Analyzing Processes With Autrace - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual


Search by Hostname
View records related to a certain remote hostname with ausearch -hn hostname, for example, ausearch -hn jupiter.example.com. You can use a hostname, fully qualified domain name, or numeric network address.
Search by Key Field
View records that contain a certain key assigned in the audit rule set to identify events of a particular type. Use ausearch -k key_field, for example, ausearch -k CFG_etc to display any records containing the CFG_etc key.
Search by Word
View records that contain a certain string assigned in the audit rule set to identify events of a particular type. The whole string is matched against the filename, hostname, and terminal fields. Use ausearch -w word.
Limit a Search to a Certain Time Frame
Use -ts and -te to limit the scope of your searches to a certain time frame. The -ts option specifies the start date and time and the -te option specifies the end date and time. These options can be combined with any of the above, except the -a option. The use of these options is similar to their use with aureport.

30.7 Analyzing Processes with autrace

In addition to monitoring your system using the rules you set up, you can also perform
dedicated audits of individual processes using the autrace command. autrace works
similarly to the strace command, but gathers slightly different information. The
output of autrace is written to /var/log/audit/audit.log and does not look
any different from the standard audit log entries.
When performing an autrace on a process, make sure that any audit rules are purged
from the queue to avoid these rules clashing with the ones autrace adds itself. Delete
the audit rules with the auditctl -D command. This stops all normal auditing.
Understanding Linux Audit
367
