Trevor

List of all executable files - ever run

What command can I run that will provide me a list
of all the executable files, that have ever been run,
and the number of times each has been run, on my
RHEL 9.X system?

 

Trevor "Red Hat Evangelist" Chandler
TM

Hi,

This is a tricky one.

From history output the below command gives something that I consider an acceptable solution.

history | awk ' { print $2 } ' | sort | uniq -c

It does not account for commands typed differently but clearly identical, such as mv and /usr/bin/mv; it will falsely count variable assignments such as NAMES='John Smith'; it will clobber HERE commands spread over several lines, and piped commands on one line, ... And it supposes that history output has not been customized, so that the command is just preceded by the command number.

Regards,

Tshimanga

Trevor

TM, that's certainly a fantastic attempt that
you've made. However, your beautiful construct
appears to only be providing me with executable
files that have been run for a single user - the
user that runs your command.

I'm looking for a command that will display/list
ALL executable files that have ever been run
on my Linux system.

Thank you for what you did provide.  That will
be a very nice addition to my knowledgebase!

 

Trevor "Red Hat Evangelist" Chandler
Ad_astra

Run the following commands:

sudo aureport --start this-year -x | grep "^[0-9]." | awk '{print $4}' | sort | uniq -c

The breakdown of commands is:

aureport - produces a report about executables for the specified time period. You can set this date to the date of the setup of the host machine.

grep "^[0-9]." - finds all the lines that begin with a number, to avoid empty lines, comments and headers.

awk '{print $4}' - prints the name of the executables that have been run on each line.

sort - sorts the lines in order

uniq -c - counts the occurrences of unique lines.

The output will produce a list of executables and the number of times they have been run for the specified time period. In this example, the current year:

(edited output)

648 /usr/bin/su
8328 /usr/bin/sudo
89 /usr/bin/systemctl

My output does seem to have some anomalies, though. For example, grep only shows as being run once. This is incorrect as it was run many times when working on this solution.

So, some further work is required on this problem! 

TM

Hi @Ad_astra,

This one is good.

I have run the below command on one of my Rocky Linux 9.2 VMs, and I have realized that it does not include some commands that I know I had run as root. Commands such as dnf, mv, cp that clearly appear in root's history.

aureport --start 05/15/23 13:00:00 -x | grep '^[0-9].' | awk ' { print $4 } ' | sort | uniq -c

With 2023-05-16 13:20:13.854662000 +0100 being the birth of / obtained with command "stat /".

Maybe @Trevor can just post his solution.

Regards,

Tshimanga

Ad_astra

Hi

I've also found that using the --comm option, instead of -x, lists commands that have been run. Although, there does seem to be some duplication of the same commands/binaries that are shown using -x.

Regards

Ad_astra

Hello

Will there be an answer posted to this question?

Thanks 

Trevor

Hello Ad_astra,

Here's a little hint:  Look at something related to the Linux Audit daemon.

If you don't wish to explore this, and would rather that I just provide you
the answer, I'm happy to accommodate.

 

Trevor "Red Hat Evangelist" Chandler
TM

Hi @Trevor,

What I give here is my own opinion.

I feel as if we have shown interest in the topic and provided a few attempts.
Obviously those attempts clearly seem incomplete.

At this stage, I would like to see your solution.

Regards,

Tshimanga

Ad_astra

Hi

Thanks for the hint. 

The only thing I can think of is setting the audit daemon to log system calls via the logging rules:

auditctl -a exit,always -S execve

This would log commands and arguments. 

Regards 
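
The execve audit rule suggested above, combined with the counting pipelines from earlier in the thread, as an added example that is not part of any post here: it counts executables per path across all users from raw audit records. The key name exec_log, the function names and the sample records are constructed assumptions.

```shell
# Added example. The key name "exec_log" and the records below are constructed.
# On a live host (as root) the input would come from the audit log instead:
#   auditctl -a always,exit -F arch=b64 -S execve -k exec_log
#   ausearch -k exec_log --raw | count_execs

count_execs() {
    # Keep successful SYSCALL records carrying our key, print the exe= value,
    # then count how often each path appears (all users, not one shell history).
    awk '
        $1 == "type=SYSCALL" && / success=yes / && /key="exec_log"/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^exe=/) {
                    v = substr($i, 5)
                    gsub(/"/, "", v)   # hex-encoded values are left as logged
                    print v
                }
        }' | sort | uniq -c | sort -rn
}

sample_records() {
    # Constructed records: two ls runs, one mv, one failed execve (excluded),
    # one EXECVE argument record and one record from another rule (excluded).
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec_log"
type=EXECVE msg=audit(1700000000.101:501): argc=2 a0="ls" a1="-l"
type=SYSCALL msg=audit(1700000005.202:502): arch=c000003e syscall=59 success=yes exit=0 ppid=950 pid=951 auid=0 uid=0 comm="ls" exe="/usr/bin/ls" key="exec_log"
type=SYSCALL msg=audit(1700000009.303:503): arch=c000003e syscall=59 success=yes exit=0 ppid=950 pid=952 auid=0 uid=0 comm="mv" exe="/usr/bin/mv" key="exec_log"
type=SYSCALL msg=audit(1700000012.404:504): arch=c000003e syscall=59 success=no exit=-2 ppid=900 pid=903 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec_log"
type=SYSCALL msg=audit(1700000020.505:505): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=700 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="other_rule"
EOF
}

sample_records | count_execs
```

Records exist only from the moment the rule is loaded, so executions before that cannot be recovered this way. A script is reported under its interpreter's path in exe=.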
