Linux – Monitoring what program calls an executable file

executablefileslinuxmonitoring

I want to know what program calls a particular executable, including when that executable is used as an interpreter via a shebang line.

This is not quite the same problem as knowing what program accesses a particular file. For example, auditctl -w /usr/bin/myprogram tells me that the program is being executed by… itself, since the audit event is generated after the successful execve call.

One option is to replace the executable by a wrapper program, like this…

#!/bin/sh
logger "$0: executed by uid=$(id -u) ruid=$(id -ur) cmd=$(ps -o args= -p $PPID)"
exec "$0.real" "$@"

But this requires moving the actual file, which is disruptive (the file can't be read-only, it clashes with modifications made by a package manager, etc.). And it doesn't work if the program is used as an interpreter for a script, because shebang doesn't nest. (In that case, auditctl -w /usr/bin/interpreter does give a useful result, but I want a solution that works for both cases.) It also doesn't work for setuid programs if /bin/sh is bash since bash drops privileges.

How can I monitor executions of a particular executable including uses of the executable as a shebang interpreter, and in particular log useful information about the calling process (not just the PPID but at least the process name or the parent executable path, ideally also the invoking user and arguments)? Preferably without replacing the file with a wrapper. A Linux-specific solution is fine.

Best Answer

This would be hacky, but if it's a dynamically linked executable, you could set up a global preload in /etc/ld.so.preload which would only trigger a logging hook if it detected you were in the right executable.

Something like:

#define _XOPEN_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TARGET "/some_executable"

__attribute__((constructor)) 
static void 
logger(int argc, char** argv){ 
    /*catch own argv right here and parent's later from /proc */

    static char buf[sizeof(TARGET)];

    readlink("/proc/self/exe", buf, sizeof(buf)-1);

    if ( 0==strcmp(TARGET, buf)){
        /* ... */
        syslog(/*...*/);
    }
}

The obvious disadvantage of this approach is it would slightly delay the execution of each dynamically linked executable on your system, but my measurements indicate the delay is quite small (<1ms where fork+exec costs about 2ms).

As for the dropped permission problem, you could have a small setuid-root binary that will unconditionally read and echo its grandparents proc files (the status file, most likely), possibly if and only if its parent is the executable whose parents you want to log. You could then spawn that setuid executable inside your logging hook to obtain the info on the executables parent (grandparent of the setuid helper).

Related Solutions

Linux file access monitoring

Unless you have extremely unusual logging policies in place, who accessed what file is not logged (that would be a huge amount of information). You can find out who was logged in at what time in the system logs; the last command gives you login history, and other logs such as /var/log/auth.log will tell you how users authenticated and from where they logged in (which terminal, or which host if remotely).

The date at which a file was last read is called its access time, or atime for short. All unix filesystems can store it, but many systems don't record it, because it has a (usually small) performance penalty. ls -ltu /path/to/file or stat /path/to/file shows the file's access time.

If a user accessed the file and wasn't trying to hide his tracks, his shell history (e.g. ~/.bash_history) may have clues.

To find out what or who has a file open now, use lsof /path/to/file.

To log what happens to a file in the future, there are a few ways:

Use inotifywait. inotifywait -me access /path/to will print a line /path/to/ ACCESS file when someone reads file. This interface won't tell you who accessed the file; you can call lsof /path/to/file as soon as this line appears, but there's a race condition (the access may be over by the time lsof gets going).
LoggedFS is a stackable filesystem that provides a view of a filesystem tree, and can perform fancier logging of all accesses through that view. To configure it, see LoggedFS configuration file syntax.
You can use Linux's audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:
```
  auditctl -w /path/to/file
```
If you put a watch on a directory, the files in it and its subdirectories recursively are also watched.

Live program output monitoring tool

Try watch. From the manpage:

Name

watch - execute a program periodically, showing output fullscreen

Synopsis
watch [-dhvt] [-n <seconds>] [--differences[=cumulative]] [--help] [--interval=<seconds>] [--no-title] [--version] <command>
Description

watch runs command repeatedly, displaying its output (the first screenfull). This allows you to watch the program output change over time. By default, the program is run every 2 seconds; use -n or --interval to specify a different interval.

The -d or --differences flag will highlight the differences between successive updates. The --cumulative option makes highlighting "sticky", presenting a running display of all positions that have ever changed. [...]

watch will run until interrupted.

Note that "realtime" would have to be approximated by "once a second" (for example) here...

Best Answer

Related Solutions

Linux file access monitoring

Live program output monitoring tool

Related Question