Auditing Linux processes: The Deep Dive!
by Michael Boelen
https://linux-audit.com/auditing-linux-processes/
| Notes |
|---|
| Linux |
| operating system |
| process |
| system administrator |
| ps command |
| ps -ef |
| ps aux |
| POSIX |
| BSD |
| init |
| parent process, child process |
| every process except init has a parent |
| /proc filesystem |
| /proc/pid/cmdline |
| command line |
| /proc/pid/exe |
| symlink |
| /proc/pid/fd directory |
| file descriptor |
| socket |
| system call |
| fopen |
| /proc/pid/fdinfo directory |
| open() flags: read-only, append, write, … |
| /proc/pid/syscall displays last performed syscall of a process |
| Linux audit framework |
| syscall ID |
| ausyscall |
| x86_64 |
| quick and dirty syscall id lookup: unistd_64.h, grep for syscall ID |
| uname -m |
| uname command |
| /proc/pid/stack displays the stack of a process |
| Lynis |