proc file system
The /proc directory is a pseudo-file system that serves as an interface to kernel data structures, so that programs can query them without reading and interpreting kernel memory directly.
Most of /proc is read-only, but some files allow kernel variables to be changed. One such example is the kernel variable that determines whether the system can act as a router and forward IP packets. To turn IP forwarding on, write a 1 into the file (that is, the variable) /proc/sys/net/ipv4/ip_forward; while IP forwarding is disabled, this file contains 0.
The /proc directory contains many parameters and kernel values that system calls need in order to maintain a stable environment. The Linux manual page proc(5) describes the available pseudo-files. A few that might be of interest to a network security administrator are as follows:
- Process ID-There is a numerical subdirectory for each running process. The subdirectory is named by the process ID. Each subdirectory contains pseudo-files and directories. Two pseudo-files in these subdirectories are as follows:
  - cmdline-This holds the complete command line for the process, unless the whole process has been swapped out or the process is a zombie. In either of these two cases, there is nothing in this file (a read on this file will return 0 characters). The command line arguments appear in this file as a set of null-separated strings, with a further null byte after the last string.
  - cwd-This is a link to the process's current working directory. To determine the current working directory of process 2250, enter the following command:
      ls -l /proc/2250/cwd
    This will produce the following output, showing a current working directory of /root:
      lrwxrwxrwx 1 root root 0 Sep 29 22:28 /proc/2250/cwd -> /root/
- cmdline-The top-level /proc/cmdline pseudo-file contains the arguments passed to the Linux kernel at boot time (not to be confused with the per-process cmdline above).
- kcore-This file represents the system's physical memory and is stored in the Executable and Linkable Format (ELF) core file format. With this pseudo-file and an unstripped kernel binary (/usr/src/linux/vmlinux), the gdb command can be used to examine the current state of any kernel data structure. To see all the data in the kernel, the kernel must be compiled with the -g option. The total length of the file is the size of physical memory (RAM) plus 4KB.
- net-This subdirectory contains various net pseudo-files, all of which give the status of some part of the networking layer. These files contain ASCII structures and are, therefore, readable with the cat command. However, the standard netstat suite provides much cleaner access to these files.
  - net/arp-This holds an ASCII-readable dump of the kernel Address Resolution Protocol (ARP) table. It shows both dynamically learned and pre-programmed ARP entries.
- sys-This directory contains a number of files and subdirectories corresponding to kernel variables. These variables can be read, and sometimes modified, through the proc file system and the sysctl system call.
  - kernel/ctrl-alt-del-This file controls the handling of Ctrl-Alt-Del from the keyboard. When the value in this file is 0, Ctrl-Alt-Del is trapped and sent to the init program to handle a graceful restart. When the value is > 0, Linux's reaction will be an immediate reboot, without even syncing its dirty buffers.
  - kernel/domainname, kernel/hostname-These files can be used to set the NIS/YP domain name and the host name of your box in exactly the same way as the domainname and hostname commands.
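To show how these pseudo-files are read in practice, here is an added example in Python (not part of the original tutorial): it parses the null-separated /proc/[pid]/cmdline format, the ip_forward flag and the ASCII /proc/net/arp dump (separating learned from pre-programmed entries), and walks the numeric /proc subdirectories to list each process's arguments and cwd link. The ARP sample is constructed; the ATF_COM (0x2) and ATF_PERM (0x4) flag bits are those defined in the kernel's linux/if_arp.h.

```python
import os

PROC = "/proc"  # root of the pseudo-file system

# Constructed sample in the /proc/net/arp format: a header line, then one entry per line.
SAMPLE_ARP = (
    "IP address       HW type     Flags       HW address            Mask     Device\n"
    "192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0\n"
    "192.168.1.20     0x1         0x6         00:aa:bb:cc:dd:ee     *        eth0\n"
)

def parse_cmdline(raw: bytes) -> list:
    """Split /proc/[pid]/cmdline into arguments; an empty read (zombie/swapped out) -> []."""
    if not raw:
        return []
    # Every argument, the last one included, is terminated by a NUL byte.
    return [p.decode("utf-8", "replace") for p in raw.rstrip(b"\0").split(b"\0")]

def ip_forwarding_enabled(text: str) -> bool:
    """Interpret /proc/sys/net/ipv4/ip_forward: 1 means the box routes packets."""
    return text.strip() == "1"

def parse_arp_table(text: str) -> list:
    """Parse the ASCII ARP dump, marking learned versus pre-programmed entries."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the column header
        f = line.split()
        if len(f) >= 6:
            flags = int(f[2], 16)  # ATF_* bits from linux/if_arp.h: 0x2 resolved, 0x4 static
            entries.append({"ip": f[0], "mac": f[3], "device": f[5],
                            "complete": bool(flags & 0x2), "permanent": bool(flags & 0x4)})
    return entries

def audit_processes(proc: str = PROC) -> list:
    """Return (pid, argv, cwd) per numeric subdirectory; entries that vanish mid-walk
    or are unreadable (another user's process, no privilege) are skipped."""
    result = []
    for name in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{name}/cmdline", "rb") as fh:
                argv = parse_cmdline(fh.read())
            result.append((int(name), argv, os.readlink(f"{proc}/{name}/cwd")))
        except OSError:
            continue
    return result

if __name__ == "__main__":  # live report: needs Linux, and root to see every cwd
    with open(f"{PROC}/sys/net/ipv4/ip_forward") as fh:
        print("IP forwarding:", "ON" if ip_forwarding_enabled(fh.read()) else "off")
    for pid, argv, cwd in sorted(audit_processes()):
        print(f"{pid:>7}  cwd={cwd}  argv={argv}")
```

Unexpected permanent ARP entries or an ip_forward value of 1 on a host that is not meant to route are the kind of findings this report is meant to surface.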