在主机入侵检测系统里,建立系统服务基线和检测系统服务进程行为,是检测恶意服务和恶意进程的关键。
只在使用systemd的Linux系统使用
建立系统服务基线
系统服务基线的建立,需要做的事情有如下几样:
-
获取所有安装的系统服务 -
获取当前系统运行级别 -
获取当前系统运行级别默认启动的服务
在主机入侵检测系统里,也可以通过system, popen, fork/execv之类的函数调用如下命令实现上面目的
systemctl list-unit-files --type=service #获取所有安装的服务
systemctl get-default #获取当前系统运行级别
systemctl list-unit-files --type=service| grep enabled #获取所有默认启动的服务,不只是当前运行级别
调用命令却有如下风险:
-
调用命令的隐患:任何一个命令在启动时,都要加载一大堆依赖的so,如果某些so不存在,命令是执行不了。如果命令执行完之后出现异常,成为僵尸进程,就会消耗大量系统句柄,导致后面一些业务进程无法启动。 -
错误的处理:由于是调用命令,命令获取数据是否异常,无法得知,对这种错误无法处理,也会导致有大量无效数据。
按照Unix哲学”一切皆文件“,上面目的完全可以通过opendir/readdir/closedir, open/read/close, readlink/realpath之类的API来实现。
-
获取所有安装的系统: systemd获取所有安装的系统服务,是按顺序遍历service文件。
/etc/systemd/system
/run/systemd/system
/usr/local/lib/systemd/system
/usr/lib/systemd/system
列举一下这些目录的内容:
[root@bogon-agent ~]# ls /etc/systemd/system/*.service
/etc/systemd/system/dbus-org.freedesktop.nm-dispatcher.service /etc/systemd/system/display-manager.service /etc/systemd/system/kibana.service /etc/systemd/system/wazuh-agent.service
[root@bogon-agent ~]# ls /run/systemd/system/*.service
ls: cannot access /run/systemd/system/*.service: No such file or directory
[root@bogon-agent ~]# ls /usr/local/lib/systemd/system/*.service
ls: cannot access /usr/local/lib/systemd/system/*.service: No such file or directory
[root@bogon-agent ~]# ls /usr/lib/systemd/system/*.service
/usr/lib/systemd/system/abrt-ccpp.service /usr/lib/systemd/system/ipsec.service /usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/abrtd.service /usr/lib/systemd/system/irqbalance.service /usr/lib/systemd/system/systemd-binfmt.service
/usr/lib/systemd/system/abrt-oops.service /usr/lib/systemd/system/kdump.service /usr/lib/systemd/system/systemd-bootchart.service
/usr/lib/systemd/system/abrt-pstoreoops.service /usr/lib/systemd/system/kmod-static-nodes.service /usr/lib/systemd/system/systemd-firstboot.service
/usr/lib/systemd/system/abrt-vmcore.service /usr/lib/systemd/system/lightdm.service /usr/lib/systemd/system/systemd-fsck-root.service
/usr/lib/systemd/system/abrt-xorg.service /usr/lib/systemd/system/lvm2-lvmetad.service /usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/accounts-daemon.service /usr/lib/systemd/system/lvm2-lvmpolld.service /usr/lib/systemd/system/systemd-halt.service
/usr/lib/systemd/system/alsa-restore.service /usr/lib/systemd/system/lvm2-monitor.service /usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/alsa-state.service /usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/systemd-hibernate.service
/usr/lib/systemd/system/arp-ethers.service /usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/systemd-hostnamed.service
/usr/lib/systemd/system/atd.service /usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/systemd-hwdb-update.service
/usr/lib/systemd/system/auditd.service /usr/lib/systemd/system/mdcheck_continue.service /usr/lib/systemd/system/systemd-hybrid-sleep.service
/usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/mdcheck_start.service /usr/lib/systemd/system/systemd-importd.service
/usr/lib/systemd/system/blk-availability.service /usr/lib/systemd/system/mdmonitor-oneshot.service /usr/lib/systemd/system/systemd-initctl.service
