Ensures system security by monitoring processes in Linux


By using user-level tools such as top and ps together with Linux kernel protection techniques, we can protect important system processes and user processes at both the user and kernel levels.

The Bell-LaPadula model, a classic confidentiality security model, treats a process as a subject of the computer system: it must hold a certain security level to act on an object, and under certain conditions it may operate on objects such as files and databases. If a process is turned to illegal purposes, it can do significant harm to the system. In practice, many intruders use Trojans to damage and break into computer systems, and without exception these "Trojan" programs must run on the machine as processes to take effect. In addition, many destructive programs and attack techniques work by destroying the legitimate processes of the target system, especially important system processes, so that the system can no longer do its normal work or stops working altogether; this is how the target system is brought down. Since Linux holds the vast majority of the server market share, ensuring the security of these computer systems requires monitoring and protecting its processes.

  User-level process monitoring tool

Linux provides the who, w, ps, and top commands for viewing process information. With them we can clearly see the running state and liveness of processes and take appropriate measures to keep the system secure. They are currently the most common tools for viewing process conditions in Linux; they ship with every Linux distribution and are available as soon as the system is installed.

1. who command: mainly used to view information about the users currently logged in. The system administrator can use who to monitor what every logged-in user is doing at this moment.

2. w command: also displays the users logged in to the system, but it is more powerful than who: it shows not only who is logged on but also what those users are currently doing. The w command is an enhanced version of who.

3. ps command: the most basic and powerful process-viewing command. It can be used to determine which processes are running, whether a process has terminated, whether a process is dead (a zombie), and which processes are using excessive resources. ps is also the way to monitor the working state of background processes, which do not communicate through standard input/output devices such as the screen and keyboard. An example of ps output follows:

$ ps x
  PID TTY   STAT   TIME COMMAND
 5800 ttyp0 S           -bash
 5813 ttyp1 S           -bash
 5921 ttyp0 S           man ps
 5922 ttyp0 S           sh -c /usr/bin/gunzip -c /var/catman/cat1/ps.1.gz |
 5923 ttyp0 S           /usr/bin/gunzip -c /var/catman/cat1/ps.1.gz
 5924 ttyp0 S           /usr/bin/less -is
 5941 ttyp1 R           ps x

4. top command: top has the same basic function as ps, displaying the current processes and their status, but its display is dynamic: it refreshes the current status periodically and on keypress. When run in the foreground it occupies the terminal until the user quits the program. More precisely, top provides real-time monitoring of the processor state: it lists the tasks that are most "sensitive" to CPU, that is, the ones consuming the most CPU in the system. It can sort tasks by CPU usage, memory usage, and running time, and many of its features can be set through interactive commands or in a custom configuration file. An example of top output follows:

  pm up 7 min,  4 users,  load average: 0.07, 0.09, 0.06
  29 processes: 28 sleeping, 1 running, 0 zombie, 0 stopped
  CPU states:  4.5% user,  3.6% system,  0.0% nice, 91.9% idle
  Mem:   38916K av,  18564K used,  20352K free,  11660K shrd,   1220K buff
  Swap:  33228K av,      0K used,  33228K free                  11820K cached

    PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
    363 root      14   0   708  708   552 R       0  8.1  1.8   0:00 top
      1 root       0   0   404  404   344 S       0  0.0         0:03 init
      2 root       0   0     0    0       SW      0  0.0  0.0        kflushd
      3 root     -12 -12     0    0     0 SW<     0  0.0  0.0        kswapd
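The checks the text describes doing by eye over ps and top output (spotting dead processes and processes that hog resources) can be automated. The script below is an added example, not code from the original article: it parses the output of `ps axo pid,ppid,stat,pcpu,pmem,comm` (the column set and the thresholds are my choice) and reports zombies and resource hogs. The sample output embedded in it is constructed so that the script runs offline; `live_ps_output` runs the real ps on a Linux host.

```python
"""Flag zombie and resource-hungry processes from `ps` output (added example)."""
import subprocess

# Constructed sample output standing in for a live `ps axo pid,ppid,stat,pcpu,pmem,comm`
# call so the example runs offline. All values are made up for illustration.
SAMPLE_PS_OUTPUT = """\
  PID  PPID STAT %CPU %MEM COMMAND
    1     0 Ss    0.0  0.1 init
    2     0 S     0.0  0.0 kflushd
    3     0 SW<   0.0  0.0 kswapd
 5800     1 S     0.2  0.5 bash
 5922  5921 Z     0.0  0.0 sh
 5924  5922 S    95.3  1.2 less
 5941  5813 R     1.0  0.3 ps
"""

# procps output format keywords; their headers are PID PPID STAT %CPU %MEM COMMAND.
PS_COLUMNS = "pid,ppid,stat,pcpu,pmem,comm"


def parse_ps(text):
    """Turn `ps` output into a list of dicts, one per process (header row dropped)."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        # COMMAND is the last column and may contain spaces, so split into at most 6 fields.
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        pid, ppid, stat, pcpu, pmem, comm = fields
        procs.append({
            "pid": int(pid), "ppid": int(ppid), "stat": stat,
            "pcpu": float(pcpu), "pmem": float(pmem), "comm": comm,
        })
    return procs


def find_zombies(procs):
    """A zombie's STAT starts with 'Z': it has exited but its parent has not reaped it."""
    return [p for p in procs if p["stat"].startswith("Z")]


def find_hogs(procs, cpu_limit=80.0, mem_limit=50.0):
    """Processes at or above the CPU or memory thresholds (percent of the machine)."""
    return [p for p in procs if p["pcpu"] >= cpu_limit or p["pmem"] >= mem_limit]


def live_ps_output():
    """Run the real `ps` (Linux procps) and return its text; not used by the offline demo."""
    return subprocess.run(["ps", "axo", PS_COLUMNS], check=True,
                          capture_output=True, text=True).stdout


def report(text):
    """Summarise the findings as PIDs so they can be fed to kill or to a log."""
    procs = parse_ps(text)
    return {
        "zombies": [p["pid"] for p in find_zombies(procs)],
        "hogs": [p["pid"] for p in find_hogs(procs)],
    }


if __name__ == "__main__":
    print(report(SAMPLE_PS_OUTPUT))   # prints {'zombies': [5922], 'hogs': [5924]}
```

Note that a zombie cannot be killed directly; it disappears only when its parent reaps it, so the useful action on a zombie report is to inspect the PPID column, which is why it is parsed alongside STAT.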

  Key processes to be monitored

All the commands introduced above provide some information about processes: they let you view the current process state of the system, find the processes that consume too many system resources, and end them. Their advantages are that they are fast, transparent, and intuitive. The following table lists common important Linux processes (not exhaustively; refer to the relevant documentation). You can use the preceding tools to monitor these important processes in real time and take corresponding protective measures.

(The content of the above article is reproduced from the network or is a site member's original work; Linux-cn.com makes no guarantee for the content of the article.)

  System Call disadvantages

The process monitoring methods and tools described above all rely on calling the corresponding API functions or system calls provided by the operating system. All we get is the result produced by those interface functions; we cannot actively pull the information we need from the kernel's own process data structures. This gives them the following disadvantages:

1. Traditional process monitoring methods have low efficiency, long response times, and poor real-time performance.

2. They cannot report the security state of the current system to the user efficiently and in real time. Even if an illegal process is running in the system, the system cannot identify it as such.

3. They cannot provide the user with evidence of what an illegal process did or a trace of its activity. When an illegal process runs and damages the system, the user discovers it by checking the process list, but it remains unclear what damage the process did in the interval between its start and its capture, for example accessing and modifying important system files or occupying system resources. This causes many problems for later recovery and handling.

4. Programs executing in user mode are not secure. An intruder who has broken into the system can easily find the on-disk images of these monitoring programs and delete or replace them, causing immeasurable loss to the system. This point matters most. For example, an intruder who has successfully broken in can implant a rewritten ps program in place of the system's original ps, so that the user can no longer learn from this tool which illegal processes are currently running; whatever Trojans or other programs are then implanted, the user cannot know about them and so cannot take measures to terminate them. The consequences are obviously serious. With the process monitoring program running in the kernel, described below, an intruder cannot, or can only with difficulty, penetrate the kernel to destroy the monitoring program, so it can protect itself.

Given these shortcomings, we propose principles and techniques for real-time process monitoring in the Linux kernel. The technique involves the following steps:

First, in a "clean" system environment, run all of the system's trusted processes, analyze and collect their information (including process ID, process name, executable image, start time, and parent process), and form a list of system security processes as the basis for process monitoring.

Then, during process scheduling, the monitoring code collects information about the running processes in real time. If a process is found that is not in the "system security process list", its PID, name, executable image, and other information are immediately output to the terminal, or an alarm is raised to the user by sound, and the process is held out of scheduling until the user responds (allowing the process or killing it).

In step 2, if the superuser (system administrator) releases the process, it can be added to the "system security process list" to complete the list; if an ordinary user allows a process during use, the user's username and identity must be recorded in a log, which gives the superuser (system administrator) a solid basis for reviewing user behaviour or modifying the "system security process list".

In addition, if some important processes in the system security process list (such as kswapd and bdflush) are found not to be running, information about the lost process is immediately stored in a file for targeted recovery during system recovery. Depending on the situation, some processes need to be stopped immediately and recovered, and some can be recovered in place.
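The three steps above (build a baseline of trusted processes, flag anything not on it, flag listed processes that have disappeared) are proposed for the kernel, where the monitor cannot be replaced from user space. As an added example, not the article's kernel code, the script below implements the same logic in user space over the fields the article names (pid, name, executable image, start time, parent pid). It runs over constructed process records so that the result is reproducible; `read_proc` reads the same fields from /proc on a live Linux host. Function names such as `build_baseline` and `approve` are my own. Being a user-space program, it inherits disadvantage 4 above, which is exactly what placing the monitor in the kernel is meant to fix.

```python
"""User-space version of the whitelist process monitor described in the article (added example)."""
import os


def read_proc():
    """Collect (pid, name, exe, starttime, ppid) for every process in /proc (Linux only)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            # comm sits in parentheses and may contain spaces, so split around the last ')'.
            name = stat[stat.index("(") + 1:stat.rindex(")")]
            rest = stat[stat.rindex(")") + 2:].split()
            ppid = int(rest[1])          # field 4 of /proc/<pid>/stat
            starttime = int(rest[19])    # field 22: start time after boot, in clock ticks
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""                 # kernel threads (kswapd, ...) have no image
        except (OSError, ValueError):
            continue                     # the process exited while we were reading it
        procs.append({"pid": pid, "name": name, "exe": exe,
                      "starttime": starttime, "ppid": ppid})
    return procs


def build_baseline(procs):
    """Step 1: in a clean system, record trusted (name, image) pairs.
    Identity is by name and image rather than PID, because PIDs change across boots."""
    return {(p["name"], p["exe"]) for p in procs}


def find_unlisted(procs, baseline):
    """Step 2: running processes whose (name, image) pair is not on the list."""
    return [p for p in procs if (p["name"], p["exe"]) not in baseline]


def find_missing(procs, required):
    """Step 3: required process names (e.g. kswapd) with no running instance."""
    running = {p["name"] for p in procs}
    return sorted(set(required) - running)


def approve(baseline, proc, user, is_admin, audit_log):
    """A superuser's approval extends the list; an ordinary user's approval is only logged."""
    audit_log.append({"user": user, "pid": proc["pid"],
                      "name": proc["name"], "exe": proc["exe"]})
    if is_admin:
        baseline.add((proc["name"], proc["exe"]))
    return baseline


def scan(procs, baseline, required):
    """One monitoring pass: what is not on the list, and what required process is gone."""
    return {
        "unlisted": [(p["pid"], p["name"], p["exe"]) for p in find_unlisted(procs, baseline)],
        "missing": find_missing(procs, required),
    }


# Constructed records (not from a real host) in the shape read_proc() returns.
CLEAN_SYSTEM = [
    {"pid": 1, "name": "init", "exe": "/sbin/init", "starttime": 0, "ppid": 0},
    {"pid": 2, "name": "kflushd", "exe": "", "starttime": 0, "ppid": 0},
    {"pid": 3, "name": "kswapd", "exe": "", "starttime": 0, "ppid": 0},
    {"pid": 5800, "name": "bash", "exe": "/bin/bash", "starttime": 410, "ppid": 1},
]
LATER_SCAN = [
    {"pid": 1, "name": "init", "exe": "/sbin/init", "starttime": 0, "ppid": 0},
    {"pid": 2, "name": "kflushd", "exe": "", "starttime": 0, "ppid": 0},
    {"pid": 5800, "name": "bash", "exe": "/bin/bash", "starttime": 410, "ppid": 1},
    {"pid": 6120, "name": "bash", "exe": "/bin/bash", "starttime": 900, "ppid": 5800},
    # Same name as the system ps but a different image: the replaced-ps case from disadvantage 4.
    {"pid": 6133, "name": "ps", "exe": "/tmp/ps", "starttime": 950, "ppid": 6120},
]
REQUIRED = ["init", "kswapd", "kflushd"]

if __name__ == "__main__":
    baseline = build_baseline(CLEAN_SYSTEM)
    print(scan(LATER_SCAN, baseline, REQUIRED))
    # prints {'unlisted': [(6133, 'ps', '/tmp/ps')], 'missing': ['kswapd']}
```

Keying the list on (name, image) rather than on name alone is what lets the second bash shell pass while the ps with a foreign image is reported; matching on name only would let a replaced tool through, which is the scenario disadvantage 4 warns about.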
