Goal: catching a rogue or unknown process(es) that last milliseconds on an "idle system"
Does anybody have a better idea than the script below?
(I mean other than rkhunter. I mean any process, without going SEL: it is for home usage)
I was trying to do that with top and ps, but could not think of any clever way to do it.
Then I tried to overload the cpu with glxgears and yes, to slow down things. Just a daft idea.
Finally, with the script I found that it was gkrellm outputting an alert in a konsole with no --noclose option.
Run the script in an empty directory.
It really works only if you are not creating new processes...
On my PC I could tell this was happening from time to time only (I know it is kind of normal;
I suppose these are sleeping processes).
Code:
root 13858 14159 0 17:51 ? 00:00:00 kded [kdeinit] kded
+user1 14202 20771 0 17:51 ? 00:00:00 /sbin/ip route show
+user1 14204 20771 0 17:51 ? 00:00:00 [net_applet]
+root 14309 14159 0 17:51 ? 00:00:00 [ifconfig] <defunct>
+root 14310 14159 0 17:51 ? 00:00:00 [iwconfig] <defunct>
+root 14311 14159 0 17:51 ? 00:00:00 kded [kdeinit] kded
+user1 14766 20852 0 17:51 ? 00:00:00 /sbin/route -n
Code:
#!/bin/bash
# output ps -eaf to a series of files (until <ctrl><c>)
# size difference is indicative of odd processes
# Handle analysis by diff after
# version 0.0b by Emmanuel_uk
# Bug yes: survey duration is limited by duration of ps + loop + write to disk rather than rest_time_microsec
# You may want to run rm -vf basename_outputfile*; nameofscript.sh to get rid of files
# could not implement duration_survey_second being fractional
rest_time_microsec=2000 #Between 2 outputs
duration_survey_second=1
basename_outputfile="test4rogue" #at least 5 chars
i=0 #file index
let "max_iter=$duration_survey_second*1000*1000/$rest_time_microsec"
echo $max_iter" ps captures will take place"
# GNU sleep accepts fractional seconds; usleep is not installed on every distribution
rest_time_sec=$(printf '%d.%06d' $((rest_time_microsec/1000000)) $((rest_time_microsec%1000000)))
while [ $i -lt $max_iter ] #looping around until max_iter captures are done or ctrl-c
do
(( i++ ))
# zero-pad the index to 7 digits so the files sort in capture order
printf -v padded_i '%07d' "$i"
filename=$basename_outputfile$padded_i
ps -eaf > "$filename" #Saving output to file i
sleep "$rest_time_sec"
done
# list all the files starting with basename_outputfile, sorting by size (numerically), taking the smallest
refsize_file=$( ls -l "$basename_outputfile"* | awk '{print $5}' | sort -nu | head -n1 )
echo "refsize_file is "$refsize_file" bytes?"
# Let's get a filename which has size refsize_file
# Compare the size field exactly: grepping the number would also match 12345 when looking for 1234
ref_filename=$( ls -l "$basename_outputfile"* | awk -v s="$refsize_file" '$5 == s {print $9; exit}' )
#sanity check
if [ "${ref_filename:0:4}" != "${basename_outputfile:0:4}" ]; then echo "filename error: cannot locate a ref ps output"; exit 1; fi
echo "The ref_filename is "$ref_filename
echo "These files are not the same size as "$ref_filename
ls -l "$basename_outputfile"* | awk -v s="$refsize_file" '$5 != s'
ls -l "$basename_outputfile"* | awk -v s="$refsize_file" '$5 != s {print $9}' | while read line
do
echo "--------- "$line" ----------"
diff -u "$ref_filename" "$line" #display some diff
done
exit 0
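The script above spawns a fresh ps for every sample, which is itself a new process on each iteration and also caps how fast you can sample. The following is an added example (not from the post or its author) of the same idea done by reading /proc directly from one long-running process: it polls at a fixed interval, keys each process on (pid, starttime) so a reused PID is not mistaken for the old process, and prints arrivals with their parent's name, in the spirit of the ps -eaf diff shown above. It assumes a Linux procfs mounted at /proc; the field layout of /proc/<pid>/stat follows proc(5). The sample values in the comments and tests are constructed from the listing in the post.

```python
#!/usr/bin/env python3
"""Poll /proc directly at a fixed interval and report processes that appear or
vanish between two polls. Reading /proc from one long-running process avoids
forking a ps for every sample, so the watcher does not pollute its own results
and can sample a few hundred times per second."""
import os
import sys
import time

PROC_DIR = "/proc"  # assumption: a Linux procfs mounted at the usual place


def parse_stat(text):
    """Parse the contents of /proc/<pid>/stat into a small dict.

    The comm field is wrapped in parentheses and may contain spaces or ')',
    so split on the last ')' instead of on whitespace.
    """
    lpar = text.index("(")
    rpar = text.rindex(")")
    pid = int(text[:lpar])
    comm = text[lpar + 1:rpar]
    rest = text[rpar + 2:].split()
    # after comm: state=rest[0] ppid=rest[1] ... starttime=rest[19] (field 22 in proc(5))
    return {"pid": pid, "comm": comm, "state": rest[0],
            "ppid": int(rest[1]), "starttime": int(rest[19]), "cmdline": ""}


def snapshot():
    """Return {(pid, starttime): info} for every process currently in /proc.

    Keying on (pid, starttime) tells a reused PID apart from the process that
    held it in the previous sample.
    """
    procs = {}
    for name in os.listdir(PROC_DIR):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(PROC_DIR, name, "stat")) as f:
                info = parse_stat(f.read())
            with open(os.path.join(PROC_DIR, name, "cmdline"), "rb") as f:
                argv = [a for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # the process exited between listdir() and open(): expected on a live box
        info["cmdline"] = " ".join(a.decode(errors="replace") for a in argv)
        procs[(info["pid"], info["starttime"])] = info
    return procs


def diff_snapshots(prev, cur):
    """Return (appeared, vanished): process infos present in only one snapshot."""
    appeared = sorted((cur[k] for k in cur.keys() - prev.keys()), key=lambda p: p["pid"])
    vanished = sorted((prev[k] for k in prev.keys() - cur.keys()), key=lambda p: p["pid"])
    return appeared, vanished


def describe(info, by_pid):
    """One line in the spirit of ps -eaf: pid, parent pid and name, comm, cmdline.

    Constructed sample: a zombie ifconfig child of kded (pid 14159) renders as
    ' 14309 ppid=14159(kded) [ifconfig] <defunct>'.
    """
    parent = by_pid.get(info["ppid"])
    pname = parent["comm"] if parent else "?"
    tag = " <defunct>" if info["state"] == "Z" else ""
    return f"{info['pid']:>6} ppid={info['ppid']}({pname}) [{info['comm']}]{tag} {info['cmdline']}".rstrip()


def watch(interval=0.002, duration=10.0, out=sys.stdout):
    """Sample /proc every `interval` seconds for `duration` seconds and print
    arrivals (+) and departures (-) as they are noticed."""
    prev = snapshot()
    deadline = time.monotonic() + duration
    while time.monotonic() < deadline:
        time.sleep(interval)
        cur = snapshot()
        appeared, vanished = diff_snapshots(prev, cur)
        by_pid = {pid: info for (pid, _), info in cur.items()}
        stamp = time.strftime("%H:%M:%S")
        for p in appeared:
            print(f"{stamp} +{describe(p, by_pid)}", file=out)
        for p in vanished:
            print(f"{stamp} -{p['pid']} [{p['comm']}]", file=out)
        prev = cur


if __name__ == "__main__":
    secs = float(sys.argv[1]) if len(sys.argv) > 1 else 10.0
    watch(duration=secs)
```

Run it as `python3 procwatch.py 30` in a second terminal while the desktop is idle. The same caveat as the bash version applies: polling only sees a process if it is alive when a sample is taken, so something that starts and exits within one 2 ms interval is still missed; shorten `interval` as far as the machine tolerates, or key off the parent's name in the output to find which long-lived process keeps spawning the short ones (kded and gkrellm-style helpers in the listing above). Because the watcher never forks, there is no need to stop creating processes while it runs.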