Shift Log Analysis

First shift: 0800 – 1600

The first shift is the primary shift, reviewing log files from the day before and generating reports.

Command: aureport --summary --start yesterday
Explanation: Running this report will allow the ISSO to get a rough overview of the current audit statistics (events, logins, processes, etc.) for the previous day. The first shift should run reports summarizing the last day's events. Use ausearch --event audit-event-id if you need to tunnel down.

Command: aureport --failed --start yesterday
Explanation: Running this report will allow the ISSO to get statistics of failed events.

Command: aureport -l --failed --start yesterday
Explanation: This command will allow the ISSO to get more granular detail of failed events for login-related events.

Command: aureport -f --failed --start yesterday
Explanation: This command will allow the ISSO to get more granular detail of failed events for file-related events.

Command: aureport -p --failed --start yesterday
Explanation: This command will allow the ISSO to get more granular detail of failed events for process-related events.

Command: aureport -u --failed --start yesterday
Explanation: This command will allow the ISSO to get more granular detail of failed events for user-related events.

Command: aureport -k --start yesterday
Explanation: This command will provide a high-level report on all the keys we set in the audit.rules file (the key report of aureport takes no key name). The specific key names we can search on with ausearch -k are the keys defined in that file.

Command: ausearch -m CONFIG_CHANGE --start yesterday
Explanation: This command will allow the ISSO to see both successful and unsuccessful attempts to read information from the audit records and any modifications to the audit trail.

Command: ausearch -k time-change --start yesterday
Explanation: This command will allow the ISSO to see any audit record that could affect the time of the system.

Command: ausearch -k system-locale --start yesterday
Explanation: This command will allow the ISSO to see any audit record that could note a change in the system locale.

Command: ausearch -k MAC-policy --start yesterday
Explanation: This command will allow the ISSO to see any audit record that could note a change in the system's MAC policy.

Command: ausearch -k access --start yesterday
Explanation: This command will allow the ISSO to see any audit record that could note unsuccessful access attempts to files.

Command: ausearch -k privilege --start yesterday
Explanation: This command will allow the ISSO to see any use of privileged commands, both unsuccessful and successful.

Command: ausearch -k mounts --start yesterday
Explanation: This command will allow the ISSO to see any and all successful exports to media. The ISSO should make note of the user.

Command: ausearch -k modules --start yesterday
Explanation: This command will allow the ISSO to see if any unauthorized access, modification, or deletion has taken place with kernel modules.

Command: ausearch -k delete --start yesterday
Explanation: This command will allow the ISSO to see deletion or rename events.

Command: ausearch -k scope --start yesterday
Explanation: This command will allow the ISSO to see any changes to sudoers.

Command: aureport --summary --start today 00:00:01
Explanation: Running this report will allow the ISSO to get a rough overview of the current audit statistics (events, logins, processes, etc.) for the day's events up to the current time. Use ausearch --event audit-event-id if needed to tunnel down.

Command: ausearch -a audit_event_id
Explanation: Running this search will allow the ISSO to view all records carrying a suspicious audit event ID. Each audit event message has a unique ID. One application's system call may produce several records that are logged under that ID, and this will allow a trail of more than one record to be pieced together to tell a story.

Second shift: 1600 - 0000

Command: aureport --summary --start today 00:00:01
Explanation: Running this report will allow the ISSO to get a rough overview of the current audit statistics (events, logins, processes, etc.) for the day's events up to the current time. Use ausearch --event audit-event-id if needed to tunnel down for further investigation.

Third shift: 0000 - 0800

Command: aureport --summary --start today
Explanation: Running this report will allow the ISSO to get a rough overview of the current audit statistics (events, logins, processes, etc.) for the day's events up to the current time. Use ausearch --event audit-event-id if needed to tunnel down for further investigation.

Command: ausearch -ts today 00:00:01 --raw | aulast --stdin --bad
Explanation: Running this report will allow the ISSO to report on all bad log-ins for the day. All users found in this list should be emailed and asked if they had failed logins for that specific day. When they come in for work the next day, they will see their email. Policy states that they are to reply back if they did not have the failed log-in attempt.
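An added example, not part of the original slide deck: a POSIX shell script that automates the first-shift report set from the table into a report directory, and adds helpers over raw audit records (the format ausearch --raw emits) that count failed syscalls per audit.rules key and pull every record of one event ID, the pivot the ausearch -a row describes. It assumes auditd's aureport and ausearch are on PATH on a live host (when they are missing it only records what it would have run); the key names in AUDIT_KEYS are the ones from the table and their rules are assumed to exist in audit.rules; the sample records in SAMPLE_RAW are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original slide deck).  Runbook for the
# first-shift report set plus helpers for raw audit records.

# Keys from the table; assumed to be defined in audit.rules on the host.
AUDIT_KEYS="time-change system-locale MAC-policy access privilege mounts modules delete scope"

# run_to FILE CMD...  runs CMD with its output into FILE when CMD is installed;
# otherwise writes a note so the report directory still documents the step.
run_to() {
    out=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$out" 2>&1 || echo "# exit status $? for: $*" >>"$out"
    else
        echo "# $1 not installed; would run: $*" >"$out"
    fi
}

# first_shift_reports DIR  writes the first-shift report set for yesterday
# into DIR and prints the number of report files produced.
first_shift_reports() {
    dir=$1
    mkdir -p "$dir" || return 1
    run_to "$dir/summary.txt" aureport --summary --start yesterday
    run_to "$dir/failed.txt"  aureport --failed --start yesterday
    for t in l f p u; do   # login, file, process, user detail of failures
        run_to "$dir/failed-$t.txt" aureport "-$t" --failed --start yesterday
    done
    run_to "$dir/keys.txt" aureport -k --start yesterday
    run_to "$dir/config-change.txt" ausearch -m CONFIG_CHANGE --start yesterday
    for k in $AUDIT_KEYS; do
        run_to "$dir/key-$k.txt" ausearch -k "$k" --start yesterday
    done
    ls "$dir" | wc -l | tr -d ' '
}

# The helpers below read raw audit records from stdin.  Every record carries
# msg=audit(EPOCH.MS:SERIAL); SERIAL is the event ID that ausearch -a pivots on,
# and one syscall yields several records (SYSCALL, CWD, PATH, ...) sharing it.

# event_records SERIAL  prints every record of one event (what ausearch -a shows).
event_records() {
    grep -E "msg=audit\([0-9]+\.[0-9]+:$1\):"
}

# distinct_events  counts how many separate events the input contains.
distinct_events() {
    sed -n 's/.*msg=audit([0-9]*\.[0-9]*:\([0-9]*\)).*/\1/p' | sort -u | wc -l | tr -d ' '
}

# failed_by_key  counts SYSCALL records with success=no per audit.rules key,
# a raw-record version of what aureport --failed summarises.
failed_by_key() {
    awk '/type=SYSCALL/ && /success=no/ {
            key = "(no key)"
            if (match($0, /key="[^"]*"/)) key = substr($0, RSTART + 5, RLENGTH - 6)
            n[key]++
         }
         END { for (k in n) print k, n[k] }' | sort
}

# Constructed sample records (shortened; not captured from a real host).
SAMPLE_RAW='type=SYSCALL msg=audit(1700000000.101:42): arch=c000003e syscall=257 success=no exit=-13 auid=1000 uid=1000 comm="cat" key="access"
type=CWD msg=audit(1700000000.101:42): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:42): item=0 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:43): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 comm="sudo" key="privilege"
type=CONFIG_CHANGE msg=audit(1700000000.300:44): auid=1000 ses=3 op=remove_rule key="time-change" list=4 res=1
type=SYSCALL msg=audit(1700000000.400:45): arch=c000003e syscall=257 success=no exit=-13 auid=1001 uid=1001 comm="less" key="access"'

# On a live host the same helpers take real input:
#   ausearch --raw --start yesterday | failed_by_key
printf '%s\n' "$SAMPLE_RAW" | failed_by_key
printf '%s\n' "$SAMPLE_RAW" | event_records 42
```

The runbook keeps one file per table row so a reviewer on the next shift can see which reports were produced and which tool calls failed; the raw-record helpers are the offline counterpart of aureport --failed and ausearch -a, useful when the raw log has been copied off the host for investigation.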

Audit commands by shift
