
Re: [Tiger-devel] [RFC] check_finddeleted


From: Nicolas François
Subject: Re: [Tiger-devel] [RFC] check_finddeleted
Date: Fri, 30 Jan 2004 00:20:01 +0100
User-agent: Mutt/1.5.5.1+cvs20040105i

Hello all,

sorry for my late response.

I finally submitted a task:
https://savannah.nongnu.org/task/?func=detailitem&item_id=3073
(I'm the anonymous submitter. I don't know what happened, I thought I
was logged in)

A real tiger script is now available.

> > A - servers using a deleted file are more critical
[...]
> >   Those classes would be reported as:
> >     * FAIL the process "name" (pid,user,group?) of the server "name" (pid,user,group?) is using a deleted file.
> >     * WARN the process "name" (pid,user,group?) is using a deleted file.
> >   Should we report the group?
> 
> group as in process id group?

That's what I implemented, but it's probably not what I really wanted.
group, as in /etc/group, combined with user will show the
permissions of the process.

> > B - Which name of process to report
> >   Actually, depending on the class, either the 8 letters truncated
> >   command name from lsof is reported, or the executable name with
> >   arguments (from ps -o cmd).
> 
> This is not completely portable either :( This fails on HP-UX.
> 
>       $ ps -o cmd
>       ps: illegal option -- o
>       usage: ps [-edaflP] [-u ulist] [-g glist] [-p plist] [-t tlist] [-R prmgroup]
> 
> I can get this to work by the following:
> 
>       $ export UNIX95=1
>       $ ps -o args
> 
> but the output is truncated to a certain length.  The only way I know of
> to get the full command length is only available in HP-UX 11.11 where
> they added a -x option to the ps command.

My current implementation only uses the non-truncated command provided
by lsof (all characters from proc or user structure, according to the
man page).

> As a different side note ... the command-line can be changed, so ps is not
> the best way to get the process name. There are several programs that
> I know of that do this ... sshd, postgres, etc.
> 
>       $ ps -e -o cmd | grep sshd
>       /usr/sbin/sshd
>       sshd: rbrad [priv]
>       sshd: address@hidden/4
>       grep sshd
> 
>       $ ps -e -o cmd | grep postgres:
>       postgres: stats buffer process
>       postgres: stats collector process
>       postgres: rbrad vsm [local] idle
>       grep postgres:
> 
> Not sure if this matters ... but wanted to let you know there might be
> problems on other operating systems and with some programs.

Thanks for the feedback.

This issue is also mentioned here:
  http://www.hackinglinuxexposed.com/articles/20020521.html
I will later test if it's possible to make a script that compares ps
output and executable names (and perhaps other info). I was aware that
such a check could produce a lot of false positives (scripts). There are
apparently even more.

> >   Is a pure shell code preferable?
> 
> It makes it easier to port and is more in line with the tiger philosophy,
> but honestly doesn't matter to me.

I will try to convert my script. It should be OK.

> There is 1 bug in the tools you should be aware of (I sent a private
> email to Javi with this info already) but the new task link does not
> work.  Use this link to add a new task:
> 
>       https://savannah.nongnu.org/task/?group=tiger&func=additem

It's probably fixed now. The "Submit a Task" link points to
        https://savannah.nongnu.org/task/?func=additem&group=tiger

Regards,
-- 
Nekral
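
The FAIL/WARN classification discussed in this message, as an added example in pure shell and awk; it is not the tiger check_finddeleted script and not code from this thread. It assumes Linux lsof (which appends " (deleted)" to the name of an unlinked file), treats any process holding a listening TCP socket as a "server", and reports the process group id as the group; the function names and the sample data are constructed.

```shell
#!/bin/sh
# Input: `lsof -n -P -F pgcLfnT` field output, one field per line:
#   p=PID g=PGID c=command L=login f=fd n=name T=TCP info (TST=LISTEN)
# Assumptions: Linux lsof appends " (deleted)" to unlinked file names;
# a "server" is any process holding a listening TCP socket.
classify_deleted() {
    awk '
    function report() {
        if (pid == "" || ndel == 0) return
        printf "%s the process \"%s\" (%s,%s,%s) is using a deleted file: %s\n",
               (listening ? "FAIL" : "WARN"), cmd, pid, user, pgid, first
    }
    # A "p" line opens a new process set: report the previous one, then reset.
    /^p/ { report(); pid = substr($0, 2); cmd = user = pgid = first = ""
           ndel = 0; listening = 0; next }
    /^g/ { pgid = substr($0, 2); next }
    /^c/ { cmd  = substr($0, 2); next }
    /^L/ { user = substr($0, 2); next }
    /^TST=LISTEN$/ { listening = 1; next }
    /^n.* \(deleted\)$/ {            # keep the first deleted path per process
        ndel++
        if (first == "") { first = substr($0, 2); sub(/ \(deleted\)$/, "", first) }
        next
    }
    END { report() }
    '
}

# Constructed sample input (not captured from a real host), one process per row.
sample_lsof() {
    printf '%s\n' \
        p812  g812  cexampled Lroot  f3 'n/usr/lib/libexample.so.1 (deleted)' f4 'n*:8080' TST=LISTEN \
        p1407 g1400 cvi       Lalice f4 'n/tmp/.notes.swp (deleted)' \
        p2001 g2001 ccron     Lroot  f1 'n/var/log/cron.log'
}

sample_lsof | classify_deleted
# Live use (needs lsof; run as root to see every process):
#   lsof -n -P -F pgcLfnT 2>/dev/null | classify_deleted
```

A file whose real name ends in " (deleted)" is reported as well, so a hit is a lead to check rather than proof.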



