@akhepcat
Created January 26, 2022 18:19
replacement pkexec wrapper to log pkexec attempts
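#!/bin/bash
# Don't forget to mv /usr/bin/pkexec /usr/bin/pkexec.bin; chmod 0 /usr/bin/pkexec.bin; before using this
PATH=/bin:/usr/bin:/sbin:/usr/sbin
PROG="${0##*/}"
SYSLOG=localhost # change to a remote collector if you have one
PID=$$
# $USER comes from the caller's environment and can be unset or spoofed; resolve the name from the process UID instead
CALLER=$(id -un)
# Parent's argv: NULs become spaces, non-printable bytes are dropped so the entry stays on one line
cmdline=$(tr '\0' ' ' <"/proc/$PPID/cmdline" | tr -dc '[:print:]')
# Send an auth.alert message to ${SYSLOG}; the real pkexec is never executed
logger --priority auth.alert -n "${SYSLOG}" -t "${PROG}-watch" "called by $CALLER, PID=$PID, Parent=$PPID, cmdline=[${cmdline}]"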
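
A triage helper for the messages this wrapper emits, added here as an example and not part of the original gist. It assumes the wrapper is installed as `pkexec` (so the tag is `pkexec-watch`) and that the collector writes a classic timestamp/host prefix; the sample lines are constructed, and the function names are illustrative.

```bash
#!/bin/sh
# Added example: triage of the wrapper's syslog messages.
# Assumed message body (from the logger call above):
#   pkexec-watch: called by USER, PID=n, Parent=n, cmdline=[...]

# Constructed sample lines, not real logs; the timestamp/host prefix is assumed.
sample_log() {
cat <<'EOF'
Jan 26 18:30:01 host1 pkexec-watch: called by alice, PID=4121, Parent=4100, cmdline=[/bin/bash ./run.sh ]
Jan 26 18:30:07 host1 sshd[811]: Accepted publickey for bob from 192.0.2.10 port 50022 ssh2
Jan 26 18:31:44 host1 pkexec-watch: called by www-data, PID=5310, Parent=5309, cmdline=[sh -c ./job ]
Jan 26 18:31:45 host1 pkexec-watch: called by www-data, PID=5313, Parent=5309, cmdline=[sh -c ./job ]
EOF
}

# Read syslog on stdin; print user<TAB>pid<TAB>ppid<TAB>cmdline per wrapper hit.
parse_pkexec_watch() {
    awk '
    # match() finds the leftmost header, so text inside cmdline=[...] that
    # resembles the header is never treated as the start of the message.
    match($0, /pkexec-watch(\[[0-9]+\])?: called by /) {
        msg = substr($0, RSTART + RLENGTH)
        user = msg; sub(/, PID=.*$/, "", user)
        rest = substr(msg, length(user) + 1)
        # Skip anything that does not have the exact field layout.
        if (rest !~ /^, PID=[0-9]+, Parent=[0-9]+, cmdline=\[.*\]$/) next
        pid = rest;  sub(/^, PID=/, "", pid);                 sub(/,.*$/, "", pid)
        ppid = rest; sub(/^, PID=[0-9]+, Parent=/, "", ppid); sub(/,.*$/, "", ppid)
        cmd = rest;  sub(/^, PID=[0-9]+, Parent=[0-9]+, cmdline=\[/, "", cmd)
        sub(/ ?\]$/, "", cmd)   # closing bracket plus the trailing space left by tr
        printf "%s\t%s\t%s\t%s\n", user, pid, ppid, cmd
    }'
}

# Count attempts per calling user, busiest first.
summarise_by_user() {
    parse_pkexec_watch |
        awk -F '\t' '{ n[$1]++ } END { for (u in n) printf "%d %s\n", n[u], u }' |
        sort -rn
}

# Stand-alone demo on the constructed sample.
sample_log | summarise_by_user
```

Since stock `pkexec` is disabled once the wrapper is in place, every parsed line is worth reviewing; repeated hits from a service account under the same parent PID are the ones to look at first.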
@roycewilliams
With some additional (thorny) work, this could be adapted to be a full wrapper (so that legit use of pkexec is preserved)