Using Autrace to Audit Linux Processes

The Autrace utility is a command-line auditing solution for operating system processes that logs system events. It’s used to keep track of key events like the OS shutting down unexpectedly, network configuration changes, system file access privileges being edited, and so on. With the exception of CentOS, the application is part of the auditd package, which is not installed by default on a Linux desktop.

We will tell you how to audit on a server running Ubuntu Server 18.04.

Preliminary preparation

Installing the utility:

sudo apt-get install auditd audispd-plugins

The process will take no more than four minutes.

The product configuration is stored in the /etc/audit/auditd.conf file. For editing, we use a text editor, such as Nano or Vi.

How to run an audit

In general, the command looks like this:

autrace –r name_program [keys]

name_program – the name of the product being checked;
keys – additional options available to the utility.

The r key limits the data that is collected by the utility. When activated, autrace will collect only those logs that are necessary for analysis by the specified parameters.

Let’s take an example: the DF program monitors the resources of the file structure.

Run an audit for the service:

sudo autrace -r /bin/df –h

The utility will start monitoring DF operations:

Audit Autrace

Screenshot #1. Audit example.

To view detailed information, use the built-in log. It is opened via the ausearch command. Depending on the program being audited, the syntax of the command varies. In our example in the image above, it is highlighted in red.

We type in the terminal without quotes:

ausearch –I –p 7946

As a result, detailed information on the log will appear on the monitor. The syntax for the ausearch command is as follows:

ausearch –i –p <id>

The id key is the numeric value of the process, which is available after the autrace command is invoked.
The -p switch tells the utility the identifier by which the log is searched, and the -i option interprets numeric values.

If detailed tracing is needed, we use a different syntax:

ausearch -p 7946 --raw | aureport -i –f

, where the -f switch informs about files and sockets, and the raw combination specifies the format of the output report.

To display information depending on the day, write:

ausearch -p 7946 --raw | aureport -i -f

As you can easily see, the value 7946 is the process ID that is used in the example article.


Welcome to the world of DomainRooster, where roosters (and hens) rule the roost! We're a one-stop shop for all your entrepreneurial needs, bringing together domain names and website hosting, and all the tools you need to bring your ideas to life. With our help, you'll soar to new heights and hatch great success. Think of us as your trusty sidekick, always there to lend a wing and help you navigate the sometimes-complex world of domain names and web hosting. Our team of roosters are experts in their fields and are always on hand to answer any questions and provide guidance. So why wait? Sign up today and join the ranks of the world's greatest entrepreneurs. With DomainRooster, the sky's the limit! And remember, as the saying goes, "Successful people do what unsuccessful people are not willing to do." So don't be afraid to take that leap of faith - DomainRooster is here to help you reach for the stars. Caw on!