Differences

This shows you the differences between two versions of the page.

--- auditing:view_the_audit_log [2016/07/16 09:27] – peter
+++ auditing:view_the_audit_log [2019/11/26 20:13] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== Auditing - View the audit log ======
-Use **ausearch** to view the audit log.
-===== View the audit log against a file =====
-For example, to see the audit log against the /etc/passwd file (assuming that a rule had been added to watch the /etc/passwd file):
-<code bash>
-sudo ausearch -f /etc/passwd
-</code>
-Result:
-<code>
-<no matches>
-</code>
-or
-<code>
-time->Mon Dec 22 09:39:16 2014
-type=PATH msg=audit(1419215956.471:194): item=0 name="/etc/passwd" inode=142512 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
-type=CWD msg=audit(1419215956.471:194): cwd="/home/peter"
-type=SYSCALL msg=audit(1419215956.471:194): arch=40000003 syscall=5 success=yes exit=3 a0=b779694b a1=80000 a2=1b6 a3=b8776aa8 items=1 ppid=2090 pid=2231 auid=4294967295 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key=(null)
-</code>
-  * **time** ; is when the audit is done.
-  * **name** ; is the object name to be audited.
-  * **cwd** ; is the current directory.
-  * **syscall** ; is related syscall.
-  * **auid** ; is the audit user ID.
-  * **uid** and **gid** ; are User ID and Group ID of the user who access the file.
-  * **comm** ; is the command that the user is used to access the file.
-  * **exe** ; is the location of the command of comm parameter above.
-This is how auditd records the activity to the /etc/passwd file when a new user is added:
-<code>
-time->Mon Dec 22 11:25:23 2014
-type=PATH msg=audit(1419222323.628:510): item=1 name="/etc/passwd.lock" inode=143992 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
-type=PATH msg=audit(1419222323.628:510): item=0 name="/etc/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
-type=CWD msg=audit(1419222323.628:510): cwd="/root"
-type=SYSCALL msg=audit(1419222323.628:510): arch=40000003 syscall=10 success=yes exit=0 a0=bfc0ceec a1=0 a2=bfc0ceec a3=897764c items=2 ppid=2978 pid=2994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chfn" exe="/usr/bin/chfn" key=(null)
-</code>
-As e can be seen, that at the particular time, /etc/passwd was accessed by user root (uid = 0 and gid = 0) from directory /root (cwd = /root).  The /etc/passwd file was accessed using the chfn command which is located in /usr/bin/chfn.
-===== View the audit log against a directory =====
-Assuming auditd had been configured to watch directory named /production/.
-If this was a new directory then using **ausearch** would find nothing.
-<code bash>
-sudo ausearch /production/
-</code>
-Result:
-<code>
-No record
-</code>
-Otherwise how would auditd log the root account listing the /production directory using the **ls* command?
-<code bash>
-sudo ls /production
-</code>
-Result:
-<code>
-time->Mon Dec 22 14:18:28 2014
-type=PATH msg=audit(1419232708.344:527): item=0 name="/production/" inode=797104 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
-type=CWD msg=audit(1419232708.344:527): cwd="/root"
-type=SYSCALL msg=audit(1419232708.344:527): arch=40000003 syscall=295 success=yes exit=3 a0=ffffff9c a1=95761e8 a2=98800 a3=0 items=1 ppid=3033 pid=3444 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="ls" exe="/bin/ls" key=(null)
-</code>
-This shows that the /production folder was looked at by the root account (uid=0 gid=0) using the ls command (comm = ls) and the ls command is located in the /bin/ls folder.