To track, with auditd on Linux, executions of arbitrary scripts stored in /dev/shm (for example ones created by mktemp), add an audit rule that monitors execve system calls for files under /dev/shm. Since mktemp typically creates temporary files with unpredictable names, the rule should cover every script execution in that directory rather than a specific filename.
Ref: https://sysdig.com/blog/containers-read-only-fileless-malware/
e.g. one rule per syscall ABI (64-bit and 32-bit):
-a always,exit -F arch=b64 -S execve -F dir=/dev/shm -k shm_script_exec
-a always,exit -F arch=b32 -S execve -F dir=/dev/shm -k shm_script_exec
Test:
TEMP_SCRIPT=$(mktemp /dev/shm/test_script.XXXXXX)
echo '#!/bin/bash' > "$TEMP_SCRIPT"
echo 'echo "Test script executed"' >> "$TEMP_SCRIPT"
chmod +x "$TEMP_SCRIPT"
"$TEMP_SCRIPT"
Validate:
sudo ausearch -k shm_script_exec
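To turn the matching records into something a triage script can act on, here is an added Python example (not code from the page or from the Sysdig post) that groups raw /var/log/audit/audit.log records by their audit serial number and summarizes every execve event carrying the shm_script_exec key. The log lines, pids, uids, inodes and paths in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in raw /var/log/audit/audit.log format (not captured from a real host):
# serial 301 is the mktemp script from the test above run directly, serial 302 an unrelated execve.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd10 a1=7ffd20 a2=7ffd30 a3=0 items=2 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="test_script.Ab12Cd" exe="/usr/bin/bash" key="shm_script_exec"
type=EXECVE msg=audit(1700000000.101:301): argc=2 a0="/bin/bash" a1="/dev/shm/test_script.Ab12Cd"
type=CWD msg=audit(1700000000.101:301): cwd="/home/analyst"
type=PATH msg=audit(1700000000.101:301): item=0 name="/dev/shm/test_script.Ab12Cd" inode=42 dev=00:19 mode=0100755 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1700000000.101:301): item=1 name="/bin/bash" inode=131 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:302): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=2100 pid=2110 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="other_rule"
type=EXECVE msg=audit(1700000000.205:302): argc=1 a0="ls"
type=PATH msg=audit(1700000000.205:302): item=0 name="/usr/bin/ls" inode=900 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(body):
    """Split 'k=v k="v" ...' into a dict (auditd quotes strings and leaves numbers bare)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def group_events(log_text):
    """Collect every record that shares one audit serial number into a single event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            events[serial].append((rtype, dict(parse_fields(body), _ts=ts)))
    return events

def shm_executions(log_text, key="shm_script_exec"):
    """Return one summary dict per execve event tagged with the audit key from the rule above."""
    hits = []
    for serial, records in group_events(log_text).items():
        syscall = next((f for t, f in records if t == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        # PATH item=0 is the file handed to execve (the script); SYSCALL exe= is the interpreter that ran it.
        target = next((f["name"] for t, f in records if t == "PATH" and f.get("item") == "0"), None)
        argv = next((f for t, f in records if t == "EXECVE"), {})
        args = [argv[f"a{i}"] for i in range(int(argv.get("argc", 0))) if f"a{i}" in argv]
        hits.append({"serial": serial, "time": syscall["_ts"], "success": syscall.get("success"),
                     "pid": syscall.get("pid"), "auid": syscall.get("auid"), "uid": syscall.get("uid"),
                     "cwd": next((f["cwd"] for t, f in records if t == "CWD"), None),
                     "exe": syscall.get("exe"), "file": target, "argv": args})
    return hits
```

The PATH item=0 record names the script actually handed to execve, while exe= holds the interpreter (here /usr/bin/bash) because the kernel resolved the shebang, so a report should carry both. The same records can be inspected by hand with ausearch -k shm_script_exec -i, which interprets uids and timestamps.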