CIT 480: Securing Computer Systems
Lab #4: Processes
Name: _____________________
1: Introduction
If your Kali VM is already up and running, login to the student account on the VM via ssh. It does not
matter whether you use a command line or GUI ssh client. If your VM is not currently up, use the
vSphere web client to start your VM before logging into it via ssh. Some of the commands in this lab
can result in large amounts of amount. If the output is longer than 20 lines, report only the first 20 lines
of output in your answer.
2: Processes
2.1: When ssh'ed into the server, how many processes are you running? Include the output of the
command below, along with the answer to the question.
$ ps
2.2: Examine a tree of all processes, then find the processes created starting with your initial ssh login.
Which process is the parent of your other processes? Which processes are the children?
$ ps xjf
2.3: How many proccesses is the entire system running? Don’t count by hand. Pipe the output of ps to
a command that will do the count for you. What is the PID of init?
$ ps ax
2.4: Examine a tree of all processes. Note that you may need to widen your terminal window to see the
entire output of this command. Using the information in the PPID (parent PID) column, which
processes are immediate children of init?
$ ps axjf
2.5: Let's view process activity with the top command next. In order that we have something
interesting to see, run John the Ripper in the background using the shell's & operator. After john is
started, run top. What are the three highest CPU processes? Copy and paste the output of top for
those processes into the box below.
$ su
# john –-wordlist=/usr/share/dict/american-english /etc/shadow &
# top
Pressing h(elp) in top will show all of the possible commands. Experiment with the sorting and
information options to see how much you can learn from using top. Once you're done, use the
command shown by h for exiting top.
3: Open Files
The lsof (list open files) command shows which files (and network connections) are in use by which
processes. This command is useful for both system administration and security tasks. If you're looking
for a configuration or log file, you can run lsof to see which files are in use by the server process in
which you are interested. Similarly, if you suspect a program of being a backdoor or storing
unauthorized data, you can use lsof to look for unauthorized network connections or hidden files.
As the output of lsof is wide, you may want to open a 132-column terminal instead of an 80-column
terminal for the following questions.
3.1: Identify the PID of your bash process with the ps command, then find its open files using lsof. List
the output of the lsof command below.
$ sudo -s
# lsof -p YOUR_BASH_PID
3.2: What are the 3 types of files found in your listing above as specified by the TYPE column in lsof's
output? What is the meaning of each type? Read the man page for lsof if you need help.
3.4: Identify the PID of the ssh process for your ssh connection that is running under your UID. The
other process associated with your connection is running with root's UID and has [priv] listed in its
name—ssh divides its privileged and unprivilged operations for security, following the secure design
principle called “separation of privilege.” Run lsof on this PID and include the output below.
# lsof -p YOUR_SSH_PID
3.5: What are the types of files found in the listing directly above as specified by the TYPE column in
lsof's output? What is the meaning of the types that you did not describe above for bash?
3.6: Using the lsof output for ssh, identify the client machine connecting to your VM via ssh. Include
both the network identifier of the client and the line of output from lsof you used to find it.
4: /proc
The proc filesystem mounted at /proc is not a filesystem in the traditional sense—there is nothing in
this filesystem stored permanently on disk or elsewhere. Instead, the proc filesystem provides a view
into the current state of the kernel and the processes running on the machine. It follows the usual rules
of UNIX filesystems, including access control. As you might imagine, write access is forbidden to
users other than root in most cases. There are two types of files found under /proc. There are
directories with numeric names; these describe the process whose PID is the directory name. The other
directories have alphanumeric names and refer to aspects of kernel memory.
Before starting this section, exit your root shell from section 3.
4.1: Examine the process directories under /proc. How many of them are there? Don’t count by hand.
Pipe the output of your command to another command that will do the counting for you.
$ ls -d /proc/[0-9]*
4.2: Identify the PID of your bash process, then examine the contents of its directory. Include the
output of the command in the box below.
$ cd /proc/YOUR_BASH_PID
$ ls -l
4.3: What command line was used to start your bash?
$ cat cmdline; echo
4.4: What is the current working directory of bash?
$ ls -ld cwd
4.5: What executable file was used by exec() to start the bash process?
$ ls -ld exe
4.6: What is the current value of the LANG and LOGNAME environment variables in the bash
process? Note that while cat can show the output, it will appear all on one line. The tr(anslate)
command can convert the NULL byte separators to newlines, allowing you to see one variable per line.
$ cat environ
$ tr ‘\0’‘\n’<environ
4.7: The bash process was under our direct control, so we already knew the answers to the questions
above. Let's examine a different process about which we know little at the moment. Start the Apache
server and find one of its PIDs, then examine the contents of its directory. Using what you learned
above, list the command line, current working directory, and executable file used by this process.
# service apache2 start
# ps auxw | grep apache
# cd /proc/PID
4.8: The fd subdirectory of each process's directory contains symbolic links to all of the files that are
currently open in that process. The names of the links are small integers, which are the file descriptors
open in the process. We have used these numbers in the past when doing I/O redirection, e.g.
2>/dev/null to get rid of STDERR output is a common example.
What files are currently in use by Apache? Do not include pipe or device files in your list.
# cd fd
# ls -l
4.9: One or more of the files appears to be a log file. Using the tail command, list the last few entries
of the log file below.
# tail LOGFILE
Stop the Apache web server process after finishing the questions in this section.
# service apache2 stop
5: Submitting the Lab
Bring a printed copy of the lab at the beginning of the class period after the class in which you begin
this lab. Online students will submit the lab via the Blackboard LMS.