I was working with htop just now, adjusting the UI to my needs, etc. Very neat tool; it shows you a list of processes and kthreads (kernel threads).
This is more of a monitoring scenario. I don't know if it's worth doing, or if it will have any benefits in the long run. My idea was that I would have a list of known processes / kthreads under my home directory, and if a new process / kthread appears (we will know it's new by comparing against what's in the list under the home dir), it will push a notification onto your screen. So you can run
notify-send "unknown process started: BAD_PROCESS.sh"
So we can push a notification, but how can we trigger this notification? I used the AI tool ChatGPT to get some answers:
- one suggestion is to run periodic checks, for example a bash script every minute - I would like to avoid time-based solutions if this needs to detect 24/7
- I asked if periodic checks can be avoided; the answer was
You can use PathChanged to monitor changes in a specific directory where kernel threads are created (e.g., /proc directory).
This refers to a systemd service. Is the second scenario with systemd a good idea to implement, or are there alternatives to accomplish something similar?
I guess this will not protect you from the actual harm if you download a malicious package; it's more of a piece of information for the user that something is happening, if it's not expected.
On the other hand, what if the package runs malicious Python code? It will use a python process, which is in the known processes list... so perhaps that defeats the purpose of doing this.
Last edited by dab9966 (2024-11-29 21:02:17)
dab9966 wrote: My idea was that I would have a list of known processes / kthreads under my home directory
Processes/threads aren't run under directories. A process's node in /proc has a symlink to the pathname its initial image was loaded from (/proc/<pid>/exe). Kthreads run in kernel space and have no corresponding userspace executable.
dab9966 wrote: and if a new process / kthread appears, it will push a notification onto your screen.
What problem would it solve?
dab9966 wrote: You can use PathChanged to monitor changes in a specific directory where kernel threads are created (e.g., /proc directory).
This refers to a systemd service. Is the second scenario with systemd a good idea to implement, or are there alternatives to accomplish something similar?
procfs is a pseudo-filesystem; inotify won't work with it.
From systemd.path(5):
Internally, path units use the inotify(7) API to monitor file systems. Due to that, it suffers by the same limitations as inotify
From inotify(7):
various pseudo-filesystems such as /proc, /sys, and /dev/pts are not monitorable with inotify.
dab9966 wrote: I guess this will not protect you from the actual harm if you download a malicious package; it's more of a piece of information for the user that something is happening, if it's not expected.
On the other hand, what if the package runs malicious Python code? It will use a python process, which is in the known processes list... so perhaps that defeats the purpose of doing this.
Are you looking for something like Audit framework or AppArmor?
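Since inotify cannot watch /proc, the only userspace-only route to the OP's notify-send idea is the periodic check. Added example, not code from the thread: it snapshots /proc/<pid>/exe (kernel threads have no exe link and are skipped, as explained above), compares against an allowlist, and demonstrates the comparison on a constructed /proc-like tree; the allowlist path ~/.known_processes is an assumption.

```python
"""Periodic /proc check against an allowlist of executables.  Added example,
not code from the thread; the allowlist path is an assumption and the
/proc-like tree built by demo() is constructed sample data."""
import os
import shutil
import subprocess
import tempfile

ALLOWLIST = os.path.expanduser("~/.known_processes")  # assumed: one path per line

def snapshot(proc_root="/proc"):
    """Map pid -> executable path, or None when /proc/<pid>/exe is unreadable:
    kernel threads have no userspace image (ENOENT), others' processes need privileges."""
    procs = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip self, meminfo, sys, ...
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            exe = None
        # A binary replaced on disk (e.g. by an upgrade) reads as "/usr/bin/foo (deleted)"
        procs[int(entry)] = exe.removesuffix(" (deleted)") if exe else None
    return procs

def find_unknown(procs, known):
    """pid -> exe for userspace processes whose image is not allowlisted; kernel
    threads (exe None) are skipped.  Limit raised in the thread: a malicious
    script run by an allowlisted interpreter such as /usr/bin/python3 passes."""
    return {pid: exe for pid, exe in procs.items()
            if exe is not None and exe not in known}

def demo():
    """Run the check over a constructed /proc-like tree; returns the unknowns."""
    root = tempfile.mkdtemp()
    try:
        for pid, exe in {1: "/usr/bin/bash", 2: None,   # pid 2: kthread, no exe
                         3: "/tmp/BAD_PROCESS.sh", 4: "/usr/bin/bash (deleted)"}.items():
            os.mkdir(os.path.join(root, str(pid)))
            if exe:
                os.symlink(exe, os.path.join(root, str(pid), "exe"))
        return find_unknown(snapshot(root), {"/usr/bin/bash"})
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    known = set(open(ALLOWLIST).read().split())
    for pid, exe in find_unknown(snapshot(), known).items():
        subprocess.run(["notify-send", f"unknown process started: {exe} (pid {pid})"])
```

Run it from a systemd timer or cron for the minute-granularity check; processes of other users need root to resolve their exe link.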
Hello, sorry for the late response. The general idea was inspired by https://github.com/evilsocket/opensnitch, which is based on network alerting, but for process alerts. As you have pointed out, AppArmor should be more than sufficient for controlling your environment. I am marking this as solved.