Process Tracking and csf.pignore

Locked
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Process Tracking and csf.pignore

Post by chirpy »

1. If you're seeing legitimate spamd processes on cPanel being reported and want to ignore them, the following can be added to /etc/csf/csf.pignore:

cmd:spamd child

Then restart lfd.

2. If you're seeing legitimate awstats processes on cPanel being reported and want to ignore them, the following can be added to /etc/csf/csf.pignore:

pcmd:/usr/local/cpanel/3rdparty/bin/awstats\.pl.*
pcmd:/usr/local/cpanel/base/awstats\.pl.*
pcmd:/usr/bin/perl /usr/local/cpanel/3rdparty/bin/awstats\.pl.*
pcmd:/usr/bin/perl /usr/local/cpanel/base/awstats\.pl.*

Then restart lfd.

3. If you're seeing legitimate mailman processes on cPanel being reported and want to ignore them, the following can be added to /etc/csf/csf.pignore:

pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*


Then restart lfd.

NOTE on 1-3 above: You need to still heed the advice in csf.pignore about using command line ignores:
It is strongly recommended that you use command line ignores very carefully as any process can change what is reported to the OS.
4. If you're seeing (deleted) processes being reported then you need to read the information provided in csf.conf for the PT_DELETED option. Currently this reads:
# lfd will report processes, even if they're listed in csf.pignore, if they're
# tagged as (deleted) by Linux. This information is provided in Linux under
# /proc/PID/exe. A (deleted) process is one that is running a binary that has
# the inode for the file removed from the file system directory. This usually
# happens when the binary has been replaced due to an upgrade for it by the OS
# vendor or another third party (e.g. cPanel). You need to investigate whether
# this is indeed the case to be sure that the original binary has not been
# replaced by a rootkit or is running an exploit.
#
# Note: If a deleted executable process is detected and reported then lfd will
# not report children of the parent (or the parent itself if a child triggered
# the report) if the parent is also a deleted executable process
#
# To stop lfd reporting such process you need to restart the daemon to which it
# belongs and therefore run the process using the replacement binary (presuming
# one exists). This will normally mean running the associated startup script in
# /etc/init.d/
#
# If you do want lfd to report deleted binary processes, set to 1
PT_DELETED = "1"
If, for example, you still want to ignore pure-ftpd deleted executable reports, the following can be added to csf.pignore:

pexe:/usr/sbin/pure-ftpd.*

or, if you want to ignore deleted executable processes, set the following in csf.conf:

PT_DELETED = "0"

In either case, restart lfd after making any changes.

However, be aware that deleted executable file names will become more corrupted the longer they are left running, so even the pure-ftpd part of the name may no longer match over time. This is a symptom of the Linux file system and the way Linux handles processes that are running executables that no longer exist at the inode they originally ran from, this is simply what lfd is reporting.


Please note that investigating Process Tracking reports is the responsibility of the server administrator and going into the detail of such work is beyond the scope of this forum. lfd simply reports the information it finds for a process within the /proc/PID/ file system.
Locked