cross-posted from: https://programming.dev/post/43343171
I just started checking out auditd and made a rule to log file accesses.
auditctl -a always,exit -F dir=/path/to/my/directory -F perm=rwa
From the output, I got some things that might be useful:
- The full path of the executable
pid- Parent’s pid:
ppid - Process’ current working directory
cwd
Now if the process was still running when I check the logs, I could open htop and find out what exactly called the process, from the pid.
For example, say I run a git pull on a repository and find out that /usr/bin/ssh is accessing some file, I will get something like:
st
└ bash
└ git
└ ssh
I will get the full executable path of each executable (and know if the executable was not in the system directories, but in some unsafe location writeable by another user). This will give me enough context to go by.
But using this same example, what happens if I check the logs after the git operation has ended?
The git process ppid will have been lost(?) and I would have no way to know which process called ssh.
How do I solve this condition?
Ideally, I want to have the audit log contain the whole calling tree with the full executable path of each parent.
Pretty much yes, unfortunately. Because the process calling your target process is obviously created before, you’d need to proactively log all executions. :/
Welp
Guess I need to look for another way for my auditing desires.
On the other hand, considering such a thing can be easily done using
htop, I’d suppose it would be possible to add such a functionality toauditd(to include the whole tree and full executable paths).I feel like this functionality has considerable merit and would make the file access rules much more useful.