One comment on “Logging the Creation of Shell Processes”

  1. A quick postscript:

    The proper way to do it would be to use the UNIX auditing software — auditd — as that will also catch the creation of rogue shells that are uploaded by an attacker (started from weird locations, like /dev/ for instance).

    Modifying the source code though, as shown here, will have the advantage of sending syslog messages which can then be routed to a remote system (which is a tad harder with auditd log data, or it was the last time that I tried).
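As an added example (not part of the original post or of this comment), the following Python script puts the comment's two points together: it parses auditd SYSCALL records for an execve() of a shell, flags shells started from locations outside the usual system directories (the "/dev/" case mentioned above), and formats each finding as a syslog message that `logging.handlers.SysLogHandler` can ship to a remote collector. The trusted-directory list, the shell-name list, the sample audit records and the collector address are all assumptions constructed for this example.

```python
"""
Added example (not the post's or the commenter's code): turn auditd execve
records into syslog findings about shell creation.

Assumptions: auditd already records execve() (e.g. a rule such as
`-a always,exit -F arch=b64 -S execve -k shell_exec`); records are in the
standard key=value layout auditd writes; syscall numbers are x86_64
(59 = execve, 322 = execveat); the collector host/port are placeholders.
"""
import logging
import logging.handlers
import posixpath
import re
from typing import Dict, List, Optional

# Directories a legitimate shell is expected to be started from; a shell
# anywhere else (/dev/shm, /tmp, a home directory) is the rogue-shell case.
TRUSTED_SHELL_DIRS = ("/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/", "/usr/local/bin/")
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish", "busybox"}
EXECVE_SYSCALLS = {"59", "322", "execve", "execveat"}  # raw x86_64 numbers or ausearch -i names

# key=value or key="quoted value" pairs as auditd writes them
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def classify_shell_exec(fields: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding if the record is an execve() of a shell, else None.

    Severity is "suspicious" when the executable lives outside
    TRUSTED_SHELL_DIRS, "info" for a shell from a normal location.
    The basename match is a heuristic: a renamed shell binary is not caught.
    """
    if fields.get("type") != "SYSCALL" or fields.get("syscall") not in EXECVE_SYSCALLS:
        return None
    exe = posixpath.normpath(fields.get("exe", ""))  # collapse ../ tricks before the prefix test
    if posixpath.basename(exe) not in SHELL_NAMES:
        return None
    trusted = exe.startswith(TRUSTED_SHELL_DIRS)
    return {
        "severity": "info" if trusted else "suspicious",
        "exe": exe,
        "pid": fields.get("pid", "?"),
        "ppid": fields.get("ppid", "?"),
        "auid": fields.get("auid", "?"),
        "uid": fields.get("uid", "?"),
        "comm": fields.get("comm", "?"),
    }


def format_syslog_line(finding: Dict[str, str]) -> str:
    """Render a finding as one key=value message suitable for syslog."""
    return ("shell_exec severity={severity} exe={exe} pid={pid} ppid={ppid} "
            "auid={auid} uid={uid} comm={comm}").format(**finding)


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the classifier over raw audit.log lines and collect the findings."""
    findings = []
    for line in lines:
        finding = classify_shell_exec(parse_audit_record(line))
        if finding:
            findings.append(finding)
    return findings


def make_remote_syslog_logger(host: str, port: int = 514) -> logging.Logger:
    """Logger whose handler forwards messages to a remote syslog over UDP.
    `host` is a placeholder for the real collector (assumed, not from the post)."""
    logger = logging.getLogger("shell_exec_audit")
    handler = logging.handlers.SysLogHandler(
        address=(host, port), facility=logging.handlers.SysLogHandler.LOG_AUTH)
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger


# Constructed sample records (not real data): an ordinary interactive bash,
# a write() that is not an execve at all, and a shell uploaded to /dev/shm.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1400 pid=1401 auid=1000 uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash" key="shell_exec"',
    'type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=1 success=yes exit=4 '
    'ppid=1400 pid=1402 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="file_write"',
    'type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=2200 pid=2201 auid=4294967295 uid=33 gid=33 comm="sh" exe="/dev/shm/.x/sh" key="shell_exec"',
]

if __name__ == "__main__":
    # Print the lines here; make_remote_syslog_logger("collector.example", 514).info(...)
    # would ship them to the (placeholder) collector instead.
    for finding in scan(SAMPLE_AUDIT_LOG):
        print(format_syslog_line(finding))
```

Because the findings go out through the standard logging module, routing them to a remote host is a one-line handler change, which is the property the comment values in the source-patch approach while keeping auditd as the source of truth for what was actually executed.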
