| Purpose | Command |
|---|---|
| Search shutdown events | `ausearch -i -m system_boot,system_shutdown \| tail -4` |
| Search failed login attempts | `ausearch --message USER_LOGIN --success no --interpret` |
| Search for all account, group, and role changes | `ausearch -m ADD_USER -m DEL_USER -m ADD_GROUP -m USER_CHAUTHTOK -m DEL_GROUP -m CHGRP_ID -m ROLE_ASSIGN -m ROLE_REMOVE -i` |
| Search for all logged actions performed by a certain user, using the user's login ID (`auid`) | `ausearch -ua 1000 -i` |
| Search for all failed system calls from yesterday up until now | `ausearch --start yesterday --end now -m SYSCALL -sv no -i` |

Example output of the shutdown-event search (interpreted records, separated by `----`):

```
type=SYSTEM_SHUTDOWN msg=audit(08/31/2020 06:33:01.571:595) : pid=27156 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg=' comm=systemd-update-utmp exe=/usr/lib/systemd/systemd-update-utmp hostname=? addr=? terminal=? res=success'
----
type=SYSTEM_BOOT msg=audit(08/31/2020 06:33:12.838:9) : pid=828 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg=' comm=systemd-update-utmp exe=/usr/lib/systemd/systemd-update-utmp hostname=? addr=? terminal=? res=success'
```
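The interpreted (`-i`) record format shown above is regular enough to parse and pair: a boot that follows another boot with no `SYSTEM_SHUTDOWN` between them is worth checking (power loss, crash, or a shutdown path that was bypassed). This is an added example, not part of the page or the audit tooling; the input is constructed from the two records above plus a third, hypothetical boot, and it assumes the `-i` timestamp format from the page (locale-dependent in practice).

```python
"""Parse interpreted ausearch records and flag boots with no preceding clean shutdown."""
import re
from datetime import datetime

# Constructed sample: the page's shutdown/boot pair plus a later boot with no
# SYSTEM_SHUTDOWN before it (hypothetical, to show the detection firing).
SAMPLE = """type=SYSTEM_SHUTDOWN msg=audit(08/31/2020 06:33:01.571:595) : pid=27156 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg=' comm=systemd-update-utmp exe=/usr/lib/systemd/systemd-update-utmp hostname=? addr=? terminal=? res=success'
----
type=SYSTEM_BOOT msg=audit(08/31/2020 06:33:12.838:9) : pid=828 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg=' comm=systemd-update-utmp exe=/usr/lib/systemd/systemd-update-utmp hostname=? addr=? terminal=? res=success'
----
type=SYSTEM_BOOT msg=audit(09/02/2020 08:10:00.120:7) : pid=811 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg=' comm=systemd-update-utmp exe=/usr/lib/systemd/systemd-update-utmp hostname=? addr=? terminal=? res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((.+?):(\d+)\) : (.*)$")
NESTED = re.compile(r"msg='(.*)'$")   # the quoted inner msg='...' block
FIELD = re.compile(r"(\w+)=(\S+)")     # key=value tokens

def parse_record(line):
    """Return a dict of fields for one interpreted record line, or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec_type, stamp, serial, rest = m.groups()
    rec = {"type": rec_type, "serial": int(serial),
           # assumption: the MM/DD/YYYY form produced by -i on the page
           "time": datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f")}
    nested = NESTED.search(rest)
    if nested:                          # comm, exe, hostname, res, ...
        rec.update(FIELD.findall(nested.group(1)))
        rest = rest[:nested.start()]
    rec.update(FIELD.findall(rest))     # pid, uid, auid, ses, subj
    return rec

def parse_output(text):
    """Parse a whole ausearch -i output, skipping the ---- separators."""
    recs = (parse_record(l) for l in text.splitlines() if l.strip() != "----")
    return [r for r in recs if r]

def unclean_boots(records):
    """Timestamps of SYSTEM_BOOT records whose previous boot/shutdown record
    was also a boot, i.e. no SYSTEM_SHUTDOWN was logged in between."""
    flagged, prev = [], None
    for r in sorted(records, key=lambda r: r["time"]):
        if r["type"] == "SYSTEM_BOOT" and prev and prev["type"] == "SYSTEM_BOOT":
            flagged.append(r["time"])
        prev = r
    return flagged
```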