Linux Audit Framework: using aureport

The Linux audit framework logs events as specified by the configured watches. To extract particular events we can use the ausearch or aureport tools. This article focuses on the latter, to get the most out of the tool.

Aureport

The aureport utility can be executed without any parameters. It will then extract all audit events available from the log. Since the audit log can be very big, it is usually better to use the --start parameter together with a time interval (e.g. this-month).

# aureport --start this-month

Summary Report
======================
Range of time in logs: 03/01/2014 00:00:01.801 - 03/20/2014 10:17:01.209
Selected time for report: 03/01/2014 00:00:00 - 03/20/2014 10:17:01.209
Number of changes in configuration: 61
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 0
Number of users: 4
Number of terminals: 7
Number of host names: 0
Number of executables: 13
Number of files: 155
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 94
Number of anomaly events: 2
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 3
Number of process IDs: 12796
Number of events: 16648
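The summary above is a good place to start a routine check: several counters (configuration changes, failed logins, anomaly events) should normally stay at zero or close to it. The script below is an added example, not code from the original article or from the audit project. It reads a saved aureport summary from a file and raises an alert for every counter above a limit. The counter labels are the ones aureport prints; the limits and the sample summaries are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original article): scan a saved aureport summary
# for counters a defender expects to be zero or very low.  Produce the input
# with e.g. "aureport --start this-month --summary > summary.txt".

# Counter label exactly as aureport prints it, and the highest value tolerated.
# The limits are assumptions for this example; tune them per environment.
AUDIT_THRESHOLDS='Number of changes in configuration|0
Number of failed logins|5
Number of failed authentications|5
Number of anomaly events|0'

# audit_summary_alerts FILE
# Prints one ALERT line per counter above its limit.  Returns 1 when at least
# one alert was raised, 0 when every checked counter is within limits.
audit_summary_alerts() {
    _file=$1
    _alerts=0
    while IFS='|' read -r _label _limit; do
        [ -n "$_label" ] || continue
        # The trailing colon keeps "Number of failed logins:" from matching
        # a shorter counter such as "Number of logins:".
        _value=$(grep -F "$_label:" "$_file" | sed 's/.*: *//')
        if [ -z "$_value" ]; then
            echo "warning: counter '$_label' not found in $_file" >&2
            continue
        fi
        if [ "$_value" -gt "$_limit" ]; then
            printf 'ALERT: %s = %s (limit %s)\n' "$_label" "$_value" "$_limit"
            _alerts=$((_alerts + 1))
        fi
    done <<EOF
$AUDIT_THRESHOLDS
EOF
    [ "$_alerts" -eq 0 ]
}

# Constructed sample summaries (not real system output) for demonstration.
SAMPLE_SUMMARY=$(mktemp)
cat > "$SAMPLE_SUMMARY" <<'EOF'
Summary Report
======================
Range of time in logs: 03/01/2014 00:00:01.801 - 03/20/2014 10:17:01.209
Number of changes in configuration: 3
Number of logins: 40
Number of failed logins: 12
Number of failed authentications: 2
Number of anomaly events: 0
Number of events: 16648
EOF

CLEAN_SUMMARY=$(mktemp)
cat > "$CLEAN_SUMMARY" <<'EOF'
Summary Report
======================
Number of changes in configuration: 0
Number of logins: 40
Number of failed logins: 1
Number of failed authentications: 0
Number of anomaly events: 0
EOF

# Usage: the non-zero exit status is what a cron job or monitoring check keys on.
if audit_summary_alerts "$SAMPLE_SUMMARY"; then
    echo "audit summary within limits"
else
    echo "audit summary needs review"
fi
```

On the constructed sample the script prints two ALERT lines (configuration changes and failed logins) and exits with status 1; on the clean sample it exits with 0. Any counter present in the threshold table but missing from the file is reported on stderr rather than silently ignored, so an unexpectedly truncated report does not pass as clean.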

Each individual entry shown in this summary can be extracted as its own report.

# aureport --file

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 11/07/2013 19:28:45 console 0 unset ? -1 2996
2. 11/07/2013 19:52:22 /var/run/ 2 yes /bin/dash 0 3011
3. 11/07/2013 19:53:11 /var/run/ 263 yes /bin/rm 0 3012
4. 11/07/2013 20:20:04 /var/run/ 2 yes /bin/dash 1000 3032
5. 11/07/2013 20:20:04 /var/run/ 82 yes /usr/sbin/sshd 1000 3034

Each event ID (the event column) can then be analyzed with ausearch --event <id>.

Configuration changes

Another good item to watch is changes to the audit configuration itself. Attackers do not like to be traced, and the audit configuration is therefore a common early target. For that same reason, we suggest also syncing the audit logs to an external system, with additional safeguards to protect them against compromise.

# aureport -c

Config Change Report
===================================
# date time type auid success event
===================================
1. 11/07/2013 20:20:04 CONFIG_CHANGE 1000 yes 3033
2. 11/07/2013 21:50:01 CONFIG_CHANGE 1000 yes 3088
3. 11/08/2013 10:35:35 CONFIG_CHANGE 1000 yes 3520
4. 11/08/2013 10:38:39 CONFIG_CHANGE 1000 yes 3527
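A config change report is most useful when it is compared against who is allowed to touch the audit rules. The script below is an added example, not code from the original article or from the audit project. It parses saved output of aureport -c, counts CONFIG_CHANGE events per auid, and marks any auid outside an allowed list as unexpected; the event ID of such a row can then be pulled with ausearch --event as described above. The allowed list (auid 0 and 1000) and the sample report are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original article): review a saved
# "aureport -c" report and flag audit-rule changes made by unexpected users.
# Produce the input with e.g. "aureport -c --start this-month > changes.txt".

# config_change_report FILE "AUID AUID ..."
# Prints one line per auid that changed the audit configuration, with the
# number of changes, how many of them failed, and whether the auid is on
# the allowed list.  Rows are sorted by auid.
config_change_report() {
    _file=$1
    _allowed=${2:-"0"}
    awk -v allowed="$_allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Data rows start with an index such as "1."; the header and the
        # "====" ruler lines do not.  Columns: # date time type auid success event.
        $1 ~ /^[0-9]+\.$/ && $4 == "CONFIG_CHANGE" {
            count[$5]++
            if ($6 != "yes") failed[$5]++
        }
        END {
            for (auid in count) {
                status = (auid in ok) ? "expected" : "UNEXPECTED"
                printf "auid %s changes %d failed %d %s\n", auid, count[auid], failed[auid] + 0, status
            }
        }' "$_file" | sort -n -k2
}

# config_changes_ok FILE "AUID AUID ..."
# Returns 0 when every change came from an allowed auid, 1 otherwise.
config_changes_ok() {
    ! config_change_report "$1" "$2" | grep -q UNEXPECTED
}

# Constructed sample report (not real system output).  auid -1 is how an
# unset login uid appears without "-i"; such changes deserve a closer look.
SAMPLE_CONFIG_REPORT=$(mktemp)
cat > "$SAMPLE_CONFIG_REPORT" <<'EOF'
Config Change Report
===================================
# date time type auid success event
===================================
1. 11/07/2013 20:20:04 CONFIG_CHANGE 1000 yes 3033
2. 11/07/2013 21:50:01 CONFIG_CHANGE 1000 yes 3088
3. 11/08/2013 10:35:35 CONFIG_CHANGE 0 yes 3520
4. 11/08/2013 10:38:39 CONFIG_CHANGE -1 no 3527
5. 11/08/2013 11:02:17 CONFIG_CHANGE 1000 yes 3601
EOF

# Usage: auids 0 and 1000 are the assumed administrators for this example.
config_change_report "$SAMPLE_CONFIG_REPORT" "0 1000"
if config_changes_ok "$SAMPLE_CONFIG_REPORT" "0 1000"; then
    echo "all audit configuration changes came from allowed users"
else
    echo "audit configuration changed by an unexpected user, review the events"
fi
```

On the sample this prints three lines, one per auid, with the auid -1 row marked UNEXPECTED, and config_changes_ok returns 1. Because aureport -c prints numeric auids without -i, the allowed list is given as numbers; pass the same list your change-management process sanctions.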

Different audit logs

When using archived logs, for example, aureport needs to be told to read that file instead of the current log. This is done with aureport -if or aureport --input, followed by the file name.
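Since --input takes a single file, covering a longer history means running the report once per rotated log. The script below is an added example, not code from the original article or from the audit project. It lists the rotated logs of an auditd log directory oldest first and runs aureport --input on each of them with whatever report options are given. It assumes the default auditd rotation layout, where audit.log is the live log and audit.log.1, audit.log.2, ... are progressively older; the demo directory it creates is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): run one aureport report over
# every rotated audit log, oldest first, so that events no longer present in
# the live audit.log are included.

# rotated_audit_logs DIR
# Prints the audit logs in DIR in chronological order: audit.log.N with the
# largest N first (sorted numerically, so .10 comes before .2), the live
# audit.log last.
rotated_audit_logs() {
    _dir=$1
    for _f in "$_dir"/audit.log.*; do
        [ -f "$_f" ] || continue
        # Prefix each path with its numeric suffix so sort can order by it.
        printf '%s %s\n' "${_f##*.}" "$_f"
    done | sort -k1,1nr | cut -d' ' -f2-
    if [ -f "$_dir/audit.log" ]; then
        printf '%s\n' "$_dir/audit.log"
    fi
}

# report_all_logs DIR [aureport options...]
# Runs aureport once per log file with --input and concatenates the results;
# the remaining arguments (e.g. -c or --file) are passed through unchanged.
report_all_logs() {
    _dir=$1
    shift
    rotated_audit_logs "$_dir" | while read -r _log; do
        echo "### $_log"
        aureport --input "$_log" "$@"
    done
}

# Constructed demo directory (empty files) to show the ordering.
DEMO_DIR=$(mktemp -d)
for _n in 1 2 10; do
    : > "$DEMO_DIR/audit.log.$_n"
done
: > "$DEMO_DIR/audit.log"

echo "logs in chronological order:"
rotated_audit_logs "$DEMO_DIR"

# Usage on a real system (needs aureport and read access to the logs):
if command -v aureport >/dev/null 2>&1 && [ -r /var/log/audit/audit.log ]; then
    report_all_logs /var/log/audit -c
fi
```

The demo prints audit.log.10, audit.log.2, audit.log.1 and then audit.log, which is the order in which the events were written. The same ordering matters when the outputs are concatenated and compared against a previous run, otherwise a freshly rotated file shows up as a burst of "new" events.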


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
