Linux exec-notify: Find Out Shell Escaping Applications [ Security Monitoring ]

The exec-notify tool is used to monitor applications for attempts to escape from a restricted shell environment on a Linux system. When exec-notify is installed and enabled, it intercepts calls to the exec function and sends a notification to a configured destination, such as syslog or a remote server, when an application attempts to execute a command that is not allowed by the restricted shell.

To use exec-notify, you will need to install the tool on your Linux system and configure it to monitor the applications you want to track. Here is an example of how you can install and configure exec-notify on a CentOS or Red Hat Enterprise Linux (RHEL) system:

  1. Install the exec-notify package using yum:
     sudo yum install exec-notify
  2. Enable the exec-notify service:
     sudo systemctl enable exec-notify
  3. Start the exec-notify service:
     sudo systemctl start exec-notify
  4. Configure exec-notify to send notifications to the syslog service:
     echo "notify-to syslog" | sudo tee -a /etc/exec-notify.conf
  5. (Optional) Configure exec-notify to send notifications to a remote server using the notify-to option:
     echo "notify-to remote_server:port" | sudo tee -a /etc/exec-notify.conf
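
The `tee -a` command used above for the syslog destination appends a new line every time it is run, so repeating the procedure leaves duplicate `notify-to` entries in the file. The following is an added example, not part of the original article or of exec-notify: a shell helper that validates the destination and appends the line only when it is missing. The function names, the `CONF` variable and the host and port validation rules are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article or from exec-notify itself).
# CONF is an assumed variable; it defaults to the file used in the steps above.
# Usage after sourcing: CONF=/etc/exec-notify.conf add_notify_to syslog
CONF="${CONF:-/etc/exec-notify.conf}"

# valid_dest DEST: accept "syslog" or "host:port" with a port in 1..65535.
# The allowed host characters are an assumption chosen to reject whitespace
# and shell metacharacters before anything is written to the config file.
valid_dest() {
    case "$1" in
        syslog) return 0 ;;
        *:*) ;;
        *) return 1 ;;
    esac
    host=${1%:*}
    port=${1##*:}
    [ -n "$host" ] || return 1
    case "$host" in *[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# add_notify_to DEST: append "notify-to DEST" only if that exact line is absent.
# Returns 0 if the line was added, 1 if already present, 2 if DEST is rejected.
add_notify_to() {
    valid_dest "$1" || { echo "rejected destination: $1" >&2; return 2; }
    if [ -f "$CONF" ] && grep -qxF "notify-to $1" "$CONF"; then
        return 1
    fi
    printf 'notify-to %s\n' "$1" >> "$CONF"
}

# count_dest: print how many notify-to lines CONF currently holds.
count_dest() {
    [ -f "$CONF" ] || { echo 0; return 0; }
    grep -c '^notify-to ' "$CONF" || true
}
```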
Created Time:2017-10-29 22:09:02  Author:lautturi