
PCDS

Process Change Detection System



What's new?

September 25, 2005.
A major code-cleanup was done. There were several duplicate routines and some routines were not really efficient.
Besides this, I keep the current process-list only in memory. This avoids writing it out to a file and reading it in again, thus speeding it up a little.

November 16, 2004.
Totally rewrote the "compare" engine by using hashes instead of arrays. This really speeds up the work and it means less code. As a result of this change, the current process-list is not written to disk anymore, as it can run from memory.
This change also implies a new format of the baselist, both to improve readability and to ease reading it into memory. It's now also possible to add comments to the baselist.
Warning: Your old baselist does not work anymore. Re-initialize pcds.

December 26, 2003.
Removed a small "bug". The first entry in the basefile was invalid due to a lack of checking the values. It's now fixed. Also I added extra logging-options so the current-list that was used and the report aren't removed; after a test-run you can have a look at them. The default umask value is now 077.
Warning: If you upgrade from 2.6 or older, please re-initialize or remove the first characters from your baselist.txt !

November 3, 2003.
Added support for ranges. Thanks to Bill Nugent for his patch, pcds is capable of handling ranges. So even if your process counts vary within a range, pcds will not complain anymore.
New in this version is full FreeBSD support. All functions are now working with FreeBSD.
I don't have the opportunity to test it against other BSDs, so please let me know if that works!

May 20, 2003.
Since the last version I added syslog-options to make it log successfully to syslog, so your syslog server (what, you don't have one? It's time to build one!) will collect all the messages. You can use MySecRep to generate reports out of the logging.

The complete changelog can be found here: Changelog

Introduction

I wrote this program to monitor changes in processes. Not to monitor whether your webserver is still running, no, that's a job for your monitoring-tool. But to see if there are new programs running. When going through honeypot logs, you often see that there's an extra inetd running, to open up that backdoor-port.
Or, less dramatically, people are logging in to your system and "forget" to log out.

Working

PCDS is a perl-script that takes the output of ps, stores it in a flatfile format to use it as a "fingerprint", and checks the current ps output against that fingerprint. New programs or additional copies of already known programs will trigger PCDS to send an email and/or log a line via syslog.

Configuration

There's almost nothing to configure. Within the script there's the administrator's email address. Change it to your needs, as you can do with the syslog option. Just choose an appropriate facility and severity and it will log via syslog.
In the default settings it logs to syslog and doesn't send mail, so maybe you don't want to change anything.
After that, let it run from cron. It will initialize itself and notify you.

Tuning

Once initialized, it checks against the basefile (by default /var/tmp/newbase.txt). If you are running a webserver, for instance, your number of httpd-processes will be changing all the time. Edit the baselist and change the count of your httpd-processes to -1. Now it will ignore the httpd-processes. Occasionally it will complain about grep or the like. You can either mark those ignored (remember the -1), or remove the baselist.txt and it will re-initialize again. Be aware that your shell will be counted also, so the best way to initialize it is from cron, while you are logged off!
Oh, by the way, there is totally no reason to run PCDS as root or with any additional privileges.
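The baseline-versus-current comparison described under Working and Tuning, as an added Python example; it is not the PCDS perl-script itself, and the "name count-spec" baseline format and the sample ps output are constructed for this illustration (PCDS's own file format is not reproduced here).

```python
# Added illustration of the PCDS compare step, not the PCDS script itself. The
# "name count-spec" baseline format is constructed: int, -1 (ignore) or "lo-hi".
from collections import Counter
# Constructed baseline, as it might look after tuning (httpd ignored, bash ranged).
BASELINE_TEXT = """
init   1
sshd   1
httpd  -1   # web server, count varies
cron   1
bash   1-3
"""
# Constructed `ps -eo comm` output; inetd is not in the baseline.
CURRENT_PS = "COMMAND\ninit\nsshd\nhttpd\nhttpd\nhttpd\ncron\nbash\nbash\ninetd\n"

def parse_baseline(text):
    """Return {name: spec}; spec is an int (-1 = ignore) or a (lo, hi) tuple."""
    base = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # allow trailing comments
        if not line:
            continue
        name, spec = line.split()
        if spec != "-1" and "-" in spec:               # accepted range "lo-hi"
            lo, hi = spec.split("-", 1)
            base[name] = (int(lo), int(hi))
        else:
            base[name] = int(spec)
    return base

def count_processes(ps_text):
    """Count command names in ps output, skipping the header line."""
    return Counter(l.strip() for l in ps_text.splitlines()[1:] if l.strip())

def compare(base, current):
    """Return sorted findings; an empty list means the fingerprint still matches."""
    findings = []
    for name, n in current.items():
        if name not in base:
            findings.append(f"NEW {name} x{n}")        # e.g. an unexpected inetd
            continue
        spec = base[name]
        if spec == -1:
            continue                                   # tuned out with -1
        ok = spec[0] <= n <= spec[1] if isinstance(spec, tuple) else n == spec
        if not ok:
            findings.append(f"COUNT {name}: expected {spec}, got {n}")
    return sorted(findings)
```

With the constructed input the only finding is the extra inetd; the three httpd copies are ignored and two bash shells fall inside the 1-3 range.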

Download

HA! The important part:

pcds-2.9.gz

September 25, 2005: version 2.9
MD5 from this version: 928842ea7c3fab072fa9c688bb470142
RipeMD160 from this version: f49170541306238219520eaf3fd3f45223598e41
It is also signed with my PGP public key.

The old version was written in bash. I still keep it here for download, although I will not maintain it anymore.
Old, unmaintained version. Branch 1.

Copyright

PCDS is released under the GPL.