19 14:40:11 41391 linuxminion pts/0 /usr/sbin/useradd ? yes 95683
23. 06/11/19 14:40:11 41391 ? /dev/pts/0 /usr/sbin/pam_tally2 ? yes 95730
24. 06/11/19 14:40:11 41391 linuxminion pts/0 /usr/sbin/useradd ? yes 95735
25. 06/11/19 14:41:47 41391 linuxminion pts/0 /usr/sbin/usermod ? yes 95795
26. 06/11/19 14:41:47 41391 linuxminion  pts/0 /usr/sbin/usermod ? yes 95809
27. 06/11/19 14:42:18 41391 linuxminion pts/0 /usr/sbin/userdel ? yes 95835
28. 06/11/19 14:46:20 41391 linuxminion pts/0 /usr/sbin/groupdel ? yes 96028
29. 06/11/19 14:46:20 41391 linuxminion pts/0 /usr/sbin/groupdel ? yes 96036
30. 06/11/19 14:46:27 41391 linuxminion pts/0 /usr/sbin/useradd minionGUY yes 96052
31. 06/11/19 14:46:27 41391 linuxminion pts/0 /usr/sbin/useradd ? yes 96054
32. 06/11/19 14:46:27 41391 ? /dev/pts/0 /usr/sbin/pam_tally2 ? yes 96101
33. 06/11/19 14:48:20 41391 linuxminion pts/0 /usr/sbin/usermod ? yes 96558
34. 06/11/19 14:48:28 41391 linuxminion pts/0 /usr/sbin/userdel ? yes 96582
35. 06/11/19 14:48:28 41391 linuxminion pts/0 /usr/sbin/userdel minionGUY yes 96583

3. Event Report

aureport --event (or -e) lists every event together with its type, for example SYSTEM_BOOT, SERVICE_START/SERVICE_STOP, SYSCALL, DAEMON_START and CONFIG_CHANGE. CONFIG_CHANGE is the type to watch when checking whether someone altered the audit rules themselves, and aureport --event --summary gives a count per event type.

The command below reports how many times the system was rebooted and when; the egrep pattern keeps the header line along with the SYSTEM_BOOT entries.

[root@linuxminion:~/]# aureport --event --success | egrep "#|SYSTEM_BOOT"
# date time event type auid success
5. 04/09/19 20:51:30 8 SYSTEM_BOOT -1 yes
284. 04/09/19 21:02:43 8 SYSTEM_BOOT -1 yes
636. 04/11/19 12:21:03 8 SYSTEM_BOOT -1 yes
846. 04/11/19 12:21:33 8 SYSTEM_BOOT -1 yes
13074. 04/11/19 12:45:31 264 SYSTEM_BOOT -1 yes

4. Executable name report

aureport -x (--executable) reports every executable that produced an audit record. In this case, let us see who ran the passwd command and when; ausearch then gives the full record for an event of interest.

In the output below, the last line shows that the user with login UID 41391 ran passwd on 06/11/19 15:43:18, and the event ID is 98242. Running ausearch on that event ID shows the underlying record: a PAM USER_CHAUTHTOK (password change) record giving the target account (acct="minionGUY"), the executable, the terminal and the result. Note that this record does not contain the command line: argv is only captured in EXECVE records, which the kernel emits when an audit rule (an execve syscall rule or a -F perm=x watch on /usr/bin/passwd) makes the execution itself auditable. The several passwd rows at 15:43:18 are separate records written during one invocation, and the earlier chpasswd rows at 12:46:14 carry auid -1, i.e. they were not made from a login session.

[root@linuxminion:~/]# aureport -x --success | grep passwd
17278. 04/11/19 12:46:14 /usr/sbin/chpasswd (none) ? -1 5399
17279. 04/11/19 12:46:14 /usr/sbin/chpasswd (none) ? -1 5400
17280. 04/11/19 12:46:14 /usr/sbin/chpasswd (none) ? -1 5401
17281. 04/11/19 12:46:14 /usr/sbin/chpasswd ? ? -1 5402
17282. 04/11/19 12:46:14 /usr/sbin/chpasswd (none) ? -1 5404
103034. 06/11/19 15:42:55 /usr/bin/passwd pts0 ? 41391 98048
103203. 06/11/19 15:43:12 /usr/bin/passwd pts0 ? 41391 98228
103208. 06/11/19 15:43:18 /usr/bin/passwd pts0 ? 41391 98233
103211. 06/11/19 15:43:18 /usr/bin/passwd pts0 ? 41391 98236
103212. 06/11/19 15:43:18 /usr/bin/passwd pts0 ? 41391 98237
103213. 06/11/19 15:43:18 /usr/bin/passwd pts0 ? 41391 98238
103214. 06/11/19 15:43:18 /usr/bin/passwd pts0 ? 41391 98239
103215. 06/11/19 15:43:18 /usr/bin/passwd pts0 ? 41391 98241
103216. 06/11/19 15:43:18 /usr/bin/passwd pts/0 linuxminion 41391 98242
[root@linuxminion:~/]# ausearch --event 98242
----
time->Wed Nov  6 15:43:18 2019
type=USER_CHAUTHTOK msg=audit(1573015398.088:98242): pid=19683 uid=0 auid=41391 ses=615 subj=system_u:system_r:passwd_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok grantors=pam_cracklib,pam_unix acct="minionGUY" exe="/usr/bin/passwd" hostname=linuxminion addr=? terminal=pts/0 res=success'
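
The following script serves two points on this page: the introduction's remark that the audit rules decide which syscall and file-access events are tracked, and the note above that event 98242 shows the password-change record but not the command line. It is an added example, not from the original post. It writes a rules fragment that watches the identity files behind the account modification report and makes executions of the account tools auditable, so that ausearch shows SYSCALL and EXECVE records (with argv) for a passwd run, then loads it with augenrules. The fragment name 50-identity.rules, the keys identity and priv_cmd, the auid floor of 1000 and the assumption that the tools live at the paths shown in the page's reports are all mine, not the page's.

```shell
#!/bin/sh
# Added example, not from the original post: write and load an audit rules
# fragment so that (a) changes to the identity files show up as keyed SYSCALL
# records and (b) running passwd/su/sudo/useradd/usermod/userdel produces
# SYSCALL+EXECVE records, which is what makes "ausearch" show the argv.
# Assumptions (not from the page): the fragment name 50-identity.rules, the
# keys "identity" and "priv_cmd", the auid floor 1000, and that the tools live
# at the paths shown in the page's reports (check with: command -v passwd).

RULES_DIR="${RULES_DIR:-/etc/audit/rules.d}"
RULES_FILE="50-identity.rules"

# write_identity_rules DIR : write the fragment into DIR and print its path.
write_identity_rules() {
    dir="$1"
    out="$dir/$RULES_FILE"
    cat > "$out" <<'EOF'
## Watches on the files behind the account modification report
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d -p wa -k identity

## Executions of account tooling by logged-in users. auid>=1000 skips system
## accounts; auid!=4294967295 skips the unset login UID (shown as -1 by aureport).
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
-a always,exit -F path=/usr/sbin/useradd -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
-a always,exit -F path=/usr/sbin/userdel -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
EOF
    printf '%s\n' "$out"
}

# count_rules FILE : number of rule lines (-w/-a), ignoring comments and blanks.
# A sanity check before loading, so an accidentally emptied file is noticed.
count_rules() {
    grep -cE '^-[wa] ' "$1"
}

# load_rules : compile /etc/audit/rules.d/*.rules into audit.rules and load them.
# Needs root and a running auditd.
load_rules() {
    augenrules --load && auditctl -l
}

# Run as:   sudo sh identity-rules.sh install
# Afterwards: ausearch -k priv_cmd -i   (EXECVE records carry the argv)
#             aureport -k --summary     (event counts per key)
if [ "${1:-}" = "install" ]; then
    f=$(write_identity_rules "$RULES_DIR")
    echo "wrote $f ($(count_rules "$f") rules)"
    load_rules
fi
```

With these rules loaded, the passwd run from the example above would also produce a SYSCALL record keyed priv_cmd plus an EXECVE record listing the arguments, and aureport -f (the file report) would show who touched /etc/shadow. The path filters are tied to the locations shown in this page's output; on a distribution where su lives at /bin/su, adjust the path or the rule will simply never match.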