/usr/lib/systemd/system/brandbot.service /usr/lib/systemd/system/mdmonitor.service /usr/lib/systemd/system/systemd-journal-catalog-update.service
/usr/lib/systemd/system/canberra-system-bootup.service /usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/systemd-journald.service
/usr/lib/systemd/system/canberra-system-shutdown-reboot.service /usr/lib/systemd/system/messagebus.service /usr/lib/systemd/system/systemd-journal-flush.service
/usr/lib/systemd/system/canberra-system-shutdown.service /usr/lib/systemd/system/microcode.service /usr/lib/systemd/system/systemd-kexec.service
/usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/mongod.service /usr/lib/systemd/system/systemd-localed.service
/usr/lib/systemd/system/chronyd.service /usr/lib/systemd/system/multipathd.service /usr/lib/systemd/system/systemd-logind.service
/usr/lib/systemd/system/chrony-wait.service /usr/lib/systemd/system/NetworkManager-dispatcher.service /usr/lib/systemd/system/systemd-machined.service
/usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/NetworkManager.service /usr/lib/systemd/system/systemd-machine-id-commit.service
/usr/lib/systemd/system/console-getty.service /usr/lib/systemd/system/NetworkManager-wait-online.service /usr/lib/systemd/system/systemd-modules-load.service
/usr/lib/systemd/system/console-shell.service /usr/lib/systemd/system/nginx.service /usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/containerd.service /usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/systemd-poweroff.service
/usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/systemd-quotacheck.service
/usr/lib/systemd/system/cpupower.service /usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/systemd-random-seed.service
/usr/lib/systemd/system/crond.service /usr/lib/systemd/system/plymouth-halt.service /usr/lib/systemd/system/systemd-readahead-collect.service
/usr/lib/systemd/system/dbus-org.freedesktop.hostname1.service /usr/lib/systemd/system/plymouth-kexec.service /usr/lib/systemd/system/systemd-readahead-done.service
/usr/lib/systemd/system/dbus-org.freedesktop.import1.service /usr/lib/systemd/system/plymouth-poweroff.service /usr/lib/systemd/system/systemd-readahead-drop.service
/usr/lib/systemd/system/dbus-org.freedesktop.locale1.service /usr/lib/systemd/system/plymouth-quit.service /usr/lib/systemd/system/systemd-readahead-replay.service
/usr/lib/systemd/system/dbus-org.freedesktop.login1.service /usr/lib/systemd/system/plymouth-quit-wait.service /usr/lib/systemd/system/systemd-reboot.service
/usr/lib/systemd/system/dbus-org.freedesktop.machine1.service /usr/lib/systemd/system/plymouth-read-write.service /usr/lib/systemd/system/systemd-remount-fs.service
/usr/lib/systemd/system/dbus-org.freedesktop.timedate1.service /usr/lib/systemd/system/plymouth-reboot.service /usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/dbus.service /usr/lib/systemd/system/plymouth-start.service /usr/lib/systemd/system/systemd-shutdownd.service
/usr/lib/systemd/system/debug-shell.service /usr/lib/systemd/system/plymouth-switch-root.service /usr/lib/systemd/system/systemd-suspend.service
/usr/lib/systemd/system/dm-event.service /usr/lib/systemd/system/polkit.service /usr/lib/systemd/system/systemd-sysctl.service
