OpenSUSE Linux Rants

OpenSUSE Linux Tips, tricks, how-tos, opinions, and news


October 10, 2006

10 Ways to Audit Processes, Users, and Connections on a Linux Box

by @ 7:01 am. Filed under General Linux, How-To, SUSE Tips & Tricks

Recently, a network that I was using had a production server on it with some problems. One minute, we could connect to it just fine and the next minute, we couldn’t. I initially got in, ran ‘top’, tailed ‘/var/log/messages’, and ran ‘ps aux’ a few times. Absolutely nothing came up as strange.

It just so happened that we were pinging the server as we were rebooting it. As the machine shut down, it was still responding to pings. Red flag. There was an IP conflict with another machine. ‘nmap’ allowed for some OS fingerprinting, which gave us a little more information about the impostor (I’ll take the time here to tell you that it was a machine running Windows – massively underwhelming surprise there).

I looked around for something that might be useful as a monitor to let me know when that kind of thing happened. I didn’t really find anything. If you have any suggestions on tools that can do this, please leave a comment and point me in the right direction. Having found nothing, I set out to see if I could write something to do this.

I was quite pleased to notice that with an easy combination of the ‘ping’, ‘arp’, and ‘nslookup’ commands in a simple PHP script, I was able to acquire the information I needed to hack out a small monitor. It isn’t quite functional yet, but now it’s just a matter of how to store and report on the data. When I have it working, I’ll post it. Again, if you know of something that can monitor ARP tables on a local machine, and email a notification when things “look funny,” please enlighten me.
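As an added example (not the author's PHP monitor, and nothing from the original post), here is the ARP side of that idea in plain shell: two snapshots of the table are compared and any address whose hardware address changed is reported, which is how an IP conflict of the kind described above shows up on the Linux box. The snapshots are constructed in the layout of `arp -n`; the live `arp_watch` loop assumes that command exists.

```shell
#!/bin/sh
# Added example (not the author's PHP monitor): diff two snapshots of the
# ARP table and report any IP whose hardware address changed, which is what
# the IP conflict described above looks like from the Linux side.
# Assumed input layout is that of "arp -n":
#   Address   HWtype  HWaddress   Flags Mask   Iface
# The two snapshots below are constructed sample data, not real captures.

ARP_BEFORE='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.1              ether   00:11:22:33:44:01   C                     eth0
192.168.0.3              ether   00:11:22:33:44:03   C                     eth0
192.168.0.5                      (incomplete)                              eth0
192.168.0.161            ether   00:11:22:33:44:A1   C                     eth0'

ARP_AFTER='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.1              ether   00:11:22:33:44:01   C                     eth0
192.168.0.3              ether   00:11:22:33:44:03   C                     eth0
192.168.0.161            ether   00:0C:29:AA:BB:CC   C                     eth0
192.168.0.200            ether   00:11:22:33:44:C8   C                     eth0'

# arp_pairs SNAPSHOT: print "ip mac" per resolved entry, lower-casing the MAC
# so that snapshots from different tools compare equal. The header line and
# unresolved "(incomplete)" entries are skipped.
arp_pairs() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "ether" { print $1, tolower($3) }'
}

# arp_changes BEFORE AFTER: print "ip old_mac new_mac" for every IP present
# in both snapshots with a different MAC. Hosts that merely joined or left
# are normal and are not reported; a rebinding of an address you already
# know is the signal worth alerting on.
arp_changes() {
    {
        arp_pairs "$1" | sed 's/^/B /'
        arp_pairs "$2" | sed 's/^/A /'
    } | awk '
        $1 == "B" { old[$2] = $3; next }
        $1 == "A" && ($2 in old) && old[$2] != $3 { print $2, old[$2], $3 }
    '
}

# arp_watch [SECONDS]: live loop for a real box; polls "arp -n" and prints
# changes as they happen. Not exercised by the sample data above.
arp_watch() {
    interval=${1:-30}
    prev=$(arp -n)
    while sleep "$interval"; do
        cur=$(arp -n)
        arp_changes "$prev" "$cur"
        prev=$cur
    done
}

# Run against the constructed snapshots: reports 192.168.0.161 changing MAC.
arp_changes "$ARP_BEFORE" "$ARP_AFTER"
```

Piping the output of `arp_watch` into `mail` gives the e-mailed notification the paragraph above asks for.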

This also made me a little more aware of how I’d be able to monitor things on a given box in real-time, maybe with a handful of ‘screen’ sessions while connected in remotely. I was looking for things that could answer some questions like:

I was looking for answers to these types of questions.

Searching around, it became apparent that there is a decent handful of commands, to be sure. Let’s take a look at some of these commands and a slick tool that Steve told me about. As a general rule, running these commands as root provides more information.

First of all, we have the ‘w’ command. From the man page, we learn that the purpose of this command is to “Show who is logged on and what they are doing.” Sample output is as follows:

[0908][scott@suse-linux:~]$ w
 09:08:21 up 13 days, 22:10,  3 users,  load average: 0.00, 0.06, 0.08
USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
scott    :0        Mon08   ?xdm?   4:50   0.10s /bin/sh /opt/kde3/bin/startkde
scott    pts/0     Mon08   24:42m  0.00s  3.60s kded [kdeinit] --new-startup
scott    pts/1     09:08    0.00s  0.02s  0.00s w
[0908][scott@suse-linux:~]$

Then there’s the ‘who’ command, which has a similar purpose, “show who is logged on.” Output:

[0939][scott@suse-linux:~]$ who
scott    :0           2006-10-09 08:26 (console)
scott    pts/0        2006-10-09 08:26
scott    pts/1        2006-10-10 09:08
[0939][scott@suse-linux:~]$

Another command will display “info on the last login of each user.” Amazingly enough, it is the ‘lastlog’ command. Output:

[0942][scott@suse-linux:~]$ lastlog
Username                Port     Latest
at                               **Never logged in**
beagleindex                      **Never logged in**
bin                              **Never logged in**
daemon                           **Never logged in**
ftp                              **Never logged in**
games                            **Never logged in**
haldaemon                        **Never logged in**
lp                               **Never logged in**
mail                             **Never logged in**
man                              **Never logged in**
mdnsd                            **Never logged in**
messagebus                       **Never logged in**
news                             **Never logged in**
ntp                              **Never logged in**
postfix                          **Never logged in**
root                    tty1     Mon Sep 25 11:17:15 -0600 2006
sshd                             **Never logged in**
suse-ncc                         **Never logged in**
uucp                             **Never logged in**
wwwrun                           **Never logged in**
scott                   :0       Mon Oct  9 08:26:04 -0600 2006
[0942][scott@suse-linux:~]$

If you want to see the entire login history, you can get this with ‘last’. You can limit the number of lines displayed (15 in the example), as well. Output:

[0944][scott@suse-linux:~]$ last -15
scott    pts/1                         Tue Oct 10 09:08   still logged in
scott    pts/4                         Mon Oct  9 16:49 - 16:52  (00:03)
scott    pts/6                         Mon Oct  9 14:50 - 14:56  (00:06)
scott    pts/4                         Mon Oct  9 14:49 - 14:56  (00:07)
scott    pts/7                         Mon Oct  9 12:55 - 12:58  (00:03)
scott    pts/6                         Mon Oct  9 12:53 - 12:58  (00:05)
scott    pts/4                         Mon Oct  9 12:49 - 12:59  (00:09)
scott    pts/6                         Mon Oct  9 11:13 - 11:13  (00:00)
scott    pts/4                         Mon Oct  9 11:13 - 11:14  (00:01)
scott    pts/4                         Mon Oct  9 08:39 - 08:41  (00:01)
scott    pts/2                         Mon Oct  9 08:35 - 08:35  (00:00)
scott    pts/7                         Mon Oct  9 08:35 - 08:35  (00:00)
scott    pts/17                        Mon Oct  9 08:35 - 08:35  (00:00)
scott    pts/2                         Mon Oct  9 08:34 - 08:34  (00:00)
scott    pts/16                        Mon Oct  9 08:34 - 08:35  (00:00)

wtmp begins Mon Sep 25 08:28:24 2006
[0945][scott@suse-linux:~]$

One of the cooler commands is ‘netstat’. The man page states that its purpose is to “Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.” Experiment with the -u, -t, -a, -p, -e, and -n switches, or stick them all together:

suse-linux:/home/scott # netstat -utapen
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:1863          0.0.0.0:*               LISTEN      1000       6725360    29228/ssh
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          7728       2774/portmap
tcp        0      0 127.0.0.1:2544          0.0.0.0:*               LISTEN      0          8763       3126/zmd
tcp        0      0 0.0.0.0:2803            0.0.0.0:*               LISTEN      0          8066       -
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      0          10809      3029/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          8158       2987/master
tcp        0      0 192.168.0.162:2340      216.239.53.104:80       ESTABLISHED 1000       6933132    14485/firefox-bin
tcp        0      0 192.168.0.162:1023      192.168.0.161:2049      ESTABLISHED 0          6933362    -
tcp        0      0 192.168.0.162:1629      216.239.57.104:80       ESTABLISHED 1000       6933062    14485/firefox-bin
tcp        0      0 192.168.0.162:3980      202.181.132.131:80      ESTABLISHED 1000       6933068    14485/firefox-bin
tcp        0      0 192.168.0.162:3976      202.181.132.131:80      ESTABLISHED 1000       6933050    14485/firefox-bin
tcp        0      0 192.168.0.162:3973      202.181.132.131:80      ESTABLISHED 1000       6933047    14485/firefox-bin
tcp        0      0 192.168.0.162:3972      202.181.132.131:80      ESTABLISHED 1000       6933046    14485/firefox-bin
tcp        0      0 192.168.0.162:3975      202.181.132.131:80      ESTABLISHED 1000       6933049    14485/firefox-bin
tcp        0      0 192.168.0.162:3971      202.181.132.131:80      ESTABLISHED 1000       6933044    14485/firefox-bin
tcp        0      0 192.168.0.162:3970      202.181.132.131:80      ESTABLISHED 1000       6933043    14485/firefox-bin
tcp        0      0 192.168.0.162:2528      64.233.187.104:80       ESTABLISHED 1000       6933078    14485/firefox-bin
tcp        0      0 192.168.0.162:2140      65.204.194.118:22       ESTABLISHED 1000       6725356    29228/ssh
tcp        0    416 192.168.0.162:1199      192.168.0.3:22          ESTABLISHED 0          6933024    15247/ssh
tcp        0      0 ::1:1863                :::*                    LISTEN      1000       6725361    29228/ssh
tcp        0      0 :::22                   :::*                    LISTEN      0          8792       3149/sshd
tcp        0      0 ::1:25                  :::*                    LISTEN      0          8159       2987/master
udp        0      0 0.0.0.0:1024            0.0.0.0:*                           0          7686       2709/mdnsd
udp        0      0 0.0.0.0:1025            0.0.0.0:*                           0          8062       -
udp        0      0 127.0.0.1:4500          0.0.0.0:*                           0          9121       3285/racoon
udp        0      0 192.168.0.162:4500      0.0.0.0:*                           0          9119       3285/racoon
udp     9140      0 0.0.0.0:68              0.0.0.0:*                           0          7210       2652/dhcpcd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           78         6592728    2709/mdnsd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          7727       2774/portmap
udp        0      0 127.0.0.1:500           0.0.0.0:*                           0          9120       3285/racoon
udp        0      0 192.168.0.162:500       0.0.0.0:*                           0          9118       3285/racoon
udp        0      0 0.0.0.0:631             0.0.0.0:*                           0          10810      3029/cupsd
suse-linux:/home/scott #
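The listing above is long, and most of it is established browser connections. As an added example (not code from the original post), the following shell functions reduce `netstat -utapen` output to the two things an auditor wants to see at a glance: listeners bound to every interface, and listeners with no owning program. The sample input is constructed in the same column layout as the listing above.

```shell
#!/bin/sh
# Added example (not from the original post): reduce "netstat -utapen" output
# to the listening sockets an auditor cares about. Two questions are answered:
# which listeners are reachable from the network (bound to 0.0.0.0 or ::),
# and which show no owning program. The sample below is constructed in the
# same column layout as the listing above, not a real capture.

NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          8158       2987/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          7728       2774/portmap
tcp        0      0 0.0.0.0:2803            0.0.0.0:*               LISTEN      0          8066       -
tcp        0      0 192.168.0.162:2340      216.239.53.104:80       ESTABLISHED 1000       6933132    14485/firefox-bin
tcp        0      0 :::22                   :::*                    LISTEN      0          8792       3149/sshd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           0          10810      3029/cupsd
udp        0      0 127.0.0.1:500           0.0.0.0:*                           0          9120       3285/racoon'

# listeners OUTPUT: print "proto local_address uid program" for each listening
# socket. TCP rows carry a State column; UDP rows do not, so the user and
# program fields sit one column to the left. Established connections are
# dropped. Works on tcp/tcp6 and udp/udp6 rows alike.
listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" { print $1, $4, $7, $9; next }
        $1 ~ /^udp/ && $5 ~ /:\*$/     { print $1, $4, $6, $8 }
    '
}

# exposed_listeners OUTPUT: listeners bound to every interface. Each one is a
# service reachable from the network and should be one you intend to run.
exposed_listeners() {
    listeners "$1" | awk '$2 ~ /^(0\.0\.0\.0|::):[0-9]+$/'
}

# unowned_listeners OUTPUT: listeners whose program column is "-". netstat can
# only map a socket to a PID for processes you are allowed to inspect (hence
# "run these as root"), and sockets held by the kernel itself (NFS, for
# instance) never get a PID. A port that fits neither explanation deserves a
# closer look.
unowned_listeners() {
    listeners "$1" | awk '$4 == "-"'
}

# Run against the constructed sample; on a real box feed it "$(netstat -utapen)".
echo "== exposed listeners =="
exposed_listeners "$NETSTAT_SAMPLE"
echo "== listeners with no owning program =="
unowned_listeners "$NETSTAT_SAMPLE"
```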

Another way to view information on running processes is with the ‘ps’ command. Add in the ‘auxf’ options for extra goodness. Because of the amount of output that this command generates, I will only include a small snippet here:

suse-linux:/home/scott # ps auxf
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0    720    68 ?        Ss   Sep26   0:01 init [5]
root         2  0.0  0.0      0     0 ?        SN   Sep26   0:02 [ksoftirqd/0]
root         3  0.0  0.0      0     0 ?        S<   Sep26   0:02 [events/0]
root         4  0.0  0.0      0     0 ?        S<   Sep26   0:00 [khelper]
root         5  0.0  0.0      0     0 ?        S<   Sep26   0:00 [kthread]
root         7  0.0  0.0      0     0 ?        S<   Sep26   0:14  \_ [kblockd/0]
root         8  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [kacpid]
root        67  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [kseriod]
root       109  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [aio/0]
root       314  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [cqueue/0]
root       352  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [kpsmoused]
root       700  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [ata/0]
root       709  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [scsi_eh_0]
root       710  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [scsi_eh_1]
root       742  0.0  0.0      0     0 ?        S<   Sep26   0:22  \_ [reiserfs/0]
root      1163  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [khubd]
root      1278  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [shpchpd]
root      2908  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [kauditd]
root      2943  0.0  0.0      0     0 ?        S<   Sep26   0:00  \_ [rpciod/0]
root     18915  0.0  0.0      0     0 ?        S<   Sep27   0:00  \_ [cifsoplockd]
root     18916  0.0  0.0      0     0 ?        S<   Sep27   0:00  \_ [cifsdnotifyd]
root     24503  0.0  0.0      0     0 ?        S    Oct03   0:07  \_ [pdflush]
root     24504  0.0  0.0      0     0 ?        S    Oct03   0:08  \_ [pdflush]
root       108  0.0  0.0      0     0 ?        S    Sep26   0:14 [kswapd0]
root       822  0.0  0.0   1860   284 ?        S<s  Sep26   0:00 /sbin/udevd --daemon
root      1965  0.0  0.0   1892   452 ?        Ss   Sep26   0:00 /sbin/syslog-ng
root      1968  0.0  0.0   1664   256 ?        Ss   Sep26   0:00 /sbin/klogd -c 1 -x -x
root      2009  0.0  0.0   1796   220 ?        Ss   Sep26   0:00 /sbin/resmgrd
100       2011  0.0  0.1   3416   576 ?        Ss   Sep26   0:02 /usr/bin/dbus-daemon --system
root      2048  0.0  0.0   1644   144 ?        Ss   Sep26   0:00 /sbin/acpid
root      2091  0.0  0.2   4400  1212 ?        Ss   Sep26   0:02 /usr/sbin/hald --daemon=yes --retain-privileges
root      2466  0.0  0.0   1816   132 ?        S    Sep26   0:00  \_ hald-addon-acpi
root      2572  0.0  0.0   1816   140 ?        S    Sep26   0:53  \_ hald-addon-storage
root      2591  0.0  0.0   2932   304 ?        S    Sep26   0:00 /opt/kde3/bin/kdm
root     21894  0.1  6.0  40372 31284 tty7     Ss+  Oct06   9:30  \_ /usr/X11R6/bin/X -br -nolisten tcp :0 vt7 -auth /var/lib/xdm/authdir/authfiles/A:0-P
root     21895  0.0  0.0   3984   352 ?        S    Oct06   0:00  \_ -:0
scott    28134  0.0  0.0   4044   284 ?        Ss   Oct09   0:00      \_ /bin/sh /opt/kde3/bin/startkde
scott    28179  0.0  0.0   4392   252 ?        Ss   Oct09   0:00          \_ ssh-agent /bin/bash /etc/X11/xinit/xinitrc
scott    28232  0.0  0.0   1504   116 ?        S    Oct09   0:00          \_ kwrapper ksmserver
(etcetera)
suse-linux:/home/scott #

There is also ‘top’:

top - 11:51:08 up 14 days, 52 min,  3 users,  load average: 0.17, 0.18, 0.07
Tasks:  97 total,   2 running,  95 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.7% us,  0.0% sy,  0.0% ni, 99.3% id,  0.0% wa,  0.0% hi,  0.0% si
Mem:    515636k total,   458484k used,    57152k free,    61080k buffers
Swap:  1052216k total,    38060k used,  1014156k free,   143860k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
21894 root      15   0  168m  30m 3980 R  0.7  6.1   9:41.42 X
    1 root      16   0   720   68   40 S  0.0  0.0   0:01.44 init
    2 root      34  19     0    0    0 S  0.0  0.0   0:02.62 ksoftirqd/0
    3 root      10  -5     0    0    0 S  0.0  0.0   0:02.04 events/0
    4 root      11  -5     0    0    0 S  0.0  0.0   0:00.00 khelper
    5 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kthread
    7 root      10  -5     0    0    0 S  0.0  0.0   0:14.01 kblockd/0
    8 root      20  -5     0    0    0 S  0.0  0.0   0:00.00 kacpid
   67 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kseriod
  108 root      15   0     0    0    0 S  0.0  0.0   0:14.37 kswapd0
  109 root      19  -5     0    0    0 S  0.0  0.0   0:00.00 aio/0
  314 root      16  -5     0    0    0 S  0.0  0.0   0:00.00 cqueue/0
  352 root      11  -5     0    0    0 S  0.0  0.0   0:00.00 kpsmoused
  700 root      11  -5     0    0    0 S  0.0  0.0   0:00.00 ata/0
  709 root      11  -5     0    0    0 S  0.0  0.0   0:00.00 scsi_eh_0
  710 root      11  -5     0    0    0 S  0.0  0.0   0:00.00 scsi_eh_1
  742 root      10  -5     0    0    0 S  0.0  0.0   0:22.08 reiserfs/0
  822 root      12  -4  1860  284  228 S  0.0  0.1   0:00.15 udevd
 1163 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 khubd
 1278 root      11  -5     0    0    0 S  0.0  0.0   0:00.00 shpchpd
 1965 root      15   0  1892  452  324 S  0.0  0.1   0:00.08 syslog-ng
 1968 root      15   0  1664  256  192 S  0.0  0.0   0:00.00 klogd
 2009 root      16   0  1796  220  216 S  0.0  0.0   0:00.01 resmgrd
 2011 messageb  15   0  3416  576  444 S  0.0  0.1   0:02.88 dbus-daemon
 2048 root      16   0  1644  144  140 S  0.0  0.0   0:00.00 acpid
 2091 root      15   0  4400 1212  884 S  0.0  0.2   0:02.86 hald
 2466 root      25   0  1816  132  128 S  0.0  0.0   0:00.00 hald-addon-acpi
 2572 root      15   0  1816  140  124 S  0.0  0.0   0:53.57 hald-addon-stor
 2591 root      15   0  2932  304  260 S  0.0  0.1   0:00.01 kdm
 2652 root      16   0  1544  128   92 S  0.0  0.0   0:00.00 dhcpcd
 2709 mdnsd     15   0  2220  384  308 S  0.0  0.1   0:00.52 mdnsd
 2774 nobody    16   0  1560  220  164 S  0.0  0.0   0:00.01 portmap
 2908 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kauditd
 2930 root      13  -3  9984  336  264 S  0.0  0.1   0:00.00 auditd
 2943 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 rpciod/0
 2944 root      19   0     0    0    0 S  0.0  0.0   0:00.00 lockd
 2987 root      16   0  5060  436  348 S  0.0  0.1   0:00.07 master
 3021 root      16   0  1808  268  220 S  0.0  0.1   0:00.05 cron
 3029 lp        15   0  7240  448  308 S  0.0  0.1   0:00.44 cupsd
 3100 root      15   0  107m  972  644 S  0.0  0.2   0:04.83 nscd
 3149 root      17   0  4952  152  148 S  0.0  0.0   0:00.09 sshd
 3223 root      16   0  4264  708  588 S  0.0  0.1   0:00.63 powersaved
 3285 root      15   0  3680  248  152 S  0.0  0.0   0:00.00 racoon
 3293 root      17   0  1960  212  208 S  0.0  0.0   0:00.00 mingetty
 3294 root      17   0  1960  196  192 S  0.0  0.0   0:00.00 mingetty
 3295 root      17   0  1960  196  192 S  0.0  0.0   0:00.00 mingetty
 3296 root      17   0  1960  196  192 S  0.0  0.0   0:00.00 mingetty
 3297 root      17   0  1960  196  192 S  0.0  0.0   0:00.00 mingetty

You can also watch the system log with the ‘tail’ command. An example is as follows:

suse-linux:/home/scott # tail -f /var/log/messages
Oct 10 09:51:15 suse-linux kernel: device eth0 left promiscuous mode
Oct 10 09:53:38 suse-linux kernel: device eth0 entered promiscuous mode
Oct 10 09:54:39 suse-linux kernel: device eth0 left promiscuous mode
Oct 10 09:57:47 suse-linux kernel: device eth0 entered promiscuous mode
Oct 10 10:04:14 suse-linux kernel: device eth0 left promiscuous mode
Oct 10 10:06:00 suse-linux kernel: device eth0 entered promiscuous mode
Oct 10 10:28:18 suse-linux syslog-ng[1965]: STATS: dropped 0
Oct 10 11:17:46 suse-linux kernel: device eth0 left promiscuous mode
Oct 10 11:28:18 suse-linux syslog-ng[1965]: STATS: dropped 0
Oct 10 11:43:38 suse-linux su: (to root) scott on /dev/pts/3

It is a good idea to leave this window open as it refreshes automatically as more information is added to the log file.

Lastly, it is possible to view the open files by a user or process with ‘lsof’. Open files by process 14865:

suse-linux:/home/scott # lsof -p 14865
COMMAND   PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
bash    14865 root  cwd    DIR    3,7    2760      4 /home/scott
bash    14865 root  rtd    DIR    3,6     568      2 /
bash    14865 root  txt    REG    3,6  501804 109334 /bin/bash
bash    14865 root  mem    REG    0,0              0 [heap] (stat: No such file or directory)
bash    14865 root  mem    REG    3,6  217016  60456 /var/run/nscd/passwd
bash    14865 root  mem    REG    3,6  208464  17233 /usr/lib/locale/en_US.utf8/LC_CTYPE
bash    14865 root  mem    REG    3,6  880086  17234 /usr/lib/locale/en_US.utf8/LC_COLLATE
bash    14865 root  mem    REG    3,6 1404242  13934 /lib/libc-2.4.so
bash    14865 root  mem    REG    3,6   13814  13940 /lib/libdl-2.4.so
bash    14865 root  mem    REG    3,6  288188  17765 /lib/libncurses.so.5.5
bash    14865 root  mem    REG    3,6   26696  18379 /lib/libhistory.so.5.1
bash    14865 root  mem    REG    3,6  189436  18381 /lib/libreadline.so.5.1
bash    14865 root  mem    REG    3,6      54  17208 /usr/lib/locale/en_US.utf8/LC_NUMERIC
bash    14865 root  mem    REG    3,6    2451  15037 /usr/lib/locale/en_US.utf8/LC_TIME
bash    14865 root  mem    REG    3,6     286  15036 /usr/lib/locale/en_US.utf8/LC_MONETARY
bash    14865 root  mem    REG    3,6      52  17198 /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
bash    14865 root  mem    REG    3,6      34  17039 /usr/lib/locale/en_US.utf8/LC_PAPER
bash    14865 root  mem    REG    3,6      77  17001 /usr/lib/locale/en_US.utf8/LC_NAME
bash    14865 root  mem    REG    3,6     155  15033 /usr/lib/locale/en_US.utf8/LC_ADDRESS
bash    14865 root  mem    REG    3,6      59  17000 /usr/lib/locale/en_US.utf8/LC_TELEPHONE
bash    14865 root  mem    REG    3,6      23  17002 /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
bash    14865 root  mem    REG    3,6   25404  50721 /usr/lib/gconv/gconv-modules.cache
bash    14865 root  mem    REG    3,6     373  15034 /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
bash    14865 root  mem    REG    3,6  124463  13927 /lib/ld-2.4.so
bash    14865 root    0u   CHR  136,1              3 /dev/pts/1
bash    14865 root    1u   CHR  136,1              3 /dev/pts/1
bash    14865 root    2u   CHR  136,1              3 /dev/pts/1
bash    14865 root    4r   REG    3,7    4097  50837 /home/scott/.fonts.cache-2
bash    14865 root  255u   CHR  136,1              3 /dev/pts/1
suse-linux:/home/scott #

Open files by user ‘postfix’:

suse-linux:/home/scott # lsof -u postfix
COMMAND   PID    USER   FD   TYPE     DEVICE    SIZE    NODE NAME
pickup  15122 postfix  cwd    DIR        3,6     384   42756 /var/spool/postfix
pickup  15122 postfix  rtd    DIR        3,6     568       2 /
pickup  15122 postfix  txt    REG        3,6   10412   42441 /usr/lib/postfix/pickup
pickup  15122 postfix  mem    REG        0,0               0 [heap] (stat: No such file or directory)
pickup  15122 postfix  mem    REG        3,6  217016   60458 /var/run/nscd/group
pickup  15122 postfix  mem    REG        3,6  217016   60456 /var/run/nscd/passwd
pickup  15122 postfix  mem    REG        3,6  100331   13960 /lib/libpthread-2.4.so
pickup  15122 postfix  mem    REG        3,6   13814   13940 /lib/libdl-2.4.so
pickup  15122 postfix  mem    REG        3,6 1404242   13934 /lib/libc-2.4.so
pickup  15122 postfix  mem    REG        3,6   74278   13962 /lib/libresolv-2.4.so
pickup  15122 postfix  mem    REG        3,6   87850   13945 /lib/libnsl-2.4.so
pickup  15122 postfix  mem    REG        3,6  931232   18430 /usr/lib/libdb-4.3.so
pickup  15122 postfix  mem    REG        3,6 1208240   33727 /usr/lib/libcrypto.so.0.9.8
pickup  15122 postfix  mem    REG        3,6  246884  221993 /usr/lib/libssl.so.0.9.8
pickup  15122 postfix  mem    REG        3,6   85772   23833 /usr/lib/libsasl2.so.2.0.21
pickup  15122 postfix  mem    REG        3,6  179596   18503 /usr/lib/libpcre.so.0.0.1
pickup  15122 postfix  mem    REG        3,6   58310   37480 /usr/lib/liblber-2.3.so.0.2.7
pickup  15122 postfix  mem    REG        3,6  255945   37482 /usr/lib/libldap-2.3.so.0.2.7
pickup  15122 postfix  mem    REG        3,6  152580   42426 /usr/lib/libpostfix-util.so.1.0.1
pickup  15122 postfix  mem    REG        3,6  158192   42417 /usr/lib/libpostfix-global.so.1.0.1
pickup  15122 postfix  mem    REG        3,6   22676   42420 /usr/lib/libpostfix-master.so.1.0.1
pickup  15122 postfix  mem    REG        3,6  124463   13927 /lib/ld-2.4.so
pickup  15122 postfix    0u   CHR        1,3            2228 /dev/null
pickup  15122 postfix    1u   CHR        1,3            2228 /dev/null
pickup  15122 postfix    2u   CHR        1,3            2228 /dev/null
pickup  15122 postfix    3r  FIFO        0,5            8265 pipe
pickup  15122 postfix    4w  FIFO        0,5            8265 pipe
pickup  15122 postfix    5u  unix 0xd8df8080         6722083 socket
pickup  15122 postfix    6u  FIFO        3,6           46668 /var/spool/postfix/public/pickup
pickup  15122 postfix    7u  unix 0xd8df8980         6931500 socket
qmgr    28927 postfix  cwd    DIR        3,6     384   42756 /var/spool/postfix
qmgr    28927 postfix  rtd    DIR        3,6     568       2 /
qmgr    28927 postfix  txt    REG        3,6   45508   42771 /usr/lib/postfix/qmgr
qmgr    28927 postfix  mem    REG        0,0               0 [heap] (stat: No such file or directory)
qmgr    28927 postfix  mem    REG        3,6  217016   60458 /var/run/nscd/group
qmgr    28927 postfix  mem    REG        3,6  217016   60456 /var/run/nscd/passwd
qmgr    28927 postfix  mem    REG        3,6  100331   13960 /lib/libpthread-2.4.so
qmgr    28927 postfix  mem    REG        3,6   13814   13940 /lib/libdl-2.4.so
qmgr    28927 postfix  mem    REG        3,6 1404242   13934 /lib/libc-2.4.so
qmgr    28927 postfix  mem    REG        3,6   74278   13962 /lib/libresolv-2.4.so
qmgr    28927 postfix  mem    REG        3,6   87850   13945 /lib/libnsl-2.4.so
qmgr    28927 postfix  mem    REG        3,6  931232   18430 /usr/lib/libdb-4.3.so
qmgr    28927 postfix  mem    REG        3,6 1208240   33727 /usr/lib/libcrypto.so.0.9.8
qmgr    28927 postfix  mem    REG        3,6  246884  221993 /usr/lib/libssl.so.0.9.8
qmgr    28927 postfix  mem    REG        3,6   85772   23833 /usr/lib/libsasl2.so.2.0.21
qmgr    28927 postfix  mem    REG        3,6  179596   18503 /usr/lib/libpcre.so.0.0.1
qmgr    28927 postfix  mem    REG        3,6   58310   37480 /usr/lib/liblber-2.3.so.0.2.7
qmgr    28927 postfix  mem    REG        3,6  255945   37482 /usr/lib/libldap-2.3.so.0.2.7
qmgr    28927 postfix  mem    REG        3,6  152580   42426 /usr/lib/libpostfix-util.so.1.0.1
qmgr    28927 postfix  mem    REG        3,6  158192   42417 /usr/lib/libpostfix-global.so.1.0.1
qmgr    28927 postfix  mem    REG        3,6   22676   42420 /usr/lib/libpostfix-master.so.1.0.1
qmgr    28927 postfix  mem    REG        3,6  124463   13927 /lib/ld-2.4.so
qmgr    28927 postfix    0u   CHR        1,3            2228 /dev/null
qmgr    28927 postfix    1u   CHR        1,3            2228 /dev/null
qmgr    28927 postfix    2u   CHR        1,3            2228 /dev/null
qmgr    28927 postfix    3r  FIFO        0,5            8265 pipe
qmgr    28927 postfix    4w  FIFO        0,5            8265 pipe
qmgr    28927 postfix    5u  unix 0xc4b5ae00         6722087 socket
qmgr    28927 postfix    6u  FIFO        3,6           47906 /var/spool/postfix/public/qmgr
qmgr    28927 postfix    7u  unix 0xdb47be00         6722148 socket
suse-linux:/home/scott # 

With these types of commands, it becomes much easier to determine what is going on with a given machine, especially when you use the information from one command as input to the others. As a final note, my good bud Steve told me about a tool called whowatch, which gives you some of this information in real time and refreshes continuously. It was helpful and useful to me, and I do recommend it.

These are the majority of useful tools and commands that I found to get detailed real-time information about who is doing what from where on a given box. I’m interested in any additional thoughts or suggestions that anyone may have on this. Leave a comment with such info, that all may benefit.

2 Responses to “10 Ways to Audit Processes, Users, and Connections on a Linux Box”

  1. Frederik Van Poucke Says:

    there’s useful info with:

    -dmesg
    -pstree

    and all of the tools in combination with grep or xargs

    e.g.

    ps -ef|grep amarok
    find -print|xargs grep -i somestring

    Cheers.

  2. Scott Morris Says:

    Frederik Van Poucke, huh?! Hey, weren’t you the guy that won second place on our Desktop Shootout (http://www.novell.com/coolsolutions/feature/16573.html) competition? Great to hear from you. Thanks for the suggestions.
