cross-posted from: https://programming.dev/post/43343171

I just started checking out auditd and made a rule to log file accesses.

auditctl -a always,exit -F dir=/path/to/my/directory -F perm=rwa

From the output, I got some things that might be useful:

  • The full path of the executable
  • pid
  • Parent’s pid: ppid
  • Process’ current working directory cwd

Now if the process was still running when I check the logs, I could open htop and find out what exactly called the process, from the pid.
For example, say I run a git pull on a repository and find out that /usr/bin/ssh is accessing some file, I will get something like:

st
└ bash
    └ git
        └ ssh

I will get the full executable path of each executable (and know if the executable was not in the system directories, but in some unsafe location writeable by another user). This will give me enough context to go by.

But using this same example, what happens if I check the logs after the git operation has ended?
The git process ppid will have been lost(?) and I would have no way to know which process called ssh.

How do I solve this condition?
Ideally, I want to have the audit log contain the whole calling tree with the full executable path of each parent.

  • ulternoOPEnglish
    0·
    18 days ago

    Thanks, I’ll try and see how it works.

    Ok, so I did a thing with git and checked the audit log with ausearch -k test-key.
    Then I got the ppid (say 2000) and then ran ausearch --pid 2000, which gave no output, while doing ausearch --pid 2000 just gave the same entries that I got from the previous one.

    So, unable to get the process tree that way.
    Perhaps there is some setting I am overlooking?

    • Treasure@feddit.orgEnglish
      2·
      18 days ago

      Sorry, I mistakenly believed that auditctl records the process tree on event generation automatically, but that’s not the case. You’ll need to add a rule that records execve events.

      • ulternoOPEnglish
        1·
        17 days ago

        Oof! Wouldn’t that either end up recording everything, or require me to know beforehand, what I am looking for?

        • Treasure@feddit.orgEnglish
          2·
          17 days ago

          Pretty much yes, unfortunately. Because the process calling your target process is obviously created before, you’d need to proactively log all executions. :/

          • ulternoOPEnglish
            1·
            16 days ago

            Welp
            Guess I need to look for another way for my auditing desires.

            On the other hand, considering such a thing can be easily done using htop, I’d suppose it would be possible to add such a functionality to auditd (to include the whole tree and full executable paths).
            I feel like this functionality has considerable merit and would make the file access rules much more useful.