Process Tracking enables tracking of user and nobody processes and examines them for suspicious executables or open network ports. Its purpose is to identify potential exploit processes running on the server, even when they have been obfuscated to look like system services. When a suspicious process is found, an alert email is sent with the relevant information.
It is then the recipient's responsibility to investigate the process further; LFD takes no action against it. Each process (PID) is reported only once unless LFD is restarted.
To ignore executables, command lines, or usernames, add them to the process tracking ignore file at /etc/csf/csf.pignore. Each line is one rule. The exe:, user: and cmd: forms are compared literally against the full path of the running binary, the username, and the command line:

```
exe:/full/path/to/file
user:username
cmd:command line
```

The pexe:, puser: and pcmd: forms match the same three fields with a Perl regular expression:

```
pexe:/full/path/to/file
puser:username
pcmd:command line
```

For example:

```
pexe:/var/www/vhosts/.*/httpdocs/cgi-bin/script\.cgi
puser:john\d.*
pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
```
• Use command line ignores (cmd: and pcmd:) with great care: a process can rewrite its own command line (argv), so what the OS reports can be made to match an ignore rule by the very process you are trying to catch. Do not list the paths to the Perl or PHP interpreters as exe: ignores, as that whitelists every script they run and prevents detection of suspicious web scripts.
• This feature will NOT pick up a root compromise, as root-owned processes are ignored. Use established host intrusion detection tools for that.
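As an added illustration of how the rule forms above combine, the following Python script is not csf's or lfd's own code; it parses a constructed csf.pignore, applies it to a constructed process table, and models the "each PID is reported once" and "root is skipped" behaviour described on this page. It assumes that regex rules must match the whole field (so `john\d.*` does not match `bigjohn1`), and the `INTERPRETERS` list used by `risky_rules` is an assumption for the example, not something csf defines. Process 1422 shows the command-line caveat: its real executable is a dropper in /tmp, but its argv has been rewritten to match the pcmd: rule, so it is silently whitelisted.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample csf.pignore (not a real file). The pexe:/puser: lines are
# the ones quoted on this page; the rest are made up for the example.
SAMPLE_PIGNORE = r"""
# comment lines and blank lines are skipped
exe:/usr/sbin/exim
user:mailnull
pexe:/var/www/vhosts/.*/httpdocs/cgi-bin/script\.cgi
puser:john\d.*
pcmd:/usr/bin/perl /home/[a-z]+/bin/cleanup\.pl\s.*
"""

EXACT_KEYS = ("exe", "user", "cmd")      # literal string comparison
REGEX_KEYS = ("pexe", "puser", "pcmd")   # Perl-style regular expression

# Assumption for this example: an interpreter path in an exe: rule whitelists
# every script that interpreter runs, which the page warns against.
INTERPRETERS = ("/usr/bin/perl", "/usr/local/bin/perl", "/usr/bin/php",
                "/usr/bin/php-cgi", "/usr/local/bin/php")


@dataclass(frozen=True)
class Proc:
    pid: int
    user: str
    exe: str   # resolved /proc/<pid>/exe target
    cmd: str   # /proc/<pid>/cmdline with NULs replaced by spaces


def parse_pignore(text: str) -> dict:
    """Parse csf.pignore text into {key: [values...]}; regex keys are compiled."""
    rules = {k: [] for k in EXACT_KEYS + REGEX_KEYS}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not value:
            raise ValueError(f"csf.pignore line {lineno}: expected key:value")
        if key in EXACT_KEYS:
            rules[key].append(value)
        elif key in REGEX_KEYS:
            rules[key].append(re.compile(value))
        else:
            raise ValueError(f"csf.pignore line {lineno}: unknown key {key!r}")
    return rules


def ignore_reason(proc: Proc, rules: dict) -> Optional[str]:
    """Return the rule that whitelists proc, or None if it would be reported.

    Assumption: regex rules must match the whole field (fullmatch), which is
    how the page's own examples such as 'john\\d.*' are written.
    """
    fields = {"exe": proc.exe, "user": proc.user, "cmd": proc.cmd}
    for key in EXACT_KEYS:
        if fields[key] in rules[key]:
            return f"{key}:{fields[key]}"
    for key in REGEX_KEYS:
        for pat in rules[key]:
            if pat.fullmatch(fields[key[1:]]):   # "pexe" -> "exe", etc.
                return f"{key}:{pat.pattern}"
    return None


def scan(procs, rules: dict, reported: set) -> list:
    """Model the report-once behaviour: return newly flagged processes and
    record their PIDs so later scans stay quiet until `reported` is cleared."""
    alerts = []
    for p in procs:
        if p.user == "root":          # root processes are never examined
            continue
        if p.pid in reported or ignore_reason(p, rules):
            continue
        reported.add(p.pid)
        alerts.append(p)
    return alerts


def risky_rules(rules: dict) -> list:
    """Flag exe: rules naming an interpreter and any cmd:/pcmd: rule, since a
    process can rewrite its own argv and make a command-line rule match."""
    findings = [f"exe:{v} whitelists every script that interpreter runs"
                for v in rules["exe"] if v in INTERPRETERS]
    findings += [f"cmd:{v} relies on a spoofable command line" for v in rules["cmd"]]
    findings += [f"pcmd:{p.pattern} relies on a spoofable command line"
                 for p in rules["pcmd"]]
    return findings


# Constructed process table: a trusted daemon, a legitimate per-user script,
# and a dropper in /tmp that has rewritten its argv to look like that script.
SAMPLE_PROCS = [
    Proc(1201, "mailnull", "/usr/sbin/exim", "/usr/sbin/exim -bd -q30m"),
    Proc(1310, "john42", "/usr/bin/perl", "/usr/bin/perl /home/john42/bin/cleanup.pl --dry"),
    Proc(1422, "nobody", "/tmp/.x", "/usr/bin/perl /home/alice/bin/cleanup.pl --quiet"),
    Proc(1500, "nobody", "/tmp/.x", "/tmp/.x -p 4444"),
]


if __name__ == "__main__":
    rules = parse_pignore(SAMPLE_PIGNORE)
    seen: set = set()
    for p in scan(SAMPLE_PROCS, rules, seen):
        print(f"ALERT pid={p.pid} user={p.user} exe={p.exe} cmd={p.cmd!r}")
    for w in risky_rules(rules):
        print("WARNING", w)
```

Running it reports only PID 1500; PID 1422 is hidden by the pcmd: rule even though its executable lives in /tmp, which is exactly why the page says to prefer exe:/pexe: and user:/puser: rules over command-line ones. A second call to `scan` with the same `seen` set reports nothing, mirroring the once-per-PID behaviour until LFD is restarted.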
File | Description |
---|---|
/etc/csf/csf.conf | PT_* configuration options. |
/etc/csf/csf.pignore | Whitelist of usernames, command lines, or full paths to binaries (literal or Perl-regex forms) that process tracking should ignore. |
/usr/local/csf/tpl/processtracking.txt | The process tracking email alert template. |