
How to Audit Linux Process Using ‘autrace’ on CentOS/RHEL


Autrace is a command line tool used for auditing processes on Linux. It installs temporary audit rules for the traced program, and the audit records produced by those rules are written to the /var/www/audit/audit.log file. Before autrace can run, all previously loaded audit rules must be deleted.

The syntax of autrace is given below:

Syntax:

 autrace -r program program-args

Note: Here the optional -r flag limits the trace to the syscalls relevant to resource usage.

Note that the syntax given on the man page of autrace is autrace program -r program-args. This is a documentation mistake and is incorrect: if we run autrace this way, the program we are trying to execute is treated as an internal argument of autrace, and the command fails with an error.

Screenshot: the incorrect format.

Steps to Get started with autrace

Step 1: Getting the trace of a particular file

Before executing the autrace command we need to make sure that all previously loaded audit rules are deleted; otherwise autrace gives us an error.

Getting particular trace


To delete the rules use the below command:

auditctl -D
Delete the rules


After deleting the rules, let us obtain a trace of the execution of the df command. Use the below command to obtain the result:

autrace /usr/bin/df -h

Note: The -h flag of df prints sizes in human-readable format.

Execution of df command


Step 2: Finding the log entries with ausearch

Ausearch is a command line utility that finds the log entries related to a trace. When autrace finishes, it prints the exact ausearch command to use, as shown in the screenshot below:

Finding log entries


Let us search the records with the ausearch command:

ausearch -i -p 10485

Note: The number 10485 is the PID in my case; you will have a different ID.

  • -i flag: interprets numeric values (UIDs, syscall numbers, and so on) as text
  • -p flag: specifies the Process ID (PID) to search for
Search the records


Step 3: Generating a report with the help of aureport

To generate a report which contains all the details about the trace which was carried out, use the below command:

ausearch -p 10485 --raw | aureport -i -f

  • --raw flag: instructs ausearch to pass raw records to aureport
  • -f flag: tells aureport to produce a report about files and af_unix sockets
Generating report


Step 4: Limiting the Syscalls

Limiting the syscalls means leaving out those syscalls that are not needed for analysing the resource usage of the df command. For this purpose the -r flag is used.

autrace -r /usr/bin/df  -h


Step 5: Producing reports only for the current day

Suppose a user carried out a trace a few weeks back; the audit logs will then contain a lot of older information. To leave that information out we use the -ts flag, which specifies the start date and time for the search.

ausearch -ts today -p 10485 --raw | aureport -i -f
Producing reports only for current day
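The steps above, as an added example script (not from the original article): it checks that no audit rules are loaded, runs autrace, extracts the PID from autrace's closing line, and feeds it to ausearch and aureport. It assumes auditctl -l prints "No rules" when the rule set is empty and that autrace ends with the line "Trace complete. You can locate the records with 'ausearch -i -p <PID>'".

```shell
#!/bin/sh
# Added example wrapping the autrace -> ausearch -> aureport workflow.
# Must run as root on a host with auditd running.

# Extract the PID from autrace's closing line (assumed format:
# "Trace complete. You can locate the records with 'ausearch -i -p 10485'").
autrace_pid() {
    # $1: full autrace output
    printf '%s\n' "$1" | sed -n "s/.*ausearch -i -p \([0-9][0-9]*\).*/\1/p" | tail -n 1
}

# autrace refuses to start when rules are loaded; auditctl -l is assumed
# to print exactly "No rules" for an empty rule set.
rules_are_clear() {
    # $1: output of `auditctl -l`
    [ "$1" = "No rules" ]
}

# Print the file/socket report for a PID; $2 is an optional -ts value (e.g. today).
report_for_pid() {
    if [ -n "${2:-}" ]; then
        ausearch -ts "$2" -p "$1" --raw | aureport -i -f
    else
        ausearch -p "$1" --raw | aureport -i -f
    fi
}

# End-to-end run: trace_and_report /usr/bin/df -h
trace_and_report() {
    rules=$(auditctl -l) || return 1
    if ! rules_are_clear "$rules"; then
        echo "audit rules are loaded; run 'auditctl -D' first" >&2
        return 1
    fi
    out=$(autrace -r "$@") || return 1          # -r: resource-usage syscalls only
    pid=$(autrace_pid "$out")
    if [ -z "$pid" ]; then
        echo "could not find a PID in autrace output" >&2
        return 1
    fi
    ausearch -i -p "$pid"                        # interpreted records
    report_for_pid "$pid" today                  # today's file/socket report
}
```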


More information about autrace can be found on the man page of autrace.

man autrace

Conclusion:

So these were some ways in which you can use autrace for auditing your processes on Linux. Like autrace, there are many other tools used for auditing; one such tool is strace. Once you are comfortable with autrace you can also check out the usage of strace. Thanks for reading the article, hope you liked it.


Last Updated : 09 Dec, 2022