Intercept executed commands in user space?

thecowmilk · 12-26-2022, 09:21 AM

Hello, I need to know if it is possible to intercept executed commands at user space. I know that there are some methods like LD_PRELOADING and catching execve() syscall when a binary uses this but I need to know how to do this against the shell a Linux machine is running so I'd be able to intercept the commands and log them.

lvm_ · 12-26-2022, 09:28 AM

man auditd, audit.rules, auditctl... - is this what you are looking for?

thecowmilk · 12-26-2022, 09:46 AM

Quote:

Originally Posted by lvm_

man auditd, audit.rules, auditctl... - is this what you are looking for?

Yeah but I want to build it myself for educational purposes. To be honest what is the point of learning if you don't make it yourself...

syg00 · 12-27-2022, 03:00 AM

I see this was also asked on (at least) Linux Foundation.

This has to be done from kernel-space; start your journey by looking up uprobes

thecowmilk · 12-27-2022, 07:41 AM

Quote:

Originally Posted by syg00

I see this was also asked on (at least) Linux Foundation.

This has to be done from kernel-space; start your journey by looking up uprobes

Correct, I wanted to increase the chances of getting a response. It's not that I value/undervalue a forum or another. Thank for the hint! I will start looking for them

pan64 · 12-27-2022, 07:54 AM

did you check the command strace?

syg00 · 12-27-2022, 04:54 PM

I'm guessing the OP wants to trace shell internal commands. Can't be seen from strace AFAIK.

thecowmilk · 12-28-2022, 02:07 AM

Quote:

When a user opens the terminal or is in the terminal mode(CTRL + ALT + F1) he runs a command like "ls -la". The tool should be able to catch the "ls -la" command and log it as a whole in a file.

This is how the process should happen. But again I want a simple program which knows how to get executed commands by terminal/shell without 3rd-party utilities.

syg00 · 12-28-2022, 02:29 AM

Quote:

Originally Posted by thecowmilk

I want a simple program which knows how to get executed commands by terminal/shell without 3rd-party utilities.

Ain't going to happen. Without public APIs that provide access to that data, you are going to need to hook something. The tools are there, use them.

What about when the user changes terminal/shell ? - they generally process things differently.

pan64 · 12-28-2022, 02:36 AM

Quote:

Originally Posted by syg00

Ain't going to happen. Without public APIs that provide access to that data, you are going to need to hook something. The tools are there, use them.

What about when the user changes terminal/shell ? - they generally process things differently.

if it is about shell, bash -xv <script> will do that. Or at least something similar. If I understand it well.