AUREPORT:(8)             System Administration Utilities             AUREPORT:(8)

NAME
       aureport - a tool that produces summary reports of audit daemon logs

SYNOPSIS
       aureport [options]

DESCRIPTION
       aureport is a tool that produces summary reports of the audit system
       logs. The aureport utility can also take input from stdin as long as
       the input is the raw log data. The reports have a column label at the
       top to help with interpretation of the various fields. Except for the
       main summary report, all reports include the audit event number. You
       can subsequently look up the full event with ausearch -a event-number.
       You may need to specify start and stop times if you get multiple hits.
       The reports produced by aureport can be used as building blocks for
       more complicated analysis.

OPTIONS
       -au, --auth
              Report about authentication attempts

       -a, --avc
              Report about avc messages

       --comm Report about commands run

       -c, --config
              Report about config changes

       -cr, --crypto
              Report about crypto events

       -e, --event
              Report about events

       --escape option
              This option determines if the output is escaped to make the
              content safer for certain uses. The options are raw, tty,
              shell, and shell_quote. Each mode includes the characters of
              the preceding mode and escapes more characters. That is to say
              shell includes all characters escaped by tty and adds more.
              tty is the default.

       -f, --file
              Report about files and af_unix sockets

       --failed
              Only select failed events for processing in the reports. The
              default is both success and failed events.

       -h, --host
              Report about hosts

       --help Print brief command summary

       -i, --interpret
              Interpret numeric entities into text. For example, uid is
              converted to account name. The conversion is done using the
              current resources of the machine where the search is being
              run. If you have renamed the accounts, or don't have the same
              accounts on your machine, you could get misleading results.

       -if, --input file | directory
              Use the given file or directory instead of the logs. This is
              to aid analysis where the logs have been moved to another
              machine or only part of a log was saved.

       --input-logs
              Use the log file location from auditd.conf as input for
              analysis. This is needed if you are using aureport from a cron
              job.

       --integrity
              Report about integrity events

       -k, --key
              Report about audit rule keys

       -l, --login
              Report about logins

       -m, --mods
              Report about account modifications

       -ma, --mac
              Report about Mandatory Access Control (MAC) events

       -n, --anomaly
              Report about anomaly events. These events include a NIC going
              into promiscuous mode and programs segfaulting.

       --node node-name
              Only select events originating from the given node name string
              for processing in the reports. The default is to include all
              nodes. Multiple nodes are allowed.

       -nc, --no-config
              Do not include the CONFIG_CHANGE event. This is particularly
              useful for the key report because audit rules have key labels
              in many cases. Using this option gets rid of these false
              positives.

       -p, --pid
              Report about processes

       -r, --response
              Report about responses to anomaly events

       -s, --syscall
              Report about syscalls

       --success
              Only select successful events for processing in the reports.
              The default is both success and failed events.

       --summary
              Run the summary report that gives a total of the elements of
              the main report. Not all reports have a summary.

       -t, --log
              This option will output a report of the start and end times
              for each log.

       --tty  Report about tty keystrokes

       -te, --end [end-date] [end-time]
              Search for events with time stamps equal to or before the
              given end time. The format of end time depends on your locale.
              If the date is omitted, today is assumed. If the time is
              omitted, now is assumed. Use 24 hour clock time rather than AM
              or PM to specify time. An example date using the en_US.utf8
              locale is 09/03/2009. An example of time is 18:00:00. The date
              format accepted is influenced by the LC_TIME environment
              variable.

              You may also use the words: now, recent, boot, today,
              yesterday, this-week, week-ago, this-month, this-year. Now
              means starting now. Recent is 10 minutes ago. Boot means the
              time of day to the second when the system last booted. Today
              means now. Yesterday is 1 second after midnight the previous
              day. This-week means starting 1 second after midnight on day 0
              of the week determined by your locale (see localtime).
              Week-ago means 1 second after midnight exactly 7 days ago.
              This-month means 1 second after midnight on day 1 of the
              month. This-year means 1 second after midnight on the first
              day of the first month.

       -tm, --terminal
              Report about terminals

       -ts, --start [start-date] [start-time]
              Search for events with time stamps equal to or after the given
              start time. The format of start time depends on your locale.
              If the date is omitted, today is assumed. If the time is
              omitted, midnight is assumed. Use 24 hour clock time rather
              than AM or PM to specify time. An example date using the
              en_US.utf8 locale is 09/03/2009. An example of time is
              18:00:00. The date format accepted is influenced by the
              LC_TIME environment variable.

              You may also use the words: now, recent, boot, today,
              yesterday, this-week, week-ago, this-month, this-year. Boot
              means the time of day to the second when the system last
              booted. Today means starting at 1 second after midnight.
              Recent is 10 minutes ago. Yesterday is 1 second after midnight
              the previous day. This-week means starting 1 second after
              midnight on day 0 of the week determined by your locale (see
              localtime). Week-ago means starting 1 second after midnight
              exactly 7 days ago. This-month means 1 second after midnight
              on day 1 of the month. This-year means 1 second after midnight
              on the first day of the first month.

       -u, --user
              Report about users

       -v, --version
              Print the version and exit

       --virt Report about Virtualization events

       -x, --executable
              Report about executables

NOTES
       The boot time option is a convenience function and has limitations.
       The time it calculates is based on time now minus /proc/uptime. If
       after boot the system clock has been adjusted, perhaps by ntp, then
       the calculation may be wrong. In that case you'll need to fully
       specify the time. You can check the time it would use by running:

       date -d "`cut -f1 -d. /proc/uptime` seconds ago"

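       The following is an added example, not part of the aureport man page
       or the audit package: it resolves the --start keywords listed above
       (now, recent, boot, today, yesterday, this-week, week-ago, this-month,
       this-year) to concrete timestamps using the same rules the page gives,
       and computes boot the way the NOTES section describes (now minus
       /proc/uptime), so you can sanity-check a report window before relying
       on it. It assumes the locale's week starts on Sunday; the keyword
       names and the 1-second-after-midnight convention come from the page.

```python
"""Resolve aureport --start keywords to timestamps as the man page defines them."""
from datetime import datetime, timedelta

# Assumption: day 0 of the week is Sunday (en_US); this is a constructed
# default, not read from the locale database. datetime.weekday(): Mon=0..Sun=6
WEEK_START = 6


def _just_after_midnight(day: datetime) -> datetime:
    # Every day boundary on the page is "1 second after midnight".
    return day.replace(hour=0, minute=0, second=1, microsecond=0)


def boot_time(now: datetime, uptime_seconds: float) -> datetime:
    # Same arithmetic as the NOTES section: now minus /proc/uptime. If the
    # clock was stepped after boot (e.g. by ntp), this value is wrong and a
    # fully specified start time should be used instead.
    return now - timedelta(seconds=int(uptime_seconds))


def read_uptime(path: str = "/proc/uptime") -> float:
    # First field of /proc/uptime, like the page's `cut -f1 -d. /proc/uptime`.
    with open(path) as fh:
        return float(fh.read().split()[0])


def resolve_start(keyword: str, now: datetime, uptime_seconds: float = 0.0) -> datetime:
    """Map a --start keyword to the timestamp aureport would search from."""
    if keyword == "now":
        return now
    if keyword == "recent":
        return now - timedelta(minutes=10)
    if keyword == "boot":
        return boot_time(now, uptime_seconds)
    if keyword == "today":
        return _just_after_midnight(now)
    if keyword == "yesterday":
        return _just_after_midnight(now - timedelta(days=1))
    if keyword == "this-week":
        days_back = (now.weekday() - WEEK_START) % 7  # back to day 0 of the week
        return _just_after_midnight(now - timedelta(days=days_back))
    if keyword == "week-ago":
        return _just_after_midnight(now - timedelta(days=7))
    if keyword == "this-month":
        return _just_after_midnight(now.replace(day=1))
    if keyword == "this-year":
        return _just_after_midnight(now.replace(month=1, day=1))
    raise ValueError(f"unknown aureport time keyword: {keyword}")
```

       Pass read_uptime() as uptime_seconds for "boot" on a live host; the
       -te keywords differ only in that "today" means now.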
SEE ALSO
       ausearch(8), auditd(8).


Red Hat                            March 2017                      AUREPORT:(8)