/usr/lib/systemd/system/docker.service /usr/lib/systemd/system/postfix.service /usr/lib/systemd/system/systemd-timedated.service
/usr/lib/systemd/system/dracut-cmdline.service /usr/lib/systemd/system/quotaon.service /usr/lib/systemd/system/systemd-tmpfiles-clean.service
/usr/lib/systemd/system/dracut-initqueue.service /usr/lib/systemd/system/rc-local.service /usr/lib/systemd/system/systemd-tmpfiles-setup-dev.service
/usr/lib/systemd/system/dracut-mount.service /usr/lib/systemd/system/rdisc.service /usr/lib/systemd/system/systemd-tmpfiles-setup.service
/usr/lib/systemd/system/dracut-pre-mount.service /usr/lib/systemd/system/redis-sentinel.service /usr/lib/systemd/system/systemd-udevd.service
/usr/lib/systemd/system/dracut-pre-pivot.service /usr/lib/systemd/system/redis.service /usr/lib/systemd/system/systemd-udev-settle.service
/usr/lib/systemd/system/dracut-pre-trigger.service /usr/lib/systemd/system/rescue.service /usr/lib/systemd/system/systemd-udev-trigger.service
/usr/lib/systemd/system/dracut-pre-udev.service /usr/lib/systemd/system/rhel-autorelabel-mark.service /usr/lib/systemd/system/systemd-update-done.service
/usr/lib/systemd/system/dracut-shutdown.service /usr/lib/systemd/system/rhel-autorelabel.service /usr/lib/systemd/system/systemd-update-utmp-runlevel.service
/usr/lib/systemd/system/ebtables.service /usr/lib/systemd/system/rhel-configure.service /usr/lib/systemd/system/systemd-update-utmp.service
/usr/lib/systemd/system/elasticsearch.service /usr/lib/systemd/system/rhel-dmesg.service /usr/lib/systemd/system/systemd-user-sessions.service
/usr/lib/systemd/system/emergency.service /usr/lib/systemd/system/rhel-domainname.service /usr/lib/systemd/system/systemd-vconsole-setup.service
/usr/lib/systemd/system/firewalld.service /usr/lib/systemd/system/rhel-import-state.service /usr/lib/systemd/system/tcsd.service
/usr/lib/systemd/system/flatpak-system-helper.service /usr/lib/systemd/system/rhel-loadmodules.service /usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/fstrim.service /usr/lib/systemd/system/rhel-readonly.service /usr/lib/systemd/system/trace-cmd.service
/usr/lib/systemd/system/geoclue.service /usr/lib/systemd/system/rsyslog.service /usr/lib/systemd/system/tuned.service
/usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/udisks2.service
/usr/lib/systemd/system/halt-local.service /usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/unbound-anchor.service
/usr/lib/systemd/system/initrd-cleanup.service /usr/lib/systemd/system/sshd-keygen.service /usr/lib/systemd/system/upower.service
/usr/lib/systemd/system/initrd-parse-etc.service /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/usbmuxd.service
/usr/lib/systemd/system/initrd-switch-root.service /usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/vgauthd.service
/usr/lib/systemd/system/initrd-udevadm-cleanup-db.service /usr/lib/systemd/system/svnserve.service /usr/lib/systemd/system/vmtoolsd.service
/usr/lib/systemd/system/iprdump.service /usr/lib/systemd/system/systemd-ask-password-console.service /usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/iprinit.service /usr/lib/systemd/system/systemd-ask-password-plymouth.service /usr/lib/systemd/system/wpa_supplicant.service
