How can you trust "ps ax" in 3.0?



Maybe I'm naive but until 3.0 came out I thought you could count 
on the output of "ps ax" to show the command line that started the 
process.  Now in 3.0, sendmail shows as "sendmail: accepting 
connections (sendmail)" which is obviously not the command that 
started it ("/usr/sbin/sendmail -L sm-mta -C/etc/mail/localhost.cf -bd -q30m").

I can think of four things that could account for this: 1) ps has 
hard coded output for sendmail, 2) a process can control how it is 
displayed by ps, or 3) 2 has always been true and we just didn't 
know it.  If 1 is true then ps now has sample code to help an 
intruder develop a ps Trojan that hides other things.  2 or 3 are 
worse, because they mean any process can, to at least some 
degree, control its appearance in ps output, and the current 
sendmail has sample code to do this.  4) I'm missing something.

In addition to md5 checksums of programs matched back to 
pristine copies obtained from the original install media, I believed 
that "ps ax" output was a key component of host based intrusion 
detection.  If I had a clean copy of ps, I should be able to count 
on it to give a reasonably accurate picture of the processes 
running on a system.  Now I question that.

Comments?

George Shaffer
GeodSoft, LLC
http://GeodSoft.com
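The second possibility the post raises, a process controlling its own ps(1) line, is what the BSD library call setproctitle(3) exists for. What follows is an added example, not code from the post or from sendmail, that shows the mechanism without any platform-specific library: ps obtains a process's arguments from that process's own address space (through /proc on Linux, through kvm or sysctl on the BSDs), and the argument strings are laid out back to back there at exec time, so a process that overwrites that block changes what ps reports. It assumes only that layout; the function names are the example's own.

```c
/* Added example: a process rewriting the argument block that ps(1) reads.
 * This is the portable fallback technique used where setproctitle(3) is
 * not available; on OpenBSD the libc function setproctitle(3) provides the
 * same effect for you.  Function names here are the example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static char  *title_base;   /* start of the contiguous argv block */
static size_t title_area;   /* its size in bytes, computed once */

/* Record the contiguous block that argv[0..argc-1] occupy.  The kernel
 * places the strings back to back at exec time; we stop at the first one
 * that is not adjacent to its predecessor so we never write memory the
 * process does not own.  Returns the usable size in bytes. */
size_t init_proc_title(int argc, char **argv)
{
    size_t len;
    int i;

    title_base = NULL;
    title_area = 0;
    if (argc <= 0 || argv == NULL || argv[0] == NULL)
        return 0;
    len = strlen(argv[0]) + 1;
    for (i = 1; i < argc && argv[i] != NULL; i++) {
        if (argv[i] != argv[i - 1] + strlen(argv[i - 1]) + 1)
            break;                          /* not contiguous: stop here */
        len += strlen(argv[i]) + 1;
    }
    title_base = argv[0];
    title_area = len;
    return len;
}

/* Replace the whole argument block with `title`: truncate to what fits,
 * then NUL-pad the remainder so no fragment of the real command line
 * (the "-C/etc/mail/..." part, say) survives for ps to show.  Returns the
 * number of title bytes stored, 0 if init_proc_title() found no room. */
size_t set_proc_title(const char *title)
{
    size_t n;

    if (title_base == NULL || title_area < 2)
        return 0;
    n = strlen(title);
    if (n > title_area - 1)
        n = title_area - 1;                 /* keep the terminating NUL */
    memset(title_base, 0, title_area);
    memcpy(title_base, title, n);
    return n;
}

int main(int argc, char **argv)
{
    char cmd[64];

    init_proc_title(argc, argv);
    set_proc_title("sendmail: accepting connections (sendmail)");

    /* Ask ps what it believes this very process was started as. */
    snprintf(cmd, sizeof cmd, "ps -o pid,args -p %ld", (long)getpid());
    return system(cmd);
}
```

Run it with a long argument list and ps prints the fake title, not the binary path or flags; run it with no arguments and the title is cut down to the few bytes argv[0] occupied, which is why daemons that do this capture the area once at startup. The practical consequence for the check in the post is that the args column of ps reflects what the process chose to say about itself, so a clean ps binary is necessary but not sufficient; the process's executable file and open descriptors have to be verified by other means.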
