I have to develop an application in C++ to monitor the state of processes in my Linux system and also need to know if a new process is created or an existing process is terminated. Is there an API available for this? Also it will be helpful if someone could tell me how to start it with.
inotify works well for all directories I tried, except the proc filesystem. So again I continued to search for a solution and where I reached was the proc connector and socket filters. Not much documented, but really worthy. Just have a look at:
http://netsplit.com/the-proc-connector-and-socket-filters
The way to reach this conclusion was through the answer provided by David Crookes to
Detect launching of programs on Linux platform.
Hope it will help someone in future.
Related
I have a system-V init service/daemon running my application. I wanted to make sure that my application always runs even with conditions where process/service could crash, machine restart. I know of supervisord which is able to monitor process but I am not sure it can monitor service/daemon ?
Looks like the manual advices against it.
There is an answer to a similar question which provides a workaround.
Anyway, I would try to find a way to have that service stay in the foreground.
I would like to create something like "file honeypot" on Windows OS.
The problem I would like to answer is this:
I need to detect that file is accessed (Malware wants to read file to send it over internet) so I can react to it. But I do not know how exacly tackle this thing.
I can periodically test file - Do not like this sollution. Would like some event driven without need to bother processor every few ms. But could work if file is huge enought so it cannot be read between checks.
I could exclusively open file myselve and somehow detect if file is accessed. But I have no idea how to do this thing.
Any idea about how to resolve this issue effectively? Maybe creating specialized driver could help but I have little experience in this.
Thanks
Tracking (and possibly preventing) filesystem access on Windows is accomplished using filesystem filter drivers. But you must be aware that kernel-mode code (rootkits etc) can bypass the filter driver stack and send the request directly to the filesystem. In this case only the filesystem driver itself can log or intercept access.
I'm going to assume that what you're writing is a relatively simple honeypot. The integrity of the system on which you're running has not been compromised, there is no rootkit or filter driver installation by malware and there is no process running that can implement avoidance or anti-avoidance measures.
The most likely scenario I can think of is that a server process running on the computer is subject to some kind of external control which would allow files containing sensitive data to be read remotely. It could be a web server, a mail server, an FTP server or something else but I assume nothing else on the computer has been compromised. And the task at hand is to watch particular files and see if anything is reading them.
With these assumptions a file system watcher will not help. It can monitor parts of the system for the creation of new files or modification or deletion of existing ones, but as far as I know it cannot monitor for read only access.
The only event-driven mechanism I am aware of is a filter driver. This is a specialised piece of driver software that can be inserted into the driver chain and monitor access to files. With the constraints above, it is a reliable solution to the problem at the cost of being quite hard to write.
If a polling mechanism is sufficient then I can see two avenues. One is to try to lock the file exclusively, which will fail if it is open. This is easy, but slow.
The other is to monitor the open file handles. I know it can be done because I know programs that do it, but I can't tell you how without some research.
If my assumptions are wrong, please edit your question and provide additional information.
I am looking for a solution that monitors a service on a server and runs a custom script when a problem is found.
To be more specific:
We have a service that relies on many Elastic IPs at EC2, when a problem occurs on the primary server, all those EIPs are required to move to a slave server.
I have written the script for the EIP failover, but my company wants to use an open source tool for the monitoring part.
I have looked into pacemaker/heartbeat solution but it seems too complex for what i want to achieve.
Please help me find a good solution for this problem, thanks in advance!
If your problem is as simple as watching a process and trigger scripts, monit will be your best friend:
http://mmonit.com/monit/
The good thing about monit is that it scales well if you have a lot of servers as it runs and executes everything locally on the machine being monitored.
Have you considered using Scout ? It allows you to write your custom scripts that get executed after triggers. For example you can setup a trigger from a third server that when it can't reach one of your EIPs then it's time to do the EIP switchover.
We are currently monitoring all of our servers using Scout and are pretty happy.
I am writing some webservices in Go on a linux machine, so the Go executable needs to keep running
which is the best way to do it?
should I setup the Go executable as a service on the linux machine?
many thanks
The short answer: use the system service manager if you want to keep things super-simple. CentOS currently uses Upstart, and it's well documented and can handle most Go applications without too many problems. There are some good examples of Upstart + Go here and here
The long answer: personal preference. Supervisord, Monit and Circus are good options as well, but bring differing levels of complexity. I personally like supervisord, since it has a fairly clear syntax and a good heap of options.
There's also a good run-down here: http://tech.cueup.com/blog/2013/03/08/running-daemons/
I created a server using c++ and want to run this server as daemon on linux..
How do I do this?
Thanks in advance...
There are many ways to daemonize a process. It is quite common that server implementations provides a switch to daemonize it at startup.
If you do not wish to implement such a feature, command-line tools exists such as this one : http://software.clapper.org/daemonize/.
I don't mean to sound condescending but did you try a google search, there is a heap of info on this out there, the first link I found: (http://www.enderunix.org/docs/eng/daemon.php)
You can use dup2() on Linux to make the FD's a bit easier to handle.
You may also want to look into using something like inetd to manage your server