Log execve's, along with parent process argv?
I'm trying to figure out if I can decommission an old server. I need the information about automated processes running there. So far I tried the following:
auditctl -a exit,always -F arch=b64 -S execve -k any-commands
At log analysis stage, I discovered two pieces of context missing:
- How did those programs get executed? What process was their parent and what was its argv?
- Where did the stdin/stdout go? Ideally I'd love to see the shell command reconstructed, but I know I'm probably asking for too much, so at least having pipe descriptor ID would do (so that I can try to re-construct it with my own scripts).
How can I approach such a problem?
Solution 1:
The execve system call replaces the current process. If a program wants to retain control after starting another program, it needs to create a new process first (using fork or vfork) that then calls execve.
The open file descriptors and permissions are taken over when the program image is replaced in execve (except those marked with the CLOEXEC flag), so open files are inherited from the parent process during fork, then modified between fork and execve (e.g. using dup2), and then finally filtered during the execve call.
So getting a complete picture from audit data will be difficult.
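Added example (my own code, not from the question or the answer above) that exercises the fork / dup2 / execve sequence the answer describes on a Linux host. It assumes /proc is mounted and that /bin/sh, echo and tr are available on PATH. The first two functions show that a pipe descriptor survives execve unless it carries FD_CLOEXEC, and the third rebuilds the shell pipeline `echo hello | tr a-z A-Z` by hand, which is exactly the kind of plumbing that an execve-only audit rule does not record: each child's execve appears in the log with its ppid, but the dup2 calls that wired stdin and stdout to the pipe happen in the forked child before execve and leave no trace in an execve-only ruleset.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that execve()s "/bin/sh -c 'test -e /proc/self/fd/N'" and
 * report whether the exec'd shell still holds descriptor `fd`.
 * Returns 1 if inherited, 0 if not, -1 on error. */
static int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "test -e /proc/self/fd/%d", fd);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                 /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* A pipe end created without CLOEXEC is passed through execve(). */
int inherited_plain_pipe(void)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    int r = fd_survives_exec(p[0]);
    close(p[0]); close(p[1]);
    return r;
}

/* The same pipe end marked FD_CLOEXEC is closed by the kernel at execve(). */
int inherited_cloexec_pipe(void)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    if (fcntl(p[0], F_SETFD, FD_CLOEXEC) < 0) return -1;
    int r = fd_survives_exec(p[0]);
    close(p[0]); close(p[1]);
    return r;
}

/* Do by hand what a shell does for `echo hello | tr a-z A-Z`: one pipe
 * between the children, two forks, dup2() between fork and execve so the
 * pipe ends become echo's stdout and tr's stdin. The final output is
 * collected through a second pipe. Stores the NUL-terminated output in
 * buf and returns its length, or -1 on error. */
int run_pipeline(char *buf, size_t len)
{
    int mid[2], out[2];
    if (pipe(mid) < 0 || pipe(out) < 0) return -1;

    pid_t a = fork();
    if (a < 0) return -1;
    if (a == 0) {                           /* echo: stdout -> mid[1] */
        dup2(mid[1], STDOUT_FILENO);
        close(mid[0]); close(mid[1]); close(out[0]); close(out[1]);
        execlp("echo", "echo", "hello", (char *)NULL);
        _exit(127);
    }
    pid_t b = fork();
    if (b < 0) return -1;
    if (b == 0) {                           /* tr: stdin <- mid[0], stdout -> out[1] */
        dup2(mid[0], STDIN_FILENO);
        dup2(out[1], STDOUT_FILENO);
        close(mid[0]); close(mid[1]); close(out[0]); close(out[1]);
        execlp("tr", "tr", "a-z", "A-Z", (char *)NULL);
        _exit(127);
    }
    /* parent: drop its copies so the readers see EOF, then collect output */
    close(mid[0]); close(mid[1]); close(out[1]);
    size_t total = 0;
    while (total < len - 1) {
        ssize_t n = read(out[0], buf + total, len - 1 - total);
        if (n <= 0) break;
        total += (size_t)n;
    }
    close(out[0]);
    buf[total] = '\0';
    waitpid(a, NULL, 0);
    waitpid(b, NULL, 0);
    return (int)total;
}

int main(void)
{
    char buf[64];
    printf("plain pipe inherited:   %d\n", inherited_plain_pipe());
    printf("cloexec pipe inherited: %d\n", inherited_cloexec_pipe());
    run_pipeline(buf, sizeof buf);
    printf("pipeline output: %s", buf);
    return 0;
}
```

Compile with `cc -Wall demo.c -o demo` and run it; the first function reports 1, the second 0, and the pipeline prints HELLO. The practical consequence for the audit question is that reconstructing who wrote to which pipe needs either the parent's own records (its execve with argv, plus the pipe and dup2 calls if those syscalls are audited too) or a separate data source, as the answer says.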