You are not logged in.

#1 2018-10-16 14:12:54

Thanos24
Member
Registered: 2018-10-16
Posts: 2

Monitoring specific commands

Hello there,

Currently i am interested in a specific feature regarding the monitoring of certain commands and mailing an email alert as a consequence to myself when they are used on the system.
I was wondering if anyone has ever made a solution, be it a script or chain of programs or a complete program that does provide this feature.
Also looked into to the most monitoring tools on the wiki but none of them provide the feature i am looking for (or maybe i haven't looked that good wink )
Could someone push me in the right direction? smile

Your help is appreciated!

Offline

#2 2018-10-16 14:28:15

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 20,424
Website

Re: Monitoring specific commands

Can you be more specific?  Do you want reports of when you are using commands in an interactive shell?  This could be done with a function overriding the name of the command, e.g.:

mv() {
   /bin/mv "$@"
   email-command "just executed mv $@"
}

If, in contrast, you want to monitor for anyone else, or any other process trying to run a command, you could use an inotify watch - but it may not be practical to get the exact command used (just when the binary was 'exec'ed).

You could potentially move the binary and replace it with a script - this is much like the function example above, but more general/global, of course one could still directly execute whatever you renamed the command to if they could find it.

Further, these just address binary executables.  One can also compile their own code that makes equivalent system calls to link/unlink files (to stick with the `mv` example) which would get around any binary renaming you had done.

However, I suspect this is a bit of an X-Y question.  What are you trying to get emails about.  There is likely a much more direct way to get the information you need.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2018-10-16 14:45:47

Thanos24
Member
Registered: 2018-10-16
Posts: 2

Re: Monitoring specific commands

I mean for a way to see if a command for example passwd is executed on the system and chain that to an alert which i get by email for example or logging which says hey this command is used,with a time stamp.
Your example for mv is the best one i guess which resembles my meaning. I am going to use it for keeping track of suspicious behaviour.

Offline

#4 2018-10-16 14:59:21

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 5,671

Re: Monitoring specific commands

This is pretty literally the use case for the just enabled audit framework: https://wiki.archlinux.org/index.php/Audit_framework

Offline

#5 2018-10-16 15:24:32

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 20,424
Website

Re: Monitoring specific commands

No, the script for the `mv` example would completely fail to detect what you want to detect.  You do not want to log when you run the command, but when potentially someone else does.

But more importantly, do you really care if/when someone attempts to use the passwd command, or do you just want to know when the content of /etc/passwd is changed?  There are many (attempted) uses of the passwd command that would not actually change anything, and there are many ways to change entries in /etc/passwd without using the passwd command.  The `passwd` command is a userspace utility to help change a user password: do you really want to know when that specific userspace tool is invoked, or do you want to detect when passwords are changed?


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

Board footer

Powered by FluxBB