How can you trust "ps ax" in 3.0?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: How can you trust "ps ax" in 3.0?
- From: "George Shaffer" <gshaffer_(_at_)_erols_(_dot_)_com>
- Date: Tue, 11 Dec 2001 08:36:04 -5
- Reply-to: gshaffer_(_at_)_erols_(_dot_)_com
Maybe I'm naive but until 3.0 came out I thought you could count
on the output of "ps ax" to show the command line that started the
process. Now in 3.0, sendmail shows as "sendmail: accepting
connections (sendmail)" which is obviously not the command that
started it ("/usr/sbin/sendmail -L sm-mta -C/etc/mail/localhost.cf
-bd -q30m").
I can think of four things that could account for this: 1) ps has
hard coded output for sendmail, 2) a process can control how it is
displayed by ps, or 3) 2 has always been true and we just didn't
know it. If 1 is true then ps now has sample code to help an
intruder develop a ps Trojan that hides other things. 2 or 3 are
worse, because they mean any process can to at least some
degree control its appearance in ps output, and the current
sendmail has sample code to do this. 4) I'm missing something.
In addition to md5 checksums of programs matched back to
pristine copies obtained from the original install media, I believed
that "ps ax" output was a key component of host-based intrusion
detection. If I had a clean copy of ps, I should be able to count
on it to give a reasonably accurate picture of the processes
running on a system. Now I question that.
Comments?
George Shaffer
GeodSoft, LLC
http://GeodSoft.com
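One check a defender can run against the concern raised above, as an added example that is not part of the original post: the `args` column that `ps ax` prints comes from the process's own argument area (which setproctitle(3) rewrites), while the `comm` column is the executable name the kernel recorded at exec time, so comparing the two flags processes whose displayed title disagrees with what was actually executed. The sample input is constructed here, and the keyword names `pid`, `comm` and `args` are assumed to be those of OpenBSD's ps(1).

```shell
# Constructed sample in the shape of "ps -axo pid=,comm=,args=" output
# (assumed OpenBSD keyword names); not real output from any system.
SAMPLE='  101 sendmail /usr/sbin/sendmail -L sm-mta -C/etc/mail/localhost.cf -bd -q30m
  102 sendmail sendmail: accepting connections (sendmail)
  103 sh /bin/sh /etc/rc
  104 perl httpd: serving requests
  105 nc sendmail: accepting connections (sendmail)'

# Print "pid comm args" for every process whose displayed command line does
# not start with the kernel-recorded executable name (comm). A title set via
# setproctitle(3) keeps a "name:" prefix, so a trailing colon is stripped and
# any directory part of argv[0] is dropped before comparing; anything that
# still disagrees is reported for manual review.
flag_title_mismatch() {
    awk '
    {
        comm  = $2
        first = $3
        sub(/:$/, "", first)          # "sendmail:" -> "sendmail"
        n = split(first, p, "/")      # "/usr/sbin/sendmail" -> "sendmail"
        base = p[n]
        if (base != comm) {
            line = $0
            sub(/^[ \t]*/, "", line)  # drop ps column padding
            print line
        }
    }'
}

# Stand-alone run over the constructed sample; on a live host the input
# would instead be:  ps -axo pid=,comm=,args= | flag_title_mismatch
printf '%s\n' "$SAMPLE" | flag_title_mismatch
```

Only pids 104 and 105 are reported: the two sendmail entries and /bin/sh agree with their comm field, while a perl interpreter calling itself "httpd" and an nc process calling itself "sendmail" do not.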