root@unknown#ps -ef|grep hostguard|grep -v grep
root 1258 1 0 2019 ? 01:38:39 /usr/local/hostguard/bin/hostguard -l /usr/local/hostguard/log
root 10501 1258 0 Jun30 ? 00:12:59 /usr/local/hostguard/bin/hostguard -l /usr/local/hostguard/log
可以看到hostguard启动了两个同名进程,且1258号进程还是10501进程的父进程。
父进程
看一下1258号进程,先看一下它是否由docker还是systemd启动
root@unknown#cat /proc/1258/cgroup
11:perf_event:/
10:memory:/system.slice/hostguard.service
9:devices:/system.slice/hostguard.service
8:blkio:/system.slice/hostguard.service
7:cpuset:/
6:hugetlb:/
5:net_prio,net_cls:/
4:cpuacct,cpu:/system.slice/hostguard.service
3:pids:/system.slice/hostguard.service
2:freezer:/
1:name=systemd:/system.slice/hostguard.service
可见它是由systemd启动的hostguard.service
再看启动参数和环境变量
root@unknown#cat /proc/1258/cmdline
/usr/local/hostguard/bin/hostguard^@-l^@/usr/local/hostguard/log^@
root@unknown#cat /proc/1258/environ
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin^@PWD=/^@LANG=en_US.UTF-8^@SHLVL=1^@_=/usr/local/hostguard/bin/hostguard^@
可见没什么有用信息,只是PATH环境变量调整了一下程序执行路径
再看它加载的so
root@unknown#cat /proc/1258/maps|awk '{print $6}'|sort|uniq
[heap]
[stack]
/usr/lib64/ld-2.17.so
/usr/lib64/libc-2.17.so
/usr/lib64/libdl-2.17.so
/usr/lib64/libm-2.17.so
/usr/lib64/libpthread-2.17.so
/usr/lib64/librt-2.17.so
/usr/local/hostguard/bin/hostguard
/usr/local/hostguard/bin/libagent.so
/usr/local/hostguard/bin/libbasecomm.so
/usr/local/hostguard/bin/libbaselogger.so
/usr/local/hostguard/bin/libbaseutils.so
/usr/local/hostguard/lib/libcrypto.so.1.0.0
/usr/local/hostguard/lib/libcurl.so.4.5.0
/usr/local/hostguard/lib/libgcc_s.so.1
/usr/local/hostguard/lib/libsecurec.so
/usr/local/hostguard/lib/libssl.so.1.0.0
/usr/local/hostguard/lib/libstdc_plus.so.6.0.14
[vdso]
[vsyscall]
可见,并没有加载一些功能so,说明这完全是一个daemon进程,可能是用来管控子进程的。
再看它的fd
root@unknown#ls -l /proc/1258/fd
total 0
lrwx------ 1 root root 64 Jun 11 15:41 0 -> /dev/null
lrwx------ 1 root root 64 Jun 11 15:41 1 -> /dev/null
lrwx------ 1 root root 64 Jun 11 15:41 2 -> /dev/null
lrwx------ 1 root root 64 Jun 11 15:41 3 -> /usr/local/hostguard/log/daemon.log
可见它确实是一个daemon进程。也就是说,hostguard的防护功能都放在子进程。
子进程
由于10501的1258的子进程,那么cgroup不用分析了。只要分析其它的。
分析启动参数和环境变量,一般父进程在启动子进程时,有可能会设置启动参数和改变环境变量,一般集中在PATH, LD_LIBRARY_PATH之类。
root@unknown#cat /proc/10501/cmdline
/usr/local/hostguard/bin/hostguard^@-l^@/usr/local/hostguard/log^@
root@unknown#cat /proc/10501/environ
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin^@PWD=/^@LANG=en_US.UTF-8^@SHLVL=1^@_=/usr/local/hostguard/bin/hostguard^@
可见父进程并没有对子进程进行打桩。
看一下子进程加载的so
root@unknown#cat /proc/10501/maps|awk '{print $6}'|sort|uniq
[heap]
[stack]
/usr/lib64/ld-2.17.so
/usr/lib64/libc-2.17.so
/usr/lib64/libcrypt-2.17.so
/usr/lib64/libdl-2.17.so
/usr/lib64/libfreebl3.so
/usr/lib64/libfreeblpriv3.so
/usr/lib64/libm-2.17.so
/usr/lib64/libnss_files-2.17.so
/usr/lib64/libpthread-2.17.so
/usr/lib64/librt-2.17.so
/usr/local/hostguard/bin/hostguard
/usr/local/hostguard/bin/libagent.so
/usr/local/hostguard/bin/libbasecomm.so
/usr/local/hostguard/bin/libbaselogger.so
/usr/local/hostguard/bin/libbaseutils.so
/usr/local/hostguard/bin/libmodargoseye.so
/usr/local/hostguard/bin/libmoddetconf.so
/usr/local/hostguard/bin/libmodfastscan.so
/usr/local/hostguard/bin/libmodfilemon.so
/usr/local/hostguard/bin/libmodiso.so
/usr/local/hostguard/bin/libmodlogin.so
/usr/local/hostguard/bin/libmodprocmon.so
/usr/local/hostguard/bin/libmodpuppetdet.so
/usr/local/hostguard/bin/libmodpwd.so
/usr/local/hostguard/bin/libmodwebcms.so
