LinuxQuestions.org

Linux - Kernel: Linux Processes explanation (https://www.linuxquestions.org/questions/linux-kernel-70/linux-processes-explanation-885622/)

abhijeetsamant 06-10-2011 12:29 PM

Linux Processes explanation
 
Hi,

Can anybody help me with a site where I can get a small write-up on all the system processes that we see running when we type the top command, e.g. processes like

init [3]
[migration/0]
[ksoftirqd/0]
[watchdog/0]


Any help would be appreciated.


Thanks in advance

Abhi

PrinceCruise 06-10-2011 01:21 PM

I wonder if you still haven't searched wiki for these items.

Regards.

Peufelon 06-10-2011 01:28 PM

Write your own guide
 
@abhijeetsamant:

If you want to create a baseline of "normal behavior" for your PC, that is a very good idea!

But I don't think any one site could possibly provide enough information for any one user--- there is simply too much variety.

I recommend that you write your own guide, specific to your PC, and keep it in an encrypted area. Many users find lightweight wikis useful for internal documentation.

Here is one method you can use:
  • as root user, identify common daemons and other frequently running system processes, ip traffic, etc., using
    Code:

            ps -ef              # what processes are running?
            top                 # what processes are consuming the most memory, cycles?
            iftop -Pn           # what internet connections are open?
            netstat -anp        # what is happening on the LAN?
            lsof                # what files are open?
            ss -s               # how many sockets are open?  how many use ipv6?
            ss -ta | column     # what TCP sockets are open?
            ss -ua | column     # what UDP sockets are open?
            ss -lp | column     # what sockets access which port?  which use ipv6?

    (read the man pages for ps, netstat, lsof, ss and adjust the flags to suit your needs)
  • look in places like /etc/rc5.d and /etc/init.d/ for information about services which start at boot time, services which run daily, and so forth
  • gather information about each process (in the example, "nmbd" and "fgrep") and system user using standard Linux tools:
    Code:

            whatis nmbd                                     # one-line description from the man database
            apropos nmbd                                    # try to find some initial clues to what nmbd is all about
            man nmbd                                        # man pages often state the location of log and configuration files
            locate nmbd | grep bin                          # look for the location of the executables
            stat /bin/fgrep                                 # nominal time of last access, modification (compare with your IDS)
            strings /bin/fgrep                              # print readable strings in an executable
            srch_strings /bin/fgrep                         # same, using the Sleuth Kit variant
            dd if=/bin/fgrep | hexdump -C | less            # raw hex dump of the executable
            readelf -a /bin/fgrep                           # examine an executable (ELF headers, sections, symbols)
            objdump -m i386 -b binary -D /bin/fgrep | less  # examine it line by line
            locate nmbd | grep lib                          # look for the location of related libraries
            locate nmbd | grep log                          # and log files
            more /etc/passwd | grep lp                      # who is this system user?  does he have shell access?
            netstat -anp | grep nmbd                        # what is nmbd doing right now?
            lsof | grep nmbd                                # what library files does it have open?

  • if you can find a relevant Wikipedia article, it may have more information (but remember, anyone can edit the Wikipedia to say anything):
    Code:

    https://secure.wikimedia.org/wikipedia/en/wiki/Special:Search/
    (modify the link in the obvious way to obtain another language than English)
  • if you know how to use wireshark you can also peek at interprocess communication by using its powerful filtering capabilities to display only the packets you are interested in (see also tcpdump)
  • you can also list installed modules
    Code:

    lsmod
    and you can investigate kernel threads, in order to distinguish normal and abnormal kernel behavior
  • you can examine BIOS and attached devices, and otherwise document your hardware
  • you can document the configuration of your LAN
  • collate all this information; I find it helpful to separate processes into
    • daemons which run continually
    • processes which run automatically at specific times (and what IP addresses they may call up)
    • processes which are normally run only when you call them (and what IP addresses they may call up)

You can add more methods according to your needs.

Since "normal behavior" changes over time as new software is installed and old software is patched, and as user behavior changes, you need to update this from time to time.

The payoff is that your internal wiki can help you to quickly distinguish between normal and abnormal output in top. This can be useful in a possible emergency.
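The following is an added example, not code from the thread or from Peufelon: a small POSIX shell script that turns the "collate and compare later" idea into something repeatable. It normalises a `ps -eo pid,user,comm` listing to unique command names (folding per-CPU kernel threads such as migration/0 and migration/1 into one entry) and an `ss -tuln` listing to unique protocol/port pairs, then uses `comm` to print only what has appeared since the saved baseline. The ps and ss listings embedded below are constructed for the demonstration; the process name `unknownd` and port 8081 are invented stand-ins for "something not in the baseline".

```shell
#!/bin/sh
# Added example (not from the thread): snapshot process names and listening
# ports, save them as a baseline, and later print only what is new.
# The sample ps/ss listings further down are constructed for the demonstration.
set -u
export LC_ALL=C   # sort and comm must agree on collation order

# Collapse a `ps -eo pid,user,comm` listing to sorted, unique command names.
# Kernel threads such as migration/0, migration/1 (shown as [migration/0] by
# `ps -ef`) fold into one entry by stripping brackets and the /CPU suffix.
normalize_procs() {
    awk 'NR > 1 {
        cmd = $3
        sub(/^\[/, "", cmd); sub(/\]$/, "", cmd); sub(/\/[0-9]+$/, "", cmd)
        print cmd
    }' | sort -u
}

# Collapse an `ss -tuln` listing to sorted, unique "proto port" pairs, so the
# same service bound on both IPv4 and IPv6 counts once.
normalize_listeners() {
    awk 'NR > 1 {
        n = split($5, a, ":")   # port is whatever follows the last colon
        print $1, a[n]
    }' | sort -u
}

# Lines present in the current snapshot ($2) but absent from the baseline ($1).
# Both files must be sorted; normalize_* already sorts them.
new_entries() {
    comm -13 "$1" "$2"
}

# Live use: write the baseline once, then re-run and compare later.
#   ps -eo pid,user,comm | normalize_procs     > baseline.procs
#   ss -tuln             | normalize_listeners > baseline.ports
#   ps -eo pid,user,comm | normalize_procs     > now.procs
#   new_entries baseline.procs now.procs

# Constructed sample listings (not captured from a real machine).
PS_BASELINE='  PID USER     COMMAND
    1 root     init
    2 root     kthreadd
    3 root     migration/0
    4 root     ksoftirqd/0
    5 root     watchdog/0
  812 root     sshd
  990 root     nmbd'

PS_NOW='  PID USER     COMMAND
    1 root     init
    2 root     kthreadd
    3 root     migration/0
    4 root     ksoftirqd/0
    5 root     watchdog/0
    7 root     migration/1
  812 root     sshd
  990 root     nmbd
 1303 nobody   unknownd'

SS_BASELINE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:137       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:138       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*'

SS_NOW='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:137       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:138       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
tcp   LISTEN 0      128    0.0.0.0:8081      0.0.0.0:*'

# Run the comparison on the constructed listings.
# Expected output: "unknownd" (new process) and "tcp 8081" (new listener);
# migration/1 is not reported because it folds into the existing "migration".
demo_diff() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$PS_BASELINE" | normalize_procs     > "$tmp/b.procs"
    printf '%s\n' "$PS_NOW"      | normalize_procs     > "$tmp/n.procs"
    printf '%s\n' "$SS_BASELINE" | normalize_listeners > "$tmp/b.ports"
    printf '%s\n' "$SS_NOW"      | normalize_listeners > "$tmp/n.ports"
    new_entries "$tmp/b.procs" "$tmp/n.procs"
    new_entries "$tmp/b.ports" "$tmp/n.ports"
    rm -rf "$tmp"
}
```

Run `demo_diff` to see the two new entries from the constructed data; for real use, store the baseline files in the same protected area as the wiki and regenerate them after planned software changes, so that the diff stays small enough to read in an emergency. Folding kernel threads by CPU keeps the baseline portable across machines with different core counts, at the cost of not noticing an extra per-CPU thread.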

