Linux audit tool: aureport

aureport is a command-line tool for viewing and analyzing the audit log on a Linux system.

The audit log is a log file that records detailed information about system activity, security events and resource access. It helps administrators monitor and trace what happens on the system, including user logins, file access, process creation, permission changes and so on.

The aureport command displays the audit log in a readable format and offers a rich set of filtering and reporting options, so the log can be analyzed according to different needs.

Some common usage examples:

  • Show a summary of all audit events:
aureport
  • Show audit events within a specific time range:
aureport --start <start time> --end <end time>
  • Report on a saved log file and summarize by event type (--input takes a file path; --input-logs takes no argument and reads the log location from auditd.conf):
aureport --input <log file path> --event --summary
  • Save the report to a file (aureport has no HTML output option; redirect its plain-text output):
aureport --summary > report.txt

The examples above cover only some common uses of aureport; run man aureport, or type aureport --help in a terminal, for detailed information on the command and its options.

Note that aureport normally requires administrator privileges to access and analyze the audit log.

# Show a summary of all audit events
[root@local ~]# aureport

Summary Report
======================
Range of time in logs: 01/01/1970 08:00:00.000 - 12/01/2023 15:30:01.031
Selected time for report: 01/01/1970 08:00:00 - 12/01/2023 15:30:01.031
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 1
Number of logins: 333
Number of failed logins: 2587
Number of authentications: 975
Number of failed authentications: 748
Number of users: 5
Number of terminals: 7
Number of host names: 781
Number of executables: 5
Number of commands: 1
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 37745
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 17258
Number of events: 162157

# Show audit events within a specific time range
[root@local ~]# aureport --start 06/06/2023 --end 09/19/2023

Summary Report
======================
Range of time in logs: 09/19/2023 16:00:01.039 - 01/01/1970 08:00:00.000
Selected time for report: 06/06/2023 00:00:00 - 09/19/2023 15:56:55
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 17
Number of failed logins: 419
Number of authentications: 51
Number of failed authentications: 228
Number of users: 3
Number of terminals: 4
Number of host names: 219
Number of executables: 3
Number of commands: 1
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 6506
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 5053
Number of events: 35262
# Query the authentication records for the root user; "no" in the success column means the login failed
[root@local ~]# aureport -au |grep root
1. 08/28/2023 13:22:52 root 159.203.72.167 ssh /usr/sbin/sshd no 1080412
2. 08/28/2023 13:22:53 root 159.203.72.167 ssh /usr/sbin/sshd no 1080413
3. 08/31/2023 06:18:57 root 207.154.214.81 ssh /usr/sbin/sshd no 1084192
4. 08/31/2023 06:18:58 root 207.154.214.81 ssh /usr/sbin/sshd no 1084193
5. 08/31/2023 06:18:59 root 207.154.214.81 ssh /usr/sbin/sshd no 1084206
6. 08/31/2023 06:19:00 root 207.154.214.81 ssh /usr/sbin/sshd no 1084207
7. 08/31/2023 06:19:01 root 207.154.214.81 ssh /usr/sbin/sshd no 1084220
8. 08/31/2023 06:19:01 root 207.154.214.81 ssh /usr/sbin/sshd no 1084221
9. 08/31/2023 06:19:03 root 207.154.214.81 ssh /usr/sbin/sshd no 1084234
10. 08/31/2023 06:19:04 root 207.154.214.81 ssh /usr/sbin/sshd no 1084235
11. 08/31/2023 06:19:05 root 207.154.214.81 ssh /usr/sbin/sshd no 1084248
12. 08/31/2023 06:19:05 root 207.154.214.81 ssh /usr/sbin/sshd no 1084249
13. 08/31/2023 06:19:07 root 207.154.214.81 ssh /usr/sbin/sshd no 1084262
14. 08/31/2023 06:19:07 root 207.154.214.81 ssh /usr/sbin/sshd no 1084263
15. 08/31/2023 06:19:09 root 207.154.214.81 ssh /usr/sbin/sshd no 1084276
16. 08/31/2023 06:19:09 root 207.154.214.81 ssh /usr/sbin/sshd no 1084277
17. 08/31/2023 06:19:11 root 207.154.214.81 ssh /usr/sbin/sshd no 1084290
18. 08/31/2023 06:19:11 root 207.154.214.81 ssh /usr/sbin/sshd no 1084291
19. 08/31/2023 06:19:13 root 207.154.214.81 ssh /usr/sbin/sshd no 1084304
20. 08/31/2023 06:19:13 root 207.154.214.81 ssh /usr/sbin/sshd no 1084305
21. 09/01/2023 02:27:23 root 159.223.199.121 ssh /usr/sbin/sshd no 1085479
22. 09/01/2023 02:27:23 root 159.223.199.121 ssh /usr/sbin/sshd no 1085480
23. 09/01/2023 12:38:30 root 134.122.111.0 ssh /usr/sbin/sshd no 1086172
24. 09/01/2023 12:38:30 root 134.122.111.0 ssh /usr/sbin/sshd no 1086173
25. 09/02/2023 19:00:01 root 170.64.182.148 ssh /usr/sbin/sshd no 1088168
26. 09/02/2023 19:00:01 root 170.64.182.148 ssh /usr/sbin/sshd no 1088176
27. 09/02/2023 19:00:03 root 170.64.182.148 ssh /usr/sbin/sshd no 1088189
28. 09/02/2023 19:00:04 root 170.64.182.148 ssh /usr/sbin/sshd no 1088190
29. 09/02/2023 19:00:06 root 170.64.182.148 ssh /usr/sbin/sshd no 1088203
30. 09/02/2023 19:00:06 root 170.64.182.148 ssh /usr/sbin/sshd no 1088204
31. 09/02/2023 19:00:08 root 170.64.182.148 ssh /usr/sbin/sshd no 1088217
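The summary report and the authentication report above are plain text, so their numbers can be checked from a script rather than read by eye. The following POSIX shell snippet is an added example, not code from the original post or from the audit package: it pulls selected counters out of a summary report and computes the ratio of failed to successful logins, and it counts failed authentications per host and per account from an `aureport -au` report so that hosts above a threshold can be listed. Both sample reports are constructed to match the column layout shown above; the hosts are RFC 5737 documentation addresses and the event ids are made up. In practice the report text would come from `aureport --summary` or `aureport -au` (with `--input-logs` when run from cron, which is a real aureport option), not from the embedded samples.

```shell
#!/bin/sh
# Added example, not code from the original post: parsers for the plain-text
# reports printed by aureport, so the counters can be checked from a script.
# Both samples are constructed in the layout shown in the post; hosts are
# RFC 5737 documentation addresses and the event ids are invented.

SAMPLE_SUMMARY='Summary Report
======================
Range of time in logs: 01/01/1970 08:00:00.000 - 12/01/2023 15:30:01.031
Number of logins: 333
Number of failed logins: 2587
Number of authentications: 975
Number of failed authentications: 748
Number of events: 162157'

SAMPLE_AUTH_REPORT='Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 08/28/2023 13:22:52 root 203.0.113.10 ssh /usr/sbin/sshd no 1080412
2. 08/28/2023 13:22:53 root 203.0.113.10 ssh /usr/sbin/sshd no 1080413
3. 08/31/2023 06:18:57 root 198.51.100.7 ssh /usr/sbin/sshd no 1084192
4. 08/31/2023 06:18:58 root 198.51.100.7 ssh /usr/sbin/sshd no 1084193
5. 08/31/2023 06:18:59 root 198.51.100.7 ssh /usr/sbin/sshd no 1084206
6. 08/31/2023 06:19:00 alice 198.51.100.7 ssh /usr/sbin/sshd no 1084207
7. 08/31/2023 07:02:11 alice 192.0.2.44 ssh /usr/sbin/sshd yes 1084300'

# summary_counter REPORT_TEXT LABEL
# Prints the integer after "LABEL:" in a summary report (nothing if absent).
summary_counter() {
    printf '%s\n' "$1" | awk -F': ' -v key="$2" '$1 == key { print $2; exit }'
}

# failed_login_ratio REPORT_TEXT
# Failed logins per successful login, two decimals ("inf" when there are none).
failed_login_ratio() {
    ok=$(summary_counter "$1" "Number of logins")
    bad=$(summary_counter "$1" "Number of failed logins")
    awk -v ok="$ok" -v bad="$bad" \
        'BEGIN { if (ok + 0 == 0) print "inf"; else printf "%.2f\n", bad / ok }'
}

# failed_auth_by_host AUTH_REPORT_TEXT
# Data lines start with "<n>." (header lines do not); field 5 is the host and
# field 8 the success flag, so this counts rows with "no" per host, most first.
failed_auth_by_host() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+\.$/ && $8 == "no" { count[$5]++ }
        END { for (h in count) printf "%d %s\n", count[h], h }
    ' | sort -rn
}

# failed_auth_by_account AUTH_REPORT_TEXT  (same idea, keyed on field 4)
failed_auth_by_account() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+\.$/ && $8 == "no" { count[$4]++ }
        END { for (a in count) printf "%d %s\n", count[a], a }
    ' | sort -rn
}

# hosts_over_threshold AUTH_REPORT_TEXT N
# Hosts with at least N failed authentications, one per line.
hosts_over_threshold() {
    failed_auth_by_host "$1" | awk -v n="$2" '$1 + 0 >= n + 0 { print $2 }'
}

# Stand-alone run against the constructed samples.
echo "failed/successful logins: $(failed_login_ratio "$SAMPLE_SUMMARY")"
echo "failed authentications by host:"
failed_auth_by_host "$SAMPLE_AUTH_REPORT"
echo "hosts with >= 3 failures: $(hosts_over_threshold "$SAMPLE_AUTH_REPORT" 3)"
```

The functions take the report text as an argument, so they work equally on `aureport --summary` output captured with command substitution and on a report saved to a file and read with `cat`. Matching only lines that begin with an index like `1.` skips the report header, and keying on the host and account columns gives the two views a responder wants first: which sources generated the failures and which accounts they targeted.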
