6

Is there any way to watch for a new process with name 'X' starting in python (ideally) or bash? I know that I can look at running processes, but that is not fast enough for my needs. The only think that I can think of is some how hooking into the new process, and registering that, but how?

More background: I am part of a CCDC team (http://www.nationalccdc.org/) and am on the blue team. The premise of the competition is to give students a network to defend against professional pen testers to help the next generation of security experts be better. What I want to do is load this python script on the linux boxs and watch for certain commands that are being run, that likely would only be used by the red team, for example the 'chattr' command. Ideally I would like to be able to provide the script a list of processes to watch. I can figure out that part but do not know how to watch for a process spawning.

Any direction is appreciated. Thank you.

HoldOffHunger
  • 18,769
  • 10
  • 104
  • 133
Trcx
  • 4,164
  • 6
  • 30
  • 30

2 Answers2

4

I know of no way for a process which does not have root privileges to be notified when a process is started via any means on a fully-running Linux system. If polling isn't fast enough, you're going to have to do some serious hackery.

If you've got root, this is possible. If not, I can't see it.

With root, you could set a system-wide replacement of the fork and exec system calls which provides you with your desired notification. This could be in the kernel, or it could be an LD_PRELOAD hack.

This applies not just to Python; even with a C program, I don't know of an "inotify for process creation".

Borealid
  • 95,191
  • 9
  • 106
  • 122
  • Thank you for the direction! This sounds like what I want to do. We do have root access to the boxes. The entire competition is run through VMs. – Trcx Feb 05 '12 at 05:45
  • @Trcx Ooh, if you have root you can implement a MAC system like SELinux and keep them out totally. – Borealid Feb 05 '12 at 06:06
  • The problem is that I don't have the programming knowledge on how to do that, but that's what google is for. >_> Thank you. – Trcx Feb 05 '12 at 16:29
1

I have not tested this idea, but on Linux each process is given a directory under /proc/<it's process id>/ If you opened an inotify on directory creation in /proc you might be able to track creation of process directories and then see if /proc/<dir>/cmdline matches the process your looking for. This is just a thought, hope it helps!

john-charles
  • 1,417
  • 4
  • 17
  • 30
  • 2
    This was my thinking as well. Unfortunately, it would seem that since procfs is not a real fs, it doesn't inotify of new directories :( – nfirvine Feb 07 '12 at 16:57