14. Checking for hidden/fake/missing processes

14. Checking for hidden/fake/missing processes
Prev	Chapter 5. Configuring samhain, the host integrity monitor	Next

14. Checking for hidden/fake/missing processes

To compile with support for this option, use the configure option

./configure --enable-process-check

This module enables samhain to check for processes that are:

(a) hidden from ps, i.e. running processes that are not listed by ps,

(b) fake, i.e. listed by ps although they don't exist, and

The module works by searching the complete range of possible PIDs for processes, and comparing the list of processes thus found against the output of ps. Note that the range of possible PIDs is OS-specific, and in general must be configured by the user (except for Linux, where it is determined automatically).

Threads

	Threads
Threads (including kernel threads) may be detected as well; thus ps must be called with the proper argument such that threads are listed as well, otherwise they will be reported as hidden. On Linux, this is handled automatically by the code, for other operating systems, you can use the configuration option ProcessCheckPSArg= `arg` to set the argument to ps . E.g. OpenBSD needs ProcessCheckPSArg= `axk` such that kernel threads are listed as well.

Threads (including kernel threads) may be detected as well; thus ps must be called with the proper argument such that threads are listed as well, otherwise they will be reported as hidden. On Linux, this is handled automatically by the code, for other operating systems, you can use the configuration option ProcessCheckPSArg= arg to set the argument to ps .

E.g. OpenBSD needs ProcessCheckPSArg= axk such that kernel threads are listed as well.

	The ProcessCheckPSArg option
	Samhain expects that the first numerical column is the PID. On Linux, the PID column needs to be followed by the SPID (thread id). I.e., on Linux ProcessCheckPSArg= `-efT` will work if none of the usernames is numeric.

	OpenVZ
	The OpenVZ virtualisation has one hidden process for each visible process (within the container). If you run samhain within an OpenVZ container, use ProcessCheckIsOpenVZ= `true` to automatically avoid false positives.

14.1. Example configuration

	  [ProcessCheck]
	  #
	  # Activate (default is on)
	  #
	  ProcessCheckActive = yes
	  
	  # The severity of reports: debug/info/notice/warn/err/crit/alert
	  # (default is crit)
	  #
	  SeverityProcessCheck = crit
	  
	  # The PID range (default is 0 to 32767)
	  #
	  ProcessCheckMinPID = 0
	  ProcessCheckMaxPID = 32767
	  
	  # The interval (in seconds) for process checks (default is 300 sec)
	  #
	  ProcessCheckInterval = 300
	  
	  # Specify a process that is required to run. The argument
	  # must be a POSIX regular expression that matches the
	  # output of ps (samhain will check whether the PID in the
	  # output of 'ps' actually runs). You can use this option 
	  # multiple times. Note that each matching substring in a line
	  # from the 'ps' output is considered a successful match.
	  #
	  ProcessCheckExists = syslogd
	  
	  # The 'configure' script determines automatically
	  # the location of 'ps' as well as whether it is 
	  # Posix or BSD style. Therefore, these options may
	  # not be required. For 'ProcesscheckPSArg', note
	  # that the first numerical column must be the PID, except on
	  # Linux, where the format 'PID SPID ...' is expected
	  # (spid = thread id), as shown by 'ps -eT' or 'ps -efT'.
	  #
	  # ProcessCheckPSPath = /usr/bin/ps
	  # ProcessCheckPSArg = -e

Prev	Up	Next
13. Checking sensitive files owned by users	Home	15. Checking for open ports