Process Tracking

Process Tracking enables tracking of user and nobody processes and examines them for suspicious executables or open network ports. Its purpose is to identify potential exploit processes that are running on the server, even if they are obfuscated to appear as system services. If a suspicious process is found an alert email is sent with relevant information.

It is then the responsibility of the recipient to investigate the process further as the script takes no further action. Processes (PIDs) are only reported once unless LFD is restarted.

Process Tracking Ignore

To ignore executables, command lines, or usernames add them to the process tracking ignore file located at /etc/csf/csf.pignore.

Format

exe:/full/path/to/file
user:username
cmd:command line

Perl Regex Format

pexe:/full/path/to/file
puser:username
pcmd:command line 

Perl Regex Format Example

pexe:/var/www/vhosts/.*/httpdocs/cgi-bin/script\.cgi
puser:john\d.*
pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*

• It is strongly recommended that you use command line ignores very carefully as any process can change what is reported to the OS. Do not list the paths to Perl or PHP as this will prevent detection of suspicious web scripts.
• This feature will NOT pickup a root compromise as root processes are ignored. You should use established IDS tools for such security considerations.

Related Files

File Description
/etc/csf/csf.conf PT_* configuration options.
/etc/csf/csf.pignore Whitelist either usernames or full paths to binaries.
/usr/local/csf/tpl/processtracking.txt The process tracking email alert template.

Related Pages