Ensuring system security by monitoring processes running in Linux

Source: Internet
Author: User
By combining user-level system tools such as top and ps with Linux kernel protection technology, we can comprehensively protect the security of important system processes and user processes in Linux at both the user and kernel levels.

The Bell-LaPadula model, a classic information confidentiality model, treats a process as a subject of the entire computer system: it must hold a certain security level to act on an object, and under certain conditions it can operate on objects such as files and databases. A process that is used for illegitimate purposes can therefore cause major harm to the system. In practice, many attackers use Trojans to damage and intrude into computer systems, and without exception these Trojan programs must run as processes on the machine to have any effect. In addition, many destructive programs and attack techniques work by destroying the legitimate processes of the target computer system, especially important system processes, so that the system cannot complete its normal work or cannot work at all. Because Linux accounts for the vast majority of the server market, keeping these systems secure requires monitoring and protecting their processes.

 User-level process monitoring tool

Linux provides who, w, ps, top, and other system tools for viewing process information. With them we can clearly see the running status and survival status of processes and take appropriate measures to keep the Linux system secure. They are currently the most common tools for viewing process status in Linux. They ship with Linux distributions and can be used as soon as the system is installed.

1. who command: this command is mainly used to view information about the users currently logged in. The system administrator can use the who command to monitor what every logged-in user is doing at the moment.

2. w command: this command also displays the users logged in to the system, but it is more powerful than who: it shows not only who has logged on to the system but also what those users are currently working on. The w command is an enhanced version of the who command.

3. ps command: this is the most basic and most powerful command for viewing processes. It can be used to determine which processes are running and their state, whether a process has terminated, whether a process is dead, and which processes are occupying excessive resources. Background processes do not communicate with standard input/output devices such as the screen and keyboard, so the ps command is the way to check on their working status. The following is an example of ps output.

  

    $ ps x
    PID TTY STAT TIME COMMAND
    5800 ttyp0 S 0:00 -bash
    5813 ttyp1 S 0:00 -bash
    5921 ttyp0 0:00 man ps
    5922 ttyp0 S 0:00 sh -c /usr/bin/gunzip -c /var/catman/cat1/ps.1.gz/
    5923 ttyp0 S /usr/bin/gunzip -c /var/catman/cat1/ps.1.gz
    5924 ttyp0 S /usr/bin/less -is
    5941 ttyp1 R ps x

4. top command: top has the same basic function as ps, showing the current processes and their status, but top displays them dynamically, and you can press keys to refresh the current status. If you run it in the foreground, it occupies the foreground until the user terminates the program. More precisely, the top command provides real-time monitoring of the status of the system processor. It displays the list of the most CPU-intensive tasks in the system. It can sort tasks by CPU usage, memory usage, and execution time, and many of its features can be set through interactive commands or in a customization file. The following is an example of top output:

  

    Pm up 7 min, 4 user, load average: 0.07, 0.09, 0.06
    29 processes: 28 sleeping, 1 running, 0 zombie, 0 stopped
    CPU states: 4.5% user, 3.6% system, 0.0% nice, 91.9% idle
    Mem: 38916K av, 18564K used, 20352K free, 11660K shrd, 1220K buff
    Swap: 33228K av, 0K used, 33228K free, 11820K cached
    PID USER PRI NI SIZE RSS SHARE STAT LIB %CPU %MEM TIME COMMAND
    363 root 14 0 708 708 552 R 0 8.1 1.8 0:00 top
    1 root 0 0 404 404 S 0 344 0 0 03 init
    2 root 0 0 0 0 SW 0 0.0 0.0 kflushd
    3 root -12 -12 0 0 0 SW< 0 0.0 0.0 kswapd

  Key processes to be monitored

As introduced above, these Linux commands all provide information about processes. With them you can view the current process status of the system, and you can find processes that occupy too many system resources and end them. Their advantages are that they are fast, transparent, and intuitive. The following table lists common important processes in Linux (the list is not exhaustive; refer to the relevant documentation). You can use the preceding tools to monitor these important processes in real time and take corresponding protective measures.
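
The check described above, as an added example that is not part of the original article: a shell function that audits a ps snapshot for watched daemons that are missing or not owned by root, and for processes above a CPU threshold. The watchlist (the article's table is not reproduced here), the 80% threshold, and the sample snapshot are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a `ps -eo pid,user,pcpu,comm` snapshot.
# WATCHLIST and CPU_LIMIT are assumed values; set them from your own baseline.
WATCHLIST="init syslogd klogd crond"
CPU_LIMIT=80

# Constructed sample snapshot (not real output) so the script runs offline.
sample_snapshot() {
cat <<'EOF'
  PID USER     %CPU COMMAND
    1 root      0.0 init
  212 root      0.1 syslogd
 5800 alice     0.3 bash
 5990 alice    97.5 gzip
 6011 nobody    0.2 crond
EOF
}

# Reads a snapshot on stdin and prints one finding per line:
#   CPU     process above CPU_LIMIT percent
#   OWNER   watched daemon not owned by root
#   MISSING watched daemon absent from the snapshot
audit_snapshot() {
  awk -v watch="$WATCHLIST" -v limit="$CPU_LIMIT" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    NR == 1 { next }   # skip the header row
    {
      pid = $1; user = $2; cpu = $3 + 0; cmd = $4
      if (cpu > limit) printf "CPU %s pid=%s cpu=%s\n", cmd, pid, $3
      if (cmd in want) {
        seen[cmd] = 1
        if (user != "root") printf "OWNER %s pid=%s user=%s\n", cmd, pid, user
      }
    }
    END { for (i = 1; i <= n; i++) if (!(w[i] in seen)) printf "MISSING %s\n", w[i] }
  '
}

# Live use: ps -eo pid,user,pcpu,comm | audit_snapshot
sample_snapshot | audit_snapshot
```

Run from cron or a loop, this gives a periodic report, but it still only sees what ps reports at the moment of the snapshot.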

  System Call disadvantages

The process monitoring methods and tools described above work by calling the corresponding API functions or system calls provided by the operating system. All we get is the result as processed by those interface functions; we cannot actively obtain the information we need from the process data structures of the operating system kernel. They therefore have the following disadvantages:

1. Traditional process monitoring methods have low efficiency, long response times, and poor real-time performance.

2. They cannot report the security status of the current system to the user efficiently and in real time. Even if an illegal process is running in the system, the system cannot identify it.