/usr/local/hostguard/bin/libmodwhitelist.so
/usr/local/hostguard/bin/libmodwshell.so
/usr/local/hostguard/lib/libcrypto.so.1.0.0
/usr/local/hostguard/lib/libcurl.so.4.5.0
/usr/local/hostguard/lib/libgcc_s.so.1
/usr/local/hostguard/lib/libmagic.so.1.0.0
/usr/local/hostguard/lib/libsecurec.so
/usr/local/hostguard/lib/libssl.so.1.0.0
/usr/local/hostguard/lib/libstdc_plus.so.6.0.14
/usr/local/hostguard/lib/libyara.so.3.4.0
/usr/local/hostguard/lib/libz.so.1.2.11
[vdso]
[vsyscall]
可见,确实是子进程加载了各种功能模块,也就是检测功能都放在子进程里。
再看打开的fd
root@unknown#ls -l /proc/10501/fd
total 0
lrwx------ 1 root root 64 Jun 30 14:40 0 -> /dev/null
lrwx------ 1 root root 64 Jun 30 14:40 1 -> /dev/null
lr-x------ 1 root root 64 Jun 30 14:40 10 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 11 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 12 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 13 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 14 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 15 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 16 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 17 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 18 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 19 -> anon_inode:inotify
lrwx------ 1 root root 64 Jun 30 14:40 2 -> /dev/null
lr-x------ 1 root root 64 Jun 30 14:40 20 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 21 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 22 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 23 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 24 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 25 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 26 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 27 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 28 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 29 -> anon_inode:inotify
lrwx------ 1 root root 64 Jun 30 14:40 3 -> /usr/local/hostguard/log/hostguard.log
lr-x------ 1 root root 64 Jun 30 14:40 30 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 31 -> anon_inode:inotify
lrwx------ 1 root root 64 Jun 30 14:40 32 -> socket:[2797256217]
lr-x------ 1 root root 64 Jun 30 14:40 33 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 18:46 34 -> /usr/local/hostguard/benchmarks/ssh.zip
lr-x------ 1 root root 64 Jul 2 21:31 35 -> /usr/local/hostguard/benchmarks/ssh.zip
lr-x------ 1 root root 64 Jun 30 14:41 36 -> /usr/local/hostguard/benchmarks/tomcat.zip
lr-x------ 1 root root 64 Jun 30 23:06 37 -> /usr/local/hostguard/benchmarks/ssh.zip
lr-x------ 1 root root 64 Jun 30 23:06 38 -> /usr/local/hostguard/benchmarks/tomcat.zip
lr-x------ 1 root root 64 Jul 3 21:50 39 -> /usr/local/hostguard/benchmarks/ssh.zip
lr-x------ 1 root root 64 Jun 30 14:40 4 -> anon_inode:inotify
lr-x------ 1 root root 64 Jul 1 23:06 40 -> /usr/local/hostguard/benchmarks/tomcat.zip
lr-x------ 1 root root 64 Jul 4 21:51 41 -> /usr/local/hostguard/benchmarks/ssh.zip
lr-x------ 1 root root 64 Jul 3 03:50 42 -> /usr/local/hostguard/benchmarks/tomcat.zip
lr-x------ 1 root root 64 Jul 5 11:16 43 -> /proc/71500/net/tcp
lr-x------ 1 root root 64 Jul 3 23:06 44 -> /usr/local/hostguard/benchmarks/tomcat.zip
lr-x------ 1 root root 64 Jun 30 14:40 5 -> anon_inode:inotify
lrwx------ 1 root root 64 Jul 2 18:43 6 -> socket:[2808807671]
lr-x------ 1 root root 64 Jun 30 14:40 7 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 8 -> anon_inode:inotify
