Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 374

Create a Report about Users
To generate a report from the audit log that illustrates which users are running what
executables on your system, use the aureport -u command. This command
generates a numbered list of all user-related events including date, time, audit ID,
terminal used, host, name of the executable, and an event ID.
aureport -u
User ID Report
====================================
# date time auid term host exe event
====================================
1. 13/02/09 15:08:26 -1 sshd 192.168.2.100 /usr/sbin/sshd 12
2. 13/02/09 15:08:28 -1 :0 ? /usr/lib/gdm/gdm-session-worker 13
3. 14/02/09 08:25:39 -1 ssh 192.168.2.101 /usr/sbin/sshd 14
Create a Report about Logins
To create a report that focuses on the login attempts to your machine, run the
aureport -l command. This command generates a numbered list of all
login-related events including date, time, audit ID, host and terminal used, name of the
executable, success or failure of the attempt, and an event ID.
aureport -l -i
Login Report
============================================
# date time auid host term exe success event
============================================
1. 13/02/09 15:08:31 tux: 192.168.2.100 sshd /usr/sbin/sshd no 19
2. 16/02/09 12:39:05 root: 192.168.2.101 sshd /usr/sbin/sshd no 2108
3. 17/02/09 15:29:07 geeko: ? tty3 /bin/login yes 7809
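As an added example that is not part of the original guide, the function below tallies failed attempts per account and host from the Login Report layout shown above, with an optional minimum count. The names failed_logins and sample_report, and rows 4 and 5 of the sample, are constructed for this illustration.

```sh
#!/bin/sh
# Added example: summarise failed logins from `aureport -l -i` output.
# Column layout assumed from the Login Report header shown above:
#   # date time auid host term exe success event

# failed_logins [MIN]: read a Login Report on stdin and print
# "count account host" for each account/host pair with at least
# MIN failed attempts (default 1), highest count first.
failed_logins() {
    awk -v min="${1:-1}" '
        # Data rows start with "<n>."; title, header and ruler lines do not.
        $1 ~ /^[0-9]+\.$/ && NF >= 9 && $8 == "no" {
            acct = $4
            sub(/:$/, "", acct)   # the sample rows print the account as "tux:"
            fails[acct " " $5]++
        }
        END {
            for (k in fails)
                if (fails[k] >= min) print fails[k], k
        }
    ' | sort -k1,1nr -k2
}

# sample_report: the report from the section above, plus two rows
# (4 and 5, events 2109 and 2110) constructed for this example.
sample_report() {
    cat <<'EOF'
Login Report
============================================
# date time auid host term exe success event
============================================
1. 13/02/09 15:08:31 tux: 192.168.2.100 sshd /usr/sbin/sshd no 19
2. 16/02/09 12:39:05 root: 192.168.2.101 sshd /usr/sbin/sshd no 2108
3. 17/02/09 15:29:07 geeko: ? tty3 /bin/login yes 7809
4. 17/02/09 15:31:12 root: 192.168.2.101 sshd /usr/sbin/sshd no 2109
5. 17/02/09 15:31:15 root: 192.168.2.101 sshd /usr/sbin/sshd no 2110
EOF
}

# On a live system: aureport -l -i | failed_logins 3
sample_report | failed_logins
```

The parser splits on whitespace, so an executable path containing spaces would shift the success column; the NF check only guards against short lines.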
Limit a Report to a Certain Time Frame
To analyze the logs for a particular time frame, such as only the working hours of
Feb 16, 2009, first find out whether this data is contained in the current audit.log
or whether the logs have been rotated, by running aureport -t:
aureport -t
Log Time Range Report
=====================
/var/log/audit/audit.log: 03/02/09 14:13:38.225 - 17/02/09 15:30:01.636
Here, the current audit.log contains all the desired data. If it does not, use the -if
option to point the aureport commands to the log file that contains the needed data.