I know I can view the open files of a process using lsof at that moment in time on my Linux machine. However, a process can open, alter and close a file so quickly that I won’t be able to see it when monitoring it using standard shell scripting (e.g. watch) as explained in “monitor open process files on linux (real-time)”.
So, I think I’m looking for a simple way of auditing a process and see what it has done over the time passed. It would be great if it’s also possible to see what network connections it (tried to) make and to have the audit start before the process got time to run without the audit being started.
Ideally, I would like to do this:
sh $ audit-lsof /path/to/executable 4530.848254 OPEN read /etc/myconfig 4530.848260 OPEN write /var/log/mylog.log 4540.345986 OPEN read /home/gert/.ssh/id_rsa <-- suspicious 4540.650345 OPEN socket TCP ::1:34895 -> 1.2.3.4:80 | [...] 4541.023485 CLOSE /home/gert/.ssh/id_rsa <-- would have missed 4541.023485 CLOSE socket TCP ::1:34895 -> 1.2.3.4:80 | this when polling
Would this be possible using strace and some flags to not see every system call?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
Running it with
strace -e trace=open,openat,close,read,write,connect,accept your-command-here
would probably be sufficient.
You’ll need to use the -o option to put strace’s output somewhere other than the console, if the process can print to stderr. If your process forks, you’ll also need -f or -ff.
Oh, and you might want -t as well, so you can see when the calls happened.
Note, you may need to tweak the function call list depending on what your process does – I needed to add getdents for example, to get better sample using ls:
$ strace -t -e trace=open,openat,close,read,getdents,write,connect,accept ls >/dev/null
...
09:34:48 open("/etc/ld.so.cache", O_RDONLY) = 3
09:34:48 close(3) = 0
09:34:48 open("/lib64/libselinux.so.1", O_RDONLY) = 3
09:34:48 read(3, "177ELF2113>1<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="cbfb8b9d">[email protected]</a>"..., 832) = 832
09:34:48 close(3) = 0
...
09:34:48 open("/proc/filesystems", O_RDONLY) = 3
09:34:48 read(3, "nodevtsysfsnnodevtrootfsnnodevtb"..., 1024) = 366
09:34:48 read(3, "", 1024) = 0
09:34:48 close(3) = 0
09:34:48 open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
09:34:48 close(3) = 0
09:34:48 open(".", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
09:34:48 getdents(3, /* 5 entries */, 32768) = 144
09:34:48 getdents(3, /* 0 entries */, 32768) = 0
09:34:48 close(3) = 0
09:34:48 write(1, "file-Anfile-Bnfile-Cn", 21) = 21
09:34:48 close(1) = 0
09:34:48 close(2) = 0
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0