lr-x------ 1 root root 64 Jun 30 14:40 9 -> anon_inode:inotify
满屏的anon_inode:inotify就说明hostguard在实时监控文件变动,这么多的inotify实例,会不会导致内核内存占用过多,毕竟一个inotify监控事件结构体是300-500字节。
而这些
lr-x------ 1 root root 64 Jun 30 18:46 34 -> /usr/local/hostguard/benchmarks/ssh.zip
lr-x------ 1 root root 64 Jul 2 21:31 35 -> /usr/local/hostguard/benchmarks/ssh.zip
lr-x------ 1 root root 64 Jun 30 14:41 36 -> /usr/local/hostguard/benchmarks/tomcat.zip
lr-x------ 1 root root 64 Jun 30 23:06 37 -> /usr/local/hostguard/benchmarks/ssh.zip
lr-x------ 1 root root 64 Jun 30 23:06 38 -> /usr/local/hostguard/benchmarks/tomcat.zip
lr-x------ 1 root root 64 Jul 3 21:50 39 -> /usr/local/hostguard/benchmarks/ssh.zip
lr-x------ 1 root root 64 Jul 1 23:06 40 -> /usr/local/hostguard/benchmarks/tomcat.zip
lr-x------ 1 root root 64 Jul 4 21:51 41 -> /usr/local/hostguard/benchmarks/ssh.zip
lr-x------ 1 root root 64 Jul 3 03:50 42 -> /usr/local/hostguard/benchmarks/tomcat.zip
lr-x------ 1 root root 64 Jul 3 23:06 44 -> /usr/local/hostguard/benchmarks/tomcat.zip
说明正在进行一些服务配置的基线检查。但配置脚本重复加载了。之前调研时,也遇到打开了280个fd,大部分是这些配置脚本,一开始以为是句柄泄露了,后来回落了。在这一块,hostguard需要好好审计一下代码,毕竟这5个配置脚本压缩包大小有297K,就算不解压,如果达到50份,也有14M,再加上其它任务,可能就导致hostguard达到内存配额150M,从而被重启掉。
再看fd里面的两个socket
lrwx------ 1 root root 64 Jun 30 14:40 32 -> socket:[2797256217]
lrwx------ 1 root root 64 Jul 2 18:43 6 -> socket:[2808807671]
看一下2808807671这个,第6个fd
root@unknown#cat /proc/1258/cgroup
11:perf_event:/
10:memory:/system.slice/hostguard.service
9:devices:/system.slice/hostguard.service
8:blkio:/system.slice/hostguard.service
7:cpuset:/
6:hugetlb:/
5:net_prio,net_cls:/
4:cpuacct,cpu:/system.slice/hostguard.service
3:pids:/system.slice/hostguard.service
2:freezer:/
1:name=systemd:/system.slice/hostguard.service
0可见,它是一个TCP socket,是对应这个
root@unknown#cat /proc/1258/cgroup
11:perf_event:/
10:memory:/system.slice/hostguard.service
9:devices:/system.slice/hostguard.service
8:blkio:/system.slice/hostguard.service
7:cpuset:/
6:hugetlb:/
5:net_prio,net_cls:/
4:cpuacct,cpu:/system.slice/hostguard.service
3:pids:/system.slice/hostguard.service
2:freezer:/
1:name=systemd:/system.slice/hostguard.service
1这说明它是和管理端相连。
再看一下第32个fd,2797256217
root@unknown#cat /proc/1258/cgroup
11:perf_event:/
10:memory:/system.slice/hostguard.service
9:devices:/system.slice/hostguard.service
8:blkio:/system.slice/hostguard.service
7:cpuset:/
6:hugetlb:/
5:net_prio,net_cls:/
4:cpuacct,cpu:/system.slice/hostguard.service
3:pids:/system.slice/hostguard.service
2:freezer:/
1:name=systemd:/system.slice/hostguard.service
2说明它是netlink socket。
根据netlink文件的格式
root@unknown#cat /proc/1258/cgroup
11:perf_event:/
10:memory:/system.slice/hostguard.service
9:devices:/system.slice/hostguard.service
8:blkio:/system.slice/hostguard.service
7:cpuset:/
6:hugetlb:/
5:net_prio,net_cls:/
4:cpuacct,cpu:/system.slice/hostguard.service
3:pids:/system.slice/hostguard.service
2:freezer:/
1:name=systemd:/system.slice/hostguard.service
3可见这个netlink socket的信息是
sk: ffff880227ba4000 Eth: 11 Pid: 10501 Groups: 00000001 Rmem: 0 Wmem: 0 Dump: 0 Locks: 2 Drops: 721841 Inode: 2797256217
根据内核代码net/netlink/af_netlink.c:
root@unknown#cat /proc/1258/cgroup
11:perf_event:/
10:memory:/system.slice/hostguard.service
9:devices:/system.slice/hostguard.service
8:blkio:/system.slice/hostguard.service
7:cpuset:/
6:hugetlb:/
5:net_prio,net_cls:/
4:cpuacct,cpu:/system.slice/hostguard.service
3:pids:/system.slice/hostguard.service
2:freezer:/
1:name=systemd:/system.slice/hostguard.service
4可知sk_protocol是11,那么11是哪个值呢?
