type=PATH
In the third re cord, the type fie ld value is PATH. An Audit e ve nt contains a PATH-type re cord for e ve ry path that is pas s e d to the s ys te m call as an argume nt. In this Audit e ve nt, only one path (/etc/ssh/sshd_config) was us e d as an
argume nt.
msg=audit(1364481363.243:24287):
The msg fie ld holds the s ame time s tamp and ID value as the value in the firs t and s e cond re cord.
item=0
The item fie ld indicate s which ite m, of the total numbe r of ite ms re fe re nce d in the SYSCALL type re cord, the curre nt re cord is . This numbe r is ze ro-bas e d; a value of 0 me ans it is the firs t ite m.
name="/etc/ssh/sshd_config"
The name fie ld re cords the full path of the file or dire ctory that was pas s e d to the s ys te m call as an argume nt. In this cas e , it was the /etc/ssh/sshd_config file . inode=409248
The inode fie ld contains the inode numbe r as s ociate d with the file or dire ctory re corde d in this e ve nt. The following command dis plays the file or dire ctory that is as s ociate d with the 409248 inode numbe r:
~]# find / -inum 409248 -print /etc/ssh/sshd_config
dev=fd:00
The dev fie ld s pe cifie s the minor and major ID of the de vice that contains the file or dire ctory re corde d in this e ve nt. In this cas e , the value re pre s e nts the
/dev/fd/0 de vice . mode=0100600
The mode fie ld re cords the file or dire ctory pe rmis s ions , e ncode d in nume rical notation. In this cas e , 0100600 can be inte rpre te d as -rw---, me aning that only the root us e r has re ad and write pe rmis s ions to the /etc/ssh/sshd_config file .
ouid=0
The ouid fie ld re cords the obje ct owne r's us e r ID.
ogid=0
The ogid fie ld re cords the obje ct owne r's group ID.
rdev=00:00
The rdev fie ld contains a re corde d de vice ide ntifie r for s pe cial file s only. In this cas e , it is not us e d as the re corde d file is a re gular file .
obj=system_u:object_r:etc_t:s0
The obj fie ld re cords the SELinux conte xt with which the re corde d file or dire ctory was labe le d at the time of e xe cution.
The Audit e ve nt analyze d above contains only a s ubs e t of all pos s ible fie lds that an e ve nt can contain. For a lis t of all e ve nt fie lds and the ir e xplanation, re fe r to Se ction B.1, “Audit Eve nt Fie lds ”. For a lis t of all e ve nt type s and the ir e xplanation, re fe r to Se ction B.2, “Audit Re cord Type s ”.
Example 5.5. Addit io nal audit.log event s
The following Audit e ve nt re cords a s ucce s s ful s tart of the auditd dae mon. The ver fie ld s hows the ve rs ion of the Audit dae mon that was s tarte d.
type=DAEMON_START msg=audit(1363713609.192:5426): auditd start,
ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979 subj=unconfined_u:system_r:auditd_t:s0 res=success
The following Audit e ve nt re cords a faile d atte mpt of us e r with UID of 500 to log in as the root us e r.
type=USER_AUTH msg=audit(1364475353.159:24270): user pid=3280 uid=500 auid=500 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su"
hostname=? addr=? terminal=pts/0 res=failed'
5.7. Searching t he Audit Log Files
The ausearch utility allows you to s e arch Audit log file s for s pe cific e ve nts . By de fault, ausearch s e arche s the /var/log/audit/audit.log file . You can s pe cify a diffe re nt file us ing the ausearch options -if file_name command. Supplying multiple options in one ausearch command is e quivale nt to us ing the AND ope rator.
Example 5.6. Using ausearch t o search Audit lo g f iles
To s e arch the /var/log/audit/audit.log file for faile d login atte mpts , us e the following command:
~]# ausearch --message USER_LOGIN --success no --interpret
To s e arch for all account, group, and role change s , us e the following command:
~]# ausearch -m ADD_USER -m DEL_USER -m ADD_GROUP -m USER_CHAUTHTOK -m DEL_GROUP -m CHGRP_ID -m ROLE_ASSIGN -m ROLE_REMOVE -i
To s e arch for all logge d actions pe rforme d by a ce rtain us e r, us ing the us e r's login ID (auid), us e the following command:
~]# ausearch -ua 500 -i
To s e arch for all faile d s ys te m calls from ye s te rday up until now, us e the following command:
~]# ausearch --start yesterday --end now -m SYSCALL -sv no -i
For a full lis ting of all ausearch options , re fe r to the aus e arch(8) man page .
5.8. Creat ing Audit Report s
The aurepo rt utility allows you to ge ne rate s ummary and columnar re ports on the
e ve nts re corde d in Audit log file s . By de fault, all audit.log file s in the /var/log/audit/
dire ctory are que rie d to cre ate the re port. You can s pe cify a diffe re nt file to run the re port agains t us ing the aureport options -if file_name command.
Example 5.7. Using aureport t o generat e Audit repo rt s
To ge ne rate a re port for logge d e ve nts in the pas t thre e days e xcluding the curre nt e xample day, us e the following command:
~]# aureport --start 04/08/2013 00:00:00 --end 04/11/2013 00:00:00 To ge ne rate a re port of all e xe cutable file e ve nts , us e the following command:
~]# aureport -x
To ge ne rate a s ummary of the e xe cutable file e ve nt re port above , us e the following command:
~]# aureport -x --summary
To ge ne rate a s ummary re port of faile d e ve nts for all us e rs , us e the following command:
~]# aureport -u --failed --summary -i
To ge ne rate a s ummary re port of all faile d login atte mpts pe r e ach s ys te m us e r, us e the following command:
~]# aureport --login --summary -i
To ge ne rate a re port from an ausearch que ry that s e arche s all file acce s s e ve nts for us e r 500, us e the following command:
~]# ausearch start today loginuid 500 raw | aureport -f --summary
To ge ne rate a re port of all Audit file s that are que rie d and the time range of e ve nts the y include , us e the following command:
~]# aureport -t
For a full lis ting of all aureport options , re fe r to the aure port(8) man page .
5.9. Addit ional Resources
For more information about the Audit s ys te m, re fe r to the following s ource s .