


Another feature of nabou is to monitor running processes and to send out a report if it finds something weird. But how does nabou know whether a process is weird? Good question. It uses the /proc filesystem. Because of this, you cannot use this feature of nabou on a system without a /proc filesystem: nabou cannot fall back to the /dev/kmem device.

Nabou gathers a list of all running processes with all the properties it can get from /proc. Most of them are the ones you see when you use ps, but there are some other, very interesting properties as well. Currently nabou uses four built-in checks to decide whether a process could be dangerous, plus an optional fifth check that you write yourself:


1. The real user id of the process differs from the effective user id. This is the case for a set-uid program, e.g. xterm.

2. The same as above (1.), but using the real and effective group id (a set-gid program).

3. The process' visible command line does not match the absolute filename of its executable, e.g. it appears in ps as nfsd but the executable is /tmp/sush.

4. The process is detached from any terminal (connected to tty 0) and is actually running (state R). Note that a sleeping daemon (state S) does not trigger this check; only a detached process that is busy on the CPU at the moment of the scan does.

5. Additionally, you can define your own checks using inline Perl scriptlets. See the previous sub-section on writing and using scriptlets and the proc-related scriptlet section below.

If you use nabou for process monitoring, you can use the -D option, which causes nabou to put itself into the background (using fork(2)). You can also define exceptions for processes which should be ignored during the normal run, like xterms and the like.

See the provided example config file psrc for a demonstration.
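The four built-in checks above, rewritten as a small Python audit over a /proc-style snapshot. This is an added example, not nabou's own code: the Proc record, the parse helpers, the sample status/stat lines (constructed) and the basename comparison in check_cmdline are assumptions of this example, while the field positions come from proc(5).

```python
"""Re-implementation of nabou's four built-in process checks against a /proc-style
snapshot. Added example, not nabou's own code; the Proc record, the parse helpers
and the basename rule in check_cmdline are assumptions, not nabou internals."""
import os
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    exe: str       # target of the /proc/PID/exe symlink
    cmdline: str   # /proc/PID/cmdline with NUL separators replaced by spaces
    ruid: int
    euid: int
    rgid: int
    egid: int
    state: str     # field 3 of /proc/PID/stat: R, S, D, Z, ...
    tty_nr: int    # field 7 of /proc/PID/stat: 0 means no controlling terminal


def parse_status_ids(status_text):
    """(ruid, euid, rgid, egid) from the Uid:/Gid: lines of /proc/PID/status.
    Each line lists real, effective, saved and filesystem ids in that order."""
    ids = {}
    for line in status_text.splitlines():
        if line.startswith(("Uid:", "Gid:")):
            key, rest = line.split(":", 1)
            ids[key] = [int(x) for x in rest.split()]
    return ids["Uid"][0], ids["Uid"][1], ids["Gid"][0], ids["Gid"][1]


def parse_stat(stat_text):
    """(state, tty_nr) from /proc/PID/stat. The comm field sits in parentheses and
    may contain spaces or ')', so split after the last ')' rather than on whitespace."""
    fields = stat_text[stat_text.rindex(")") + 1:].split()
    return fields[0], int(fields[4])   # state is field 3, tty_nr is field 7


def check_setuid(p):
    return "ruid %d != euid %d (set-uid)" % (p.ruid, p.euid) if p.ruid != p.euid else ""


def check_setgid(p):
    return "rgid %d != egid %d (set-gid)" % (p.rgid, p.egid) if p.rgid != p.egid else ""


def check_cmdline(p):
    """Compare argv[0] as ps shows it with the executable that is really mapped.
    Assumption: compare basenames, and drop the leading '-' that login shells carry."""
    argv0 = p.cmdline.split(" ", 1)[0].lstrip("-") if p.cmdline else ""
    if os.path.basename(argv0) != os.path.basename(p.exe):
        return "cmdline %r does not match exe %s" % (p.cmdline, p.exe)
    return ""


def check_detached(p):
    """Flag only processes with no controlling terminal that are in state R;
    an ordinary daemon sleeping in S is not reported."""
    if p.tty_nr == 0 and p.state == "R":
        return "running (state R) detached from any terminal"
    return ""


CHECKS = (check_setuid, check_setgid, check_cmdline, check_detached)


def audit(p):
    """All reasons why the process looks weird; an empty list means clean."""
    return [msg for msg in (chk(p) for chk in CHECKS) if msg]


def read_proc(pid):
    """Build a Proc from a live /proc entry (Linux; reading exe of other users' processes needs root)."""
    base = "/proc/%d" % pid
    with open(base + "/status") as f:
        ruid, euid, rgid, egid = parse_status_ids(f.read())
    with open(base + "/stat") as f:
        state, tty_nr = parse_stat(f.read())
    with open(base + "/cmdline", "rb") as f:
        cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
    return Proc(pid, os.readlink(base + "/exe"), cmdline, ruid, euid, rgid, egid, state, tty_nr)


# Constructed sample: a fake "nfsd" that is really a shell from /tmp, set-uid to root, no tty.
SAMPLE_STATUS = "Name:\tnfsd\nUid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n"
SAMPLE_STAT = "4242 (nfsd) R 1 4242 4242 0 -1 4194560 12 0 0 0 1 0 0 0 20 0 1 0 9999 1 1 0 0\n"

if __name__ == "__main__":
    p = Proc(4242, "/tmp/sush", "nfsd", *parse_status_ids(SAMPLE_STATUS), *parse_stat(SAMPLE_STAT))
    for reason in audit(p):
        print("pid %d: %s" % (p.pid, reason))
```

On the constructed sample three of the four checks fire (set-uid, cmdline/exe mismatch, detached and running); the set-gid check stays quiet because rgid and egid agree. Use read_proc(pid) to run the same audit against a real process.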


A proc block starts with <proc> and ends with </proc>. It is used by the process monitoring routines of nabou. It may contain one or more of the following options:


You can define a name under which nabou appears in process listings when it is in daemon mode (-D). nabou silently ignores its own /proc entry.


1 turns it on, 0 off. Report a process if ruid and euid do not match, i.e. if it is a set-uid program.


1 turns it on, 0 off. Report a process if rgid and egid do not match, i.e. if it is a set-gid program.


1 turns it on, 0 off. Check whether the visible command line matches the executable that is actually running.


1 turns it on, 0 off. Report detached processes that are running (state R).


Requires a scriptlet name. The scriptlet is executed for every running process and must return a message in case of a match. See below.


Nabou can remember already reported processes. This option defines how long nabou should remember a process' entry before reporting it again. The value is in minutes; the default is 0, in other words the default is to always report.


Seconds. How long nabou should wait between refreshes of the proc filesystem. Please note that it will eat some host performance if the interval is too small. A good value is 20 or 30 seconds.


A comma-separated list of process properties which should be reported if nabou finds a weird process. You will find a complete list of all available properties below in the proc-scriptlet subsection. An example: pid, uid, euid, tty, exe, cmdline, cwd. Alternatively you can use ps, which results in one line per process. The format is similar to that of the helper script called ps in the sub directory "supplement".


1 turns it on, 0 off. The default is 0 (off). If turned on, no reason is printed for why the process matched. This is only useful in combination with report = ps.


This option requires a pathname. Every process table will be dumped to the specified directory. The filename contains the date, so you end up with unique files.

But be warned: this directory may grow very large!


Additionally you can define exclude blocks, which start with <exclude executable> and end with </exclude>. Every exclude block may contain the following options:


The visible command line, e.g. -bash. You can define multiple cmdline entries, which is useful for scripts, e.g.:

 cmdline		/root/bin/checkusers.sh
 cmdline		/root/bin/checksnort.sh 

You can also use Perl regular expressions here, but be very careful: an unanchored pattern also matches a command line that merely contains it, so a loose pattern can exclude exactly the process you wanted reported.


The MD5 checksum of the program. Combined with cmdline this pins the exclusion to one specific binary, so a replaced executable with the same name is still reported.


The user id the process runs as.

An example:

 <exclude /bin/bash>
                # login shells
                cmdline -bash
                md5     c36b467680f96a6c63053df2c0df379e
 </exclude>


As mentioned above, you can use custom Perl scriptlets with the process monitoring mode of nabou too, and it works similarly to the scriptlet engine in the file-system mode. But a scriptlet receives different parameters from nabou: a Process object and a message about the checks already done.

The Process object contains all available information about the process currently being checked. If the message is empty, no other check found anything; if it is not empty, it contains the explanation of what nabou has already found about this process.

An example:

        test <<EOF
                my($prc, $lastmatch) = @_;
                # report any executable under /tmp whose name looks like a shell
                if($prc->exe =~ /^\/tmp\/.*sh.*$/) {
                        return "shell running from /tmp!";
                }
                else {
                        return "";
                }
EOF
As you can see, you can access every property using the arrow notation: the command line is $prc->cmdline, the pid is $prc->pid.

Here is a list of all available properties, which can also be used for reporting (see above about the report option!):


current working directory


visible commandline as seen by "ps"


the process id


the absolute filename to the executable running, i.e. /bin/bash


real user id


effective user id


saved user id


file user id


real group id


effective group id


saved group id


file group id


similar to cmdline


(internal) number of open filehandles


a hash of all open files, the keys are the file descriptors (filenumber).

See the proc(5) manpage for a more detailed description of the remaining properties ("man proc", look for "stat Status information about the process"):

state ppid pgrp session tty tpgid flags minflt cminflt majflt cmajflt utime stime cutime cstime counter priority timeout itrealvalue starttime vsize rss rlim startcode endcode startstack kstkesp kstkeip signal blocked sigignore sigcatch wchan nswap cnswap exit_signal

There is a complete (tested) sample configuration supplied with nabou called psrc, which you can use as a starting point. Additionally, there is a script called ps supplied in the sub directory "supplement", which you can use to see a complete ps-like listing with the following information: PID RUID EUID RGID EGID FH TTY EXE CMD.