根据/usr/include/linux/netlink.h的定义
root@unknown#cat /proc/1258/cgroup
11:perf_event:/
10:memory:/system.slice/hostguard.service
9:devices:/system.slice/hostguard.service
8:blkio:/system.slice/hostguard.service
7:cpuset:/
6:hugetlb:/
5:net_prio,net_cls:/
4:cpuacct,cpu:/system.slice/hostguard.service
3:pids:/system.slice/hostguard.service
2:freezer:/
1:name=systemd:/system.slice/hostguard.service
5可知,它这个值是NETLINK_CONNECTOR,说明是一个Kernel connector
既然已经知道是Kernel connector,那么groups的定义就从/usr/include/linux/connector.h查
root@unknown#cat /proc/1258/cgroup
11:perf_event:/
10:memory:/system.slice/hostguard.service
9:devices:/system.slice/hostguard.service
8:blkio:/system.slice/hostguard.service
7:cpuset:/
6:hugetlb:/
5:net_prio,net_cls:/
4:cpuacct,cpu:/system.slice/hostguard.service
3:pids:/system.slice/hostguard.service
2:freezer:/
1:name=systemd:/system.slice/hostguard.service
6从groups的值为1,可知hostguard使用netlink从内核接收实时进程创建,退出的信息,也就是hostguard有做进程实时监控功能。
看进程的防护能力
杀掉10501进程,看看会如何?
root@unknown#cat /proc/1258/cgroup
11:perf_event:/
10:memory:/system.slice/hostguard.service
9:devices:/system.slice/hostguard.service
8:blkio:/system.slice/hostguard.service
7:cpuset:/
6:hugetlb:/
5:net_prio,net_cls:/
4:cpuacct,cpu:/system.slice/hostguard.service
3:pids:/system.slice/hostguard.service
2:freezer:/
1:name=systemd:/system.slice/hostguard.service
7可见重新创建了55611子进程。
如果杀掉1258进程,就没有再创建进程了,只能重启服务了。
root@unknown#cat /proc/1258/cgroup
11:perf_event:/
10:memory:/system.slice/hostguard.service
9:devices:/system.slice/hostguard.service
8:blkio:/system.slice/hostguard.service
7:cpuset:/
6:hugetlb:/
5:net_prio,net_cls:/
4:cpuacct,cpu:/system.slice/hostguard.service
3:pids:/system.slice/hostguard.service
2:freezer:/
1:name=systemd:/system.slice/hostguard.service
8从这一点,说明hostguard并没有对服务的防护能力。
结论
hostguard单从进程行为来看,有如下能力:
父进程对子进程的防护能力。但没有自身服务防护能力。 使用 inotify进行实时文件监控使用 netlink进行实时进程事件监控从上面数据可以看到,cpu最高到25%,内存在0.2%左右,说明它有做资源控制。
=========================================
暗号:7ae7c
推荐站内搜索:最好用的开发软件、免费开源系统、渗透测试工具云盘下载、最新渗透测试资料、最新黑客工具下载……
还没有评论,来说两句吧...