Created
January 26, 2022 18:19
-
-
Save akhepcat/9cea31182048194ead86a90cdb020a9c to your computer and use it in GitHub Desktop.
replacement pkexec wrapper to log pkexec attempts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Don't forget to mv /usr/bin/pkexec /usr/bin/pkexec.bin; chmod 0 /usr/bin/pkexec.bin; before using this | |
| PATH=/bin:/usr/bin:/sbin:/usr/sbin | |
| PROG="${0##*/}" | |
| SYSLOG=localhost #change to a remote collector if you have one | |
| PID=$$ | |
| cmdline=$(tr '\0' ' ' </proc/$PPID/cmdline | tr -dc '[:print:]') | |
| logger --priority auth.alert -n ${SYSLOG} -t "${PROG}-watch" "called by $USER, PID=$PID, Parent=$PPID, cmdline=[${cmdline}]" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
With some additional (thorny) work, this could be adapted to be a full wrapper (so that legit use of pkexec is preserved)