Created Jan 26, 2022
replacement pkexec wrapper to log pkexec attempts
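#!/bin/bash
# Don't forget to mv /usr/bin/pkexec /usr/bin/pkexec.bin; chmod 0 /usr/bin/pkexec.bin; before using this
SYSLOG=localhost # change to a remote collector if you have one
PROG=$(basename "$0") # name this wrapper was invoked as; used in the syslog tag
PID=$$ # PID of this wrapper process
# Parent's command line: NUL separators become spaces, non-printable bytes are dropped
cmdline=$(tr '\0' ' ' <"/proc/$PPID/cmdline" | tr -dc '[:print:]')
logger --priority auth.alert -n "${SYSLOG}" -t "${PROG}-watch" "called by $USER, PID=$PID, Parent=$PPID, cmdline=[${cmdline}]"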
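
The wrapper above emits one auth.alert line per pkexec attempt. As an added example (not part of the gist), the shell functions below pull those lines out of a syslog stream on the collector and count attempts per calling user. The function names, the sample log lines and the syslog prefix layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of the gist): triage of the wrapper's syslog lines.
TAB=$(printf '\t')

# Read syslog lines on stdin; print "user<TAB>pid<TAB>ppid<TAB>cmdline" for each
# line written by the wrapper (tag "pkexec-watch", optionally followed by [pid]).
# cmdline is the last field, so the greedy match keeps any ']' or ',' inside it.
# The wrapper strips non-printable bytes, so cmdline cannot contain a tab.
parse_pkexec_watch() {
    sed -n -E \
      -e 's/^.*pkexec-watch(\[[0-9]+\])?: called by ([^,]*), PID=([0-9]+), Parent=([0-9]+), cmdline=\[(.*)\][[:space:]]*$/\2'"$TAB"'\3'"$TAB"'\4'"$TAB"'\5/p'
}

# Count wrapper events per calling user: "count<TAB>user", sorted by user.
attempts_by_user() {
    parse_pkexec_watch |
      awk -F"$TAB" '{ n[$1]++ } END { for (u in n) print n[u] "\t" u }' |
      sort -t"$TAB" -k2
}

# Constructed sample lines (hostnames, users and PIDs are made up).
# The cmdline ends in a space because the wrapper turns the final NUL into one.
sample_log() {
    cat <<'EOF'
Jan 26 10:01:02 host1 pkexec-watch: called by alice, PID=4312, Parent=4300, cmdline=[bash ]
Jan 26 10:01:05 host1 sshd[900]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jan 26 10:02:40 host1 pkexec-watch: called by www-data, PID=5120, Parent=5119, cmdline=[sh -c ./a[1], x ]
Jan 26 10:03:11 host1 pkexec-watch[5200]: called by www-data, PID=5200, Parent=5199, cmdline=[python3 run.py ]
EOF
}

# Run stand-alone: print the per-user summary for the sample.
sample_log | attempts_by_user
```

On a real collector, feed the functions from the auth log instead of `sample_log`. The user field comes from the caller's `$USER` environment variable, so treat it as a hint and confirm the account from the logged PIDs.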

With some additional (thorny) work, this could be adapted to be a full wrapper (so that legit use of pkexec is preserved)
