By using user-level top, ps, and other system tools and Linux kernel protection technologies, we can comprehensively protect the security of important system processes and user processes in Linux systems from the user/kernel levels. The Bell-LaPadula model of the classic information confidentiality security model points out that the process is of the entire computer system.
By using user-level top, ps, and other system tools and Linux kernel protection technologies, we can comprehensively protect the security of important system processes and user processes in Linux systems from the user/kernel levels.
The Bell-LaPadula model, a classic information confidentiality security model, points out that a process is a subject of the entire computer system. it must take a certain level of security to act on the object. Under certain conditions, a process can operate objects such as files and databases. If a process is used for other illegal purposes, it will cause major harm to the system. In real life, many cyber hackers use Trojans to destroy computer systems and intrude into the system, without exception, these "Trojan" programs must run on machines through the process method to play a role. In addition, many destructive programs and attack techniques must destroy the legitimate processes of the target computer system, especially important system processes, so that the system cannot complete normal work or even work, in this way, the target computer system is destroyed. As a Linux system that accounts for the vast majority of the market share of servers, to ensure the security of computer systems, we must monitor and protect its processes.
User-level process monitoring tool
Linux provides who, w, ps, top, and other system calls to view process information. by using these system calls, we can clearly understand the running status and survival status of processes, so as to take appropriate measures to ensure the security of the Linux system. They are currently the most common tool for viewing process conditions in Linux. they are released along with the Linux suite and can be used after the system is installed.
1. who command: this command is mainly used to view the current online user information. The system administrator can use the who command to monitor what every login user is doing at this moment.
2. w command: this command is also used to display the user login to the system, but unlike who, w command is more powerful, it not only shows who has logged on to the system, it can also display the work that these users are currently working on. The w command is an enhanced version of the who command.
3. ps command: this command is the most basic and powerful process View command. It can be used to determine which processes are running and running, whether the processes are terminated, whether the processes are dead, and which processes are occupying excessive resources. The ps command can monitor the working status of background processes, because background processes do not communicate with standard input/output devices such as the screen keyboard. to detect the situation, you can use the ps command. The following is an example of a ps command.
The following is a reference clip:
$ Ps xPID tty stat time COMMAND5800 ttyp0 S 0: 00-bash5813 ttyp1 S 0: 00-bash5921 ttyp0 0: 00 man ps5922 ttyp0 S 0: 00 sh-c/usr/bin/gunzip-c/var/catman /cat1/ps.1.gz/5923 ttyp0 S/usr/bin/gunzip-c/var/catman/cat1/ps.1.gz5924 ttyp0 S/usr/bin/less-is5941 ttyp1 R ps x
4. top command: the basic functions of top command and ps command are the same. The current process and status of the system are displayed, but top command is a dynamic display process, you can press the buttons to refresh the current status. If you execute this command on the foreground, it excludes the foreground until the user terminates the program. More accurately, the top command provides real-time monitoring of the status of the system processor. It displays the list of CPU-most "sensitive" tasks in the system. This command can sort tasks by CPU usage, memory usage, and execution time, and many of its features can be set through interactive commands or in a custom file. The following is an example of a top command:
The following is a reference clip:
Pm up 7 min, 4 user, load average: 0.07, 0.09, 0.0629 processes: 28 sleeping, 1 running, 0 zombie, 0 stoppedCPU states: 4.5% user, 3.6% system, 0.0% nice, 91.9% idleMem: 38916 K av, 18564 K used, 20352 K free, 11660 K shrd, 1220 K buffSwap: 33228 K av, 0 K used, 33228 K free, 11820 K cachedPID user pri ni size rss share stat lib % CPU % mem time COMMAND363 root 14 0 708 708 552 R 0 8.1 1.8 0: 00 top1 root 0 0 404 404 S 0 344 0 0 03 init2 root 0 0 0 0 SW 0 0.0 0.0 kflushd3 root-12-12 0 0 0 SW <0 0.0 0.0 kswapd
Key processes to be monitored
According to the above introduction, all the commands provided by Linux can provide some information about processes. you can view the current process status of the system through them, you can also find out the processes that occupy too many system resources and end the process. Their advantages are fast, transparent, and intuitive. The following table lists common important processes in Linux (not fully listed. you can refer to the relevant documents). you can use the preceding tools to monitor these important processes in real time, and take corresponding protective measures.
System call disadvantages
The process monitoring methods and tools described above are implemented based on calling the corresponding API functions or system calls provided by the operating system. All we get is the result of interface function processing. we cannot actively obtain the information we need from the process data structure of the operating system kernel. Therefore, they have the following disadvantages:
1. traditional process monitoring methods have low operation efficiency, long response time, and poor real-time performance.
2. it is impossible to report the security status of the current system to the user in real time and efficiently. even if any illegal process in the system is running, the system cannot identify it.
3. users cannot be provided with evidence to capture behaviors of illegal processes and the activity track of the processes. When an illegal process runs and damages the system, the user finds an illegal process by checking the process list, it is also unclear what damage the process has caused to the system for a period of time from the process to the capture of such an illegal process. for example, access and modify important system files and occupy system resources. These problems have brought a lot of problems to future recovery and processing.
4. the execution of the program is in the user state and is not secure. hackers who intrude into the system can easily find the disk images of these process monitoring programs and delete or replace them, this will cause immeasurable losses to the system. This is particularly important. for example, if hackers successfully intrude into the system, they can implant the ps program they have rewritten to replace the ps program of the original system, in this way, the user cannot use this tool to learn about the illegal processes currently running in the system. no matter how hackers implant Trojans or other programs, the user cannot know and thus cannot take measures to terminate these activities. It is self-evident that such consequences are very serious. In the process monitoring program running on the kernel described below, hackers cannot or are difficult to penetrate into the kernel to destroy the process monitoring program, so that it can ensure its own security.
Based on these shortcomings, we propose the principles and technologies for real-time process monitoring in the Linux kernel. This technology involves the following steps:
First, in a "clean" system environment, the security process in the system is fully run, analyze and collect information about these processes in Linux (including the process ID, process name, executable process image, process start time, and process parent process ), form a list of system security processes as the basis for process monitoring.
Then, the monitoring Code collects information about processes running in the system in real time during process scheduling. If a process is found not in the "system security process List", The PID number, name, executable image, and other information of the process are immediately output through the terminal, or an alarm is reported to the user through sound, wait for the user to process and terminate the scheduling process during the waiting process until the user responds (allow the process or kill the process ).
In step 2, if the super user (System Administrator) releases the process, you can add the process to the "system security process list" to complete the list; if a user allows a process during use, the user's username and identity must be recorded and recorded as logs, A super user (System Administrator) is a powerful basis for reviewing user behavior or modifying the "system security process List.
In addition, if some important processes (including kswapd and bdflush) in the system security process list are not running, then, the lost information of the process will be immediately stored in a file for targeted recovery during the system recovery process. according to different situations, some of them need to be stopped immediately, recovery process, and some can be recovered on site.