/usr/lib/systemd/system/iprupdate.service /usr/lib/systemd/system/systemd-ask-password-wall.service /usr/lib/systemd/system/xl2tpd.service
-
获取当前系统运行级别:
systemd是通过软链接获取真实的运行级别,优先级由上到下/etc/systemd/system/default.target
/run/systemd/system/default.target
/usr/local/lib/systemd/system/default.target
/usr/lib/systemd/system/default.target通过
systemctl获取当前系统级别[root@bogon-agent ~]# systemctl get-default
multi-user.target通过软链接获取当前系统级别,可见结果是相符的,而且优先级确实如上所述
[root@bogon-agent ~]# ls -l /etc/systemd/system/default.target
lrwxrwxrwx. 1 root root 41 Mar 31 2020 /etc/systemd/system/default.target -> /usr/lib/systemd/system/multi-user.target
[root@bogon-agent ~]# ls -l /usr/lib/systemd/system/default.target
lrwxrwxrwx. 1 root root 16 Nov 27 17:11 /usr/lib/systemd/system/default.target -> graphical.target -
获取当前系统运行级别默认启动的服务:采用下面步骤,可以获取精确的结果
root@bogon-agent ~]# cat /etc/systemd/system/default.target
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description=Multi-User System
Documentation=man:systemd.special(7)
Requires=basic.target
Conflicts=rescue.service rescue.target
After=basic.target rescue.service rescue.target
AllowIsolate=yes -
获取实际
target文件对应的target.wants目录,如目前是multi-user.target,那么相应目录是multi-user.target.wants。这些目录里软链接指向的service文件,就是默认启动的系统服务。root@bogon-agent ~]# ls -l /etc/systemd/system/multi-user.target.wants/
total 0
lrwxrwxrwx. 1 root root 41 Sep 30 2019 abrt-ccpp.service -> /usr/lib/systemd/system/abrt-ccpp.service
lrwxrwxrwx. 1 root root 43 Sep 30 2019 abrt-vmcore.service -> /usr/lib/systemd/system/abrt-vmcore.service
lrwxrwxrwx. 1 root root 38 Feb 3 17:46 docker.service -> /usr/lib/systemd/system/docker.service
lrwxrwxrwx. 1 root root 42 Sep 30 2019 irqbalance.service -> /usr/lib/systemd/system/irqbalance.service
lrwxrwxrwx. 1 root root 37 Sep 30 2019 kdump.service -> /usr/lib/systemd/system/kdump.service
lrwxrwxrwx. 1 root root 41 Sep 30 2019 mdmonitor.service -> /usr/lib/systemd/system/mdmonitor.service
lrwxrwxrwx. 1 root root 46 Sep 30 2019 NetworkManager.service -> /usr/lib/systemd/system/NetworkManager.service
lrwxrwxrwx. 1 root root 39 Jun 17 2020 postfix.service -> /usr/lib/systemd/system/postfix.service
lrwxrwxrwx. 1 root root 40 Sep 30 2019 remote-fs.target -> /usr/lib/systemd/system/remote-fs.target
lrwxrwxrwx. 1 root root 46 Sep 30 2019 rhel-configure.service -> /usr/lib/systemd/system/rhel-configure.service
lrwxrwxrwx. 1 root root 39 Sep 30 2019 rsyslog.service -> /usr/lib/systemd/system/rsyslog.service
lrwxrwxrwx. 1 root root 36 Sep 30 2019 sshd.service -> /usr/lib/systemd/system/sshd.service
lrwxrwxrwx. 1 root root 37 Sep 30 2019 tuned.service -> /usr/lib/systemd/system/tuned.service
lrwxrwxrwx. 1 root root 40 Sep 30 2019 vmtoolsd.service -> /usr/lib/systemd/system/vmtoolsd.service
lrwxrwxrwx. 1 root root 39 Apr 22 2020 wazuh-agent.service -> /etc/systemd/system/wazuh-agent.service
[root@bogon-agent ~]# ls -l /usr/lib/systemd/system/multi-user.target.wants/
total 0
lrwxrwxrwx. 1 root root 15 Nov 27 17:11 dbus.service -> ../dbus.service
lrwxrwxrwx. 1 root root 15 Nov 27 17:11 getty.target -> ../getty.target
lrwxrwxrwx. 1 root root 24 Nov 27 17:11 plymouth-quit.service -> ../plymouth-quit.service
lrwxrwxrwx. 1 root root 29 Nov 27 17:11 plymouth-quit-wait.service -> ../plymouth-quit-wait.service
