CIT 480: Securing Computer Systems
Lab #4: Processes

Name: _____________________

1: Introduction

If your Kali VM is already up and running, log in to the student account on the VM via ssh. It does not matter whether you use a command line or GUI ssh client. If your VM is not currently up, use the vSphere web client to start your VM before logging into it via ssh.

Some of the commands in this lab can produce large amounts of output. If the output is longer than 20 lines, report only the first 20 lines of output in your answer.

2: Processes

2.1: When ssh'ed into the server, how many processes are you running? Include the output of the command below, along with the answer to the question.

    $ ps

2.2: Examine a tree of all processes, then find the processes created starting with your initial ssh login. Which process is the parent of your other processes? Which processes are the children?

    $ ps xjf

2.3: How many processes is the entire system running? Don't count by hand. Pipe the output of ps to a command that will do the count for you. What is the PID of init?

    $ ps ax

2.4: Examine a tree of all processes. Note that you may need to widen your terminal window to see the entire output of this command. Using the information in the PPID (parent PID) column, which processes are immediate children of init?

    $ ps axjf

2.5: Let's view process activity with the top command next. So that we have something interesting to see, run John the Ripper in the background using the shell's & operator. After john is started, run top. What are the three highest CPU processes? Copy and paste the output of top for those processes into the box below.

    $ su
    # john --wordlist=/usr/share/dict/american-english /etc/shadow &
    # top

Pressing h(elp) in top will show all of the possible commands. Experiment with the sorting and information options to see how much you can learn from using top. Once you're done, use the command shown by h for exiting top.
3: Open Files

The lsof (list open files) command shows which files (and network connections) are in use by which processes. This command is useful for both system administration and security tasks. If you're looking for a configuration or log file, you can run lsof to see which files are in use by the server process in which you are interested. Similarly, if you suspect a program of being a backdoor or of storing unauthorized data, you can use lsof to look for unauthorized network connections or hidden files.

As the output of lsof is wide, you may want to open a 132-column terminal instead of an 80-column terminal for the following questions.

3.1: Identify the PID of your bash process with the ps command, then find its open files using lsof. List the output of the lsof command below.

    $ sudo -s
    # lsof -p YOUR_BASH_PID

3.2: What are the 3 types of files found in your listing above as specified by the TYPE column in lsof's output? What is the meaning of each type? Read the man page for lsof if you need help.

3.4: Identify the PID of the ssh process for your ssh connection that is running under your UID. The other process associated with your connection is running with root's UID and has [priv] listed in its name—ssh divides its privileged and unprivileged operations for security, following the secure design principle called "separation of privilege." Run lsof on this PID and include the output below.

    # lsof -p YOUR_SSH_PID

3.5: What are the types of files found in the listing directly above as specified by the TYPE column in lsof's output? What is the meaning of the types that you did not describe above for bash?

3.6: Using the lsof output for ssh, identify the client machine connecting to your VM via ssh. Include both the network identifier of the client and the line of output from lsof you used to find it.
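An added example (not part of the lab handout) showing how the TYPE summary asked for in 3.2/3.5 and the client endpoint asked for in 3.6 can be pulled out of lsof's columns with awk instead of by eye. The lsof lines it runs on are constructed sample output, not a capture from a real VM; on a live system you would pipe `lsof -p PID` into the same functions.

```shell
#!/bin/sh
# Added example, not from the lab handout. Parses lsof's whitespace-separated
# columns (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME). The sample
# below is constructed output, not a capture from a real VM.

sample_lsof() {
cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 2201 student cwd DIR 8,1 4096 2 /
sshd 2201 student txt REG 8,1 700928 131095 /usr/sbin/sshd
sshd 2201 student mem REG 8,1 1824496 131236 /lib/x86_64-linux-gnu/libc.so.6
sshd 2201 student 0u CHR 1,3 0t0 1029 /dev/null
sshd 2201 student 3u IPv4 31415 0t0 TCP 10.0.0.5:ssh->10.0.0.23:51422 (ESTABLISHED)
sshd 2201 student 5u unix 0x0 0t0 31416 type=STREAM
EOF
}

# Questions 3.2 / 3.5: how many open files of each TYPE (column 5)?
# Skips the header line; output is "count type", sorted by type name.
lsof_type_counts() {
    awk 'NR > 1 { n[$5]++ } END { for (t in n) print n[t], t }' | sort -k2
}

# Question 3.6: for TCP/UDP sockets lsof writes NAME as "local->remote",
# so the peer is whatever follows the arrow on IPv4/IPv6 rows.
lsof_remote_peers() {
    awk '$5 ~ /^IPv[46]$/ && index($9, "->") { split($9, ep, "->"); print ep[2] }'
}

# Same, but drop the trailing ":port" to get just the client host. Works for
# bracketed IPv6 literals too, since only the last colon-separated field goes.
lsof_remote_hosts() {
    lsof_remote_peers | sed 's/:[^:]*$//'
}

# Usage: on a live system replace sample_lsof with "lsof -p YOUR_SSH_PID".
sample_lsof | lsof_type_counts
sample_lsof | lsof_remote_hosts
```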
4: /proc

The proc filesystem mounted at /proc is not a filesystem in the traditional sense—there is nothing in this filesystem stored permanently on disk or elsewhere. Instead, the proc filesystem provides a view into the current state of the kernel and the processes running on the machine. It follows the usual rules of UNIX filesystems, including access control. As you might imagine, write access is forbidden to users other than root in most cases.

There are two types of entries found under /proc. Directories with numeric names describe the process whose PID is the directory name. The other directories have alphanumeric names and refer to aspects of kernel memory.

Before starting this section, exit your root shell from section 3.

4.1: Examine the process directories under /proc. How many of them are there? Don't count by hand. Pipe the output of your command to another command that will do the counting for you.

    $ ls -d /proc/[0-9]*

4.2: Identify the PID of your bash process, then examine the contents of its directory. Include the output of the command in the box below.

    $ cd /proc/YOUR_BASH_PID
    $ ls -l

4.3: What command line was used to start your bash?

    $ cat cmdline; echo

4.4: What is the current working directory of bash?

    $ ls -ld cwd

4.5: What executable file was used by exec() to start the bash process?

    $ ls -ld exe

4.6: What is the current value of the LANG and LOGNAME environment variables in the bash process? Note that while cat can show the output, it will appear all on one line, because the variables are separated by NUL bytes. The tr(anslate) command can convert the NUL byte separators to newlines, allowing you to see one variable per line.

    $ cat environ
    $ tr '\0' '\n' < environ

4.7: The bash process was under our direct control, so we already knew the answers to the questions above. Let's examine a different process about which we know little at the moment. Start the Apache server and find one of its PIDs, then examine the contents of its directory.
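An added example (not part of the lab handout): a small /proc inspector that wraps the commands from 4.3 to 4.6 in shell functions taking a PID, so they can be pointed at any process you can read, including the Apache PID found in 4.7. It also lists the regular files reachable through the fd subdirectory (asked in 4.8). Paths are the real /proc layout described in this section; the `env_value` helper takes a file path so it can also be run on a saved copy of an environ file.

```shell
#!/bin/sh
# Added example, not from the lab handout: answer questions 4.3-4.8 for any
# PID whose /proc directory you can read. All functions take a PID argument.

# 4.3: the argv of the process. /proc/PID/cmdline separates arguments with NUL
# bytes, so translate them to newlines (one argument per line).
proc_cmdline() { tr '\0' '\n' < "/proc/$1/cmdline"; }

# 4.4 / 4.5: cwd and exe are symlinks; readlink resolves them to the real path.
proc_cwd() { readlink "/proc/$1/cwd"; }
proc_exe() { readlink "/proc/$1/exe"; }

# Convert a NUL-separated KEY=VALUE file (the /proc/PID/environ format) to one
# line per variable. Takes a file path so it also works on a saved copy.
nul_to_lines() { tr '\0' '\n' < "$1"; }

# 4.6: print the value of one variable from an environ-format file.
env_value() {  # $1 = environ file, $2 = variable name
    nul_to_lines "$1" | sed -n "s/^$2=//p"
}

# 4.8: regular files open in the process. Each entry in /proc/PID/fd is a
# symlink named after the descriptor number; pipes resolve to "pipe:[inode]"
# and devices to /dev nodes, so keeping only targets that pass -f drops both.
proc_regular_files() {
    for link in /proc/"$1"/fd/*; do
        target=$(readlink "$link") || continue
        [ -f "$target" ] && printf '%s -> %s\n' "${link##*/}" "$target"
    done
}

# Usage: "sh proc_inspect.sh --demo" inspects the running shell itself;
# substitute the Apache PID from 4.7 to answer 4.7 and 4.8.
if [ "${1:-}" = "--demo" ]; then
    pid=$$
    echo "cmdline:"; proc_cmdline "$pid"
    echo "cwd: $(proc_cwd "$pid")"
    echo "exe: $(proc_exe "$pid")"
    echo "LANG=$(env_value "/proc/$pid/environ" LANG)"
    echo "LOGNAME=$(env_value "/proc/$pid/environ" LOGNAME)"
    echo "open regular files:"; proc_regular_files "$pid"
fi
```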
Using what you learned above, list the command line, current working directory, and executable file used by this process.

    # service apache2 start
    # ps auxw | grep apache
    # cd /proc/PID

4.8: The fd subdirectory of each process's directory contains symbolic links to all of the files that are currently open in that process. The names of the links are small integers, which are the file descriptors open in the process. We have used these numbers in the past when doing I/O redirection; e.g. 2>/dev/null to get rid of STDERR output is a common example. What files are currently in use by Apache? Do not include pipe or device files in your list.

    # cd fd
    # ls -l

4.9: One or more of the files appears to be a log file. Using the tail command, list the last few entries of the log file below.

    # tail LOGFILE

Stop the Apache web server process after finishing the questions in this section.

    # service apache2 stop

5: Submitting the Lab

Bring a printed copy of the lab at the beginning of the class period after the class in which you begin this lab. Online students will submit the lab via the Blackboard LMS.