How to Audit Linux Process Using ‘autrace’ on CentOS/RHEL
Last Updated: 09 Dec, 2022
Autrace is a command line tool used to audit a single process on Linux: it loads temporary audit rules, runs the program, and removes the rules again when the program exits. The audit records it produces are written to the /var/log/audit/audit.log file. Before autrace can run, all previously loaded audit rules must be deleted.
The syntax of autrace is given below:
Syntax:
autrace -r program program-args
Note: The -r flag is optional and limits the syscalls that are traced (see Step 4).
Note that the syntax given on the man page of autrace is autrace program -r program-args; this is a documentation mistake and is incorrect. If we run autrace this way, the program we want to execute is treated as an internal argument of autrace instead of the command to trace, and autrace exits with an error.
Steps to Get started with autrace
Step 1: Getting the trace of a particular file
Before executing the autrace command we need to make sure that all the previous audit rules are deleted otherwise autrace gives us an error.
To delete the rules use the below command:
auditctl -D
After deleting the rules, let us obtain a trace of the execution of the df command. Use the below command to obtain the result:
autrace /usr/bin/df -h
Here -h is an argument to df, asking for human-readable sizes.
Step 2: Finding the log entries with ausearch
Ausearch is a command line utility that searches the audit log for the records produced by a trace. When autrace finishes, it also prints the exact ausearch command to use, including the process ID of the traced program:
Let us search the records with the ausearch command:
ausearch -i -p 10485
Note: The number 10485 is unique in my case, you may have different ID.
- -i flag: interprets numeric values (user IDs, syscall numbers, and so on) as text
- -p flag: specifies the Process ID (PID) to search for.
Step 3: Generating a report with the help of aureport
To generate a report which contains all the details about the trace which was carried out, use the below command:
ausearch -p 10485 --raw | aureport -i -f
- --raw flag: makes ausearch output the raw records so that aureport can read them as input.
- -f flag: reports on files and af_unix sockets.
Step 4: Limiting the Syscalls
Limiting the syscalls means leaving out the syscalls that are not needed to analyse the resource usage of the df program. The -r flag is used for this purpose:
autrace -r /usr/bin/df -h
Step 5: Producing reports only for the current day
Suppose a user carried out a trace a few weeks ago; the audit logs then contain a lot of older records. To leave that information out we use the -ts option, which specifies the date and time from which records are searched:
ausearch -ts today -p 10485 --raw | aureport -i -f
More information about autrace can be found on the man page of autrace.
man autrace
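As an added example (not from the article or from the audit package), the whole workflow from Steps 1 to 5 in one POSIX shell script. It assumes auditd is installed and the script is run as root; the helper names rules_loaded, autrace_pid and run_trace are my own, and the "Trace complete" line is the message autrace prints when a trace ends.

```shell
#!/bin/sh
# Added example: autrace -> ausearch -> aureport workflow from Steps 1-5.
# Needs root and auditd for a real run; the two parsing helpers work on
# captured text, so they can be exercised without tracing anything.

# Return 0 (true) if the text from `auditctl -l` lists any rule. autrace
# refuses to start while rules are loaded, hence `auditctl -D` in Step 1.
rules_loaded() {
    printf '%s\n' "$1" | grep -v '^No rules$' | grep -q '[^[:space:]]'
}

# Pull the PID out of the closing line autrace prints, e.g.
#   Trace complete. You can locate the records with 'ausearch -i -p 10485'
# The PID differs on every run, so it must not be hard-coded.
autrace_pid() {
    printf '%s\n' "$1" | sed -n "s/.*ausearch -i -p \([0-9][0-9]*\).*/\1/p" | tail -n 1
}

# Run a trace and print its file/socket report.
# Usage: run_trace [-r] [--today] program [args...]
run_trace() {
    limit=""; ts=""
    while [ $# -gt 0 ]; do
        case $1 in
            -r) limit="-r"; shift ;;            # Step 4: resource-usage syscalls only
            --today) ts="-ts today"; shift ;;   # Step 5: ignore older audit records
            *) break ;;
        esac
    done
    [ $# -gt 0 ] || { echo "usage: run_trace [-r] [--today] program [args]" >&2; return 2; }
    if rules_loaded "$(auditctl -l 2>&1)"; then
        auditctl -D >/dev/null                  # Step 1: clear existing rules
    fi
    out=$(autrace $limit "$@" 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
    pid=$(autrace_pid "$out")
    [ -n "$pid" ] || { echo "could not find PID in autrace output" >&2; return 1; }
    # $ts is left unquoted on purpose so "-ts today" splits into two arguments.
    ausearch $ts -p "$pid" --raw | aureport -i -f   # Steps 2-3 (and 5)
}

# Only trace when a command is given, e.g.: sh trace.sh -r /usr/bin/df -h
if [ $# -gt 0 ]; then
    run_trace "$@"
fi
```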
Conclusion:
So these were some ways in which you can use Autrace for auditing your processes on Linux. Just like autrace, there are lots of different tools in the market which are used for auditing. One such tool is strace. Once you are comfortable with autrace you can also check out the usage of strace. Thanks for reading the article, hope you liked it.