Linux – How to track executables created by the user on Linux


Using Linux, I would like to track the executables that are executed in my name, including the whole command line (in practice, every exec*() done as my own user). A program I do not control is supposed, in order to handle a task, to execute the program I pass in, but I want to make sure it does so, and what options it uses. The program I don't control is sneaky, and seems to change behavior depending on the name of the program it is supposed to execute for the task, so I can't pass in a shell script that would log the info and invoke the real program.

Is it possible for me to be informed of all exec*()s done as my user on the system on Linux, including full command line? Short of running ps in a loop, that is. I'd rather do it directly on the system on which I work and not require root access, but if need be I can spawn a system on which I have root access, install the programs and investigate there.

Using Ubuntu 12.4 LTS.

Best Answer

You need to configure auditd to record execve events. Example on RHEL5:

[root@ditirlns01 ~]# auditctl -a always,entry -S execve
WARNING - 32/64 bit syscall mismatch, you should specify an arch
[root@ditirlns01 ~]#

I ignore the arch warning and it doesn't seem to matter, but you can use -F arch=b64 or -F arch=b32 to set it if you want.

The result of the above is:

[root@ditirlns01 ~]# ls /tmp/whatever
ls: /tmp/whatever: No such file or directory
[root@ditirlns01 ~]# grep whatever /var/log/audit/audit.log
type=EXECVE msg=audit(1386797915.232:5527206): argc=3 a0="ls" a1="--color=tty" a2="/tmp/whatever"
type=EXECVE msg=audit(1386797927.133:5527241): argc=3 a0="grep" a1="whatever" a2="/var/log/audit/audit.log"
[root@ditirlns01 ~]#

That's obviously quick and dirty but that's the basics of how you do it. What you need to do exactly probably depends heavily on what you're trying to do exactly. You can reduce audit flow using various filters in the auditctl command but I don't know any of that information so I don't know what to include. If you need something more specific, I'd suggest you either check the man page or post a comment to this answer and I'll update it some more.

Hope that helps push you in the right direction.

EDIT:

Since your question involves looking at a particular user I can show you that:

[root@ditirlns01 ~]# auditctl -a always,entry -S execve -F euid=16777216
WARNING - 32/64 bit syscall mismatch, you should specify an arch

Identical to the above, but only execve's by someone running with the effective user ID of 16777216 will get logged. If you need to specify the user's loginuid value (who they initially logged into the system as) then you filter by auid instead:

[root@ditirlns01 ~]# auditctl -a always,entry -S execve -F auid=16777216
WARNING - 32/64 bit syscall mismatch, you should specify an arch

AUID/loginuid filters would be useful for example if the user will do a su or sudo to root. In that situation there will be a lot of stuff running as root, but you're only concerned with the stuff that got kicked off by the user in question. auditctl also lets you stack filters so you can filter by both euid and auid:

[root@ditirlns01 ~]# auditctl -a always,entry -S execve -F auid=16777216 -F euid=0
WARNING - 32/64 bit syscall mismatch, you should specify an arch
[root@ditirlns01 ~]# ls /tmp/nashly -ltar
ls: /tmp/nashly: No such file or directory
[root@ditirlns01 ~]# grep nashly /var/log/audit/audit.log
type=EXECVE msg=audit(1386798635.199:5529285): argc=4 a0="ls" a1="--color=tty" a2="/tmp/nashly" a3="-ltar"
type=EXECVE msg=audit(1386798646.048:5529286): argc=3 a0="grep" a1="nashly" a2="/var/log/audit/audit.log"
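As an added example (not part of the original answer), here is a small parser that reconstructs the command line from audit.log EXECVE records like the ones above, and filters them by auid/euid using the SYSCALL record auditd writes for the same event serial. The EXECVE sample lines mirror the answer; the SYSCALL lines and the hex-encoded argument are constructed.

```python
import re

# Constructed sample, not a real capture: EXECVE lines mirror the answer above,
# the SYSCALL lines (the records carrying auid=/euid=) are made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1386797915.232:5527206): arch=c000003e syscall=59 success=yes exit=0 pid=4242 auid=1000 uid=1000 euid=1000 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1386797915.232:5527206): argc=3 a0="ls" a1="--color=tty" a2="/tmp/whatever"
type=SYSCALL msg=audit(1386798635.199:5529285): arch=c000003e syscall=59 success=yes exit=0 pid=4243 auid=1000 uid=0 euid=0 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1386798635.199:5529285): argc=4 a0="ls" a1="--color=tty" a2="/tmp/nashly" a3="-ltar"
type=EXECVE msg=audit(1386798646.048:5529286): argc=2 a0="echo" a1=68656C6C6F20776F726C64
"""
MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Split one audit.log line into (type, timestamp, serial, {field: value})."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {}
    for key, val in FIELD_RE.findall(rest):
        if val.startswith('"'):
            val = val[1:-1]
        elif rtype == 'EXECVE' and re.fullmatch(r'a\d+', key) and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', val):
            # auditd drops the quotes and hex-encodes an argv entry that holds
            # whitespace, quotes or control characters; decode it back
            val = bytes.fromhex(val).decode('utf-8', 'replace')
        fields[key] = val
    return rtype, ts, serial, fields

def command_lines(lines, auid=None, euid=None):
    """Yield (serial, argv) per execve. auid/euid filtering needs the SYSCALL record
    sharing the serial, so an EXECVE without one is skipped when a filter is given."""
    syscalls, execves = {}, {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, _ts, serial, fields = rec
        if rtype == 'SYSCALL':
            syscalls[serial] = fields
        elif rtype == 'EXECVE':
            execves[serial] = fields
    for serial, fields in execves.items():
        sc = syscalls.get(serial)
        if auid is not None and (sc is None or sc.get('auid') != str(auid)):
            continue
        if euid is not None and (sc is None or sc.get('euid') != str(euid)):
            continue
        yield serial, [fields.get('a%d' % i, '') for i in range(int(fields.get('argc', 0)))]
```

Running `command_lines(open('/var/log/audit/audit.log'), auid=<your uid>)` gives the same view the grep above gives, with the argv pieces joined back into one list per exec.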