lrwxrwxrwx. 1 root root 33 Nov 27 17:11 systemd-ask-password-wall.path -> ../systemd-ask-password-wall.path
lrwxrwxrwx. 1 root root 25 Nov 27 17:11 systemd-logind.service -> ../systemd-logind.service
lrwxrwxrwx. 1 root root 39 Nov 27 17:11 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
lrwxrwxrwx. 1 root root 32 Nov 27 17:11 systemd-user-sessions.service -> ../systemd-user-sessions.service -
根据
target文件内容,找出它所依赖的其它target,不断重复第1,2步,直到获取所有的service文件(看Requires和Wants字段)
检测系统服务进程行为
在建立服务基线后,就需要获取服务的动态情况,就是要看有多少服务在运行,每个服务下面有多少进程在运行。而且获取动作要定时执行,和上一次结果进行比对,从而发现异常。
在主机入侵检测系统,可以通过调用命令方式来获取:
-
获取所有运行的服务
systemctl list-units --type=service --state=running
-
对每个运行的服务获取它的进程
systemctl status <service name>
调用命令的风险,上面已经讲过了,还是按照Linux哲学的方式来做,使用opendir/readdir/closedir, open/read/close, readlink/realpath的API读取文件吧。
读取文件有两种实现方式。一种是从sys文件系统,一种是从proc文件系统。
sys文件系统
Sysfs是Linux内核提供的伪文件系统,它通过虚拟文件将有关各种内核子系统、硬件设备和相关设备驱动程序的信息从内核的设备模型导出到用户空间。由于systemd是基于Linux cgroup实现,所以,systemd维护服务的动态信息的目录是在/sys/fs/cgroup/systemd,可以看到这个目录下的内容如下:
root@bogon-agent ~]# ls -l /sys/fs/cgroup/systemd
total 0
-rw-r--r--. 1 root root 0 Feb 2 18:44 cgroup.clone_children
--w--w--w-. 1 root root 0 Feb 2 18:44 cgroup.event_control
-rw-r--r--. 1 root root 0 Feb 2 18:44 cgroup.procs
-r--r--r--. 1 root root 0 Feb 2 18:44 cgroup.sane_behavior
-rw-r--r--. 1 root root 0 Feb 2 18:44 notify_on_release
-rw-r--r--. 1 root root 0 Feb 2 18:44 release_agent
drwxr-xr-x. 59 root root 0 Feb 4 15:30 system.slice
-rw-r--r--. 1 root root 0 Feb 2 18:44 tasks
drwxr-xr-x. 3 root root 0 Feb 2 18:44 user.slice
由于系统服务是在system.slice,看一下这个目录下的内容
[root@bogon-agent ~]# ls -l /sys/fs/cgroup/systemd/system.slice/
total 0
drwxr-xr-x. 2 root root 0 Feb 2 18:44 alsa-state.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 blk-availability.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 boot.mount
-rw-r--r--. 1 root root 0 Feb 2 18:44 cgroup.clone_children
--w--w--w-. 1 root root 0 Feb 2 18:44 cgroup.event_control
-rw-r--r--. 1 root root 0 Feb 2 18:44 cgroup.procs
drwxr-xr-x. 2 root root 0 Feb 2 18:44 dbus.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 dev-centos-swap.swap
drwxr-xr-x. 2 root root 0 Feb 2 18:44 dev-disk-byx2did-dmx2dnamex2dcentosx2dswap.swap
drwxr-xr-x. 2 root root 0 Feb 2 18:44 dev-disk-byx2did-dmx2duuidx2dLVMx2d7W0pngW1aS8qk9Uh0L0z8kX9DoBeSXwfhbjy4N5JP27EhAIvcYCEBxlME9FauIOj.swap
drwxr-xr-x. 2 root root 0 Feb 2 18:44 dev-disk-byx2duuid-7ac36476x2d90a8x2d40e8x2d9fb2x2d89d975f0ad75.swap
drwxr-xr-x. 2 root root 0 Feb 2 18:44 dev-dmx2d1.swap
drwxr-xr-x. 2 root root 0 Feb 2 18:44 dev-hugepages.mount
drwxr-xr-x. 2 root root 0 Feb 2 18:44 dev-mapper-centosx2dswap.swap
drwxr-xr-x. 2 root root 0 Feb 2 18:44 dev-mqueue.mount
drwxr-xr-x. 2 root root 0 Feb 2 18:44 irqbalance.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 kdump.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 kmod-static-nodes.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 lvm2-lvmetad.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 lvm2-monitor.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 mnt-hgfs.mount
drwxr-xr-x. 2 root root 0 Feb 2 18:44 -.mount
