Linux audit

Search for today's SELinux AVC messages (raw format, as audit2allow expects) and pipe them through audit2allow

# ausearch -r -m avc -ts today | audit2allow

This week's audit report about logins

# aureport -l --start this-week

Login Report
===================
 # date time auid host term exe success event
 04/11/2021 02:57:13 1340 hostname1 /dev/pts/2 /usr/sbin/sshd yes 1554971
 04/11/2021 23:20:18 1340 hostname2 /dev/pts/2 /usr/sbin/sshd yes 1615304
 04/12/2021 11:45:17 (unknown) 192.168.1.12 ssh /usr/sbin/sshd no 1684527
 04/12/2021 21:35:41 1340 hostname2 /dev/pts/2 /usr/sbin/sshd yes 1699648
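The login report above is easy to post-process. As an added example (not part of the original post), the following POSIX shell snippet reads `aureport -l` output on stdin, keeps only the data rows whose success column is `no`, and counts them per source host so a cron job can flag repeated failures from one address. The helper names are hypothetical and the sample report is constructed from the rows shown above plus one extra failed row.

```shell
#!/bin/sh
# Added example (not from the original post): pick failed logins out of
# `aureport -l` output and count them per source host. Helper names are
# hypothetical.

# Read an aureport login report on stdin and print "host count" for every
# host with at least $1 failed logins (default 1). Data rows have eight
# columns: date time auid host term exe success event; the header starts
# with '#', so matching a MM/DD/YYYY date in column 1 skips it.
failed_logins_by_host() {
    awk -v min="${1:-1}" '
        $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9][0-9][0-9]$/ && $7 == "no" { fails[$4]++ }
        END { for (h in fails) if (fails[h] >= min) printf "%s %d\n", h, fails[h] }
    ' | sort
}

# Constructed sample in the aureport -l format; the two "no" rows from
# 192.168.1.12 stand in for a real report's failed sshd logins.
sample_login_report() {
    cat <<'EOF'
Login Report
===================
 # date time auid host term exe success event
 04/11/2021 02:57:13 1340 hostname1 /dev/pts/2 /usr/sbin/sshd yes 1554971
 04/12/2021 11:45:17 (unknown) 192.168.1.12 ssh /usr/sbin/sshd no 1684527
 04/12/2021 11:45:20 (unknown) 192.168.1.12 ssh /usr/sbin/sshd no 1684530
 04/12/2021 21:35:41 1340 hostname2 /dev/pts/2 /usr/sbin/sshd yes 1699648
EOF
}

# Real use: aureport -l --start this-week | failed_logins_by_host 5
sample_login_report | failed_logins_by_host
```

With the constructed sample this prints `192.168.1.12 2`; raising the threshold to 3 prints nothing. The host column holds the remote address for sshd logins and a hostname for local ones, so the count is per origin, not per account.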

This week's audit report about authentication

# aureport -au --start this-week

Authentication Report
=======================
 # date time acct host term exe success event
 04/11/2021 02:57:12 user1  192.168.1.12 ? /usr/sbin/sshd yes 1554951
 04/11/2021 02:57:12 user1  192.168.1.12 ? /usr/sbin/sshd yes 1554952
 04/11/2021 02:57:12 user1  192.168.1.12 ssh /usr/sbin/sshd yes 1554956
 04/11/2021 06:22:17 root ? ? /usr/sbin/userhelper yes 1583371
 04/11/2021 20:22:23 root ? ? /usr/sbin/userhelper yes 1603640
 04/11/2021 23:20:18 user1  192.168.1.12 ? /usr/sbin/sshd yes 1615284
 04/11/2021 23:20:18 user1  192.168.1.12 ? /usr/sbin/sshd yes 1615285

This week's audit summary report

# aureport --start this-week

Summary Report
=======================
Range of time in logs: 03/12/2021 17:50:01.914 - 04/13/2021 08:28:04.748
 Selected time for report: 04/11/2021 00:00:00 - 04/13/2021 08:28:04.748
 Number of changes in configuration: 0
 Number of changes to accounts, groups, or roles: 0
 Number of logins: 3
 Number of failed logins: 1
 Number of authentications: 13
 Number of failed authentications: 5
 Number of users: 5
 Number of terminals: 9
 Number of host names: 5
 Number of executables: 185
 Number of commands: 255
 Number of files: 2294
 Number of AVC's: 0
 Number of MAC events: 3
 Number of failed syscalls: 7885
 Number of anomaly events: 0
 Number of responses to anomaly events: 0
 Number of crypto events: 27
 Number of integrity events: 0
 Number of virt events: 0
 Number of keys: 11
 Number of process IDs: 51551
 Number of events: 197948

Search for today's events between ts (time start) and te (time end), translating numeric values such as UIDs and GIDs into user and group names using the LOCAL resources configured in nsswitch.conf. This may give wrong results if executed on a different host than the one that produced the logs.

-i also decodes the proctitle field, which is stored hex-encoded in the raw log.

# ausearch -ts 14:53:00 -te 14:54:12 -i

Search with time and date

# ausearch -ts 04/28/2020 12:00:00 -te 04/28/2020 12:15:00

When running ausearch commands from cron or facter you should always use the --input-logs option, otherwise you will most likely see the message <no matches>: when stdin is not a terminal, ausearch reads events from stdin instead of from the auditd log files.

It gets even more interesting if you try to define dynamic dates like "yesterday": you can set the start time as yesterday (00:00:00), but you can't set the end time as today (00:00:00), because today inherits the time "now". When using the date command to build a dynamic date range, it turns out that ausearch is unable to parse dates in many locales.

So, when you use something like this:

# /usr/sbin/ausearch --input-logs -m avc -ts $(/usr/bin/date --date 'yesterday' +'%m/%d/%Y 00:00:00') -te $(/usr/bin/date --date 'today' +'%m/%d/%Y 00:00:00')

It might work from your terminal, but when you run it via a different program like facter, which uses the default C locale, you end up with errors like:

Error parsing start date (05/11/2021)

Invalid start date (2021/05/11). Month, Day, and Year are required.

To avoid this, set the locale to en_US.UTF-8, which appears to be one locale whose date format ausearch is able to parse. (ausearch parses the date argument with the locale's %x format; in the C locale that is %m/%d/%y, a two-digit year, which is why a four-digit year fails there.) If you are unable to change facter's locale, you can run a bash shell, set the locale, and run the command like below.

# /bin/bash -c "export LC_ALL=en_US.UTF-8; /usr/sbin/ausearch --input-logs -m avc -ts $(/usr/bin/date --date 'yesterday' +'%m/%d/%Y 00:00:00') -te $(/usr/bin/date --date 'today' +'%m/%d/%Y 00:00:00') --just-one &>/dev/null && /usr/sbin/ausearch --input-logs -m avc -ts $(/usr/bin/date --date 'yesterday' +'%m/%d/%Y 00:00:00') -te $(/usr/bin/date --date 'today' +'%m/%d/%Y 00:00:00') | /usr/sbin/aureport | /bin/grep 'Number of events:' | awk '{print \$4}' || echo '0'"
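The same dynamic "all of yesterday" range, written as an added example (not code from the original post) that keeps the date building in one place and can be unit-tested without ausearch: `audit_day_range` prints the four -ts/-te words for the day before a reference date using GNU date, and `count_yesterday_avc` runs the ausearch/aureport pipeline under en_US.UTF-8 and prints 0 when nothing matched. Function names are hypothetical; the paths match the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): build ausearch's -ts/-te
# arguments for "all of yesterday" with GNU date, and run the count under a
# locale whose date format ausearch can parse. Helper names are hypothetical.

# Print "MM/DD/YYYY 00:00:00 MM/DD/YYYY 00:00:00": midnight starting the day
# before the reference day, then midnight starting the reference day.
# $1 is the reference day as YYYY-MM-DD; it defaults to today, which is what
# a cron job wants.
audit_day_range() {
    ref=${1:-$(date +%Y-%m-%d)}
    start=$(date --date "$ref 1 day ago" +'%m/%d/%Y 00:00:00')
    end=$(date --date "$ref" +'%m/%d/%Y 00:00:00')
    printf '%s %s\n' "$start" "$end"
}

# Count yesterday's AVC events from the audit logs, printing 0 when ausearch
# finds nothing (it then exits non-zero with <no matches>) or is missing.
# --input-logs makes ausearch read auditd's log files instead of stdin, which
# it would otherwise do under cron where stdin is not a terminal.
count_yesterday_avc() {
    set -- $(audit_day_range)    # split into: start_date start_time end_date end_time
    LC_ALL=en_US.UTF-8 /usr/sbin/ausearch --input-logs -m avc \
        -ts "$1" "$2" -te "$3" "$4" 2>/dev/null \
      | /usr/sbin/aureport 2>/dev/null \
      | awk '/Number of events:/ { print $4; found = 1 }
             END { if (!found) print 0 }'
}

count_yesterday_avc
```

`LC_ALL=en_US.UTF-8` only helps if that locale is generated on the host (check with `locale -a`); if it is absent, setlocale silently falls back to C and the four-digit year fails to parse exactly as described above. The awk `END` clause replaces the `|| echo '0'` fallback, so the pipeline's output is always a single number that facter can consume.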

To be continued….

If you found this useful, say thanks, click on some banners or donate, I can always use some beer money.