auditing:view_audit_reports
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revision | |||
| auditing:view_audit_reports [2016/07/28 10:05] – [Auditing - View audit reports] peter | auditing:view_audit_reports [2019/11/26 20:16] (current) – removed peter | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Auditing - View audit reports ====== | ||
| - | |||
| - | **aureport** is a tool that produces summary reports of the audit system log. | ||
| - | |||
| - | Without any parameters, **aureport** will generate a summary report of audit activity. | ||
| - | |||
| - | <code bash> | ||
| - | sudo aureport | ||
| - | </ | ||
| - | |||
| - | Result: | ||
| - | |||
| - | < | ||
| - | Summary Report | ||
| - | ====================== | ||
| - | Range of time in logs: 16/07/16 01: | ||
| - | Selected time for report: 16/07/16 01:32:46 - 16/07/16 10: | ||
| - | Number of changes in configuration: | ||
| - | Number of changes to accounts, groups, or roles: 0 | ||
| - | Number of logins: 0 | ||
| - | Number of failed logins: 0 | ||
| - | Number of authentications: | ||
| - | Number of failed authentications: | ||
| - | Number of users: 4 | ||
| - | Number of terminals: 14 | ||
| - | Number of host names: 6 | ||
| - | Number of executables: | ||
| - | Number of commands: 155 | ||
| - | Number of files: 186 | ||
| - | Number of AVC's: 0 | ||
| - | Number of MAC events: 0 | ||
| - | Number of failed syscalls: 33 | ||
| - | Number of anomaly events: 0 | ||
| - | Number of responses to anomaly events: 0 | ||
| - | Number of crypto events: 0 | ||
| - | Number of integrity events: 0 | ||
| - | Number of virt events: 0 | ||
| - | Number of keys: 8 | ||
| - | Number of process IDs: 29325 | ||
| - | Number of events: 31471 | ||
| - | </ | ||
| - | |||
| - | |||
| - | This shows some important information. | ||
| - | |||
| - | For example, it shows that there was a failed authentication. | ||
| - | |||
| - | We can use this command to look deeper on failed authentication: | ||
| - | |||
| - | <code bash> | ||
| - | sudo aureport -au | ||
| - | </ | ||
| - | |||
| - | Result: | ||
| - | |||
| - | < | ||
| - | Authentication Report | ||
| - | ============================================ | ||
| - | # date time acct host term exe success event | ||
| - | ============================================ | ||
| - | 1. 16/07/16 07:21:50 anonymous :: | ||
| - | 2. 16/07/16 09:07:47 peter ? /dev/pts/0 / | ||
| - | 3. 16/07/16 10:33:53 peter ? /dev/pts/0 / | ||
| - | </ | ||
| - | |||
| - | Row 1 has a " | ||
| - | |||
| - | |||
| - | ===== Check all events related to account modification ===== | ||
| - | |||
| - | Use the **-m** parameter. | ||
| - | |||
| - | <code bash> | ||
| - | sudo areport -m | ||
| - | </ | ||
| - | |||
| - | Result: | ||
| - | |||
| - | <code bash> | ||
| - | ================================================= | ||
| - | # date time auid addr term exe acct success event | ||
| - | ================================================= | ||
| - | <no events of interest were found> | ||
| - | </ | ||
| - | |||
auditing/view_audit_reports.1469700315.txt.gz · Last modified: 2020/07/15 09:30 (external edit)