Using Autrace to Audit Linux Processes

January 31, 2020

The Autrace utility is a command-line auditing solution for operating system processes that logs system events. It's used to keep track of key events like the OS shutting down unexpectedly, network configuration changes, system file access privileges being edited, and so on. With the exception of CentOS, the application is part of the auditd package, which is not installed by default on a Linux desktop.

We will tell you how to audit on a server running Ubuntu Server 18.04.

Preliminary preparation

Installing the utility:

sudo apt-get install auditd audispd-plugins

The process will take no more than four minutes.

The product configuration is stored in the /etc/audit/auditd.conf file. For editing, we use a text editor, such as Nano or Vi.

How to run an audit

In general, the command looks like this:

autrace –r name_program [keys]

name_program - the name of the product being checked;
keys - additional options available to the utility.

The r key limits the data that is collected by the utility. When activated, autrace will collect only those logs that are necessary for analysis by the specified parameters.

Let's take an example: the DF program monitors the resources of the file structure.

Run an audit for the service:

sudo autrace -r /bin/df –h

The utility will start monitoring DF operations:

Audit Autrace
Screenshot #1. Audit example.

To view detailed information, use the built-in log. It is opened via the ausearch command. Depending on the program being audited, the syntax of the command varies. In our example in the image above, it is highlighted in red.

We type in the terminal without quotes:

ausearch –I –p 7946

As a result, detailed information on the log will appear on the monitor. The syntax for the ausearch command is as follows:

ausearch –i –p <id>

The id key is the numeric value of the process, which is available after the autrace command is invoked.
The -p switch tells the utility the identifier by which the log is searched, and the -i option interprets numeric values.

If detailed tracing is needed, we use a different syntax:

ausearch -p 7946 --raw | aureport -i –f

, where the -f switch informs about files and sockets, and the raw combination specifies the format of the output report.

To display information depending on the day, write:

ausearch -p 7946 --raw | aureport -i -f

As you can easily see, the value 7946 is the process ID that is used in the example article.

Start your cloud journey? Take the first step right now.