+1 for Dmitry's answer above; that worked nicely for me:
auditctl -a exit,always -F arch=b64 -F a0=2 -S socket -k SOCKET
To see the resulting entries, I grep the log file for that "-k" string
grep SOCKET /var/log/audit/audit.log
To get just the interesting fields,
grep SOCKET /var/log/audit/audit.log | \
cut -d' ' -f 4- | \
sed "s|^|@\n|g;s| |\n|g" | \
grep -E "^((exe|uid|comm)=|@)" | \
tr '\n@' ' \n' |\
sort -u
(explanation: cut -d' ' -f 4- -> chop the line into fields using space (-d' ') as delimiter, show fields fourth to last ( 4- ) )
(explanation: sed "s|^|@\n|g;s| |\n|g" -> edit line, prepend '@' char-plus-newline to start of line, change spaces to newlines)
(explanation: grep -E "^((uid|comm|exe)=|@)" -> as each field of the original line is now on its own line, pick out the interesting fields: user-id, command, executable - and the line-start '@' char.)
(explanation: tr '\n@' ' \n' -> now having only the wanted fields, turn the newlines back into spaces, and the prepended '@' back into a newline
(which rejoins the fields into one line)
(explanation: sort -u -> sort lines, show only unique lines)
gives me:
uid=0 comm="atop" exe="/usr/bin/atop"
uid=0 comm="http" exe="/usr/lib/apt/methods/http"
uid=0 comm="links" exe="/usr/bin/links"
uid=0 comm="ntpdate" exe="/usr/sbin/ntpdate"
uid=0 comm="ufdbguardd" exe="/usr/local/ufdbguard/bin/ufdbguardd"
uid=1000 comm=536F636B657420546872656164 exe="/usr/lib/firefox/firefox"
uid=1000 comm="clock-applet" exe="/usr/lib/mate-panel/clock-applet"
uid=1000 comm="pool" exe="/usr/lib/mate-panel/clock-applet"
uid=105 comm="http" exe="/usr/lib/apt/methods/http"
uid=105 comm="https" exe="/usr/lib/apt/methods/https"
uid=135 comm="unbound" exe="/usr/sbin/unbound"
uid=13 comm="squid" exe="/usr/src/squid-4-master/src/squid"
uid=1 comm="debsecan" exe="/usr/bin/python2.7"
Commands containing spaces are encoded in simple ascii-to-hex method (see audit_logging.c). To decode, replace "FF" with "&#xFF;" and recode that from html to ascii:
grep SOCKET /var/log/audit/audit.log | \
cut -d' ' -f 4- | sed "s|^|@\n|g;s| |\n|g" | \
grep -E "^((exe|uid|comm)=|@)" | tr '\n@' ' \n' | \
sort -u | sed "s|^[^=]*=||g;s| [^ ]*=| |g" | \
while read U C E ; do \
echo "$C" | grep -q '"' || \
{ C=\"`echo $C | sed "s|\(..\)|\&#x\1;|g" | recode h4..u8`\" ; } ; \
echo "uid=$U comm=$C exe=$E" ;
done
(explanation: sed "s|^[^=]*=||g;s| [^ ]*=| |g" -> edit away the 'xxx=' part of the lines - first: line-start (^) followed by any-chars-except-'=' then '=' is replaced with blank, then space followed by any-chars-except-' ' then '=' replaced with space)
(explanation: while read U C E ; do ... done -> loop over each line, reading in each of our three bits of data into U,C,E (userid, command, executable))
(explanation: echo "$C" | grep -q '"' || -> test the command field to see if it contains a doublequote - if not ('||') then do the following: )
(explanation: { C=\"`echo $C | sed "s|\(..\)|\&#x\1;|g" | recode h4..ascii`\" ; } -> print the command string, edit each pair of chars 'FF' to be '&#xFF;', then pass through gnu 'recode' to turn them from html entities into ascii chars.)
(explanation: echo "uid=$U comm=$C exe=$E" -> print out the modified line)
This gives me output (just showing the decoded line):
uid=1000 comm="Socket Thread" exe="/usr/lib/firefox/firefox"
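The same summarisation as a self-contained script, added here as an example rather than taken from the answer above. It feeds constructed audit.log lines (not real captures) through a single awk program that keeps only records tagged with the SOCKET key, pulls out uid/comm/exe, and decodes hex-encoded fields in awk itself, so it does not depend on GNU recode. The sample lines, the AUDIT_AWK variable and the two function names are assumptions of this example; the hex encoding rule (two hex digits per byte, no surrounding quotes) is the one the answer describes.

```shell
#!/bin/sh
# Constructed sample audit.log lines for demonstration only (not real captures).
# They mimic SYSCALL records produced by the "-k SOCKET" rule; the PROCTITLE
# record carries no key and must therefore be filtered out.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpdate" exe="/usr/sbin/ntpdate" key="SOCKET"
type=SYSCALL msg=audit(1700000000.456:4568): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm=536F636B657420546872656164 exe="/usr/lib/firefox/firefox" key="SOCKET"
type=SYSCALL msg=audit(1700000000.789:4569): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpdate" exe="/usr/sbin/ntpdate" key="SOCKET"
type=PROCTITLE msg=audit(1700000000.789:4569): proctitle=2F7573722F7362696E2F6E7470646174650A
'

# One awk program, selected by -v mode=decode|summary (name is an assumption).
# unhex() turns "536F..." into the bytes it encodes using only POSIX awk,
# replacing the sed + recode trick from the answer.
AUDIT_AWK='
BEGIN { h = "0123456789ABCDEF" }
function unhex(s,   i, v, out) {
    s = toupper(s); out = ""
    for (i = 1; i <= length(s); i += 2) {
        v = (index(h, substr(s, i, 1)) - 1) * 16 + index(h, substr(s, i + 1, 1)) - 1
        out = out sprintf("%c", v)
    }
    return out
}
mode == "decode" { print unhex($0); next }
{
    uid = ""; comm = ""; exe = ""
    for (f = 1; f <= NF; f++) {
        # split each key=value on the first "=" only; exact key match so that
        # auid/euid/suid/fsuid are not mistaken for uid
        p = index($f, "=")
        if (p == 0) continue
        k = substr($f, 1, p - 1); val = substr($f, p + 1)
        if (k == "uid") uid = val
        else if (k == "comm") comm = val
        else if (k == "exe") exe = val
    }
    # audit writes comm/exe unquoted, as hex, when they contain spaces or quotes
    if (comm != "" && substr(comm, 1, 1) != "\"") comm = "\"" unhex(comm) "\""
    if (exe != "" && substr(exe, 1, 1) != "\"") exe = "\"" unhex(exe) "\""
    print "uid=" uid " comm=" comm " exe=" exe
}
'

# Decode one hex-encoded audit field read from stdin.
decode_hex_field() {
    awk -v mode=decode "$AUDIT_AWK"
}

# Read audit.log records from stdin and print unique "uid= comm= exe=" lines
# for every event tagged with the SOCKET key.
summarize_socket_events() {
    grep 'key="SOCKET"' | awk -v mode=summary "$AUDIT_AWK" | sort -u
}

# Stand-alone demo on the constructed sample; on a real host you would run
#   summarize_socket_events < /var/log/audit/audit.log
printf '%s' "$SAMPLE_LOG" | summarize_socket_events
```

The awk-only decoder avoids shelling out once per line, which matters when the audit log is large; the exact-key comparison is the reason the answer's grep anchors on `^uid=`, since `auid=`, `euid=` and friends would otherwise match too.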