I just started checking out auditd and made a rule to log file accesses.
```
auditctl -a always,exit -F dir=/path/to/my/directory -F perm=rwa
```
From the output, I got some things that might be useful:
- The full path of the executable
- pid
- Parent's pid: ppid
- Process' current working directory: cwd
Now if the process was still running when I check the logs, I could open htop and find out what exactly called the process, from the pid.
For example, say I run a git pull on a repository and find out that /usr/bin/ssh is accessing some file, I will get something like:
```
st
└ bash
  └ git
    └ ssh
```
I will get the full executable path of each executable (and know if the executable was not in the system directories, but in some unsafe location writable by another user). This will give me enough context to go by.
But using this same example, what happens if I check the logs after the git operation has ended?
The git process ppid will have been lost(?) and I would have no way to know which process called ssh.
How do I solve this condition?
Ideally, I want to have the audit log contain the whole calling tree with the full executable path of each parent.
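Added example, not part of the original post: one way to recover the calling tree after the processes have exited is to also audit every `execve` (a rule such as `auditctl -a always,exit -F arch=b64 -S execve -k exec`) and then join the `pid`/`ppid` fields of the file-access record against the logged exec records. The script below does that over a constructed log (the `st -> bash -> git -> ssh` chain from the question plus the directory-watch hit); the log lines, pids and paths are made up, and the `SYSTEM_DIRS` list is an assumption for the "is this executable in a system directory" check. It picks the latest exec of each pid that happened before the event, which is the usual guard against pid reuse.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (made up for this example, not real output).
# Every execve was logged under key "exec"; serials 105 and 107 are accesses
# caught by the directory watch (syscall 257 = openat on x86_64). Field names
# (msg=audit(ts:serial), ppid, pid, comm, exe, cwd) are the ones auditd writes;
# unrelated fields are left out for brevity.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2000 auid=1000 uid=1000 comm="st" exe="/usr/bin/st" key="exec"
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=1000 comm="git" exe="/usr/bin/git" key="exec"
type=SYSCALL msg=audit(1700000000.400:104): arch=c000003e syscall=59 success=yes exit=0 ppid=2002 pid=2003 auid=1000 uid=1000 comm="ssh" exe="/usr/bin/ssh" key="exec"
type=SYSCALL msg=audit(1700000000.500:105): arch=c000003e syscall=257 success=yes exit=3 ppid=2002 pid=2003 auid=1000 uid=1000 comm="ssh" exe="/usr/bin/ssh" key="watch"
type=CWD msg=audit(1700000000.500:105): cwd="/home/user/repo"
type=PATH msg=audit(1700000000.500:105): item=0 name="/home/user/.ssh/config"
type=SYSCALL msg=audit(1700000000.600:106): arch=c000003e syscall=59 success=yes exit=0 ppid=2002 pid=2004 auid=1000 uid=1000 comm="ssh" exe="/home/user/.local/bin/ssh" key="exec"
type=SYSCALL msg=audit(1700000000.700:107): arch=c000003e syscall=257 success=yes exit=3 ppid=2002 pid=2004 auid=1000 uid=1000 comm="ssh" exe="/home/user/.local/bin/ssh" key="watch"
type=CWD msg=audit(1700000000.700:107): cwd="/home/user/repo"
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXEC_SYSCALLS = {"59", "322"}  # x86_64 execve and execveat
# Assumed list of "trusted" executable locations; adjust for your distro.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


def parse_records(text):
    """Turn raw audit lines into dicts of their key=value fields, plus ts and serial."""
    records = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        rec["ts"], rec["serial"] = float(m.group(1)), int(m.group(2))
        records.append(rec)
    return records


def build_exec_index(records):
    """pid -> time-ordered list of (ts, ppid, exe, comm) for each successful exec."""
    index = defaultdict(list)
    for r in records:
        if r.get("type") == "SYSCALL" and r.get("syscall") in EXEC_SYSCALLS and r.get("success") == "yes":
            index[int(r["pid"])].append((r["ts"], int(r["ppid"]), r["exe"], r["comm"]))
    for entries in index.values():
        entries.sort()
    return index


def image_at(index, pid, at_ts):
    """Latest exec of pid at or before at_ts (None if unknown); avoids matching a reused pid."""
    best = None
    for entry in index.get(pid, []):
        if entry[0] <= at_ts:
            best = entry
    return best


def ancestry(index, pid, at_ts):
    """Follow ppid links through the exec index. Returns [(pid, exe), ...] from the
    accessing process upward; stops at the first ancestor with no logged exec
    (pid 1, or a process that started before the rules were loaded)."""
    chain, seen = [], set()
    while pid not in seen:
        seen.add(pid)
        entry = image_at(index, pid, at_ts)
        if entry is None:
            break
        _, ppid, exe, _ = entry
        chain.append((pid, exe))
        pid = ppid
    return chain


def explain_access(text, serial):
    """Calling tree for the SYSCALL record with the given audit serial."""
    records = parse_records(text)
    index = build_exec_index(records)
    event = next(r for r in records if r.get("type") == "SYSCALL" and r["serial"] == serial)
    return ancestry(index, int(event["pid"]), event["ts"])


def outside_system_dirs(chain):
    """Executables in the chain that live outside SYSTEM_DIRS (worth a closer look)."""
    return [exe for _, exe in chain if not exe.startswith(SYSTEM_DIRS)]


if __name__ == "__main__":
    for serial in (105, 107):
        chain = explain_access(SAMPLE_LOG, serial)
        print(f"serial {serial}:", " <- ".join(f"{pid}:{exe}" for pid, exe in chain))
        print("  outside system dirs:", outside_system_dirs(chain))
```

The chain is only as complete as the exec records: a process that was forked but never exec'd (a bash subshell, for instance) leaves no SYSCALL record of its own, so the walk ends at the nearest ancestor that did exec. Running `ausearch -k exec` with the same rule loaded gives you the raw records this script expects.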

