In addition to monitoring your system using the rules you set up, you can
also perform dedicated audits of individual processes using the
autrace command. autrace works similarly to the
strace command, but gathers slightly different
information. The output of autrace is written to /var/log/audit/audit.log
and does not look any different from the standard audit log entries.
When performing an autrace on a process, make sure that all loaded audit rules
are purged first, so that they do not conflict with the temporary rules that
autrace loads itself. Delete the loaded rules with the auditctl -D command.
Note that this stops all normal rule-based auditing until the rule set is
loaded again.
auditctl -D
No rules
autrace /usr/bin/less /etc/sysconfig/auditd
Waiting to execute: /usr/bin/less
Cleaning up...
No rules
Trace complete. You can locate the records with 'ausearch -i -p 7642'
Always use the full path to the executable you want to track with autrace. After the trace is complete, autrace prints the process ID (PID) of the traced process, so you can retrieve the entire data trail for that process with ausearch -i -p PID (the -p option filters by process ID). To restore the audit system to its normal rule set again, restart the audit daemon with rcauditd restart; this reloads the rules from the audit rules file.
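The whole procedure above (purge the rules, check that a full path was given, run autrace, look up the trail by PID, restore the rule set) is easy to get out of order when done by hand. The following shell wrapper is an added example and not part of the SUSE documentation or the audit tools themselves. It assumes auditctl, autrace, ausearch and the auditd init script are installed and that it runs as root; the function trace_program and the helper names are hypothetical. The PID is taken from the last line autrace prints, which is the output format shown above.

```shell
#!/bin/sh
# Added example (not from the documentation): drive an autrace session
# end to end. Assumes root privileges and the audit userspace tools.

# Pull the PID out of autrace's final line, e.g.
# "Trace complete. You can locate the records with 'ausearch -i -p 7642'".
# Prints nothing if no such line is present.
autrace_pid_from_output() {
    printf '%s\n' "$1" \
        | sed -n "s/.*ausearch -i -p \([0-9][0-9]*\)'.*/\1/p" \
        | tail -n 1
}

# autrace requires the full path to the executable; reject anything else
# before touching the rule set.
check_full_path() {
    case "$1" in
        /*) [ -x "$1" ] ;;
        *)  return 1 ;;
    esac
}

# trace_program /full/path/to/program [args...]
# Hypothetical wrapper: purge rules, trace, fetch the trail, restore rules.
trace_program() {
    prog="$1"
    shift
    check_full_path "$prog" || {
        echo "autrace needs the full path to an executable: $prog" >&2
        return 2
    }

    # Purge the loaded rules so they do not clash with autrace's own rules.
    # Normal rule-based auditing is off from here until the restart below.
    auditctl -D >/dev/null || return 3

    out=$(autrace "$prog" "$@" 2>&1)
    printf '%s\n' "$out"

    pid=$(autrace_pid_from_output "$out")
    [ -n "$pid" ] || {
        echo "could not find the traced PID in autrace output" >&2
        rcauditd restart >/dev/null
        return 4
    }

    # Every record for the traced process, interpreted (-i), from
    # /var/log/audit/audit.log.
    ausearch -i -p "$pid"

    # Reload the normal rule set (the text's rcauditd restart; on systemd
    # based releases "systemctl restart auditd" does the same job).
    rcauditd restart >/dev/null
}

# Usage (as root):
#   trace_program /usr/bin/less /etc/sysconfig/auditd
```

The wrapper restores the rule set even when the PID cannot be parsed, so a failed trace does not silently leave the system without its audit rules.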