
In Windows, we can monitor executed commands in various ways, such as monitoring process creation with a kernel driver callback and checking whether the parent is CMD or PowerShell, then parsing its command line to see what command was executed.

My question is, how do I do this in Linux? Meaning, how can I write a program that monitors every executed command in most of the common shells, such as bin/sh, and blocks certain commands from getting executed via the command line?

Is this possible with a user-mode app? If not, then how about a kernel module?

Edit 1:

Also note that it is really important to find the parent process that executed the command in this case. For example, if a benign process executed command "X" it can be completely fine, but that same executable getting executed by something else might be extremely suspicious and needs to get blocked/reviewed. Basically, what is the equivalent of PsSetCreateProcessNotifyRoutineEx in Linux?

OneAndOnly
  • Most likely SELinux can help you. – Maxim Sagaydachny Jul 22 '21 at 10:20
  • Process creation syscalls are described here: https://stackoverflow.com/q/4856255/1216776 – stark Jul 22 '21 at 10:21
  • @MaximSagaydachny I'm asking about writing a user-mode program or kernel module to solve this, specifically for certain Linux servers. We want to monitor any commands that are executed and block certain ones, for example in an SSH session. And we can't change them to SELinux. – OneAndOnly Jul 22 '21 at 13:33
  • @stark I'm asking about which APIs Linux provides in user mode or the kernel so I can monitor commands that are executed via different shells, for example in an SSH session, so I can block certain commands. – OneAndOnly Jul 22 '21 at 13:35
  • Users can be imaginative when it comes to cracking the protection. Suppose you want to block the `cp /etc/shadow ~/zzz` command. Users could copy `cp` into `zp` and run it. They could use `cat`, `dd` etc. to do the same thing. Also they could upload an arbitrary binary via copy-paste with all the logic compiled into the binary, so the command line would not show anything suspicious. Time works against you: you spend 20 hours on development of the protection but users have years of tinkering. What I'm getting at is that you should protect resources instead of blocking some commands. – Maxim Sagaydachny Jul 22 '21 at 13:54
  • Do you block if the parent is a script? Do you block if the parent called exec? Do you prevent the user from making links? Your method seems odd. – stark Jul 22 '21 at 13:58
  • The standard way to do this is a chroot. – stark Jul 22 '21 at 14:00
  • @MaximSagaydachny It doesn't matter, we want to block command "x" at this point; worrying about how it can get bypassed is for later. In Windows it's really simple with a kernel driver; how is it done in Linux? – OneAndOnly Jul 22 '21 at 17:08
  • @stark What I'm asking is really simple: I want to block any user from executing command x, whether it's from SSH or a local user. In Windows it has a very simple answer called PsSetCreateProcessNotifyRoutineEx; what is the answer in Linux? – OneAndOnly Jul 22 '21 at 17:13
  • @stark Also note that it is really important to get the parent process that executed the command in this case. For example, if a benign process executed command "X" it can be completely fine, but that same executable getting executed by something else might be extremely suspicious and needs to get blocked/reviewed. Basically, what is the equivalent of PsSetCreateProcessNotifyRoutineEx in Linux? – OneAndOnly Jul 22 '21 at 17:40
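Added example, not from the question or any of the commenters: the closest user-mode analogue of a blocking PsSetCreateProcessNotifyRoutineEx on Linux is a fanotify listener that subscribes to FAN_OPEN_EXEC_PERM permission events (kernel 5.0 and later, needs CONFIG_FANOTIFY_ACCESS_PERMISSIONS and CAP_SYS_ADMIN). Every exec on the marked mount is held until the listener writes FAN_ALLOW or FAN_DENY, and the event carries the requesting pid, from which the parent is read out of /proc to give the "who launched it" context the question asks for. The kernel-side equivalent is the LSM `bprm_check_security` hook; out-of-tree modules cannot register LSM hooks on current kernels, so BPF LSM (kernel 5.7 and later) is the supported way to do that dynamically. The blocklist, the set of "shell" parents and the sample /proc text in the test are hypothetical policy invented for this example.

```c
/*
 * Added example (not from the original question or any answer): a user-mode
 * exec gate for Linux built on fanotify permission events.
 * Assumptions (labelled): Linux >= 5.0 for FAN_OPEN_EXEC_PERM, the kernel
 * built with CONFIG_FANOTIFY_ACCESS_PERMISSIONS, running as root.
 * The blocklist and the list of "shell" parents below are hypothetical policy.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

#ifndef FAN_OPEN_EXEC_PERM
#define FAN_OPEN_EXEC_PERM 0x00040000 /* Linux 5.0 uapi value, for older headers */
#endif
#ifndef O_LARGEFILE
#define O_LARGEFILE 0
#endif

/* Hypothetical policy: refuse these binaries when the requester's parent is a shell or sshd. */
static const char *const blocked_basenames[] = { "nc", "ncat", "socat", NULL };
static const char *const shell_parents[]     = { "sh", "bash", "dash", "zsh", "sshd", NULL };

static int in_list(const char *const *list, const char *s) {
    for (; *list; list++)
        if (strcmp(*list, s) == 0) return 1;
    return 0;
}

/* Parse the "PPid:" line of a /proc/<pid>/status buffer; -1 if absent. */
int parse_ppid(const char *status_text) {
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "PPid:", 5) == 0) return (int)strtol(p + 5, NULL, 10);
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* 1 = allow, 0 = deny. The parent's comm is the context the question asks for:
 * the same binary may be fine from cron but suspicious from an interactive shell. */
int policy_decision(const char *exe_path, const char *parent_comm) {
    const char *base = strrchr(exe_path, '/');
    base = base ? base + 1 : exe_path;
    if (in_list(blocked_basenames, base) && in_list(shell_parents, parent_comm))
        return 0;
    return 1;
}

/* Read a small /proc file into buf (NUL-terminated, trailing newline stripped); -1 on error. */
static ssize_t read_proc(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    if (n > 0 && buf[n - 1] == '\n') buf[--n] = '\0';
    return n;
}

int main(void) {
    /* FAN_CLASS_CONTENT is required to receive permission (blocking) events. */
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY | O_LARGEFILE);
    if (fan < 0) { perror("fanotify_init"); return 1; }
    /* Watch every open-for-exec on the mount that holds "/". */
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_EXEC_PERM, AT_FDCWD, "/") < 0) {
        perror("fanotify_mark"); return 1;
    }
    char buf[8192];
    for (;;) {
        ssize_t len = read(fan, buf, sizeof buf);
        if (len <= 0) { if (errno == EINTR) continue; perror("read"); return 1; }
        struct fanotify_event_metadata *m = (struct fanotify_event_metadata *)buf;
        for (; FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
            if (!(m->mask & FAN_OPEN_EXEC_PERM) || m->fd < 0) continue;
            char exe[PATH_MAX], link[64], status[4096], pcomm[64] = "?";
            /* The event fd refers to the file about to be executed; resolve its path. */
            snprintf(link, sizeof link, "/proc/self/fd/%d", m->fd);
            ssize_t n = readlink(link, exe, sizeof exe - 1);
            exe[n > 0 ? n : 0] = '\0';
            /* Parent lookup is racy: the requester (or its parent) may already be gone. */
            snprintf(link, sizeof link, "/proc/%d/status", (int)m->pid);
            int ppid = read_proc(link, status, sizeof status) > 0 ? parse_ppid(status) : -1;
            if (ppid > 0) {
                snprintf(link, sizeof link, "/proc/%d/comm", ppid);
                read_proc(link, pcomm, sizeof pcomm);
            }
            int allow = policy_decision(exe, pcomm);
            struct fanotify_response r = { .fd = m->fd, .response = allow ? FAN_ALLOW : FAN_DENY };
            if (write(fan, &r, sizeof r) != (ssize_t)sizeof r) perror("fanotify response");
            fprintf(stderr, "%s exec of %s by pid %d (parent %d %s)\n",
                    allow ? "ALLOW" : "DENY", exe, (int)m->pid, ppid, pcomm);
            close(m->fd); /* every permission event's fd must be closed */
        }
    }
}
```

Build with `gcc -O2 -o execgate execgate.c` and run it as root; an `nc` launched from an SSH shell then fails with EPERM while the same binary started by cron is allowed. Two caveats a practitioner should keep in mind: the decision is made on the file being opened for exec, so, as the commenters note, copying the binary to another name or reading the protected resource with a different tool defeats a name-based rule, and the parent lookup via /proc is a snapshot that can be stale if the parent exits or its pid is reused between the exec and the lookup. The pid-to-parent mapping is also only as trustworthy as the pid namespace the listener runs in.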

0 Answers