How to Audit Linux Process Using ‘autrace’ on CentOS/RHEL

This article is our ongoing series on Linux Auditing, in our last three articles we have explained how to audit Linux systems (CentOS and RHEL), query auditd logs using ausearch and generate reports using aureport utility.

In this article, we will explain how to audit a given process using autrace utility, where we’ll analyze a process by tracing the system calls a process makes.

Read Also: How to Trace Execution of Commands in Shell Script with Shell Tracing

What is autrace?

autrace is a command line utility that runs a program until it exits, just like strace; it adds the audit rules to trace a process and saves the audit information in /var/www/audit/audit.log file. For it to work (i.e before running the selected program), you must first delete all existing audit rules.

The syntax for using autrace is shown below, and it only accepts one option, -r which limits syscalls collected to ones required for assessing resource usage of the process:

# autrace -r program program-args

Attention: In the autrace man page, the syntax as follows, which is actually a documentation mistake. Because using this form, the program you run will assume you’re using one of its internal option thus resulting into an error or performing the default action enabled by the option.

# autrace program -r program-args

If you have any audit rules present, autrace shows the following error.

# autrace /usr/bin/df
autrace Error
autrace Error

First delete all the auditd rules with the following command.

# auditctl -D

Then proceed to run autrace with your target program. In this example, we are tracing the execution of df command, which shows filesystem usage.

# autrace /usr/bin/df -h
Trace df Command
Trace df Command

From the screenshot above, you can find all the log entries to do with the trace, from the audit log file using ausearch utility as follows.

# ausearch -i -p 2678

Where the option:

  • -i – enables interpreting of numeric values into text.
  • -p – passes the process ID to be searched.
Audit Report of df Command
Audit Report of df Command

To generate a report about the trace details, you can build a command line of ausearch and aureport like this.

# ausearch -p 2678 --raw | aureport -i -f

Where:

  • --raw – tells ausearch to deliver raw input to aureport.
  • -f – enables reporting about files and af_unix sockets.
  • -i – allows interpreting of numeric values into text.
Generate Trace Report of df Command
Generate Trace Report of df Command

And using the command below, we are limiting the syscalls gathered to ones needed for analyzing resource usage of the df process.

# autrace -r /usr/bin/df -h

Assuming you have autraced a program for the last one week; meaning there is a lot of information dumped in the audit logs. To produce a report for only today’s records, use the -ts ausearch flag to specify the start date/time for searching:

# ausearch -ts today -p 2678 --raw | aureport -i -f
Generate Trace Report based on Time
Generate Trace Report based on Time

That’s it! this way you can trace and audit specific Linux process using autrace tool, for more information check man pages.

You can also read out these related, useful guides:

  1. Sysdig – A Powerful System Monitoring and Troubleshooting Tool for Linux
  2. BCC – Dynamic Tracing Tools for Linux Performance Monitoring, Networking and More
  3. 30 Useful ‘ps Command’ Examples for Linux Process Monitoring
  4. CPUTool – Limit and Control CPU Utilization of Any Process in Linux
  5. Find Top Running Processes by Highest Memory and CPU Usage in Linux

That’s all for now! You can ask any questions or share thoughts about this article via the comment from below. In the next article, we will describe how to configure PAM (Pluggable Authentication Module) for auditing of TTY input for specified users CentOS/RHEL.

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

Got something to say? Join the discussion.

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.