2

My goal:

To receive events from the kernel when a file/script is opened for execution with the absolute path of the file (or maybe the working directory, to resolve the absolute path of the file).

  • I don't want to get events on every file opened.

  • I have tried listening to the trace point event sched:sched_process_exec and see when the process is an interpreter but the filename is not always shown and when it does it's only the relative path, so there is no way for me to check if the file is from the type i am looking for (script).

  • I am aware that there is the option to set the FAN_OPEN_EXEC flag with fanotify but that is only for newer kernels (>5.0) and i need something for older kernels as well (also not sure it will work on files, according to the documentation).

Any ideas?

faraopera
  • 21
  • 2
  • Maybe [this blog post about ptrace and strace](https://blog.nelhage.com/2010/08/write-yourself-an-strace-in-70-lines-of-code/) would help you; it has code examples. – 9000 Sep 03 '19 at 17:27
  • 1
    Shell interpreters open files to interpret them the same way vi opens files to edit them, the kernel won't see any difference. Or do you only care about scripts that are being invoked via a `execve()` on the script itself? It seems to me that instrumenting the interpreter (for instance using `~/.zshenv` for `zsh` or `$BASHENV` for bash) may be a better approach if you want to consider all the cases of a shell interpreting a script. – Stéphane Chazelas Sep 03 '19 at 17:27
  • @StéphaneChazelas, what i mean is indeed to track execve(at) system calls but what i need is the full path of the file that is opened by the interpreter (or any other process). – faraopera Sep 04 '19 at 10:06
  • Then maybe you can just use the audit system (auditd, auditctl) and log the execve() system calls. – Stéphane Chazelas Sep 04 '19 at 10:10

0 Answers0