
How to Audit Linux Processes Using ‘Autrace’ on CentOS/RHEL

Process auditing is a vital component of Linux system security. Monitoring and tracking processes helps spot potential security issues and troubleshoot system problems. CentOS/RHEL (Red Hat Enterprise Linux) ships a robust tool called “autrace” that lets administrators audit processes effectively.

This article discusses using “autrace” to audit Linux processes on CentOS/RHEL. We walk through installing and setting up “autrace” and demonstrate its use in auditing various process activities. By the end, we will know how to use “autrace” to improve the security and stability of a Linux system.

Installing “Autrace” on CentOS/RHEL

Start a terminal session or connect to the CentOS/RHEL system.

$ sudo -i

After entering the password, we are logged in as the root user.

The system’s package repository can be updated by running the following command:

# yum update

Install the “audit” package which includes the “autrace” utility by running the following command:

# yum install audit

We will be prompted to confirm the installation.

To check that the installation succeeded, query the version of “autrace” with this command:

# autrace --version

If “autrace” is installed properly, the version information is displayed in the terminal.

Obtaining the Trace of a Specific File

Any previously loaded audit rules must be removed before running “autrace”; otherwise, “autrace” refuses to run and reports an error. For example, running it while rules are still loaded:

# autrace /usr/bin/df

produces that error. So, first remove all loaded audit rules (note that this also disables whatever monitoring those rules provided, so record the current rule set with “auditctl -l” beforehand if it must be restored later):

# auditctl -D

With those two steps done, let’s trace the execution of the “df” command. Use the following command:

# autrace /usr/bin/df -h
  • ‘autrace’: autrace is a command-line tool that traces the system calls made by a single command or process.
  • ‘/usr/bin/df’: This is the path to the command or binary to be traced. In this example it is “/usr/bin/df”, a tool used on Linux systems to display disk space utilization.

The “-h” option stands for “human-readable” and formats the “df” command output to be more user-friendly by displaying the sizes in a human-readable format (e.g., “1K”, “1M”, “1G”).

Using Ausearch to Locate the Log Entries

Ausearch is a command-line tool that finds the log entries associated with a trace that was run. When the “autrace” command finishes, it prints the “ausearch” command to use, including the process ID of the trace:

# ausearch -i -p 10458
  • ‘-i’: The “-i” flag interprets numeric values in the records as text (for example, user IDs become user names and syscall numbers become syscall names).
  • ‘-p’: The “-p” flag is used to define the process ID (PID) for which the audit events should be searched.

The PID 10458 is specific to this run; on our system it will be a different number.

Now, we create a report with the help of “aureport”. Use the following command to generate a report with all the details about the trace that was performed:

# ausearch -p 2678 --raw | aureport -i -f
  • ‘--raw’: The “--raw” option instructs “ausearch” to output the raw, unformatted records so that “aureport” can process them.
  • ‘-f’: The “-f” option reports on files and af_unix sockets.

Reducing the Syscalls Using “Autrace”

Limiting the syscalls means collecting only the system calls that are relevant to analyzing the resource use of “df”, rather than every syscall it makes.

# autrace -r /usr/bin/df -h

‘-r’: This option limits the collected system calls to those relevant for analyzing the traced command’s resource use.

Creating Reports for Only the Present Day

Suppose we ran a trace a few weeks ago; the audit logs will have accumulated a lot of data since then. To exclude that older data, the “-ts” option is used, which specifies the start date and time of the search.

# ausearch -ts today -p 2678 --raw | aureport -i -f
  • ‘ausearch’: This command searches and extracts audit events from the audit log files.
  • ‘-ts today’: The “-ts” flag specifies the start timestamp for the search. In this scenario, the “today” keyword restricts the search to events that occurred on the current day.
  • ‘|’: The pipe symbol (|) redirects the output of the previous command (ausearch) and provides it as input to the next command (aureport).
  • ‘aureport’: This command generates human-readable reports from the “ausearch” input.
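The steps above (clear the rules, run autrace, take the PID it reports, then query today’s records for that PID) can be chained so the PID never has to be copied by hand. This is an added example, not code from the original article; it assumes the audit package is installed, that it runs as root on the CentOS/RHEL host, and that autrace still ends with its “Trace complete” line. The sample output inside is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original article): wraps the autrace workflow
# above so the PID that autrace reports is captured automatically instead of
# being copied from the terminal by hand. Assumes the audit package is
# installed and that the script is run as root on the CentOS/RHEL host.
set -eu

# Constructed sample of what autrace prints (not a real capture); the last
# line is the one that matters for locating the records afterwards.
SAMPLE_OUTPUT="Waiting to execute: /usr/bin/df
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 10458'"

# Extract the PID from autrace's "Trace complete" line; print nothing if
# no such line is present (e.g. autrace refused to run).
extract_trace_pid() {
    printf '%s\n' "$1" \
        | sed -n "s/.*ausearch -i -p \([0-9][0-9]*\)'.*/\1/p" \
        | head -n 1
}

# Run the trace, then report on today's records for the traced PID only.
trace_and_report() {
    [ "$(id -u)" -eq 0 ] || { echo "must be run as root" >&2; return 1; }
    # autrace refuses to start while audit rules are loaded, and auditctl -D
    # drops every rule, including those doing real monitoring. Keep a copy
    # of the current rule set so it can be reloaded afterwards.
    backup="/root/audit-rules-$(date +%Y%m%d%H%M%S).txt"
    auditctl -l > "$backup"
    auditctl -D
    out=$(autrace "$@" 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
    pid=$(extract_trace_pid "$out")
    [ -n "$pid" ] || { echo "no PID found in autrace output" >&2; return 1; }
    echo "trace PID: $pid (previous rules saved in $backup)"
    ausearch -ts today -p "$pid" --raw | aureport -i -f
}

if [ "$#" -gt 0 ]; then
    trace_and_report "$@"      # e.g. ./autrace-report.sh /usr/bin/df -h
else
    echo "usage: $0 /path/to/command [args...]" >&2
fi
```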

Conclusion

Maintaining system security and integrity requires auditing Linux processes. With “autrace”, CentOS/RHEL users have a strong tool for monitoring and analyzing process behavior. By following the steps given in this article, administrators can use “autrace” to discover potential security threats, troubleshoot issues, and maintain compliance with regulatory standards, thereby strengthening the security posture of their Linux systems.
