Text Processing 【Exercise】
Formatting a Log
From today's ssh access log file (/var/log/secure), extract the records of "successful" accesses and build a command pipeline that displays who (user name) accessed, from where (IP address), and how many times (count). Order the fields as (count) (user name) (IP address). When you start the exercise, log in directly as root.
【Hints】
1. Open the ssh access log file and decide which string to search for in order to find the successful-access lines
("Accepted" would be a good choice)
2. Build a command that searches for (extracts) that string
(cat /var/log/secure | ○○○○○○)
3. Pull out only the needed fields from each line
(cat /var/log/secure | ○○○○○○|○○○○○○)
4. Sort and tally the counts
(cat /var/log/secure | ○○○○○○|○○○○○○|○○○○○○|○○○○○○)
【Example run】
[root@aso log]# cat /var/log/secure
May 29 13:56:05 aso polkitd[766]: Loading rules from directory /etc/polkit-1/rules.d
May 29 13:56:05 aso polkitd[766]: Loading rules from directory /usr/share/polkit-1/rules.d
May 29 13:56:05 aso polkitd[766]: Finished loading, compiling and executing 2 rules
May 29 13:56:05 aso polkitd[766]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
May 29 13:56:14 aso sshd[1159]: Server listening on 0.0.0.0 port 22.
May 29 13:56:14 aso sshd[1159]: Server listening on :: port 22.
May 29 14:08:14 aso sshd[9426]: Accepted password for root from 192.168.56.1 port 52028 ssh2
May 29 14:08:14 aso sshd[9426]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 29 15:08:03 aso polkitd[766]: Registered Authentication Agent for unix-process:9546:433100 (system bus name :1.41 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ja_JP.UTF-8)
May 29 15:08:03 aso polkitd[766]: Unregistered Authentication Agent for unix-process:9546:433100 (system bus name :1.41, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ja_JP.UTF-8) (disconnected from bus)
May 29 15:08:09 aso polkitd[766]: Registered Authentication Agent for unix-process:9564:433730 (system bus name :1.42 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ja_JP.UTF-8)
May 29 15:08:37 aso polkitd[714]: Loading rules from directory /etc/polkit-1/rules.d
May 29 15:08:37 aso polkitd[714]: Loading rules from directory /usr/share/polkit-1/rules.d
May 29 15:08:37 aso polkitd[714]: Finished loading, compiling and executing 2 rules
May 29 15:08:37 aso polkitd[714]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
May 29 15:08:40 aso sshd[993]: Server listening on 0.0.0.0 port 22.
May 29 15:08:40 aso sshd[993]: Server listening on :: port 22.
May 29 15:09:00 aso sshd[1478]: Accepted password for root from 192.168.56.1 port 57811 ssh2
May 29 15:09:00 aso sshd[1478]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 29 15:21:00 aso groupadd[2333]: group added to /etc/group: name=postgres, GID=26
May 29 15:21:00 aso groupadd[2333]: group added to /etc/gshadow: name=postgres
May 29 15:21:00 aso groupadd[2333]: new group: name=postgres, GID=26
May 29 15:21:00 aso useradd[2338]: new user: name=postgres, UID=26, GID=26, home=/var/lib/pgsql, shell=/bin/bash
May 29 15:21:13 aso runuser: pam_unix(runuser-l:session): session opened for user postgres by (uid=0)
May 29 15:21:18 aso runuser: pam_unix(runuser-l:session): session closed for user postgres
May 29 15:23:16 aso polkitd[714]: Registered Authentication Agent for unix-process:2567:88979 (system bus name :1.27 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ja_JP.UTF-8)
May 29 15:23:17 aso polkitd[714]: Unregistered Authentication Agent for unix-process:2567:88979 (system bus name :1.27, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ja_JP.UTF-8) (disconnected from bus)
May 29 15:23:35 aso polkitd[714]: Registered Authentication Agent for unix-process:2608:90919 (system bus name :1.28 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ja_JP.UTF-8)
May 29 15:23:35 aso polkitd[714]: Unregistered Authentication Agent for unix-process:2608:90919 (system bus name :1.28, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ja_JP.UTF-8) (disconnected from bus)
May 29 15:24:09 aso su: pam_unix(su-l:session): session opened for user postgres by root(uid=0)
May 29 15:25:28 aso su: pam_unix(su-l:session): session closed for user postgres
May 29 15:27:25 aso polkitd[714]: Registered Authentication Agent for unix-process:2900:113913 (system bus name :1.33 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ja_JP.UTF-8)
Jun 12 06:43:07 aso polkitd[722]: Loading rules from directory /etc/polkit-1/rules.d
Jun 12 06:43:07 aso polkitd[722]: Loading rules from directory /usr/share/polkit-1/rules.d
Jun 12 06:43:07 aso polkitd[722]: Finished loading, compiling and executing 2 rules
Jun 12 06:43:07 aso polkitd[722]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jun 12 06:43:11 aso sshd[995]: Server listening on 0.0.0.0 port 22.
Jun 12 06:43:11 aso sshd[995]: Server listening on :: port 22.
Jun 12 06:43:36 aso sshd[1529]: Accepted password for guest from 192.168.56.1 port 56992 ssh2
Jun 12 06:43:36 aso sshd[1529]: pam_unix(sshd:session): session opened for user guest by (uid=0)
Jun 12 06:57:03 aso sshd[1529]: pam_unix(sshd:session): session closed for user guest
Jun 12 06:57:17 aso sshd[2310]: Accepted password for guest from 192.168.56.1 port 62876 ssh2
Jun 12 06:57:17 aso sshd[2310]: pam_unix(sshd:session): session opened for user guest by (uid=0)
Jun 12 12:25:47 aso su: pam_unix(su-l:session): session opened for user root by guest(uid=1000)
Jun 12 12:25:51 aso polkitd[722]: Registered Authentication Agent for unix-process:30299:2057794 (system bus name :1.112 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ja_JP.UTF-8)
Jun 12 12:25:51 aso su: pam_unix(su-l:session): session closed for user root
Jun 12 14:37:30 aso polkitd[711]: Loading rules from directory /etc/polkit-1/rules.d
Jun 12 14:37:30 aso polkitd[711]: Loading rules from directory /usr/share/polkit-1/rules.d
Jun 12 14:37:30 aso polkitd[711]: Finished loading, compiling and executing 2 rules
Jun 12 14:37:30 aso polkitd[711]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jun 12 14:37:33 aso sshd[991]: Server listening on 0.0.0.0 port 22.
Jun 12 14:37:33 aso sshd[991]: Server listening on :: port 22.
Jun 12 14:37:58 aso sshd[1520]: Accepted password for root from 192.168.56.1 port 50164 ssh2
Jun 12 14:37:58 aso sshd[1520]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 12 14:38:08 aso useradd[1586]: new group: name=yamada, GID=1001
Jun 12 14:38:08 aso useradd[1586]: new user: name=yamada, UID=1001, GID=1001, home=/home/yamada, shell=/bin/bash
Jun 12 14:38:25 aso passwd: pam_unix(passwd:chauthtok): password changed for yamada
Jun 12 14:49:58 aso sshd[1520]: Received disconnect from 192.168.56.1 port 50164:11: disconnected by server request
Jun 12 14:49:58 aso sshd[1520]: Disconnected from 192.168.56.1 port 50164
Jun 12 14:49:58 aso sshd[1520]: pam_unix(sshd:session): session closed for user root
Jun 12 14:50:14 aso sshd[2217]: Accepted password for yamada from 192.168.56.1 port 54717 ssh2
Jun 12 14:50:14 aso sshd[2217]: pam_unix(sshd:session): session opened for user yamada by (uid=0)
Jun 12 15:28:01 aso sshd[2217]: pam_unix(sshd:session): session closed for user yamada
Jun 12 15:28:16 aso sshd[4402]: Accepted password for yamada from 192.168.56.1 port 56324 ssh2
Jun 12 15:28:16 aso sshd[4402]: pam_unix(sshd:session): session opened for user yamada by (uid=0)
Jun 12 16:33:29 aso su: pam_unix(su-l:session): session opened for user root by yamada(uid=1001)
Jun 12 16:33:50 aso useradd[8028]: new group: name=suzuki, GID=1002
Jun 12 16:33:50 aso useradd[8028]: new user: name=suzuki, UID=1002, GID=1002, home=/home/suzuki, shell=/bin/bash
Jun 12 16:34:12 aso passwd: pam_unix(passwd:chauthtok): password changed for suzuki
Jun 12 16:34:53 aso su: pam_unix(su-l:session): session opened for user suzuki by yamada(uid=0)
Jun 12 16:39:31 aso su: pam_unix(su:session): session opened for user root by yamada(uid=1002)
Jun 12 16:40:47 aso sshd[8489]: Accepted password for suzuki from 192.168.56.1 port 51754 ssh2
Jun 12 16:40:47 aso sshd[8489]: pam_unix(sshd:session): session opened for user suzuki by (uid=0)
Jun 12 16:43:52 aso sshd[8489]: pam_unix(sshd:session): session closed for user suzuki
Jun 12 16:43:55 aso su: pam_unix(su:session): session closed for user root
Jun 12 16:43:58 aso su: pam_unix(su-l:session): session closed for user suzuki
Jun 12 16:44:16 aso su: pam_unix(su-l:session): session opened for user yamada by yamada(uid=0)
Jun 12 16:52:25 aso sshd[9215]: Accepted password for suzuki from 192.168.56.1 port 52759 ssh2
Jun 12 16:52:25 aso sshd[9215]: pam_unix(sshd:session): session opened for user suzuki by (uid=0)
Jun 12 17:17:27 aso sshd[9231]: Received disconnect from 192.168.56.1 port 52759:11: disconnected by server request
Jun 12 17:17:27 aso sshd[9231]: Disconnected from 192.168.56.1 port 52759
Jun 12 17:17:27 aso sshd[9215]: pam_unix(sshd:session): session closed for user suzuki
Jun 12 17:17:30 aso su: pam_unix(su-l:session): session closed for user yamada
Jun 12 17:17:32 aso su: pam_unix(su-l:session): session closed for user root
Jun 12 17:17:33 aso sshd[4409]: Received disconnect from 192.168.56.1 port 56324:11: disconnected by server request
Jun 12 17:17:34 aso sshd[4409]: Disconnected from 192.168.56.1 port 56324
Jun 12 17:17:34 aso sshd[4402]: pam_unix(sshd:session): session closed for user yamada
Jul 17 11:45:37 aso polkitd[731]: Loading rules from directory /etc/polkit-1/rules.d
Jul 17 11:45:37 aso polkitd[731]: Loading rules from directory /usr/share/polkit-1/rules.d
Jul 17 11:45:37 aso polkitd[731]: Finished loading, compiling and executing 2 rules
Jul 17 11:45:37 aso polkitd[731]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jul 17 11:45:41 aso sshd[991]: Server listening on 0.0.0.0 port 22.
Jul 17 11:45:41 aso sshd[991]: Server listening on :: port 22.
Jul 17 11:46:12 aso sshd[1530]: Accepted password for guest from 192.168.56.1 port 60528 ssh2
Jul 17 11:46:12 aso sshd[1530]: pam_unix(sshd:session): session opened for user guest by (uid=0)
Jul 17 11:46:18 aso su: pam_unix(su-l:session): session opened for user root by guest(uid=1000)
Jul 17 12:56:52 aso polkitd[731]: Registered Authentication Agent for unix-process:5188:428685 (system bus name :1.43 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ja_JP.UTF-8)
Jul 17 12:56:52 aso su: pam_unix(su-l:session): session closed for user root
Jul 17 12:56:52 aso sshd[1530]: pam_unix(sshd:session): session closed for user guest
Jul 18 18:43:36 aso polkitd[712]: Loading rules from directory /etc/polkit-1/rules.d
Jul 18 18:43:36 aso polkitd[712]: Loading rules from directory /usr/share/polkit-1/rules.d
Jul 18 18:43:36 aso polkitd[712]: Finished loading, compiling and executing 2 rules
Jul 18 18:43:36 aso polkitd[712]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jul 18 18:43:39 aso sshd[992]: Server listening on 0.0.0.0 port 22.
Jul 18 18:43:39 aso sshd[992]: Server listening on :: port 22.
Jul 18 18:44:01 aso sshd[1511]: Accepted password for guest from 192.168.56.1 port 62783 ssh2
Jul 18 18:44:01 aso sshd[1511]: pam_unix(sshd:session): session opened for user guest by (uid=0)
Jul 18 18:44:06 aso su: pam_unix(su-l:session): session opened for user root by guest(uid=1000)
[root@aso log]# cat /var/log/secure | ○○○○○○
May 29 14:08:14 aso sshd[9426]: Accepted password for root from 192.168.56.1 port 52028 ssh2
May 29 15:09:00 aso sshd[1478]: Accepted password for root from 192.168.56.1 port 57811 ssh2
Jun 12 06:43:36 aso sshd[1529]: Accepted password for guest from 192.168.56.1 port 56992 ssh2
Jun 12 06:57:17 aso sshd[2310]: Accepted password for guest from 192.168.56.1 port 62876 ssh2
Jun 12 14:37:58 aso sshd[1520]: Accepted password for root from 192.168.56.1 port 50164 ssh2
Jun 12 14:50:14 aso sshd[2217]: Accepted password for yamada from 192.168.56.1 port 54717 ssh2
Jun 12 15:28:16 aso sshd[4402]: Accepted password for yamada from 192.168.56.1 port 56324 ssh2
Jun 12 16:40:47 aso sshd[8489]: Accepted password for suzuki from 192.168.56.1 port 51754 ssh2
Jun 12 16:52:25 aso sshd[9215]: Accepted password for suzuki from 192.168.56.1 port 52759 ssh2
Jul 17 11:46:12 aso sshd[1530]: Accepted password for guest from 192.168.56.1 port 60528 ssh2
Jul 18 18:44:01 aso sshd[1511]: Accepted password for guest from 192.168.56.1 port 62783 ssh2
[root@aso log]# cat /var/log/secure | ○○○○○○|○○○○○○
root from 192.168.56.1
root from 192.168.56.1
guest from 192.168.56.1
guest from 192.168.56.1
root from 192.168.56.1
yamada from 192.168.56.1
yamada from 192.168.56.1
suzuki from 192.168.56.1
suzuki from 192.168.56.1
guest from 192.168.56.1
guest from 192.168.56.1
[root@aso log]# cat /var/log/secure | ○○○○○○|○○○○○○|○○○○○○
guest from 192.168.56.1
guest from 192.168.56.1
guest from 192.168.56.1
guest from 192.168.56.1
root from 192.168.56.1
root from 192.168.56.1
root from 192.168.56.1
suzuki from 192.168.56.1
suzuki from 192.168.56.1
yamada from 192.168.56.1
yamada from 192.168.56.1
[root@aso log]#
[root@aso log]# cat /var/log/secure | ○○○○○○|○○○○○○|○○○○○○|○○○○○○
4 guest from 192.168.56.1
3 root from 192.168.56.1
2 suzuki from 192.168.56.1
2 yamada from 192.168.56.1
[root@aso log]#
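As an added worked example (not part of the original exercise), the following shell function implements the four-step pipeline from the hints over constructed sshd lines and goes slightly beyond the exercise: it anchors on the exact sshd message shape, accepts publickey as well as password logins, and ignores "Failed" lines. The function name summarize_accepted and the SAMPLE_LOG contents are my own constructions.

```shell
#!/bin/sh
# Constructed sample log lines, modelled on the /var/log/secure excerpt above.
# (Not real data: the 10.0.0.x addresses and the publickey/Failed lines are made up.)
SAMPLE_LOG='May 29 14:08:14 aso sshd[9426]: Accepted password for root from 192.168.56.1 port 52028 ssh2
May 29 14:08:14 aso sshd[9426]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 12 06:43:36 aso sshd[1529]: Accepted password for guest from 192.168.56.1 port 56992 ssh2
Jun 12 06:57:17 aso sshd[2310]: Accepted publickey for guest from 192.168.56.1 port 62876 ssh2
Jun 12 14:37:58 aso sshd[1520]: Failed password for root from 10.0.0.5 port 50164 ssh2
Jun 12 14:50:14 aso sshd[2217]: Accepted password for yamada from 192.168.56.1 port 54717 ssh2
Jun 12 16:40:47 aso sshd[8489]: Accepted password for suzuki from 10.0.0.7 port 51754 ssh2'

# Reads log lines on stdin; prints "<count> <user> <ip>", most frequent first,
# ties broken by user name. It matches the sshd "Accepted <method> for" message
# instead of a bare "Accepted" so that a user or host name containing that word
# does not produce a false hit, and it locates the user and IP by their position
# after "for" and "from" rather than by fixed column numbers.
summarize_accepted() {
  awk '/sshd\[[0-9]+]: Accepted [^ ]+ for /{
         for (i = 1; i <= NF; i++) {
           if ($i == "for")  user = $(i + 1)
           if ($i == "from") ip   = $(i + 1)
         }
         print user, ip
       }' \
  | LC_ALL=C sort \
  | uniq -c \
  | LC_ALL=C sort -k1,1nr -k2,2 \
  | awk '{ print $1, $2, $3 }'   # strip the padding uniq -c adds
}

# Usage with the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | summarize_accepted
```

Against the real file the same function is run as `summarize_accepted < /var/log/secure`; the expected result for the sample is four lines, starting with "2 guest 192.168.56.1".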