[CentOS 8] Checking Auditd logs with ausearch and aureport

Linux

by mp.jamong 2021. 1. 17. 10:59


In the previous post I introduced how to configure and use Auditd. In this post we look at how to read the audit log conveniently with ausearch and aureport.


Searching the audit log with ausearch

ausearch lets you search for the audit records you want to see. In the examples below, -m/--message selects the record type, -ua matches any of uid, euid or auid, -ul matches only the login uid (auid), -x matches the executable, --start/--end bound the time range, and -i/--interpret converts numeric ids and hex-encoded fields into readable text. Usage is as follows.



# Search login records
[root@localhost ~]# ausearch --message USER_LOGIN --interpret
----
type=USER_LOGIN msg=audit(10/20/2020 15:24:36.279:60) : pid=925 uid=root auid=root ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=root exe=/usr/bin/login hostname=localhost.localdomain addr=? terminal=tty1 res=success'
----
type=USER_LOGIN msg=audit(10/23/2020 18:43:43.867:54) : pid=869 uid=root auid=root ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=root exe=/usr/bin/login hostname=localhost.localdomain addr=? terminal=tty1 res=success'


# Search records for UID 1001
[root@localhost ~]# ausearch -ua 1001
----
time->Sun Jan 17 09:56:23 2021
type=LOGIN msg=audit(1610844983.025:98): pid=910 uid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 old-auid=4294967295 auid=1001 tty=tty1 old-ses=4294967295 ses=3 res=1
----
time->Sun Jan 17 09:56:23 2021
type=PROCTITLE msg=audit(1610844983.025:98): proctitle=2F62696E2F6C6F67696E002D70002D2D002020202020202020
type=SYSCALL msg=audit(1610844983.025:98): arch=c000003e syscall=1 success=yes exit=4 a0=6 a1=7ffd90d52b50 a2=4 a3=0 items=0 ppid=1 pid=910 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=3 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
----
time->Sun Jan 17 09:56:23 2021
type=USER_ROLE_CHANGE msg=audit(1610844983.049:99): pid=910 uid=0 auid=1001 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/bin/login" hostname=localhost.localdomain addr=? terminal=tty1 res=success'
----


# Search sudo records for UID 1001
[root@localhost ~]# ausearch -x sudo -ua 1001
----
time->Sun Jan 17 09:59:43 2021
type=USER_AUTH msg=audit(1610845183.827:109): pid=1976 uid=1001 auid=1001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="mpjamong" exe="/usr/bin/sudo" hostname=localhost.localdomain addr=? terminal=/dev/tty1 res=success'
----
time->Sun Jan 17 09:59:43 2021
type=USER_ACCT msg=audit(1610845183.828:110): pid=1976 uid=1001 auid=1001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix acct="mpjamong" exe="/usr/bin/sudo" hostname=localhost.localdomain addr=? terminal=/dev/tty1 res=success'
----
time->Sun Jan 17 09:59:43 2021
type=USER_CMD msg=audit(1610845183.828:111): pid=1976 uid=1001 auid=1001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/mpjamong" cmd=79756D20696E7374616C6C206874747064 exe="/usr/bin/sudo" terminal=tty1 res=failed'


# Search records for UID 1001 within a time range
[root@localhost ~]# ausearch --start 01/10/2021 --end 01/17/2021 -ul 1001
----
time->Sun Jan 17 09:56:23 2021
type=LOGIN msg=audit(1610844983.025:98): pid=910 uid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 old-auid=4294967295 auid=1001 tty=tty1 old-ses=4294967295 ses=3 res=1
----
time->Sun Jan 17 09:56:23 2021
type=PROCTITLE msg=audit(1610844983.025:98): proctitle=2F62696E2F6C6F67696E002D70002D2D002020202020202020
type=SYSCALL msg=audit(1610844983.025:98): arch=c000003e syscall=1 success=yes exit=4 a0=6 a1=7ffd90d52b50 a2=4 a3=0 items=0 ppid=1 pid=910 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=3 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
----
time->Sun Jan 17 09:56:23 2021
type=USER_ROLE_CHANGE msg=audit(1610844983.049:99): pid=910 uid=0 auid=1001 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/bin/login" hostname=localhost.localdomain addr=? terminal=tty1 res=success'


Viewing audit log reports with aureport

aureport summarizes the audit log as reports. In the examples below, -au produces the authentication report, -m the account modification report and -x the executable report; -i interprets numeric ids as names, --failed keeps only failed events, --summary aggregates the results, and --start/--end accept either dates or keywords such as this-month. Usage is as follows.



# Summary report with aureport
[root@localhost ~]# aureport

Summary Report
======================
Range of time in logs: 10/20/2020 15:24:19.906 - 01/17/2021 09:41:10.115
Selected time for report: 10/20/2020 15:24:19 - 01/17/2021 09:41:10.115
Number of changes in configuration: 96
Number of changes to accounts, groups, or roles: 73
Number of logins: 32
Number of failed logins: 11
Number of authentications: 34
Number of failed authentications: 11
Number of users: 2
Number of terminals: 7
Number of host names: 5
Number of executables: 13
Number of commands: 9
Number of files: 0
Number of AVC's: 0
Number of MAC events: 61
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 422
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 309
Number of events: 4717


# Authentication report
[root@localhost ~]# aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 10/20/2020 15:24:35 root localhost.localdomain tty1 /usr/bin/login yes 47
2. 10/23/2020 18:43:43 root localhost.localdomain tty1 /usr/bin/login yes 41
3. 10/24/2020 04:32:41 root localhost.localdomain tty1 /usr/bin/login yes 41
4. 10/24/2020 04:37:18 root localhost.localdomain tty1 /usr/bin/login yes 40
5. 10/24/2020 04:39:44 root 192.168.56.1 ssh /usr/sbin/sshd yes 60
6. 10/24/2020 04:49:56 root localhost.localdomain tty1 /usr/bin/login yes 39
7. 10/24/2020 04:50:05 root 192.168.56.1 ssh /usr/sbin/sshd yes 59
8. 10/24/2020 05:01:09 root localhost.localdomain tty1 /usr/bin/login yes 45
9. 10/25/2020 21:29:59 root localhost.localdomain tty1 /usr/bin/login yes 47
10. 10/26/2020 07:49:31 root 192.168.56.1 ssh /usr/sbin/sshd yes 50
11. 12/14/2020 13:26:56 root 192.168.56.1 ssh /usr/sbin/sshd yes 50
12. 12/14/2020 13:29:33 root localhost.localdomain tty1 /usr/bin/login no 72
13. 12/14/2020 13:29:38 root localhost.localdomain tty1 /usr/bin/login no 74
14. 12/14/2020 13:29:43 root localhost.localdomain tty1 /usr/bin/login no 76
15. 12/14/2020 13:29:58 mpjamong localhost.localdomain tty1 /usr/bin/login no 82
16. 12/14/2020 13:30:05 mpjamong localhost.localdomain tty1 /usr/bin/login no 84
17. 12/14/2020 13:44:19 root localhost.localdomain tty1 /usr/bin/login no 116
18. 12/14/2020 13:44:26 root localhost.localdomain tty1 /usr/bin/login no 118
19. 12/14/2020 13:44:33 mpjamong localhost.localdomain tty1 /usr/bin/login no 120
20. 12/24/2020 11:50:49 root localhost.localdomain tty1 /usr/bin/login yes 54
21. 12/24/2020 11:53:03 root 192.168.56.1 ssh /usr/sbin/sshd yes 73
22. 12/24/2020 11:59:16 root 192.168.56.1 ssh /usr/sbin/sshd yes 49
23. 12/24/2020 12:03:13 root 192.168.56.1 ssh /usr/sbin/sshd yes 51
24. 12/24/2020 12:09:38 root 192.168.56.1 ssh /usr/sbin/sshd yes 51
25. 12/31/2020 10:49:29 root 192.168.56.1 ssh /usr/sbin/sshd yes 53
26. 01/02/2021 11:50:24 root 192.168.56.1 ssh /usr/sbin/sshd yes 55
27. 01/02/2021 11:56:15  ::ffff:10.0.2.15 pts/1 /usr/bin/login no 86
28. 01/02/2021 11:58:46 \033\033\033q ::ffff:10.0.2.15 pts/1 /usr/bin/login no 92
29. 01/02/2021 12:17:50 root localhost.localdomain tty1 /usr/bin/login yes 118
30. 01/02/2021 16:13:09 root 192.168.56.1 ssh /usr/sbin/sshd yes 53
31. 01/02/2021 18:21:07 root localhost.localdomain tty1 /usr/bin/login yes 173
32. 01/03/2021 10:48:13 root 192.168.56.1 ssh /usr/sbin/sshd yes 53
33. 01/03/2021 20:27:32 root 192.168.56.1 ssh /usr/sbin/sshd yes 60
34. 01/06/2021 00:24:36 root 192.168.56.1 ssh /usr/sbin/sshd yes 53
35. 01/10/2021 06:29:10 root 192.168.56.1 ssh /usr/sbin/sshd yes 53
36. 01/14/2021 08:18:13 root 192.168.56.1 ssh /usr/sbin/sshd yes 55
37. 01/14/2021 22:22:19 [A localhost.localdomain tty1 /usr/bin/login no 50
38. 01/14/2021 22:22:24 root localhost.localdomain tty1 /usr/bin/login yes 52
39. 01/15/2021 08:42:10 root 192.168.56.1 ssh /usr/sbin/sshd yes 55
40. 01/16/2021 05:52:00 root 192.168.56.1 ssh /usr/sbin/sshd yes 57
41. 01/16/2021 06:35:22 root 192.168.56.1 ssh /usr/sbin/sshd yes 56
42. 01/17/2021 09:32:01 root 192.168.56.1 ssh /usr/sbin/sshd yes 56
43. 01/17/2021 09:32:03 root 192.168.56.1 ssh /usr/sbin/sshd yes 57
44. 01/17/2021 09:37:05 testuser1111 localhost.localdomain pts/0 /usr/bin/su yes 111
45. 01/17/2021 09:38:15 testuser1111 localhost.localdomain pts/0 /usr/bin/su yes 126


# List failed authentications
[root@localhost ~]# aureport -au --failed

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 12/14/2020 13:29:33 root localhost.localdomain tty1 /usr/bin/login no 72
2. 12/14/2020 13:29:38 root localhost.localdomain tty1 /usr/bin/login no 74
3. 12/14/2020 13:29:43 root localhost.localdomain tty1 /usr/bin/login no 76
4. 12/14/2020 13:29:58 mpjamong localhost.localdomain tty1 /usr/bin/login no 82
5. 12/14/2020 13:30:05 mpjamong localhost.localdomain tty1 /usr/bin/login no 84


# Failed authentication summary
[root@localhost ~]# aureport -au --failed --summary

Failed Authentication Summary Report
=============================
total  acct
=============================
5  root
3  mpjamong
1
1  \033\033\033q
1  [A


# Account modification report
[root@localhost ~]# aureport -m -i

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 10/24/2020 04:54:38 root localhost.localdomain pts/0 /usr/sbin/useradd vboxadd yes 74
2. 10/24/2020 04:54:39 root localhost.localdomain pts/0 /usr/sbin/useradd vboxadd no 75
3. 10/24/2020 04:54:39 root localhost.localdomain pts/0 /usr/sbin/groupadd ? yes 76
4. 10/24/2020 04:54:39 root localhost.localdomain pts/0 /usr/sbin/groupadd ? yes 77


# Account modifications this month
[root@localhost ~]# aureport -m -i --start this-month

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 01/02/2021 11:45:02 unset ? ? /usr/sbin/useradd vboxadd no 39
2. 01/02/2021 11:45:02 unset ? ? /usr/sbin/useradd vboxadd no 40
3. 01/02/2021 16:12:32 unset ? ? /usr/sbin/useradd vboxadd no 39
4. 01/02/2021 16:12:32 unset ? ? /usr/sbin/useradd vboxadd no 40


# Executable report
[root@localhost ~]# aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 10/20/2020 15:24:19 /usr/lib/systemd/systemd ? ? unset 8
2. 10/20/2020 15:24:19 /usr/lib/systemd/systemd-update-utmp ? ? unset 9
3. 10/20/2020 15:24:19 /usr/lib/systemd/systemd ? ? unset 10
4. 10/20/2020 15:24:19 /usr/lib/systemd/systemd ? ? unset 11


# Executable report for a time range
[root@localhost ~]# aureport -x -i --start 01/10/2021 --end 01/17/2021

Executable Report
====================================
# date time exe term host auid event
====================================
1. 01/10/2021 06:28:50 /usr/sbin/auditctl (none) ? unset 5
2. 01/10/2021 06:28:50 /usr/sbin/auditctl (none) ? unset 6
3. 01/10/2021 06:28:50 /usr/sbin/auditctl (none) ? unset 7
4. 01/10/2021 06:28:50 /usr/lib/systemd/systemd ? ? unset 8
5. 01/10/2021 06:28:50 /usr/lib/systemd/systemd-update-utmp ? ? unset 9


Combining ausearch and aureport

▷ Because aureport also accepts records on standard input, the ausearch and aureport commands described above can be combined: pipe the search result into aureport to view it in report form. Usage is as follows.



# Search sudo records for UID 1001, then view them as a report
[root@localhost ~]# ausearch -x sudo -ua 1001 | aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 01/17/2021 09:59:43 mpjamong localhost.localdomain /dev/tty1 /usr/bin/sudo yes 109


[root@localhost ~]# ausearch -ui 1001 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 01/17/2021 09:59:43 /usr/bin/sudo /dev/tty1 localhost.localdomain mpjamong 109
2. 01/17/2021 09:59:43 /usr/bin/sudo /dev/tty1 localhost.localdomain mpjamong 110
3. 01/17/2021 09:59:43 /usr/bin/sudo tty1 ? mpjamong 111
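As an added example (not code from the post), the following Python parser shows what the tools above do with the raw records: it decodes the hex-encoded proctitle and cmd fields the way ausearch -i does, groups records by the event serial inside audit(time:serial) (the blocks ausearch separates with ----), and totals failed records per account like aureport -au --failed --summary. The sample records are constructed, shortened copies of the output shown in this post, not a real capture.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in raw audit.log form (what ausearch prints without -i);
# values are shortened copies of the records in the post, not a real capture.
SAMPLE = """\
type=PROCTITLE msg=audit(1610844983.025:98): proctitle=2F62696E2F6C6F67696E002D70002D2D00
type=SYSCALL msg=audit(1610844983.025:98): arch=c000003e syscall=1 success=yes exit=4 pid=910 auid=1001 uid=0 comm="login" exe="/usr/bin/login" key=(null)
type=USER_AUTH msg=audit(1610845183.827:109): pid=1976 uid=1001 auid=1001 ses=3 msg='op=PAM:authentication grantors=pam_unix acct="mpjamong" exe="/usr/bin/sudo" terminal=/dev/tty1 res=success'
type=USER_AUTH msg=audit(1607920173.000:72): pid=1180 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/login" terminal=tty1 res=failed'
type=USER_CMD msg=audit(1610845183.828:111): pid=1976 uid=1001 auid=1001 ses=3 msg='cwd="/home/mpjamong" cmd=79756D20696E7374616C6C206874747064 exe="/usr/bin/sudo" terminal=tty1 res=failed'
"""

TOKEN = re.compile(r"([\w-]+)=('[^']*'|\"[^\"]*\"|\S*)")
HEX = re.compile(r"^[0-9A-F]+$")
HEX_KEYS = {"cmd", "proctitle"}  # audit hex-encodes these when they hold spaces/NULs

def decode_hex(value: str) -> str:
    """Mimic ausearch -i for hex-encoded strings; NUL separates argv entries."""
    return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ").strip()

def parse_record(line: str) -> dict:
    """Flatten one audit record into a dict; fields nested in msg='...' are merged."""
    rec = {}
    for key, raw in TOKEN.findall(line):
        if raw.startswith("audit("):                  # msg=audit(TIME:SERIAL):
            ts, serial = raw[len("audit("):].rstrip("):").split(":")
            rec["time"], rec["serial"] = float(ts), int(serial)
        elif raw.startswith("'"):                     # msg='k=v k=v ...'
            rec.update(parse_record(raw.strip("'")))
        else:
            val = raw.strip('"')
            if key in HEX_KEYS and HEX.match(val) and len(val) % 2 == 0:
                val = decode_hex(val)
            rec[key] = val
    return rec

def group_events(text: str) -> dict:
    """Group records by event serial, as ausearch does between its ---- lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    return dict(events)

def failed_by_acct(events: dict, rtype: str = "USER_AUTH") -> Counter:
    """Per-account count of res=failed records of one type (aureport --failed --summary)."""
    return Counter(r.get("acct", r.get("auid", "?")) for recs in events.values()
                   for r in recs if r.get("type") == rtype and r.get("res") == "failed")
```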
