通过Linux netlink NETLINK_CONNECTOR 协议实时进行监控本机进程情况。
当前维度: Linux NETLINK_CONNECTOR -> execve -> pid -> pid info 之前研究测试用的,方便输出安全规则。
获取的信息
| 参数 | 含义 | 来源 |
|---|---|---|
| name | name | /proc/PID/status,Name |
| cmd | Cmd | /proc/PID/cmdline |
| pid | process ID | netlink Exec |
| state | state | /proc/PID/status,state |
| tgid | thread group ID | /proc/PID/status,Tgid |
| uid | user ID(进程执行者) | /proc/PID/status,Uid[0] |
| euid | effective user ID(进程执行对文件的访问权限) | /proc/PID/status,Uid[1] |
| suid | saved set user ID(副本) | /proc/PID/status,Uid[2] |
| fsuid | file system user ID | /proc/PID/status,Uid[3] |
| gid | group ID | /proc/PID/status,Gid[0] |
| egid | effective group ID | /proc/PID/status,Gid[1] |
| sgid | saved group ID | /proc/PID/status,Gid[2] |
| fsgid | file system group ID | /proc/PID/status,Gid[3] |
| cwd | Cwd | /proc/PID/environ,PWD |
| exe | Exe | /proc/PID/exe (read link) |
| ppid | parent process ID | /proc/PID/status,PPid |
| p_name | ppid name | /proc/PPID/status,name |
| p_uid | ppid uid | /proc/PPID/status,Uid[0] |
| p_cmd | ppid cmd | /proc/PPID/cmdline |
| fd_info | fd info | /proc/PID/fd/[0-9]* |
| sock_info | fd to socket info | /proc/net |