Log execve's, along with parent process argv?

Question

I'm trying to figure out if I can decomission an old server. I need the information about automated processes running there. So far I tried the following:

auditctl -a exit,always -F arch=b64  -S execve -k any-commands

At log analysis stage, I discovered two pieces of context missing:

How did those programs get executed? What process was their parent and what was its argv?
Where did the stdin/stdout go? Ideally I'd love to see the shell command reconstructed, but I know I'm probably asking for too much, so at least having pipe descriptor ID would do (so that I can try to re-construct it with my own scripts).

How can I approach such a problem?

That information isn't available in the execve system call. Perhaps you should be tracking other syscalls, like clone or open. — Michael Hampton, Aug 02 '21 at 14:17

score 1 · Answer 1 · answered Aug 02 '21 at 14:31

The execve system call replaces the current process. If a program wants to retain control after starting another program, it needs to create a new process first (using fork or vfork) that then calls execve.

The open file descriptors and permissions are taken over when the program image is replaced in execve (except those marked with the CLOEXEC flag), so open files are inherited from the parent process during fork, then modified between fork and execve (e.g. using dup2), and then finally filtered during the execve call.

So getting a complete picture from audit data will be difficult.

Log execve's, along with parent process argv?

1 Answers1