drwxr-xr-x. 2 root root 0 Feb 2 18:44 NetworkManager.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 NetworkManager-wait-online.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 network.service
-rw-r--r--. 1 root root 0 Feb 2 18:44 notify_on_release
drwxr-xr-x. 2 root root 0 Feb 2 18:44 polkit.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 postfix.service
drwxr-xr-x. 2 root root 0 Feb 4 10:56 proc-sys-fs-binfmt_misc.mount
drwxr-xr-x. 2 root root 0 Feb 2 18:44 rhel-dmesg.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 rhel-domainname.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 rhel-import-state.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 rhel-readonly.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 rsyslog.service
drwxr-xr-x. 2 root root 0 Feb 2 18:55 run-user-1000.mount
drwxr-xr-x. 2 root root 0 Feb 2 18:44 sshd.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 sys-fs-fuse-connections.mount
drwxr-xr-x. 2 root root 0 Feb 2 18:44 sys-kernel-config.mount
drwxr-xr-x. 2 root root 0 Feb 2 18:44 sys-kernel-debug.mount
drwxr-xr-x. 2 root root 0 Feb 2 18:44 systemd-journald.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 systemd-journal-flush.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 systemd-logind.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 systemd-modules-load.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 systemd-random-seed.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 systemd-remount-fs.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 systemd-sysctl.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 systemd-tmpfiles-setup-dev.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 systemd-tmpfiles-setup.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 systemd-udevd.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 systemd-udev-trigger.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 systemd-update-utmp.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 systemd-user-sessions.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 systemd-vconsole-setup.service
drwxr-xr-x. 3 root root 0 Feb 2 18:44 system-getty.slice
drwxr-xr-x. 2 root root 0 Feb 2 18:44 system-lvm2x2dpvscan.slice
drwxr-xr-x. 2 root root 0 Feb 2 18:44 system-selinuxx2dpolicyx2dmigratex2dlocalx2dchanges.slice
-rw-r--r--. 1 root root 0 Feb 2 18:44 tasks
drwxr-xr-x. 2 root root 0 Feb 2 18:44 tuned.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 vgauthd.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 vmtoolsd.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 vmware-tools.service
drwxr-xr-x. 2 root root 0 Feb 2 18:44 wazuh-agent.service
拿最后wazuh-agent.service来看
[root@bogon-agent ~]# ls -l /sys/fs/cgroup/systemd/system.slice/wazuh-agent.service/
total 0
-rw-r--r--. 1 root root 0 Feb 2 18:44 cgroup.clone_children
--w--w--w-. 1 root root 0 Feb 2 18:44 cgroup.event_control
-rw-r--r--. 1 root root 0 Feb 2 18:44 cgroup.procs
-rw-r--r--. 1 root root 0 Feb 2 18:44 notify_on_release
-rw-r--r--. 1 root root 0 Feb 2 18:44 tasks
其中cgroup.procs文件就是存着该服务启动的进程ID
[root@bogon-agent ~]# cat /sys/fs/cgroup/systemd/system.slice/wazuh-agent.service/cgroup.procs
1788
1850
1915
2143
2230
对照一下命令的输出
[root@bogon-agent ~]# systemctl status wazuh-agent.service
