Tracing web shell attack with Linux audit system

Question

I tried to trace web shell attack using Linux audit system. Following is the rule I appended.

-a exit,always -F arch=b64 -F gid=nginx -S execve

(using nginx)

With this setting, I can trace commands not 'pwd', but 'ls', 'cat'.

What are differences those had? And how can I trace all commands thoroughly?

Dark Falcon · Accepted Answer · 2016-12-15T02:32:04.787

-1

Things like pwd are shell built-ins and do not involve the creation of another process, and thus no call to execve. The built-in commands supported depend on the shell you're using. Here are the built-ins supported by bash.

I would recommend that you either run a modified version of the shell or that you trace something else, such as network traffic, if you really wish to capture all activity. Without more details on why you wish to capture this information, it is difficult to recommend an approach.

edited Dec 15 '16 at 02:32

answered Dec 15 '16 at 02:26

Dark Falcon

43,592
5
83
98

You realize that my answer will be moved if the question is moved, right? You realize that I voted to have this question moved? No reason to downvote for that. – Dark Falcon Dec 15 '16 at 02:35
I know your answer will move but no, I didn't know you voted to move. How would I know since you made no mention of it being in the wrong place? – Carey Gregory Dec 15 '16 at 02:36
Add a sentence educating the OP and I'll retract the downvote – Carey Gregory Dec 15 '16 at 02:38
So that useless sentence can move with the answer? – Dark Falcon Dec 15 '16 at 02:38
So add a comment and tell the user yourself. Otherwise, if the community doesn't move it, perhaps it doesn't need to be moved. – Dark Falcon Dec 15 '16 at 02:40

Tracing web shell attack with Linux audit system

1 Answers1