Configure the tracking of processes to examine them for suspicious executables or open network ports.
juggernaut --task=lfd:tracking:process
Option |
Value | Default | Description |
---|---|---|---|
--PT_LIMIT |
<0-3600> | 0 | Enable the tracking of processes and examine them for suspicious executables or open network ports. If a suspicious process is found an alert email is sent. This option is the number of seconds a process has to be active before it is inspected. To disable this option set to 0. |
--PT_INTERVAL |
<10-3600> | 60 | The interval in seconds for how frequently processes are checked. |
--PT_SKIP_HTTP |
<1|0> | 0 | Do not enable process tracking to highlight php or perl scripts that are run. |
--PT_DELETED |
<1|0> | 0 | Report deleted binary processes. |
--PT_DELETED_ACTION |
<string> | The full path to a script that is run when a PT_DELETED event is triggered. The action script must have the execute bit and its interpreter set. | |
--PT_USERPROC |
<0-100> | 10 | Track the number of processes any given account is running at one time. If the number of processes exceeds the value of the following setting an email alert is sent with details of those processes. To disable this option set to 0. |
--PT_USERMEM |
<0-1024> | 768 | Send an alert if any user process exceeds the memory usage set (MB). To disable this option set to 0. |
--PT_USERRSS |
<digit> | 256 | Send an alert if any user process exceeds the RSS memory usage set (MB) - RAM used, not virtual. To ignore specific processes or users use Process Tracking Ignore. |
--PT_USERTIME |
<0-86400> | 1800 | Sends an alert if any user process exceeds the time usage set (in seconds). To disable this option set to 0. |
--PT_USERKILL |
<1|0> | 0 | Enable the killing of processes detected by PT_USERMEM, PT_USERTIME or PT_USERPROC. (not recommended) |
--PT_USER_ACTION |
<string> | The full path to a script that is run when a PT_USERKILL event is triggered. The action script must have the execute bit and its interpreter set. | |
--PT_LOAD |
<0-3600> | 30 | Check the PT_LOAD_AVG minute Load Average on the server every PT_LOAD seconds. If the load average is greater than or equal to PT_LOAD_LEVEL then an email alert is sent. The login falure daemon does not report high load events until PT_LOAD_SKIP seconds has passed to prevent email floods. To disable this option set to 0. |
--PT_LOAD_AVG |
<1|5|15> | 5 | The process tracking load average. |
--PT_LOAD_LEVEL |
<2-20> | 6 | The process tracking load level. |
--PT_LOAD_SKIP |
<1800-86400> | 3600 | The login failure daemon does not report subsequent high load events until PT_LOAD_SKIP seconds has passed to prevent email floods. |
--PT_APACHESTATUS |
<string> | http://localhost:7080/server-status | The Apache Server Status URL used in the load average email alert. The Apache mod_status module is required. |
--PT_LOAD_ACTION |
<string> | The full path to a script that is run when a PT_LOAD event is triggered. The action script must have the execute bit and its interpreter set. | |
--PT_FORKBOMB |
<0|100-1000> | 0 | Check the number of processes with the same session id and if greater than the value set, the whole session tree is terminated and an alert sent. |
--PT_SSHDKILL |
<1|0> | 0 | Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes are often left hung after their connecting IP addresses have been blocked. This option will terminate the SSH processes created by the blocked IP. This option is preferred over PT_SSHDHUNG. |
--PT_SSHDHUNG |
<1|0> | 0 | Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes are often left hung after their connecting IP addresses have been blocked. This option will terminate all processes with the cmdline of "sshd: unknown [net]" or "sshd: unknown [priv]" if they have been running for more than 60 seconds. |
--default |
<yes> | Reset all settings to their default values. | |
--default_option |
<option> | Reset a specific setting to its default value. | |
--restart |
<yes> | Restart the service after saving settings. |
// set the PT_LIMIT
juggernaut --task=lfd:tracking:process --PT_LIMIT=3600 --restart=yes
// reset PT_LIMIT to default
juggernaut --task=lfd:tracking:process --default_option=PT_LIMIT --restart=yes
// reset all settings back to default
juggernaut --task=lfd:tracking:process --default=yes --restart=yes