● wazuh-agent.service - Wazuh agent
Loaded: loaded (/etc/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-02-02 18:44:22 CST; 1 day 21h ago
Tasks: 26
Memory: 2.2M
CGroup: /system.slice/wazuh-agent.service
├─1788 /var/ossec/bin/ossec-execd
├─1850 /var/ossec/bin/ossec-agentd
├─1915 /var/ossec/bin/ossec-syscheckd
├─2143 /var/ossec/bin/ossec-logcollector
└─2230 /var/ossec/bin/wazuh-modulesd
可以看到是相符的。
但并不是在/sys/fs/cgroup/systemd/system.slice/的服务都是运行的,比如systemd-vconsole-setup.service
[root@bogon-agent ~]# systemctl status systemd-vconsole-setup.service
● systemd-vconsole-setup.service - Setup Virtual Console
Loaded: loaded (/usr/lib/systemd/system/systemd-vconsole-setup.service; static; vendor preset: disabled)
Active: active (exited) since Tue 2021-02-02 18:44:06 CST; 1 day 21h ago
Docs: man:systemd-vconsole-setup.service(8)
man:vconsole.conf(5)
Main PID: 107 (code=exited, status=0/SUCCESS)
Tasks: 0
Memory: 0B
CGroup: /system.slice/systemd-vconsole-setup.service
再通过看一下/sys/fs/cgroup/systemd/system.slice/systemd-vconsole-setup.service/cgroup.procs
[root@bogon-agent ~]# cat /sys/fs/cgroup/systemd/system.slice/systemd-vconsole-setup.service/cgroup.procs
[root@bogon-agent ~]#
可见,通过读sysfs的方法是很精准的。不过,这个方法需要定时扫描,来确认每个服务里的进程是否有所变动,会面临到频次的问题:频次太高影响系统性能,太低可能进程变动捕获不了。
proc文件系统
又到proc文件系统这个老相好了。由于systemd是基于cgroup,就看一下每个进程的cgroup文件。
像
[root@bogon-agent ~]# systemctl status wazuh-agent.service
● wazuh-agent.service - Wazuh agent
Loaded: loaded (/etc/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-02-02 18:44:22 CST; 1 day 21h ago
Tasks: 26
Memory: 2.2M
CGroup: /system.slice/wazuh-agent.service
├─1788 /var/ossec/bin/ossec-execd
├─1850 /var/ossec/bin/ossec-agentd
├─1915 /var/ossec/bin/ossec-syscheckd
├─2143 /var/ossec/bin/ossec-logcollector
└─2230 /var/ossec/bin/wazuh-modulesd
看一下2230和2143的cgroup文件
[root@bogon-agent ~]# cat /proc/2230/cgroup
11:freezer:/
10:cpuset:/
9:pids:/system.slice/wazuh-agent.service
8:cpuacct,cpu:/system.slice/wazuh-agent.service
7:memory:/system.slice/wazuh-agent.service
6:blkio:/system.slice/wazuh-agent.service
5:hugetlb:/
4:perf_event:/
3:net_prio,net_cls:/
2:devices:/system.slice/wazuh-agent.service
1:name=systemd:/system.slice/wazuh-agent.service
[root@bogon-agent ~]# cat /proc/2143/cgroup
11:freezer:/
10:cpuset:/
9:pids:/system.slice/wazuh-agent.service
8:cpuacct,cpu:/system.slice/wazuh-agent.service
7:memory:/system.slice/wazuh-agent.service
6:blkio:/system.slice/wazuh-agent.service
5:hugetlb:/
4:perf_event:/
3:net_prio,net_cls:/
2:devices:/system.slice/wazuh-agent.service
1:name=systemd:/system.slice/wazuh-agent.service
可以看到是属于wazuh-agent.service。
再看一个
[root@bogon-agent ~]# cat /proc/1434/cgroup
11:freezer:/
10:cpuset:/
9:pids:/system.slice/vmware-tools.service
8:cpuacct,cpu:/system.slice/vmware-tools.service
7:memory:/system.slice/vmware-tools.service
6:blkio:/system.slice/vmware-tools.service
5:hugetlb:/
4:perf_event:/
3:net_prio,net_cls:/
2:devices:/system.slice/vmware-tools.service
1:name=systemd:/system.slice/vmware-tools.service
可以看到是属于vmware-tools.service
用proc文件系统这个方法,也是非常精准,而且,它还可以和进程实时监控一起,实时监控服务的状态和服务里进程的变动,一有异动,可以实时告警。
暗号:nov-29
原文始发于微信公众号(debugeeker):最后防线:Linux系统服务检测
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论