[Cialug] Linux Processes
Barry Von Ahsen
vonahsen at gmail.com
Wed Apr 7 16:47:51 UTC 2021
looks like field 4 in /proc/<pid>/stat is the parent process ID (ppid)
https://man7.org/linux/man-pages/man5/proc.5.html
checking against a couple of known "good" privilege dropping daemons, not sure about hard-core TSR processes. you'd still need to get the UID of that PID, then remove privileged/POSIX accounts, but closer. (perhaps this is what you meant by "clear way")
root at mail:~# ps wwwwaux |grep "apache\|postfix"
root 1119 0.0 2.2 345140 10996 ? Ss Mar25 0:48 /usr/sbin/apache2 -k start
www-data 1124 0.0 0.0 19912 396 ? Ss Mar25 0:35 /usr/bin/htcacheclean -d 120 -p /var/cache/apache2/mod_cache_disk -l 300M -n
root 2010 0.0 0.1 67388 768 ? Ss Mar25 0:09 /usr/lib/postfix/sbin/master -w
postfix 2022 0.0 0.3 74172 1724 ? S Mar25 0:03 qmgr -l -t unix -u
postfix 2246 0.0 0.4 88288 2360 ? S Mar25 0:04 tlsmgr -l -t unix -u -c
www-data 10074 0.0 7.6 356412 37876 ? S 06:25 0:29 /usr/sbin/apache2 -k start
www-data 10167 0.1 8.0 356648 39880 ? S 06:33 0:40 /usr/sbin/apache2 -k start
www-data 10169 0.0 8.1 357192 39928 ? S 06:33 0:35 /usr/sbin/apache2 -k start
www-data 10687 0.0 7.4 356344 36840 ? S 09:02 0:22 /usr/sbin/apache2 -k start
www-data 10977 0.1 7.3 356396 36348 ? S 10:09 0:31 /usr/sbin/apache2 -k start
www-data 10978 0.1 8.3 357028 41116 ? S 10:09 0:37 /usr/sbin/apache2 -k start
www-data 10979 0.1 7.6 356360 37576 ? S 10:09 0:29 /usr/sbin/apache2 -k start
www-data 10980 0.1 7.4 356308 36676 ? S 10:09 0:25 /usr/sbin/apache2 -k start
www-data 10981 0.1 7.6 356428 37456 ? S 10:09 0:33 /usr/sbin/apache2 -k start
www-data 10985 0.1 7.4 356500 36816 ? S 10:09 0:35 /usr/sbin/apache2 -k start
postfix 12047 0.0 0.9 73816 4828 ? S 15:37 0:00 pickup -l -t unix -u -c
root 12342 0.0 0.2 15320 1068 pts/0 S+ 16:32 0:00 grep --color=auto apache\|postfix
root at mail:~# awk '{print $4}' /proc/10074/stat
1119
root at mail:~# awk '{print $4}' /proc/2022/stat
2010
root at mail:~#
dc mentioned pstree, pstree -u shows "UID changes", here's how it looks for a sshd tree (invoked as pstree -p -u):
├─sshd(31802)───sshd(38133)───sshd(38160,barry)───bash(38161)───su(38164,root)───bash(38167)───pstree(38187)
and for another "well-behaved" daemon:
├─named(29079,bind)─┬─{named}(29111)
│ ├─{named}(29112)
│ ├─{named}(29113)
│ ├─{named}(29114)
│ ├─{named}(29115)
│ ├─{named}(29116)
│ └─{named}(29117)
both of those trees hang off of systemd / pid1
-barry
> On Apr 7, 2021, at 9:12 AM, Todd Walton <tdwalton at gmail.com> wrote:
>
> I really wish Linux had a clear way of showing what processes start just
> because they're standard stuff, and what processes are running because an
> admin made them run.
>
> * The processes that are in square brackets are kernel threads. They
> represent real work being done, but they're not *really* "processes".
> * Then you always see background stuff like dbus and gpg-agent and cups. I
> might want to know they're running, but not normally.
> * The desktop environment always starts up a ton of stuff. I'd like all
> those to be grouped together as part of one thing.
> * If httpd is running then that's definitely a Thing Of Interest. postfix,
> haproxy, php-fpm, etc. Those are things I want to be front and center by
> default.
>
> I haven't figured out an easy and effective way of getting just what I
> want. Of knowing what's running because it's supposed to be, and what's
> running just because it supports something else. This usually is an issue
> when I get into a server that I didn't set up, but now I'm doing forensics
> trying to figure out what the heck is going on.
>
> --
> Todd
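The ppid-then-UID check from the reply above, as an added example that is not part of the thread: it reads the ppid from /proc/<pid>/stat, the real UID from /proc/<pid>/status, and lists children running as a different UID than their parent (what pstree -u flags). It splits stat on the last ')' because the comm field can contain spaces, which breaks the awk '{print $4}' shortcut; the sample table and the uids 33/106 are constructed, not taken from the list post.

```python
"""Spot privilege-dropping daemons: ppid from field 4 of /proc/<pid>/stat, real
UID from /proc/<pid>/status, then list children whose UID differs from the parent's."""
import os

def parse_stat(stat_line):
    """(pid, comm, ppid) from one stat line. comm sits in parentheses and may contain
    spaces or ')', so split on the LAST ')' rather than trust whitespace field 4."""
    head, _, rest = stat_line.rpartition(')')
    pid_str, comm = head.split('(', 1)
    return int(pid_str), comm, int(rest.split()[1])  # rest[0]=state, rest[1]=ppid

def real_uid(status_text):
    """Real UID: first number on the 'Uid:' line (real, effective, saved, fs)."""
    for line in status_text.splitlines():
        if line.startswith('Uid:'):
            return int(line.split()[1])
    raise ValueError('no Uid: line')

def build_table(stat_of, status_of):
    """pid -> (comm, ppid, uid) from {pid: raw stat line} and {pid: raw status text}."""
    table = {}
    for pid, stat_line in stat_of.items():
        p, comm, ppid = parse_stat(stat_line)
        table[p] = (comm, ppid, real_uid(status_of[pid]))
    return table

def scan_proc(procdir='/proc'):
    """Same table from the live system; processes that exit mid-scan are skipped."""
    stats, statuses = {}, {}
    for name in filter(str.isdigit, os.listdir(procdir)):
        try:
            stats[int(name)] = open(f'{procdir}/{name}/stat').read()
            statuses[int(name)] = open(f'{procdir}/{name}/status').read()
        except OSError:
            stats.pop(int(name), None)
    return build_table(stats, statuses)

def uid_changes(table):
    """(pid, comm, uid, ppid, parent_uid) for each child whose real UID differs from
    its parent's: apache2 root -> www-data, postfix master root -> postfix."""
    return [(pid, comm, uid, ppid, table[ppid][2])
            for pid, (comm, ppid, uid) in sorted(table.items())
            if ppid in table and table[ppid][2] != uid]

# Constructed sample after the thread's ps listing (uids 33/106 assumed for www-data/postfix).
SAMPLE_STAT = {1: "1 (systemd) S 0 1 1", 1119: "1119 (apache2) S 1 1119 1119",
               10074: "10074 (apache2) S 1119 1119 1119", 2010: "2010 (master) S 1 2010 2010",
               2022: "2022 (qmgr) S 2010 2010 2010", 4242: "4242 (my daemon) S 1 4242 4242"}
SAMPLE_UID = {1: 0, 1119: 0, 10074: 33, 2010: 0, 2022: 106, 4242: 0}
SAMPLE_STATUS = {p: f"Uid:\t{u}\t{u}\t{u}\t{u}\n" for p, u in SAMPLE_UID.items()}
```

On a live box, uid_changes(scan_proc()) prints the same root-to-service-account drops that pstree -u marks; the 'my daemon' entry in the sample is where a naive field-4 split returns the state letter instead of the ppid.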