lfd_pl - split of /proc/pid/stat resulting in wrong uptime
Posted: 03 Apr 2013, 08:50
Hi,
I am getting false positives from lfd - for example:
Subject: lfd on host: Suspicious process running under user userxxx
Time: Wed Apr 3 06:48:46 2013 +0200
PID: 23607 (Parent PID:29421)
Account: userxxx
Uptime: 9147571 seconds
Executable: /usr/local/cpanel/3rdparty/perl/514/bin/perl
CAUSE
The Uptime used in calculations is parent (PID 1) uptime - due to splitting /proc/$pid/stat on space
AFFECTING
In best scenario I am getting false positive notifications
In worst scenario it can erroneously kill all children of init
younger than 1800 seconds just because their process name has space inside
for example (in /proc/$pid/stat)
(cpdavd - accept)
(spamd child)
SOLUTION
have the jiffies determining routine (in lfd_pl or wherever else in CSF/LFD)
to recognize \(.*?\) as single field in /proc/$pid/stat
EXAMPLES
Example with process having space in name (bad result)
# cat /proc/29421/stat
29421 (cpdavd - accept) S 1 29418 29366 0 -1 4202560 28433 473714 0 34 7 19 30696 1010 15 0 1 0 879101009 106086400 3883 268435456 4194304 4198540 140734904954112 18446744073709551615 239166349699 0 0 128 78337 0 0 0 17 0 0 0 3
# cat /proc/29421/stat |perl -nle '{@pstat = split(/\s/,$_); print "<$pstat[21]>"; }'
<1>
Example with process not having space in name (correct result)
# cat /proc/21825/stat
21825 (sh) S 21684 21662 17951 0 -1 4202496 316 0 0 0 0 0 0 0 21 0 1 0 779303346 65384448 235 18446744073709551615 4194304 4923308 140734670098944 18446744073709551615 239166321184 0 4 6 81921 18446744071562362030 0 0 17 2 0 0 0
cat /proc/21825/stat |perl -nle '{@pstat = split(/\s/,$_); print "<$pstat[21]>"; }'
<779303346>
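Added example (not lfd's own code, nor the poster's): a stat-line parser that treats everything between the first '(' and the LAST ')' as the comm field and only whitespace-splits the remainder, so starttime (field 22) lands at a fixed index whatever the process name contains. The clock-tick rate (100) and the uptime value are assumed; the two sample lines are the ones quoted above.

```perl
#!/usr/bin/perl
# Parse a /proc/<pid>/stat line without splitting the whole line on whitespace.
# comm is wrapped in parentheses and may contain spaces (or even ')'), so cut
# at the LAST ')' and split only the fixed numeric tail that follows it.
use strict;
use warnings;

sub parse_proc_stat {
    my ($line) = @_;
    chomp $line;
    my $open  = index($line, '(');
    my $close = rindex($line, ')');
    return undef if $open < 0 or $close < 0 or $close < $open;

    my $pid  = substr($line, 0, $open);
    $pid =~ s/\s+$//;
    my $comm = substr($line, $open + 1, $close - $open - 1);
    my @rest = split(/\s+/, substr($line, $close + 2));   # skip ") "

    # $rest[0] is field 3 (state), so stat(5) field N is $rest[N-3].
    return {
        pid       => $pid,
        comm      => $comm,
        state     => $rest[0],
        ppid      => $rest[1],
        starttime => $rest[19],   # field 22: start time, clock ticks since boot
    };
}

# Sample lines quoted from the post above (the lfd false-positive case first).
my @samples = (
    "29421 (cpdavd - accept) S 1 29418 29366 0 -1 4202560 28433 473714 0 34 7 19 30696 1010 15 0 1 0 879101009 106086400 3883 268435456 4194304 4198540 140734904954112 18446744073709551615 239166349699 0 0 128 78337 0 0 0 17 0 0 0 3",
    "21825 (sh) S 21684 21662 17951 0 -1 4202496 316 0 0 0 0 0 0 0 21 0 1 0 779303346 65384448 235 18446744073709551615 4194304 4923308 140734670098944 18446744073709551615 239166321184 0 4 6 81921 18446744071562362030 0 0 17 2 0 0 0",
);

# Process age = uptime - starttime/CLK_TCK. CLK_TCK is assumed to be 100;
# the uptime is a constructed value (on a live host read /proc/uptime).
my $hz = 100;
my $uptime_seconds = 9147571;
for my $s (@samples) {
    my $p = parse_proc_stat($s) or next;
    my $age = $uptime_seconds - $p->{starttime} / $hz;
    printf "pid %s comm <%s> ppid %s starttime %s age %.0fs\n",
        $p->{pid}, $p->{comm}, $p->{ppid}, $p->{starttime}, $age;
}
```

With this parser the cpdavd line yields starttime 879101009 rather than 1, so the computed age is a few days, not the host's entire uptime.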