It is essential to identify the network services running on a UNIX host as part of any review. To do this, the reviewer needs to understand the relationship between active network services and local services running on the host, and be able to identify the network behavior that results from this interaction. There are a number of tools, available for any UNIX system, that the reviewer needs to be familiar with.
Netstat
Netstat lists all active connections as well as the ports where processes are listening for connections. The command "netstat -p -a --inet" (or the equivalent on other UNIX variants) prints a listing of this information. Not all UNIX versions support the "-p" option for netstat; in that case other tools may be used.
Lsof
The "lsof" command allows the reviewer to list all open files, where "An open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, or a stream or network file".
LSOF is available from ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/lsof.tar.gz
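The following is an added example, not part of the original article: it turns netstat output into a per-listener inventory (protocol, port, bind scope, owning PID and program) and singles out the listeners whose owner netstat could not show, which are the ones to resolve with lsof. The helper names and the sample output are constructed for illustration, and the sample assumes "-n" was added to the command above so that addresses are numeric.

```shell
#!/bin/sh
# Constructed sample (not real host data): the layout Linux net-tools prints
# for "netstat -p -a --inet" when -n (numeric addresses) is added.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1033/postgres
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -
tcp        0     36 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED 2290/sshd: admin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           644/dhclient
EOF
}

# list_listeners (hypothetical helper): read netstat output on stdin and print
# "proto port scope pid program" for each listening TCP / unconnected UDP socket.
list_listeners() {
  awk '
    { hit = 0 }
    $1 ~ /^tcp/ && $6 == "LISTEN" { hit = 1; owner = $7 }
    $1 ~ /^udp/ && $5 ~ /:\*$/    { hit = 1; owner = $6 }  # UDP: no State column
    hit {
      n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      scope = "specific"                      # bound to one named interface
      if (addr == "0.0.0.0" || addr == "::")  scope = "wildcard"
      else if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
      # "-" or a missing column: netstat could not show the owner
      # (not run as root, or no -p support on this UNIX).
      if (owner == "-" || owner == "") { pid = "?"; prog = "unknown" }
      else { split(owner, o, "/"); pid = o[1]; prog = o[2] }
      print $1, port, scope, pid, prog
    }
  '
}

# needs_followup (hypothetical helper): listeners whose owner is still unknown;
# these are the ports to resolve with lsof or a privileged netstat run.
needs_followup() {
  list_listeners | awk '$4 == "?" { print $1 "/" $2 }'
}

sample_netstat | list_listeners
echo "owner unknown: $(sample_netstat | needs_followup)"
```

On a live Linux host the input would come from "netstat -p -a -n --inet | list_listeners"; for a port reported as unknown, "lsof -i" run as root lists the process holding the socket.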
Ps
The "ps" command reports a snapshot of the current processes running on a UNIX host. Some examples from the "ps" man page of one UNIX system are listed below.
To see every process on the system using standard syntax:
- ps -e
- ps -ef
- ps -eF
- ps -ely
To see every process on the system using BSD syntax:
- ps ax
- ps axu
To print a process tree:
- ps -ejH
- ps axjf
To get info about threads:
- ps -eLf
- ps axms
To get security info:
- ps -eo euser,ruser,suser,fuser,f,comm,label
- ps axZ
- ps -eM
To see every process running as root (real & effective ID) in user format:
- ps -U root -u root u
To see every process with a user-defined format:
- ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm
- ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm
- ps -eopid,tt,user,fname,tmout,f,wchan
Print only the process IDs of syslogd:
- ps -C syslogd -o pid=
Print only the name of PID 42:
- ps -p 42 -o comm=
Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC and completed the GSE as well. He is a perpetual student with numerous postgraduate degrees, including an LLM specializing in international commercial law and ecommerce law and a Masters degree in mathematical statistics from Newcastle, and he is working on his 4th IT-focused Masters degree (Masters in System Development) from Charles Sturt University, where he lectures subjects in a Masters degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.