15. Loadable Module: Processes (IDM_procs.pm)

15.1. What and How

The IDM_procs module monitors root-owned processes; those which do not match a configured signature are logged.

15.2. Signature Configuration and Processing

All paths in this section are relative to <sids_root>.

Files:

    /etc/IDM_procs/expected.<platform>.api
    /etc/IDM_procs/expected.local.api

    /etc/IDM_procs/expected.<platform>.lsof
    /etc/IDM_procs/expected.local.lsof

The platform files should contain a set of signatures appropriate for a default installation of the platform/OS; the local files should include signatures for local modifications and additions to the system.

15.2.1. lsof-Related Signatures

These can optionally include the current working directory (CWD), the executable binary (AOUT), files and devices the process may have open (OFILES and ODEVS), and files and devices which may or may not be open (QFILES and QDEVS). The AOUT field distinguishes between two (or more) different processes with the same name, as in the expected.local.lsof extract below.

An extract from expected.<platform>.lsof:

    PS: sshd
        CWD =
            "/"

        AOUT = 
            "/usr/sbin/sshd"

        ODEVS =
            "/dev/null"
            "/dev/zero"
            "/dev/ptmx"

        QDEVS =
            "/dev/zero"
            "/dev/ptmx"
                # ...user-instances of /usr/sbin/sshd open these;  the
                #    init-ed daemon does not...

        QFILES = 
                # ...user-instances of /usr/sbin/sshd open these;  the
                #    init-ed daemon does not...
             "/var/run/nscd/passwd"
             "/var/run/nscd/dbnfIX0c"
             "/var/run/nscd/group"
             "/usr/lib64/libcrypto.so.0.9.7"
             "/usr/lib64/libcrack.so.2.7"
             .
             .

        OFILES =
            "/usr/sbin/sshd"
            "/var/run/nscd/passwd"
            "/var/run/nscd/group"
            "/var/run/nscd/dbnfIX0c"
            "/usr/lib64/libcrypto.so.0.9.7"
            "/usr/lib64/libcrack.so.2.7"
            "/usr/lib64/libopensc.so.1.0.0"
            "/usr/lib64/libgssapi_krb5.so.2.2"
            "/usr/lib64/libkrb5.so.3.2"
            .
            .
            "/lib64/security/pam_warn.so"
            "/lib64/security/pam_deny.so"

An extract from expected.local.lsof:

    PS: sshd

        CWD =
            "/"

        AOUT = 
            "/opt/vdt/globus/sbin/sshd"
                # ...a modified version of sshd running on a different port
                #    which users may also access...
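The following is an added example, not code from IDM_procs.pm, showing how the lsof-style signature blocks above can be parsed and how a process record (name, CWD, AOUT, open devices and open files, in the shape lsof would report them) is checked against them. It assumes that the O* and Q* lists are both read as "allowed to be open", so anything open outside their union is reported, and that a signature is selected by PS name plus AOUT, which is how the two sshd entries are told apart. The signature text and the two process records are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not part of IDM_procs.pm): parse expected.*.lsof signature
# blocks and check constructed lsof-style process records against them.
use strict;
use warnings;

# Constructed sample in the expected.<platform>.lsof / expected.local.lsof format.
my $sig_text = <<'END_SIGS';
PS: sshd
    CWD =
        "/"
    AOUT =
        "/usr/sbin/sshd"
    ODEVS =
        "/dev/null"
        "/dev/zero"
    QDEVS =
        "/dev/ptmx"
            # ...user-instances open this; the init-ed daemon does not...
    OFILES =
        "/usr/sbin/sshd"
        "/lib64/security/pam_deny.so"
PS: sshd
    CWD =
        "/"
    AOUT =
        "/opt/vdt/globus/sbin/sshd"
END_SIGS

# parse_lsof_sigs: returns one hash per "PS:" block; each field name (CWD,
# AOUT, ODEVS, ...) maps to the list of quoted values under it. Comment lines
# and the "." elision marks used in the extracts are skipped.
sub parse_lsof_sigs {
    my ($text) = @_;
    my (@sigs, $cur, $field);
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#.*)?$/;      # blank or comment line
        next if $line =~ /^\s*\.\s*$/;       # elision mark
        if ($line =~ /^\s*PS:\s*(\S+)/) {
            $cur   = { PS => $1 };
            $field = undef;
            push @sigs, $cur;
        } elsif ($line =~ /^\s*([A-Z]+)\s*=\s*$/ && $cur) {
            $field = $1;
            $cur->{$field} = [];
        } elsif ($line =~ /^\s*"([^"]*)"\s*$/ && $cur && $field) {
            push @{ $cur->{$field} }, $1;
        } else {
            die "unparsed signature line: $line\n";
        }
    }
    return @sigs;
}

# check_process: select the signature by PS name and AOUT, then return a list
# of findings (empty list = process matches). Assumption: O* and Q* lists are
# both "allowed to be open"; anything outside their union is a finding.
sub check_process {
    my ($rec, @sigs) = @_;
    my ($sig) = grep {
        my $s = $_;
        $s->{PS} eq $rec->{name}
            && grep { $_ eq $rec->{aout} } @{ $s->{AOUT} || [] }
    } @sigs;
    return ("no signature for $rec->{name} ($rec->{aout})") unless $sig;

    my @findings;
    push @findings, "cwd $rec->{cwd}"
        unless grep { $_ eq $rec->{cwd} } @{ $sig->{CWD} || [] };
    my %okdev  = map { $_ => 1 } @{ $sig->{ODEVS}  || [] }, @{ $sig->{QDEVS}  || [] };
    my %okfile = map { $_ => 1 } @{ $sig->{OFILES} || [] }, @{ $sig->{QFILES} || [] };
    push @findings, map { "device $_" } grep { !$okdev{$_}  } @{ $rec->{devs}  };
    push @findings, map { "file $_"   } grep { !$okfile{$_} } @{ $rec->{files} };
    return @findings;
}

my @sigs = parse_lsof_sigs($sig_text);

# Constructed process records: one that matches, one that deviates in CWD,
# an open device and an open file.
my %daemon = (name => 'sshd', aout => '/usr/sbin/sshd', cwd => '/',
              devs => ['/dev/null'], files => ['/usr/sbin/sshd']);
my %odd    = (name => 'sshd', aout => '/usr/sbin/sshd', cwd => '/tmp',
              devs => ['/dev/null', '/dev/tty1'],
              files => ['/usr/sbin/sshd', '/var/tmp/unexpected.log']);

for my $rec (\%daemon, \%odd) {
    my @f = check_process($rec, @sigs);
    print "$rec->{name} ($rec->{aout}): ",
          (@f ? join('; ', @f) : 'matches signature'), "\n";
}
```

The second record prints `cwd /tmp; device /dev/tty1; file /var/tmp/unexpected.log`, which is the kind of line the module's log would need to carry: the deviation itself, not just the process name, so that an operator can tell a harmless local change (to be added to expected.local.lsof) from something that warrants a look.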

15.2.2. API-Related Signatures

Following is an extract from /etc/IDM_procs/expected.local.api; MA entries are regular expressions, EQ entries are exact strings:

  # ------------------------------------------------------------------------------
  # -- SGE :
  # ------------------------------------------------------------------------------
  #
  EQ "/usr/local/sge6.0/bin/lx24-amd64/sge_execd"
  EQ "/usr/local/sge6.0/bin/lx24-amd64/sge_schedd"
  EQ "/usr/local/sge6.0/bin/lx24-amd64/sge_qmaster"
  MA "sge_shepherd-\d+ -bg"
  MA "/usr/local/sge6.0/default/spool/man2/job_scripts/\d+"

Processes (command-lines) found from the API are matched against signatures like this:

    # Returns true when the process's command line matches a signature (then
    # nothing is logged); $sigs holds the EQ and MA lists, $proc is a process
    # object providing cmndline(), as in Proc::ProcessTable.
    sub matches_signature {
        my ($sigs, $proc) = @_;
        my $cmndline = $proc->cmndline();
        $cmndline =~ s/\s*$//;    # strip trailing whitespace once

        foreach my $s (@{$sigs->{EQ}}) {      # exact string comparison
            if ($cmndline eq $s) {return 1}
        }
        foreach my $s (@{$sigs->{MA}}) {      # regex; unanchored unless the
            if ($cmndline =~ m/$s/) {return 1}   # signature itself carries ^ and $
        }
        return 0;
    }
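As an added example (not code from IDM_procs.pm), the block below loads a constructed expected.*.api extract, compiles the MA patterns once, and applies the same EQ-then-MA test as the module to a few constructed command lines. It is there to show what the unanchored MA match accepts: the `sge_shepherd-\d+ -bg` pattern also matches a command line with extra arguments, whereas the second MA pattern, written with `^` and `$`, only matches a whole command line. The function and variable names are the example's own.

```perl
#!/usr/bin/perl
# Added example (not part of IDM_procs.pm): load EQ/MA signatures from an
# expected.*.api extract and match command lines the way the module does.
use strict;
use warnings;

# Constructed extract in the expected.local.api format. The last MA entry is
# anchored so that it can only match a complete command line.
my $api_text = <<'END_API';
# -- SGE :
EQ "/usr/local/sge6.0/bin/lx24-amd64/sge_execd"
MA "sge_shepherd-\d+ -bg"
MA "^/usr/local/sge6.0/default/spool/man2/job_scripts/\d+$"
END_API

# parse_api_sigs: returns { EQ => [strings], MA => [compiled regexes] }.
# Compiling with qr// means a malformed pattern fails at load time rather
# than on every scan, and the pattern is compiled once, not per process.
sub parse_api_sigs {
    my ($text) = @_;
    my %sigs = (EQ => [], MA => []);
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#.*)?$/;      # blank or comment line
        if (my ($kind, $val) = $line =~ /^\s*(EQ|MA)\s+"(.*)"\s*$/) {
            push @{ $sigs{$kind} }, $kind eq 'MA' ? qr/$val/ : $val;
        } else {
            die "bad signature line: $line\n";
        }
    }
    return \%sigs;
}

# match_kind: the module's test. Trailing whitespace is stripped once, EQ is
# an exact compare, MA is a regex match. Returns 'EQ', 'MA' or '' (no match,
# i.e. the process would be logged).
sub match_kind {
    my ($sigs, $cmndline) = @_;
    $cmndline =~ s/\s*$//;
    for my $s (@{ $sigs->{EQ} }) { return 'EQ' if $cmndline eq $s }
    for my $s (@{ $sigs->{MA} }) { return 'MA' if $cmndline =~ $s }
    return '';
}

my $sigs = parse_api_sigs($api_text);

# Constructed command lines, as cmndline() would return them.
my @cmds = (
    "/usr/local/sge6.0/bin/lx24-amd64/sge_execd  ",                  # EQ (after strip)
    "/usr/local/sge6.0/bin/lx24-amd64/sge_execd -debug",             # logged
    "sge_shepherd-4711 -bg",                                         # MA
    "sge_shepherd-4711 -bg --extra",                                 # MA: unanchored
    "/usr/local/sge6.0/default/spool/man2/job_scripts/42",           # MA: anchored
    "/usr/local/sge6.0/default/spool/man2/job_scripts/42 extra",     # logged: anchored
);
for my $cmd (@cmds) {
    my $how = match_kind($sigs, $cmd);
    printf "%-62s %s\n", $cmd, $how ? "expected ($how)" : "LOG: unexpected";
}
```

When a signature is meant to describe the whole command line, write the MA entry with `^` and `$` (or use EQ); otherwise any command line that merely contains the pattern will be treated as expected and never reach the log.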





About this document:

Produced from the SGML: /home/isd/public_html/_cheesewire/_reml_grp/index.reml
On: 4/9/2006 at 17:35:44
Options: reml2 -i noindex -l long -o html -p multiple