How to use Auditd file access logs? (programming.dev)

submitted 3 weeks ago by ulterno@programming.dev to c/cybersecurity@sh.itjust.works

6 comments fedilink hide all child comments

cross-posted from: https://programming.dev/post/43343171

I just started checking out auditd and made a rule to log file accesses.

auditctl -a always,exit -F dir=/path/to/my/directory -F perm=rwa

From the output, I got some things that might be useful:

The full path of the executable
pid
Parent's pid: ppid
Process' current working directory cwd

Now if the process was still running when I check the logs, I could open htop and find out what exactly called the process, from the pid.
For example, say I run a git pull on a repository and find out that /usr/bin/ssh is accessing some file, I will get something like:

st
└ bash
    └ git
        └ ssh

I will get the full executable path of each executable (and know if the executable was not in the system directories, but in some unsafe location writeable by another user). This will give me enough context to go by.

But using this same example, what happens if I check the logs after the git operation has ended?
The git process ppid will have been lost(?) and I would have no way to know which process called ssh.

How do I solve this condition?
Ideally, I want to have the audit log contain the whole calling tree with the full executable path of each parent.

you are viewing a single comment's thread
view the rest of the comments

[-] treasure@feddit.org 2 points 3 weeks ago

Sorry, I mistakenly believed that auditctl records the process tree on event generation automatically, but that's not the case. You'll need to add a rule that records execve events.

[-] ulterno@programming.dev 1 points 3 weeks ago

Oof! Wouldn't that either end up recording everything, or require me to know beforehand, what I am looking for?

[-] treasure@feddit.org 2 points 3 weeks ago

Pretty much yes, unfortunately. Because the process calling your target process is obviously created before, you'd need to proactively log all executions. :/

[-] ulterno@programming.dev 1 points 3 weeks ago

Welp
Guess I need to look for another way for my auditing desires.

On the other hand, considering such a thing can be easily done using htop, I'd suppose it would be possible to add such a functionality to auditd (to include the whole tree and full executable paths).
I feel like this functionality has considerable merit and would make the file access rules much more useful.

this post was submitted on 14 Jan 2026

6 points (100.0% liked)

Cybersecurity

9503 readers

29 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social