@akhepcat
Created Jan 26, 2022
replacement pkexec wrapper to log pkexec attempts
#!/bin/bash
# Don't forget to mv /usr/bin/pkexec /usr/bin/pkexec.bin; chmod 0 /usr/bin/pkexec.bin; before using this
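PATH=/bin:/usr/bin:/sbin:/usr/sbin
PROG="${0##*/}"
SYSLOG=localhost # change to a remote collector if you have one
PID=$$
# $USER is taken from the caller's environment and can be set to anything,
# so ask the system for the real user name instead
CALLER="$(id -un)"
# Parent's command line: NUL separators become spaces, non-printable bytes are dropped
cmdline=$(tr '\0' ' ' <"/proc/$PPID/cmdline" | tr -dc '[:print:]')
logger --priority auth.alert -n "${SYSLOG}" -t "${PROG}-watch" "called by $CALLER, PID=$PID, Parent=$PPID, cmdline=[${cmdline}]"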
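
On the collector side, the lines this wrapper writes can be pulled apart for triage. The script below is an added example, not part of the original gist: it assumes the wrapper is installed as `pkexec` (so the tag is `pkexec-watch`) and that the collector stores traditional `Mon DD HH:MM:SS host tag: message` lines; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage of log lines written by the pkexec logging wrapper.

# Constructed sample input (hosts, users and PIDs are invented).
sample_log() {
cat <<'EOF'
Jan 26 10:01:02 host1 pkexec-watch: called by alice, PID=4242, Parent=4200, cmdline=[bash ./run.sh ]
Jan 26 10:01:05 host1 sshd[811]: Accepted publickey for alice from 192.0.2.10
Jan 26 10:03:17 host1 pkexec-watch: called by bob, PID=5101, Parent=5099, cmdline=[sh -c echo called by root, PID=1 ]
Jan 26 10:04:40 host2 pkexec-watch: called by alice, PID=777, Parent=770, cmdline=[gnome-software ]
EOF
}

# Read syslog lines on stdin, print host|user|pid|ppid|cmdline for wrapper entries.
# The pattern is anchored at the syslog header and reads the fields left to right,
# so text inside cmdline (which the caller controls) cannot stand in for the real
# user or PID fields. The trailing space left by the NUL-to-space conversion is trimmed.
parse_pkexec_watch() {
  sed -nE 's/^[A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} ([^ ]+) pkexec-watch(\[[0-9]+\])?: called by ([^ ,|]+), PID=([0-9]+), Parent=([0-9]+), cmdline=\[(.*[^ ])? *\]$/\1|\3|\4|\5|\6/p'
}

# Number of logged pkexec attempts per host and user, as "host|user count".
count_by_caller() {
  parse_pkexec_watch | cut -d'|' -f1,2 | sort | uniq -c | awk '{print $2 " " $1}'
}

# Stand-alone run over the constructed sample.
sample_log | parse_pkexec_watch
sample_log | count_by_caller
```
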

roycewilliams commented Jan 26, 2022

With some additional (thorny) work, this could be adapted to be a full wrapper (so that legit use of pkexec is preserved)
