How to use Auditd file access logs? (programming.dev)

submitted 1 month ago by ulterno@programming.dev to c/linux4noobs@programming.dev

0 comments fedilink hide all child comments

I just started checking out auditd and made a rule to log file accesses.

auditctl -a always,exit -F dir=/path/to/my/directory -F perm=rwa

From the output, I got some things that might be useful:

The full path of the executable
pid
Parent's pid: ppid
Process' current working directory cwd

Now if the process was still running when I check the logs, I could open htop and find out what exactly called the process, from the pid.
For example, say I run a git pull on a repository and find out that /usr/bin/ssh is accessing some file, I will get something like:

st
└ bash
    └ git
        └ ssh

I will get the full executable path of each executable (and know if the executable was not in the system directories, but in some unsafe location writeable by another user). This will give me enough context to go by.

But using this same example, what happens if I check the logs after the git operation has ended?
The git process ppid will have been lost(?) and I would have no way to know which process called ssh.

How do I solve this condition?
Ideally, I want to have the audit log contain the whole calling tree with the full executable path of each parent.

no comments (yet)

sorted by: hot top controversial new old

there doesn't seem to be anything here

this post was submitted on 02 Jan 2026

9 points (100.0% liked)

linux4noobs

3208 readers

1 users here now

linux4noobs

Noob Friendly, Expert Enabling

Whether you're a seasoned pro or the noobiest of noobs, you've found the right place for Linux support and information. With a dedication to supporting free and open source software, this community aims to ensure Linux fits your needs and works for you. From troubleshooting to tutorials, practical tips, news and more, all aspects of Linux are warmly welcomed. Join a community of like-minded enthusiasts and professionals driving Linux's ongoing evolution.

Seeking Support?

Mention your Linux distro and relevant system details.
Describe what you've tried so far.
Share your solution even if you found it yourself.
Do not delete your post. This allows other people to see possible solutions if they have a similar problem.
Properly format any scripts, code, logs, or error messages.
Be mindful to omit any sensitive information such as usernames, passwords, IP addresses, etc.

Community Rules

Keep discussions respectful and amiable. This community is a space where individuals may freely inquire, exchange thoughts, express viewpoints, and extend help without encountering belittlement. We were all a noob at one point. Differing opinions and ideas is a normal part of discourse, but it must remain civil. Offenders will be warned and/or removed.
Posts must be Linux oriented
Spam or affiliate links will not be tolerated.

founded 2 years ago

MODERATORS

PlutoParty@programming.dev