Add authentication log audit tool

2026-05-11 17:04:48 +00:00
parent 452ff4fac1
commit 2da5e8b46c
5 changed files with 1064 additions and 0 deletions
@@ -0,0 +1,112 @@
+# Auth Log Audit
+
+- Overall status: WARNING
+- First seen: May 11 09:58:12
+- Last seen: May 11 10:07:48
+
+## Top Source IPs by Failed Attempts
+
+| Value | Count |
+| --- | ---: |
+| 203.0.113.50 | 7 |
+| 198.51.100.23 | 1 |
+
+## Top Usernames by Failed Attempts
+
+| Value | Count |
+| --- | ---: |
+| appuser | 3 |
+| root | 2 |
+| admin | 1 |
+| backup | 1 |
+
+## Top Source IPs by Successful Logins
+
+| Value | Count |
+| --- | ---: |
+| 10.20.30.15 | 1 |
+
+## Top Usernames by Successful Logins
+
+| Value | Count |
+| --- | ---: |
+| deploy | 1 |
+
+## Suspicious Source IPs
+
+| Value | Count |
+| --- | ---: |
+| 203.0.113.50 | 7 |
+
+## Suspicious Usernames
+
+No entries detected.
+
+## Top Event Types
+
+| Value | Count |
+| --- | ---: |
+| failed_ssh_password | 4 |
+| root_login_attempt | 2 |
+| successful_ssh_login | 1 |
+| sudo_command | 1 |
+| invalid_user_attempt | 1 |
+| disconnect_after_failed_auth | 1 |
+| failed_ssh_publickey | 1 |
+| sudo_auth_failure | 1 |
+| su_session_opened | 1 |
+| refused_user_attempt | 1 |
+
+## Sample Log Lines
+
+### failed_login
+
+```text
+May 11 10:01:44 web01 sshd[1220]: Failed password for invalid user admin from 203.0.113.50 port 45001 ssh2
+May 11 10:02:03 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
+May 11 10:02:06 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
+```
+
+### invalid_user
+
+```text
+May 11 10:01:46 web01 sshd[1220]: Invalid user admin from 203.0.113.50 port 45001
+```
+
+### root_login_attempt
+
+```text
+May 11 10:02:03 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
+May 11 10:02:06 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
+```
+
+### sudo_failure
+
+```text
+May 11 10:04:20 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=deploy uid=1001 euid=0 tty=/dev/pts/0 ruser=deploy rhost= user=deploy
+```
+
+### suspicious_source_ip
+
+```text
+May 11 10:01:44 web01 sshd[1220]: Failed password for invalid user admin from 203.0.113.50 port 45001 ssh2
+May 11 10:01:46 web01 sshd[1220]: Invalid user admin from 203.0.113.50 port 45001
+May 11 10:02:03 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
+```
+
+## Operational Summary
+
+- Overall status: WARNING
+- Total lines scanned: 15
+- Authentication events detected: 15
+- Failed logins: 8
+- Successful logins: 1
+- Invalid user attempts: 1
+- Root login attempts: 2
+- Sudo usage events: 1
+- Sudo authentication failures: 1
+- su events: 1
+- Suspicious source IPs: 1
+- Suspicious usernames: 0
+- Threshold used: 5
+- Ignored users: None