
How to Audit Linux Process Using ‘autrace’ on CentOS/RHEL

Autrace is a command line tool for auditing processes on Linux. The audit records that autrace generates are written to the /var/log/audit/audit.log file. Before autrace can run, all previously loaded audit rules must be deleted.

The syntax of autrace is given below:


 autrace -r program program-args

Note: The -r flag limits the trace to the syscalls relevant to resource-usage analysis (see Step 4).

Note that the man page of autrace gives the syntax as autrace program -r program-args; this is a documentation mistake. If autrace is run this way, the program you want to trace is treated as an internal command of autrace, which results in an error.


Steps to Get started with autrace

Step 1: Getting the trace of a particular file

Before executing the autrace command, make sure that all previous audit rules have been deleted; otherwise autrace reports an error.


To delete the rules use the below command:

auditctl -D


Once the rules are cleared, let us trace an execution of the df command. Use the command below:

autrace /usr/bin/df -h

Here -h is an argument to df (human-readable output), not to autrace.


Step 2: Finding the log entries with ausearch

Ausearch is a command line utility that finds the log entries belonging to the trace that was carried out. When autrace finishes, it also prints the ausearch command that locates its records:


Let us search the records with the ausearch command:

ausearch -i -p 10485

Note: The PID 10485 is specific to my run; yours will differ.


Step 3: Generating a report with the help of aureport

To generate a report which contains all the details about the trace which was carried out, use the below command:

ausearch -p 10485 --raw | aureport -i -f


Step 4: Limiting the Syscalls

Limiting the syscalls means leaving out the syscalls that are not needed for analysing the resource usage of the df program. The -r flag does this:

autrace -r /usr/bin/df -h


Step 5: Producing reports only for the current day

Suppose a trace was run a few weeks ago; the audit logs will then contain a lot of older records. To leave those out, use the -ts flag, which restricts the search to records at or after the given time and date.

ausearch -ts today -p 10485 --raw | aureport -i -f
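As an added example (not part of the article), here are Steps 2 to 5 in miniature in Python: it reads the PID out of the hint autrace prints when it finishes, then filters a raw audit stream (the format `ausearch --raw` emits) by that PID and an optional -ts style cutoff and tallies the syscalls by name, as aureport -i would. The autrace message, the audit records and the PIDs are constructed for the example; the syscall table covers only the numbers the sample uses.

```python
import re
from collections import Counter

# Partial x86_64 syscall table, enough to interpret (aureport -i) the constructed sample.
SYSCALL_NAMES = {1: "write", 2: "open", 59: "execve", 231: "exit_group", 257: "openat"}
# Constructed autrace closing message (this is the format autrace prints; the PID is made up).
SAMPLE_AUTRACE_OUTPUT = "Trace complete. You can locate the records with 'ausearch -i -p 10485'\n"
# Constructed records in raw audit.log format (as `ausearch --raw` emits them); records that
# share one audit(ts:serial) form a single event, and serial 400 is an older run.
RAW_AUDIT = """\
type=SYSCALL msg=audit(1700000100.101:501): arch=c000003e syscall=59 success=yes exit=0 pid=10485 ppid=10480 uid=0 comm="df" exe="/usr/bin/df"
type=EXECVE msg=audit(1700000100.101:501): argc=2 a0="/usr/bin/df" a1="-h"
type=SYSCALL msg=audit(1700000100.102:502): arch=c000003e syscall=257 success=yes exit=3 pid=10485 comm="df"
type=PATH msg=audit(1700000100.102:502): item=0 name="/proc/self/mountinfo" nametype=NORMAL
type=SYSCALL msg=audit(1700000100.104:505): arch=c000003e syscall=1 success=yes exit=80 pid=10485 comm="df"
type=SYSCALL msg=audit(1700000100.105:506): arch=c000003e syscall=231 success=yes exit=0 pid=10485 comm="df"
type=SYSCALL msg=audit(1699900000.000:400): arch=c000003e syscall=2 success=yes exit=3 pid=10485 comm="df"
type=SYSCALL msg=audit(1700000100.106:507): arch=c000003e syscall=1 success=yes exit=5 pid=2222 comm="bash"
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def pid_from_autrace_output(text):
    """Pull the PID out of the ausearch hint autrace prints when the trace finishes."""
    m = re.search(r"ausearch -i -p (\d+)", text)
    return int(m.group(1)) if m else None

def parse_record(line):
    """Split one raw audit record into type, epoch seconds, serial and its key=value fields."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    rec.update(type=rtype, ts=int(ts), serial=int(serial))
    return rec

def syscall_report(raw, pid, since_ts=None):
    """`ausearch -p PID [-ts T] --raw | aureport -i` in miniature: count a PID's syscalls by name."""
    counts = Counter()
    for line in raw.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] != "SYSCALL" or rec.get("pid") != str(pid):
            continue
        if since_ts is not None and rec["ts"] < since_ts:
            continue  # the equivalent of ausearch's -ts cutoff
        num = int(rec["syscall"])
        counts[SYSCALL_NAMES.get(num, f"syscall-{num}")] += 1
    return counts
```

Calling `syscall_report(RAW_AUDIT, 10485, since_ts=1700000000)` drops the older serial 400 record, which is what `-ts today` does for last week's traces.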


More information about autrace can be found on the man page of autrace.

man autrace


So these were some ways in which you can use Autrace for auditing your processes on Linux. Just like autrace, there are lots of different tools in the market which are used for auditing. One such tool is strace. Once you are comfortable with autrace you can also check out the usage of strace. Thanks for reading the article, hope you liked it.
