Linux exec-notify: Find Out Shell Escaping Applications [ Security Monitoring ]

by on January 6, 2011 · 0 comments· LAST UPDATED January 6, 2011

in

How do I watch or monitor applications that executed on a system and executes external programs via "bash"?

You can install a small utility called exec-notify to watch your acrobat reader or firefox or vim executing "bash -c" commands. It globally shows which programs are executed on a system. This allows to track down shell escaping problems in larger applications which execute external programs via scripts.

Install and Compile exec-notify

Type the following commands:
$ cd /tmp
$ wget http://www.suse.de/~krahmer/exec-notify.c

To compile type
$ make exec-notify
OR
$ cc exec-notify.c -o exec-notify
To run type the following command:
$ sudo ./exec-notify
Sample outputs:

[sudo] password for vivek:
sending proc connector: PROC_CN_MCAST_LISTEN... sent
Reading process events from proc connector.
Hit Ctrl-C to exit
FORK:parent(pid,tgid)=2313,2313	child(pid,tgid)=10945,2317	[/bin/sh /usr/lib/firefox-3.6.13/run-mozilla.sh /usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2313,2313	child(pid,tgid)=10946,2317	[/bin/sh /usr/lib/firefox-3.6.13/run-mozilla.sh /usr/lib/firefox-3.6.13/firefox-bin ]
UID:pid=1639,1639 ruid=0,euid=119
UID:pid=1639,1639 ruid=0,euid=0
FORK:parent(pid,tgid)=2313,2313	child(pid,tgid)=10947,2317	[/bin/sh /usr/lib/firefox-3.6.13/run-mozilla.sh /usr/lib/firefox-3.6.13/firefox-bin ]
EXIT:pid=10947,2317	exit code=0
FORK:parent(pid,tgid)=2313,2313	child(pid,tgid)=10948,2317	[/bin/sh /usr/lib/firefox-3.6.13/run-mozilla.sh /usr/lib/firefox-3.6.13/firefox-bin ]
EXIT:pid=10948,2317	exit code=0
EXIT:pid=10853,7953	exit code=0
EXIT:pid=10856,7953	exit code=0
EXIT:pid=10857,7953	exit code=0
EXIT:pid=10858,7953	exit code=0
EXIT:pid=10859,7953	exit code=0
EXIT:pid=10855,7953	exit code=0
EXIT:pid=10854,7953	exit code=0
EXIT:pid=10852,7953	exit code=0
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10949,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10950,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10951,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10952,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10953,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10954,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10955,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10956,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=1639,1639	child(pid,tgid)=10957,10957	[/usr/lib/postfix/master ]
EXEC:pid=10957,tgid=10957	[Uid:	0	0	0	0]	[local -t unix ]
EXIT:pid=10957,10957	exit code=256
FORK:parent(pid,tgid)=2313,2313	child(pid,tgid)=10958,2317	[/bin/sh /usr/lib/firefox-3.6.13/run-mozilla.sh /usr/lib/firefox-3.6.13/firefox-bin ]
EXIT:pid=10958,2317	exit code=0

You can install exec-notify in /usr/local/bin directory:
$ sudo install -m 0555 -g root -o root ./exec-notify /usr/local/bin/

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 0 comments… add one now }

Leave a Comment

Tagged as: , , , , , , , ,

Previous Faq:

Next Faq: