
I'm tailing auditd.log and piping it into ausearch and then aureport, with the aim of getting a simple stream of modified files:

tail -f /var/log/audit/audit.log | ausearch -k my_key | aureport -f --success -i

While aureport seems to do the job of correlating and combining multiple records, it doesn't seem to merge the 2 PATH lines that auditd logs for each file - for example, if someone runs commands that specify relative paths (rather than absolute ones), aureport is showing something like:

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 13/01/18 21:45:44 myfile open yes /usr/bin/touch user 6229
2. 13/01/18 21:45:46 myfile open yes /usr/bin/touch user 6230

Is there any way to get aureport to show the full path instead?

Jeff Schaller
Cocowalla

  • I want to chime in and say I'm interested in an answer to this too. I've checked the man pages for ausearch, aureport and auditd.conf but see nothing that could do what's wanted. When auditing recursively, I've found that a few times I get reports of files with the same filename but in different directories. In situations like that, it's impossible for me to figure out which file is altered. – Phil Feb 07 '19 at 00:04
  • Have you tried `ausearch -k delete --format text` or `--format csv` (without piping to aureport)? – Marco Marsala Jan 04 '21 at 11:01
  • @MarcoMarsala huh, the `--format` parameter isn't mentioned in the `--help` output on RHEL 7.5?! I just tried this, and it *does* work, outputting the full path, and I can include only successful events with `ausearch -k my_key --success yes --format [csv|text]` - if you submit an answer, I'll happily accept it! – Cocowalla Jan 04 '21 at 22:13
  • @Cocowalla it is mentioned only in the man page (`man ausearch`). – Marco Marsala Jan 06 '21 at 17:58
  • @MarcoMarsala yeah, after your last comment, I checked the ausearch command output in RHEL again and noticed it defo wasn't there, then checked the online man pages, and sure enough it was there. Very annoying it was there all along! – Cocowalla Jan 06 '21 at 20:39

1 Answer

You can do `ausearch -k my-key --format text` or `ausearch -k delete --format csv`, without piping to aureport. You can filter by start and end dates (`--start`, `--end`), uid (`--uid 123`), and result (`--success yes|no`).

Marco Marsala
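The reason the question's aureport output shows a bare `myfile` is visible in the raw records: auditd logs one SYSCALL record, one CWD record and one PATH record per path item for each event, all sharing the same serial number, and the file's PATH item carries the name exactly as the process passed it to the kernel. `ausearch --format text` joins those records for you; the following script does the same join by hand so the structure is clear. It is an added example written for this page, not code from the question, the answer or the audit-userspace project. The sample records are constructed for illustration (serials, inodes, timestamps and paths are made up; the record layout and the quoted-or-hex encoding of `name=` follow the real audit log format), and the small `SYSCALL_NAMES` table is a deliberately partial stand-in for the translation `ausearch -i` performs.

```python
"""Join each event's CWD and PATH records to get full paths from raw audit.log."""
import posixpath
import re
from collections import OrderedDict

# Constructed sample of raw audit.log records (illustrative, not captured from a
# real host). All three events carry key="my_key":
#   6229  touch myfile        cwd=/home/user/project   relative name
#   6230  touch "my file"     cwd=/home/user/other     name with a space, which
#         auditd writes unquoted as hex (ausearch -i decodes it)
#   6231  touch /etc/shadow   denied: success=no, absolute name
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1515879944.123:6229): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1201 auid=1000 uid=1000 comm="touch" exe="/usr/bin/touch" key="my_key"
type=CWD msg=audit(1515879944.123:6229):  cwd="/home/user/project"
type=PATH msg=audit(1515879944.123:6229): item=0 name="." inode=131 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1515879944.123:6229): item=1 name="myfile" inode=140 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1515879946.456:6230): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1202 auid=1000 uid=1000 comm="touch" exe="/usr/bin/touch" key="my_key"
type=CWD msg=audit(1515879946.456:6230):  cwd="/home/user/other"
type=PATH msg=audit(1515879946.456:6230): item=0 name="." inode=150 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1515879946.456:6230): item=1 name=6D792066696C65 inode=151 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1515879950.789:6231): arch=c000003e syscall=257 success=no exit=-13 items=2 ppid=1200 pid=1203 auid=1000 uid=1000 comm="touch" exe="/usr/bin/touch" key="my_key"
type=CWD msg=audit(1515879950.789:6231):  cwd="/home/user"
type=PATH msg=audit(1515879950.789:6231): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1515879950.789:6231): item=1 name="/etc/shadow" inode=77 dev=fd:01 mode=0100000 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Partial x86_64 table (assumption for this example); `ausearch -i` does the full job.
SYSCALL_NAMES = {2: "open", 257: "openat", 87: "unlink", 263: "unlinkat"}


def decode_name(raw):
    """auditd quotes printable path values; a value containing spaces, control
    or non-ASCII bytes is written unquoted as a hex string instead."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("utf-8", "surrogateescape")


def parse_records(log_text):
    """Yield (type, timestamp, serial, fields) for each well-formed record."""
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        yield rtype, float(ts), int(serial), dict(FIELD_RE.findall(body))


def group_events(log_text):
    """Group records by serial: auditd emits one serial per syscall event."""
    events = OrderedDict()
    for rtype, ts, serial, fields in parse_records(log_text):
        ev = events.setdefault(serial, {"serial": serial, "time": ts, "paths": []})
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "CWD":
            ev["cwd"] = decode_name(fields["cwd"])
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return list(events.values())


def full_path(cwd, name):
    """Absolute names are used as-is; relative ones are joined to the event's CWD."""
    if name.startswith("/"):
        return posixpath.normpath(name)
    return posixpath.normpath(posixpath.join(cwd, name))


def modified_files(log_text, key=None, success=None):
    """One dict per matching event, with every non-PARENT PATH item resolved to
    a full path plus the inode/dev that identify the file regardless of name."""
    out = []
    for ev in group_events(log_text):
        if "syscall" not in ev:
            continue  # no SYSCALL record for this serial, nothing to report
        if key is not None and ev.get("key", "").strip('"') != key:
            continue
        if success is not None and ev.get("success") != success:
            continue
        files = []
        for p in ev["paths"]:
            if p.get("nametype") == "PARENT":
                continue  # the directory item; the file item is what we want
            files.append({"path": full_path(ev.get("cwd", "/"), decode_name(p["name"])),
                          "nametype": p.get("nametype"),
                          "inode": p.get("inode"), "dev": p.get("dev")})
        nr = int(ev["syscall"])
        out.append({"serial": ev["serial"], "time": ev["time"],
                    "syscall": SYSCALL_NAMES.get(nr, str(nr)),
                    "success": ev["success"],
                    "exe": ev.get("exe", "").strip('"'),
                    "auid": ev.get("auid"), "files": files})
    return out


if __name__ == "__main__":
    # Same filter as the asker's pipeline: key my_key, successful events only.
    for ev in modified_files(SAMPLE_LOG, key="my_key", success="yes"):
        for f in ev["files"]:
            print(ev["serial"], ev["syscall"], ev["exe"], f["nametype"], f["path"],
                  "inode=%s dev=%s" % (f["inode"], f["dev"]))
```

Two points worth keeping from this when reading real output: the path is reconstructed from what the process passed to the kernel (CWD plus the relative name), and the `inode=`/`dev=` pair in the PATH record is what tells two same-named files in different directories apart, which is the ambiguity raised in the comments above. With the real tools, `ausearch -k my_key --success yes --format text` gives the joined path directly; `ausearch` also accepts `--input FILE` to read a saved log instead of the live one.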