{"id":22482,"date":"2023-10-15T04:38:07","date_gmt":"2023-10-15T04:38:07","guid":{"rendered":"https:\/\/linuxways.net\/?p=22482"},"modified":"2023-10-19T02:14:55","modified_gmt":"2023-10-19T02:14:55","slug":"audit-linux-process-using-autrance-centosrhel","status":"publish","type":"post","link":"https:\/\/linuxways.net\/de\/centos\/audit-linux-process-using-autrance-centosrhel\/","title":{"rendered":"How to Audit Linux Process Using \u2018Autrance\u2019 on CentOSRHEL"},"content":{"rendered":"
\nProcess auditing is a vital component in Linux systems. Process monitoring and tracking aids in spotting potential security concerns and troubleshooting system difficulties. CentOS\/RHEL (Red Hat Enterprise Linux) includes a robust tool called \u201cautrace\u201d that allows the administrators to effectively audit the processes.<\/p>\n

The usage of “autrace” to audit the Linux processes on CentOS\/RHEL will be discussed in this article. We will walk through the process of installing and setting \u201cautrace\u201d as well as demonstrating its use in auditing various process activities. In the end, we will learn how to use \u201cautrace\u201d to improve the security and stability of our Linux system.<\/p>\n

Installing \u201cAutrace\u201d on CentOS\/RHEL<\/strong><\/h2>\n

Start a terminal session or connect to the CentOS\/RHEL system.<\/p>\n

$ <\/span>sudo<\/span> -i<\/span><\/div><\/div>\n

After entering the password, we login as a root user.<\/p>\n

The system’s package repository can be updated by running the following command:<\/p>\n

# <\/span>yum update<\/span><\/div><\/div>\n

Install the \u201caudit\u201d package which includes the \u201cautrace\u201d utility by running the following command:<\/p>\n

# <\/span>yum install<\/span> audit<\/div><\/div>\n

We will be prompted to confirm the installation using this command.<\/p>\n

Check the version of \u201cautrace\u201d if the installation is correct. Execute this command:<\/p>\n

# <\/span>autrace --version<\/span><\/div><\/div>\n

We will see the version information displayed in the terminal if \u201cautrace\u201d is installed properly.<\/p>\n

Obtaining the Trace of a Specific File<\/strong><\/h2>\n

We must remove any previous audit rules before running the \u201cautrace\u201d command. Otherwise, \u201cautrace\u201d will give us an error. The audit rules are shown by this command:<\/p>\n

# <\/span>autrace \/<\/span>usr\/<\/span>bin\/<\/span>df<\/span><\/div><\/div>\n

First, use the following command to remove all of the audited rules:<\/p>\n

# <\/span>auditctl -D<\/span><\/div><\/div>\n

Let’s look for a trace of the \u201cdf\u201d command’s execution after we completed the previous two jobs. To get the result, use the following command:<\/p>\n

# <\/span>autrace \/<\/span>usr\/<\/span>bin\/<\/span>df<\/span> -h<\/span><\/div><\/div>\n
    \n
  • \u2018autrace\u2019:<\/strong> Autrace is a command-line tool for tracing the system calls performed by a single command or process.<\/li>\n
  • \u2018\/usr\/bin\/df\u2019:<\/strong> This defines the path to the command or binary to be traced. It is \u201c\/usr\/bin\/df\u201d in this example which is a tool that is used on Linux systems to display the disc space utilization information.<\/li>\n<\/ul>\n

    The \u201c-h\u201d option stands for “human-readable” and formats the \u201cdf\u201d command output to be more user-friendly by displaying the sizes in a human-readable format (e.g., “1K”, “1M”, “1G”).<\/p>\n

    Using Ausearch to Locate the Log Entries<\/strong><\/h2>\n

    Ausearch is a command-line application that aids in the discovery of log entries associated with the traces that are run. When we use the \u201cautrace\u201d command, we get the following results:<\/p>\n

