15. Loadable Module: Processes (IDM_procs.pm)

15.1. What and How

The IDM_procs module monitors root-owned processes — those which do not match a configured signature are logged:

• Proc::ProcessTable is used to access the the system's process table. Processes which do not match a configured signature (fully-pathed command-line) are logged.
  
  
• a private, statically-linked copy of Vic Abell's lsof is run periodically and any connection root-owned process which does not match a configured signature is logged:
  
  
  • a signature includes: executable path, current working directory, open devices, open files and (to-do) open network connections.

15.2. Signature Configuration and Processing

Files:

    /etc/IDM_procs/expected.<platform>.api
    /etc/IDM_procs/expected.local.api

    /etc/IDM_procs/expected.<platform>.lsof
    /etc/IDM_procs/expected.local.lsof

• local .lsof signatures take precedence — i.e., override <platform> .lsof signarures;
  
  
• currently (TO-DO), local .api signatures do NOT take precedence over <platform> signatures — a match in either set of signatures is means that a process is not logged.

15.2.1. lsof-Related Signatures

These can optionally include current working directory (CWD), executable binary (AOUT), possible open files and devices (OFILES and ODEV), and devices and files which may not be open (QFILES and QDEVS). The AOUT field helps distinguish between two (or more) different processes with the same name — see below.

An extract from expected.<platform>.lsof:

    PS: sshd
        CWD =
            "/"

        AOUT = 
            "/usr/sbin/sshd"

        ODEVS =
            "/dev/null"
            "/dev/zero"
            "/dev/ptmx"

        QDEVS =
            "/dev/zero"
            "/dev/ptmx"
                # ...user-instances of /usr/sbin/sshd open these;  the
                #    init-ed daemon does not...

        QFILES = 
                # ...user-instances of /usr/sbin/sshd open these;  the
                #    init-ed daemon does not...
             "/var/run/nscd/passwd"
             "/var/run/nscd/dbnfIX0c"
             "/var/run/nscd/group"
             "/usr/lib64/libcrypto.so.0.9.7"
             "/usr/lib64/libcrack.so.2.7"
             .
             .

        OFILES =
            "/usr/sbin/sshd"
            "/var/run/nscd/passwd"
            "/var/run/nscd/group"
            "/var/run/nscd/dbnfIX0c"
            "/usr/lib64/libcrypto.so.0.9.7"
            "/usr/lib64/libcrack.so.2.7"
            "/usr/lib64/libopensc.so.1.0.0"
            "/usr/lib64/libgssapi_krb5.so.2.2"
            "/usr/lib64/libkrb5.so.3.2"
            .
            .
            "/lib64/security/pam_warn.so"
            "/lib64/security/pam_deny.so"

An extract from expected.local.lsof:

    PS: sshd

        CWD =
            "/"

        AOUT = 
            "/opt/vdt/globus/sbin/sshd"
                # ...a modified version of sshd running on a different port
                #    which users may also access...

15.2.2. API-Related Signatures

Following is an extract from /etc/IDM_proc/expected.local.api — regular expressions can be used:

  # ------------------------------------------------------------------------------
  # -- SGE :
  # ------------------------------------------------------------------------------
  #
  EQ "/usr/local/sge6.0/bin/lx24-amd64/sge_execd"
  EQ "/usr/local/sge6.0/bin/lx24-amd64/sge_schedd"
  EQ "/usr/local/sge6.0/bin/lx24-amd64/sge_qmaster"
  MA "sge_shepherd-\d+ -bg"
  MA "/usr/local/sge6.0/default/spool/man2/job_scripts/\d+"

Processes (command-lines) found from the API are matched against signatures like this:

    foreach my $s (@{$sigs->{EQ}}) {
        my $cmndline = $proc->cmndline();    $cmndline =~ s/\s*$//;
        if ($cmndline eq $s) {return 1}
      }

    foreach my $s (@{$sigs->{MA}}) {
        my $cmndline = $proc->cmndline();    $cmndline =~ s/\s*$//;
        if ($cmndline =~ m/$s/) {return 1}
      }