6
How to use Auditd file access logs? (programming.dev)
submitted 3 weeks ago by ulterno@programming.dev to c/cybersecurity@sh.itjust.works
6 comments fedilink hide all child comments

cross-posted from: https://programming.dev/post/43343171

I just started checking out auditd and made a rule to log file accesses.

auditctl -a always,exit -F dir=/path/to/my/directory -F perm=rwa

From the output, I got some things that might be useful:

  • The full path of the executable
  • pid
  • Parent's pid: ppid
  • Process' current working directory cwd

Now if the process was still running when I check the logs, I could open htop and find out what exactly called the process, from the pid.
For example, say I run a git pull on a repository and find out that /usr/bin/ssh is accessing some file, I will get something like:

st
โ”” bash
    โ”” git
        โ”” ssh

I will get the full executable path of each executable (and know if the executable was not in the system directories, but in some unsafe location writeable by another user). This will give me enough context to go by.

But using this same example, what happens if I check the logs after the git operation has ended?
The git process ppid will have been lost(?) and I would have no way to know which process called ssh.

How do I solve this condition?
Ideally, I want to have the audit log contain the whole calling tree with the full executable path of each parent.

you are viewing a single comment's thread
view the rest of the comments
[-] treasure@feddit.org 2 points 3 weeks ago

As far as I am aware, auditctl records the whole process tree of an event. You can use ausearch with --pid <pid> or --ppid <pid> to work yourself all the way up the process tree.

[-] ulterno@programming.dev 1 points 3 weeks ago* (last edited 3 weeks ago)

Thanks, I'll try and see how it works.

Ok, so I did a thing with git and checked the audit log with ausearch -k test-key.
Then I got the ppid (say 2000) and then ran ausearch --pid 2000, which gave no output, while doing ausearch --pid 2000 just gave the same entries that I got from the previous one.

So, unable to get the process tree that way.
Perhaps there is some setting I am overlooking?

[-] treasure@feddit.org 2 points 3 weeks ago

Sorry, I mistakenly believed that auditctl records the process tree on event generation automatically, but that's not the case. You'll need to add a rule that records execve events.

[-] ulterno@programming.dev 1 points 3 weeks ago

Oof! Wouldn't that either end up recording everything, or require me to know beforehand, what I am looking for?

[-] treasure@feddit.org 2 points 3 weeks ago

Pretty much yes, unfortunately. Because the process calling your target process is obviously created before, you'd need to proactively log all executions. :/

[-] ulterno@programming.dev 1 points 3 weeks ago

Welp
Guess I need to look for another way for my auditing desires.

On the other hand, considering such a thing can be easily done using htop, I'd suppose it would be possible to add such a functionality to auditd (to include the whole tree and full executable paths).
I feel like this functionality has considerable merit and would make the file access rules much more useful.

this post was submitted on 14 Jan 2026
6 points (100.0% liked)

Cybersecurity

9503 readers
29 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago
MODERATORS
kid@sh.itjust.works
Lanky_Pomegranate530@midwest.social