    # <\/span>ausearch -i<\/span> -p<\/span> 10458<\/span><\/div><\/div>\n
      \n
    • \u2018-i\u2019:<\/strong> The \u201c-i” flag aids in the conversion of numerical data to text.<\/li>\n
    • \u2018-p\u2019:<\/strong> The \u201c-p\u201d flag is used to define the process ID (PID) for which the audit events should be searched.<\/li>\n<\/ul>\n

      In this situation, the number 10458 is unique; we may have a different ID.<\/p>\n

      Now, we create a report with the assistance of \u201caureport\u201d. Use the following command to generate a report with all of the details about the trace that was performed:<\/p>\n

      # <\/span>ausearch -p<\/span> 2678<\/span> --raw<\/span> |<\/span> aureport -i<\/span> -f<\/span><\/div><\/div>\n
        \n
      • \u2018\u2014raw\u2019:<\/strong> The \u201c-raw\u201d parameter instructs \u201causearch\u201d to send a raw input to \u201caureport\u201d.<\/li>\n
      • \u2018-f\u2019: <\/strong>The \u201c-f\u201d option is useful for reporting the \u201caf_unix\u201d ports and directories.<\/li>\n<\/ul>\n

        Reducing the Syscalls Using \u201cAutrace\u201d<\/strong><\/h2>\n

        Limiting the syscalls means decreasing those syscalls that aren’t required for the \u201cdf\u201d package’s resource use analysis.<\/p>\n

        # <\/span>autrace -r<\/span> \/<\/span>usr\/<\/span>bin\/<\/span>df<\/span> -h<\/span><\/div><\/div>\n

        \u2018-r\u2019:<\/strong> This option indicates that we wish to track the system calls made by a certain command.<\/p>\n

        Creating Reports for Only the Present Day<\/strong><\/h2>\n

        Suppose we out a trace a few weeks ago; the audit logs have to contain a lot of data. To eliminate this kind of data, the \u201cts\u201d variable is used which provides the date and time.<\/p>\n

        # <\/span>ausearch -ts<\/span> today -p<\/span> 2678<\/span> --raw<\/span> |<\/span> aureport -i<\/span> -f<\/span><\/div><\/div>\n
          \n
        • \u2018ausearch\u2019:<\/strong> This command searches and extracts the audit events from the audit log files.<\/li>\n
        • \u2018-ts today\u2019:<\/strong> The \u201c-ts\u201d flag specifies the timestamp for which to search for events. In this scenario, the “today” variable is used to search for events that occurred on the current day.<\/li>\n
        • \u2018|\u2019:<\/strong> The pipe symbol (|) is used to divert the output of the previous command (ausearch) and provides it as input to the next command (aureport).<\/li>\n
        • \u2018aureport\u2019:<\/strong> This command is used to generate the human-readable reports based on \u201causearch\u201d input.<\/li>\n<\/ul>\n

          Conclusion<\/strong><\/h2>\n

          Maintaining the system security and integrity requires auditing the Linux processes. With \u201cautrace\u201d, CentOS\/RHEL users have a strong tool at their disposal to successfully monitor and analyze the process behavior. Administrators can use \u201cautrace\u201d to discover potential security threats, troubleshoot issues, and maintain compliance with regulatory standards by following the principles that are given in this article, thereby boosting the security posture of their Linux systems.<\/p>","protected":false},"excerpt":{"rendered":"

          Tutorial on installing and setting \u201cautrace\u201d and using it in auditing various process activities to improve the security and stability of our Linux system.<\/p>","protected":false},"author":111,"featured_media":22487,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-22482","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-centos"],"_links":{"self":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/posts\/22482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/users\/111"}],"replies":[{"embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/comments?post=22482"}],"version-history":[{"count":0,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/posts\/22482\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/media\/22487"}],"wp:attachment":[{"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/media?parent=22482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/categories?post=22482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/linuxways.net\/de\/wp-json\/wp\/v2\/tags?post=22482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}