Monday, April 23, 2012

Linux exec-notify: Find Out Shell Escaping Applications [ Security Monitoring ]

How do I watch or monitor the applications that run on a system and execute external programs via "bash"?

You can install a small utility called exec-notify to watch your Acrobat Reader, Firefox or Vim executing "bash -c" commands. It shows, system-wide, which programs are executed. This lets you track down shell-escaping problems in larger applications that execute external programs via scripts.

Install and Compile exec-notify

Type the following commands:
$ cd /tmp
$ wget http://www.suse.de/~krahmer/exec-notify.c

To compile, type:
$ make exec-notify
OR
$ cc exec-notify.c -o exec-notify
To run type the following command:
$ sudo ./exec-notify
Sample outputs:
[sudo] password for vivek:
sending proc connector: PROC_CN_MCAST_LISTEN... sent
Reading process events from proc connector.
Hit Ctrl-C to exit
FORK:parent(pid,tgid)=2313,2313 child(pid,tgid)=10945,2317 [/bin/sh /usr/lib/firefox-3.6.13/run-mozilla.sh /usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2313,2313 child(pid,tgid)=10946,2317 [/bin/sh /usr/lib/firefox-3.6.13/run-mozilla.sh /usr/lib/firefox-3.6.13/firefox-bin ]
UID:pid=1639,1639 ruid=0,euid=119
UID:pid=1639,1639 ruid=0,euid=0
FORK:parent(pid,tgid)=2313,2313 child(pid,tgid)=10947,2317 [/bin/sh /usr/lib/firefox-3.6.13/run-mozilla.sh /usr/lib/firefox-3.6.13/firefox-bin ]
EXIT:pid=10947,2317 exit code=0
FORK:parent(pid,tgid)=2313,2313 child(pid,tgid)=10948,2317 [/bin/sh /usr/lib/firefox-3.6.13/run-mozilla.sh /usr/lib/firefox-3.6.13/firefox-bin ]
EXIT:pid=10948,2317 exit code=0
EXIT:pid=10853,7953 exit code=0
EXIT:pid=10856,7953 exit code=0
EXIT:pid=10857,7953 exit code=0
EXIT:pid=10858,7953 exit code=0
EXIT:pid=10859,7953 exit code=0
EXIT:pid=10855,7953 exit code=0
EXIT:pid=10854,7953 exit code=0
EXIT:pid=10852,7953 exit code=0
FORK:parent(pid,tgid)=2412,2317 child(pid,tgid)=10949,7953 [/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317 child(pid,tgid)=10950,7953 [/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317 child(pid,tgid)=10951,7953 [/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317 child(pid,tgid)=10952,7953 [/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317 child(pid,tgid)=10953,7953 [/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317 child(pid,tgid)=10954,7953 [/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317 child(pid,tgid)=10955,7953 [/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=2412,2317 child(pid,tgid)=10956,7953 [/usr/lib/firefox-3.6.13/firefox-bin ]
FORK:parent(pid,tgid)=1639,1639 child(pid,tgid)=10957,10957 [/usr/lib/postfix/master ]
EXEC:pid=10957,tgid=10957 [Uid: 0 0 0 0] [local -t unix ]
EXIT:pid=10957,10957 exit code=256
FORK:parent(pid,tgid)=2313,2313 child(pid,tgid)=10958,2317 [/bin/sh /usr/lib/firefox-3.6.13/run-mozilla.sh /usr/lib/firefox-3.6.13/firefox-bin ]
EXIT:pid=10958,2317 exit code=0
You can install exec-notify in /usr/local/bin directory:
$ sudo install -m 0555 -g root -o root ./exec-notify /usr/local/bin/
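As an added example (not part of the original post and not code from exec-notify itself), the following Python script parses exec-notify's FORK/EXEC/EXIT lines and reports which program forked a child that then executed a shell, which is the shell-escaping pattern described above; the document-viewer path in the constructed sample is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Line formats as printed by exec-notify (see the sample output above).
FORK_RE = re.compile(r"^FORK:parent\(pid,tgid\)=(\d+),\d+ child\(pid,tgid\)=(\d+),\d+ \[(.*?)\s*\]$")
EXEC_RE = re.compile(r"^EXEC:pid=(\d+),tgid=\d+ \[Uid: ([\d ]+)\] \[(.*?)\s*\]$")
EXIT_RE = re.compile(r"^EXIT:pid=(\d+),\d+ exit code=(\d+)$")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}  # argv[0] basenames treated as a shell

def is_shell(cmdline: str) -> bool:
    """True when argv[0] of the command line is a shell (compared by basename)."""
    argv = cmdline.split()
    return bool(argv) and argv[0].rsplit("/", 1)[-1] in SHELLS

def find_shell_escapes(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (pid, parent_cmdline, uids, shell_cmdline) for every EXEC of a shell.
    A FORK line carries the parent's command line (the child has not exec'd yet),
    so it is remembered per child pid and reported when that pid execs a shell."""
    forked_from: Dict[int, str] = {}  # child pid -> parent's command line at fork time
    hits: List[Tuple[int, str, str, str]] = []
    for line in lines:
        m = FORK_RE.match(line)
        if m:
            forked_from[int(m.group(2))] = m.group(3)
            continue
        m = EXEC_RE.match(line)
        if m:
            pid, uids, cmd = int(m.group(1)), m.group(2), m.group(3)
            if is_shell(cmd):
                hits.append((pid, forked_from.get(pid, "<unknown parent>"), uids, cmd))
            continue
        m = EXIT_RE.match(line)
        if m:
            forked_from.pop(int(m.group(1)), None)  # pid is gone; forget its record
    return hits

# Constructed sample: three lines from the output above plus a made-up document
# viewer (its path is an assumption) spawning "/bin/sh -c" to open a file.
SAMPLE = [
    "FORK:parent(pid,tgid)=1639,1639 child(pid,tgid)=10957,10957 [/usr/lib/postfix/master ]",
    "EXEC:pid=10957,tgid=10957 [Uid: 0 0 0 0] [local -t unix ]",
    "EXIT:pid=10957,10957 exit code=256",
    "FORK:parent(pid,tgid)=4321,4321 child(pid,tgid)=4400,4400 [/opt/example/bin/docviewer ]",
    "EXEC:pid=4400,tgid=4400 [Uid: 1000 1000 1000 1000] [/bin/sh -c xdg-open /tmp/report.pdf ]",
]

if __name__ == "__main__":
    for pid, parent, uids, cmd in find_shell_escapes(SAMPLE):
        print(f"pid {pid} (uid {uids.split()[0]}): {parent} executed shell: {cmd}")
```

Pipe live output into it with `sudo ./exec-notify | python3 -u thisscript.py` after replacing SAMPLE with `sys.stdin`; the postfix "local -t unix" exec is correctly left alone because its argv[0] is not a shell.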
