My goal is to develop a tool, for educational purposes, that logs the commands run on a system. So far I have found only primitive ways of doing this, and all of them can be bypassed easily, so I had the idea of intercepting commands directly, and that is how I was introduced to LD_PRELOAD.
I have successfully written working C code that I can use to intercept execve calls made from a C program, but I would like to know how to achieve this at a global (system-wide) level.
Thank you all, I look forward to hearing from you!
Answer 1
You can find the answer in the ld.so(8) man page:
There are various methods of specifying libraries to be preloaded, and these are handled in the following order: (1) The LD_PRELOAD environment variable. (2) The --preload command-line option when invoking the dynamic linker directly. (3) The /etc/ld.so.preload file (described below).
...
/etc/ld.so.preload File containing a whitespace-separated list of ELF shared objects to be loaded before the program. See the discussion of LD_PRELOAD above. If both LD_PRELOAD and /etc/ld.so.preload are employed, the libraries specified by LD_PRELOAD are preloaded first. /etc/ld.so.preload has a system-wide effect, causing the specified libraries to be preloaded for all programs that are executed on the system. (This is usually undesirable, and is typically employed only as an emergency remedy, for example, as a temporary workaround to a library misconfiguration issue.)
Incidentally, the Linux kernel already has a process accounting feature that can record every process run on the system. The only drawback of this feature is that it logs only the process name, not the full command line and arguments.
If you really need the full command-line arguments, you can use the audit framework and configure a rule for the execve system call:
auditctl -a exit,always -F arch=b64 -S execve -k all-commands
You can then use the ausearch tool to review all the commands that have been run on the system.
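A minimal version of the execve interposer the question describes, written here as an added example (it is not the asker's code, nor part of the answer): the shared object logs one record per execve call and then issues the real system call. It assumes Linux with glibc; the CMDLOG_FILE variable name and the record layout are illustrative choices made for this example. Loaded through LD_PRELOAD it covers one process tree, and listed in /etc/ld.so.preload it covers every dynamically linked program, as the ld.so(8) excerpt above explains.

```c
/* cmdlog.c: LD_PRELOAD shim that records every execve() before performing it.
 * Build:   gcc -shared -fPIC -o libcmdlog.so cmdlog.c
 * Per process:  LD_PRELOAD=/path/libcmdlog.so CMDLOG_FILE=/var/log/cmdlog bash
 * System-wide:  put the absolute path of libcmdlog.so in /etc/ld.so.preload
 * Assumptions: Linux with glibc. CMDLOG_FILE is an illustrative variable
 * name chosen for this example; the record layout is likewise made up here. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Append one byte at *off, always leaving buf NUL-terminated.
 * Returns -1 when buf is full (the record is truncated). */
static int put_char(char *buf, size_t bufsz, size_t *off, char c)
{
    if (*off + 1 >= bufsz)
        return -1;
    buf[(*off)++] = c;
    buf[*off] = '\0';
    return 0;
}

static int put_str(char *buf, size_t bufsz, size_t *off, const char *s)
{
    for (; *s; s++)
        if (put_char(buf, bufsz, off, *s) < 0)
            return -1;
    return 0;
}

/* Quote s and escape '"', '\\' and newlines, so an argument containing a
 * newline cannot inject a fake record into a line-oriented log. */
static int put_quoted(char *buf, size_t bufsz, size_t *off, const char *s)
{
    if (put_char(buf, bufsz, off, '"') < 0)
        return -1;
    for (; *s; s++) {
        int rc;
        if (*s == '"' || *s == '\\')
            rc = put_char(buf, bufsz, off, '\\') < 0 ? -1 : put_char(buf, bufsz, off, *s);
        else if (*s == '\n')
            rc = put_str(buf, bufsz, off, "\\n");
        else
            rc = put_char(buf, bufsz, off, *s);
        if (rc < 0)
            return -1;
    }
    return put_char(buf, bufsz, off, '"');
}

/* Format one record:  pid=<n> uid=<n> path="<path>" argv=["a" "b" ...]\n
 * Returns the record length, or -1 if it did not fit (buf is still a
 * NUL-terminated prefix of the record). */
int format_cmdline(pid_t pid, uid_t uid, const char *path, char *const argv[],
                   char *buf, size_t bufsz)
{
    size_t off = 0;
    char head[64];

    if (bufsz == 0)
        return -1;
    buf[0] = '\0';
    snprintf(head, sizeof head, "pid=%ld uid=%ld path=", (long)pid, (long)uid);
    if (put_str(buf, bufsz, &off, head) < 0 ||
        put_quoted(buf, bufsz, &off, path ? path : "(null)") < 0 ||
        put_str(buf, bufsz, &off, " argv=[") < 0)
        return -1;
    for (size_t i = 0; argv && argv[i]; i++) {
        if (i > 0 && put_char(buf, bufsz, &off, ' ') < 0)
            return -1;
        if (put_quoted(buf, bufsz, &off, argv[i]) < 0)
            return -1;
    }
    if (put_str(buf, bufsz, &off, "]\n") < 0)
        return -1;
    return (int)off;
}

/* Interposed execve(): every dynamically linked program that preloads this
 * library calls this instead of libc's version. The record is written with a
 * single raw write(2) (stdio buffers would be lost across exec), then the real
 * system call is issued directly, so no dlsym(RTLD_NEXT) lookup is needed. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    char rec[4096];
    int saved_errno = errno;
    int len = format_cmdline(getpid(), getuid(), path, argv, rec, sizeof rec);
    if (len < 0) {                       /* truncated: still log the prefix */
        rec[sizeof rec - 2] = '\n';
        len = (int)sizeof rec - 1;
    }
    const char *logfile = getenv("CMDLOG_FILE");
    int fd = logfile ? open(logfile, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0600)
                     : STDERR_FILENO;
    if (fd >= 0) {
        ssize_t n = write(fd, rec, (size_t)len);
        (void)n;
        if (fd != STDERR_FILENO)
            close(fd);
    }
    errno = saved_errno;                 /* do not leak our own errno to the caller */
    return (int)syscall(SYS_execve, path, argv, envp);
}
```

Two practical points for anyone deploying something like this: command lines routinely carry secrets (passwords passed as arguments), so the log file is created mode 0600 and should be treated as sensitive; and the shim only sees programs that go through the dynamic loader and libc, so statically linked binaries or code that issues the system call itself never pass through it, which is exactly the gap the audit rule in the answer closes.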