One comment on “Logging the Creation of Shell Processes”

  1. A quick postscript:

    The proper way to do it would be to use the UNIX auditing software — auditd — as that will also catch the creation of rogue shells that are uploaded by an attacker (started from weird locations, like /dev/ for instance).

    Modifying the source code though, as shown here, will have the advantage of sending syslog messages which can then be routed to a remote system (which is a tad harder with auditd log data, or it was the last time that I tried).
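As an added illustration of the syslog approach the comment describes (example code written here, not code from the original post or from any shell's source tree): a small C routine of the kind one would call from a shell's startup path. It records the fields a defender wants when reviewing shell launches (pid, parent pid, real and effective uid, controlling tty, working directory) and sends them through syslog so a normal rsyslog/journald forwarding rule can ship them off-host. The function names `shell_start_line` and `log_shell_start` are assumptions; the `LOG_AUTHPRIV` facility and `LOG_NOTICE` priority are ordinary syslog constants.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/*
 * Format one audit line for a shell start. Kept free of side effects so
 * the exact wording can be unit-tested; the static buffer is fine for a
 * single-threaded shell startup path.
 */
const char *shell_start_line(long pid, long ppid, long uid, long euid,
                             const char *tty, const char *cwd)
{
    static char line[PATH_MAX + 128];

    snprintf(line, sizeof line,
             "shell start pid=%ld ppid=%ld uid=%ld euid=%ld tty=%s cwd=%s",
             pid, ppid, uid, euid,
             tty ? tty : "none",   /* "none": no controlling tty, worth alerting on */
             cwd ? cwd : "?");
    return line;
}

/*
 * Hypothetical hook to call early in a shell's main(). It gathers the
 * process facts and emits them via syslog(3) under the authpriv facility,
 * so a standard syslog forwarding rule carries them to a remote collector.
 */
void log_shell_start(const char *shell_name)
{
    char cwd[PATH_MAX];
    const char *tty = ttyname(STDIN_FILENO); /* NULL when stdin is a pipe/socket */

    if (!getcwd(cwd, sizeof cwd))
        strcpy(cwd, "?");

    openlog(shell_name, LOG_PID, LOG_AUTHPRIV);
    syslog(LOG_NOTICE, "%s",
           shell_start_line((long)getpid(), (long)getppid(),
                            (long)getuid(), (long)geteuid(), tty, cwd));
    closelog();
}

int main(void)
{
    /* Stand-alone demonstration: log this process as if it were a shell. */
    log_shell_start("demo-shell");
    return 0;
}
```

A line with `tty=none` or a `cwd` under a world-writable directory is the kind of signal the comment alludes to; a downstream SIEM rule can key on those fields directly because the format is fixed.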
