Linux Audit Framework: using aureport

Linux Audit Framework: using aureport

The Linux audit framework logs events, as specified by the configured watches. To extract particular events we can use the ausearch or aureport tools. The latter is the one we will focus on in this article, to get the most out of the tool.


The aureport utility can be executed without any parameters. It will then extract all audit events available from the log. Since the audit log can be very big, it might be better to use the –start parameter, together with a time interval (e.g. this-month).

 root@host:~# aureport -start this-month

Summary Report
Range of time in logs: 03/01/2014 00:00:01.801 – 03/20/2014 10:17:01.209
Selected time for report: 03/01/2014 00:00:00 – 03/20/2014 10:17:01.209
Number of changes in configuration: 61
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 0
Number of users: 4
Number of terminals: 7
Number of host names: 0
Number of executables: 13
Number of files: 155
Number of AVC’s: 0
Number of MAC events: 0
Number of failed syscalls: 94
Number of anomaly events: 2
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 3
Number of process IDs: 12796
Number of events: 16648

Each individual entry shown in this list, can be extracted independently.

aureport –file

File Report
# date time file syscall success exe auid event
1. 11/07/2013 19:28:45 console 0 unset ? -1 2996
2. 11/07/2013 19:52:22 /var/run/ 2 yes /bin/dash 0 3011
3. 11/07/2013 19:53:11 /var/run/ 263 yes /bin/rm 0 3012
4. 11/07/2013 20:20:04 /var/run/ 2 yes /bin/dash 1000 3032
5. 11/07/2013 20:20:04 /var/run/ 82 yes /usr/sbin/sshd 1000 3034

Each event ID (first column) can be then analyzed by using ausearch –event <id>.

Configuration changes

Another good item to watch for is configuration changes of the audit rules themselves. Malicious people don’t like them being traced and attacking the audit configuration is a common first target. For that same reason, we suggest to sync audit logs also to an external system, with additional safeguards to protect against compromise.

root@host:~# aureport -c

Config Change Report
# date time type auid success event
1. 11/07/2013 20:20:04 CONFIG_CHANGE 1000 yes 3033
2. 11/07/2013 21:50:01 CONFIG_CHANGE 1000 yes 3088
3. 11/08/2013 10:35:35 CONFIG_CHANGE 1000 yes 3520
4. 11/08/2013 10:38:39 CONFIG_CHANGE 1000 yes 3527

Different audit logs

When using archived logs for example, aureport needs a hint to read that file instead. This can be done by using aureport –if or –input, followed by the file.

One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package

Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.