Linux exec-notify: Find Out Shell Escaping Applications [ Security Monitoring ]

How do I watch or monitor which applications run on a system and which of them execute external programs via “bash”?

You can install a small utility called exec-notify to watch Acrobat Reader, Firefox, Vim or any other program executing “bash -c” commands. It subscribes to the kernel's proc connector and shows, system-wide, which processes are forked, which programs they execute, and when they exit. This lets you track down shell-escaping problems in larger applications that run external programs via scripts.


Install and Compile exec-notify

Type the following commands:
$ cd /tmp
$ wget

To compile, type one of the following (make's built-in rule produces the same binary as calling cc directly):
$ make exec-notify
$ cc exec-notify.c -o exec-notify
To run type the following command:
$ sudo ./exec-notify
Sample outputs:

[sudo] password for vivek: 
sending proc connector: PROC_CN_MCAST_LISTEN... sent
Reading process events from proc connector.
Hit Ctrl-C to exit
FORK:parent(pid,tgid)=2313,2313	child(pid,tgid)=10945,2317	[/bin/sh /usr/lib/firefox-3.6.13/ /usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2313,2313	child(pid,tgid)=10946,2317	[/bin/sh /usr/lib/firefox-3.6.13/ /usr/lib/firefox-3.6.13/firefox-bin ]
UID:pid=1639,1639 ruid=0,euid=119
UID:pid=1639,1639 ruid=0,euid=0
FORK:parent(pid,tgid)=2313,2313	child(pid,tgid)=10947,2317	[/bin/sh /usr/lib/firefox-3.6.13/ /usr/lib/firefox-3.6.13/firefox-bin ]
EXIT:pid=10947,2317	exit code=0
FORK:parent(pid,tgid)=2313,2313	child(pid,tgid)=10948,2317	[/bin/sh /usr/lib/firefox-3.6.13/ /usr/lib/firefox-3.6.13/firefox-bin ]
EXIT:pid=10948,2317	exit code=0
EXIT:pid=10853,7953	exit code=0
EXIT:pid=10856,7953	exit code=0
EXIT:pid=10857,7953	exit code=0
EXIT:pid=10858,7953	exit code=0
EXIT:pid=10859,7953	exit code=0
EXIT:pid=10855,7953	exit code=0
EXIT:pid=10854,7953	exit code=0
EXIT:pid=10852,7953	exit code=0
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10949,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10950,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10951,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10952,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10953,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10954,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10955,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317	child(pid,tgid)=10956,7953	[/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=1639,1639	child(pid,tgid)=10957,10957	[/usr/lib/postfix/master ]
EXEC:pid=10957,tgid=10957	[Uid:	0	0	0	0]	[local -t unix ]
EXIT:pid=10957,10957	exit code=256
FORK:parent(pid,tgid)=2313,2313	child(pid,tgid)=10958,2317	[/bin/sh /usr/lib/firefox-3.6.13/ /usr/lib/firefox-3.6.13/firefox-bin ]
EXIT:pid=10958,2317	exit code=0

To install exec-notify into the /usr/local/bin directory, run:
$ sudo install -m 0555 -g root -o root ./exec-notify /usr/local/bin/
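The output above is a raw event stream; to actually find shell-escaping applications you have to correlate FORK and EXEC records by pid. The following Python script is an added example, not part of exec-notify, that reads exec-notify output (line format assumed to be exactly as shown above) and reports every process that was forked from a non-shell image and then exec'd a shell; the input lines are constructed from the sample output's format.

```python
import re

# Record formats as printed by exec-notify in the sample output above (assumed stable).
FORK_RE = re.compile(r"^FORK:parent\(pid,tgid\)=(\d+),(\d+)\s+child\(pid,tgid\)=(\d+),(\d+)\s+\[(.*?)\s*\]$")
EXEC_RE = re.compile(r"^EXEC:pid=(\d+),tgid=(\d+)\s+\[Uid:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\]\s+\[(.*?)\s*\]$")
EXIT_RE = re.compile(r"^EXIT:pid=(\d+),(\d+)\s+exit code=(\d+)$")

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def is_shell(argv):
    """True when argv[0] is a POSIX-style shell, judged by its basename (/bin/sh, bash, ...)."""
    return bool(argv) and argv[0].rsplit("/", 1)[-1] in SHELLS


def find_shell_escapes(lines):
    """Return (pid, image_at_fork, shell_argv) for every EXEC of a shell by a non-shell image."""
    image = {}      # pid -> argv the process carried when it was forked (its parent's image)
    findings = []
    for line in lines:
        m = FORK_RE.match(line)
        if m:
            image[int(m.group(3))] = m.group(5).split()
            continue
        m = EXEC_RE.match(line)
        if m:
            pid, argv = int(m.group(1)), m.group(7).split()
            parent = image.get(pid, ["<unknown>"])
            if is_shell(argv) and not is_shell(parent):
                findings.append((pid, " ".join(parent), " ".join(argv)))
            image[pid] = argv   # after exec the process runs the new program
            continue
        m = EXIT_RE.match(line)
        if m:
            image.pop(int(m.group(1)), None)   # forget finished processes
    return findings


SAMPLE = [  # constructed input in exec-notify's format; pids 11000/11001 are made up
    "FORK:parent(pid,tgid)=1639,1639\tchild(pid,tgid)=10957,10957\t[/usr/lib/postfix/master ]",
    "EXEC:pid=10957,tgid=10957\t[Uid:\t0\t0\t0\t0]\t[local -t unix ]",
    "EXIT:pid=10957,10957\texit code=256",
    "FORK:parent(pid,tgid)=2317,2317\tchild(pid,tgid)=11000,11000\t[/usr/lib/firefox-3.6.13/firefox-bin ]",
    "EXEC:pid=11000,tgid=11000\t[Uid:\t1000\t1000\t1000\t1000]\t[/bin/sh -c /usr/bin/xdg-open https://example.com ]",
    "FORK:parent(pid,tgid)=2313,2313\tchild(pid,tgid)=11001,11001\t[/bin/sh /usr/lib/firefox-3.6.13/run-mozilla.sh ]",
    "EXEC:pid=11001,tgid=11001\t[Uid:\t1000\t1000\t1000\t1000]\t[/bin/sh -c uname -m ]",
]

if __name__ == "__main__":
    for pid, parent, argv in find_shell_escapes(SAMPLE):
        print(f"pid {pid}: [{parent}] spawned shell [{argv}]")
```

A shell that forks another shell (the wrapper script case, pid 11001 above) is deliberately not reported, since that is how shell scripts normally work; feed it live data with `sudo ./exec-notify | python3 script.py` after replacing SAMPLE with `sys.stdin`.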
