Score:7

How to log executions of specific commands on Linux no matter where it came from?

vn flag

Dangerous commands like `rm`, `kill` and `systemctl stop` can be hidden outside bash inputs - i.e. a malicious user can easily hide them inside a python script using the `os` module and just run the python script as a proxy to hide what they really intended to harm, and the bash history or anything like that will only leave the record that they ran `python3 [the malicious script].py` before they deleted that script to hide what they really did.

What I want to do is log those critical commands (pointing out any commands beyond these 3 is welcome) each time they get executed, no matter where they came from. And the log must not be disposable by any user except root.

U880D avatar
ca flag
Sounds like you want to implement auditing in your system, [Configure Linux system auditing with auditd](https://www.redhat.com/sysadmin/configure-linux-auditing-auditd).
George Y avatar
vn flag
@U880D I tried auditd once and it occupies 80% of cpu. It was a disaster.
Ángel avatar
pk flag
The `os` module doesn't run the `rm`, `kill`, etc. commands. They call the syscalls for the desired goal directly. E.g. to delete a file you use either the syscall `unlink` or `unlinkat`, and that's what `rm` calls as well.
Score:8
in flag

You can use auditd and monitor file operations/system calls to remove files/directories. The rules will be something like:

-a exit,always -S unlink -S rmdir -k Remove_dir_file

Of course you can add other calls, or monitoring of specific files, in rules, like this one for kill:

-a exit,always -F arch=b64 -S kill -k Kill_Process
George Y avatar
vn flag
Hi Romeo! I have also found that a simple copy of some command would also work, i.e. `cp copy /usr/bin/rm ./` and `./rm` functions just like the original `rm`. Is there a mechanism to monitor `cp` and `mv` on these executable files?
Romeo Ninov avatar
in flag
@GeorgeY, yes, you can just add a rule with the proper system call names after `-S`
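To show what the rules in the answer above actually capture, here is an added example (not code from the thread or from auditd) that parses auditd `SYSCALL`/`PATH` records carrying the `Remove_dir_file` and `Kill_Process` keys and reports who deleted or signalled what, and through which binary. The log lines are constructed for the example and assume x86_64 records (`arch=c000003e`, syscall numbers 87/263/84/62); real `audit.log` records carry more fields than shown. The point it illustrates is the one made in the comments: `python3` calling `os.unlink()`, a private copy run as `./rm`, and the real `rm` all land in the same keyed records, with `exe=` naming the binary that made the call.

```python
"""Summarise auditd SYSCALL/PATH records produced by unlink/rmdir/kill rules.

Added example, not part of the original thread. Assumes x86_64 records
(arch=c000003e) and the constructed sample lines below.
"""
import re
from collections import defaultdict

# Syscall numbers for x86_64 (arch=c000003e). Other architectures differ,
# which is why the kill rule in the answer pins -F arch=b64.
SYSCALL_NAMES_X86_64 = {87: "unlink", 263: "unlinkat", 84: "rmdir", 62: "kill"}
SIGNAL_NAMES = {9: "SIGKILL", 15: "SIGTERM", 19: "SIGSTOP"}

# key=value pairs; values are either quoted (exe="/usr/bin/rm") or bare (a0=4d2).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<epoch>.<ms>:<serial>) ties the SYSCALL and PATH records of one event together.
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed sample: python3 calling os.unlink(), a private copy of rm run as
# ./rm, and a python3 os.kill() that the kernel refused (success=no).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=87 success=yes exit=0 a0=55d0c0a1a2b0 a1=0 a2=0 a3=0 items=2 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.11" key="Remove_dir_file"
type=PATH msg=audit(1700000000.101:201): item=1 name="/srv/data/report.csv" inode=1234 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55e1f0c03ab0 a2=0 a3=0 items=2 ppid=2001 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="rm" exe="/home/alice/rm" key="Remove_dir_file"
type=PATH msg=audit(1700000000.102:202): item=1 name="notes.txt" inode=5678 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=62 success=no exit=-1 a0=4d2 a1=f a2=0 a3=0 items=0 ppid=2001 pid=2004 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.11" key="Kill_Process"
"""


def parse_record(line):
    """Turn one audit.log line into a dict; quoted values are unquoted."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec["_ts"], rec["_serial"] = m.group(1), int(m.group(2))
    return rec


def group_events(lines):
    """Group records by event serial so SYSCALL and PATH lines stay together."""
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        if "_serial" in rec:
            events[rec["_serial"]].append(rec)
    return events


def summarize_event(records):
    """Who (auid/uid) did what (syscall) via which binary (exe) to what (target)."""
    sc = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if sc is None:
        return None
    num = int(sc["syscall"])
    name = SYSCALL_NAMES_X86_64.get(num, str(num)) if sc.get("arch") == "c000003e" else str(num)
    summary = {
        "serial": sc["_serial"],
        "auid": int(sc["auid"]),  # login uid: survives su/sudo, unlike uid
        "uid": int(sc["uid"]),
        "comm": sc["comm"],
        "exe": sc["exe"],
        "syscall": name,
        "key": sc.get("key"),
        "success": sc.get("success") == "yes",
    }
    if name == "kill":
        # a0/a1 are the raw register values in hex: target pid and signal number
        pid, sig = int(sc["a0"], 16), int(sc["a1"], 16)
        summary["target"] = f"pid {pid} {SIGNAL_NAMES.get(sig, f'signal {sig}')}"
    else:
        deleted = [r["name"] for r in records
                   if r.get("type") == "PATH" and r.get("nametype") == "DELETE"]
        summary["target"] = ", ".join(deleted) if deleted else "(no PATH record)"
    return summary


def report(lines):
    """Summaries of all keyed events, oldest first."""
    events = group_events(lines)
    out = []
    for serial in sorted(events):
        s = summarize_event(events[serial])
        if s is not None:
            out.append(s)
    return out


if __name__ == "__main__":
    for s in report(SAMPLE_AUDIT_LOG.splitlines()):
        status = "ok" if s["success"] else "DENIED"
        print(f"{s['serial']} auid={s['auid']} {s['syscall']:<9} {status:<6} "
              f"exe={s['exe']} ({s['comm']}) -> {s['target']}")
```

Run against a real log with `report(open("/var/log/audit/audit.log").readlines())`; `ausearch -k Remove_dir_file` gives the same records pre-filtered by key. The `auid` field is the one to key reports on, because it records the login user even after `sudo` or `su`, and a refused `os.kill()` still shows up as a `success=no` record, so attempts are logged, not just successes.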
Score:0
in flag

Step 1: Find the command location

which <command>

Step 2: Get the ACL with `getfacl <command path>`

Step 3: Use `setfacl` to set the ACL for allowed users

Step 4: All permission issue logs will normally be available in the audit logs in the `/var/log` folder.

Hope this will help.

Edit:

I was under the impression that the question was about handling commands via a programme (not considering low level code).

We can get all failed open calls with the auditctl rule below (if configured to monitor/log):

To see unsuccessful open calls:
auditctl -a exit,always -S open -F success=0

So, the sequence will be: set the ACLs for files/commands and log the failed system calls via auditd so we can check the logs. This way we can see who tried to execute which command or syscall.

Note: I am not considering the case where the programme is executed as root.

HBruijn avatar
in flag
This really makes no sense in the context of the question, as [python os](https://docs.python.org/3/library/os.html) doesn't necessarily execute `command` by calling the `command` executable; for example, rather than calling `/usr/bin/kill` there is [`os.kill()`](https://docs.python.org/3/library/os.html#os.kill), which implements sending signals to an application.
asktyagi avatar
in flag
My understanding of the question was that he asked about Linux command execution via python.
George Y avatar
vn flag
@HBruijn `import os, kill kill([PID], signal.SIGSTOP)` does not kill the process, especially when `kill` needs `sudo` privilege
muru avatar
id flag
@GeorgeY that doesn't change if you do `os.system("kill [PID]")`, though.
mx flag
The OP's question seems to be based on a misunderstanding that the only way to emulate these commands in a program is with `os.system()`, not things like `os.kill()` and `os.unlink()`.
George Y avatar
vn flag
@Barmar: unless you are the root user, you cannot kill any program not started by yourself by simply using `os.kill([pid])` or `os.system('kill [pid]')`, because you need the word `sudo` at the beginning.
mx flag
@GeorgeY True, that's an exception.
George Y avatar
vn flag
@asktyagi I cannot find the log you suggested in `/var/log`, and the closest thing I found is `/var/log/audit/audit.log` with words like `exe="/usr/sbin/sshd"`
asktyagi avatar
in flag
@GeorgeY I updated my answer, I think you can get what you want with `auditd` and `acls`. thanks to @Romeo for adding details about auditd.