The Linux proc Filesystem (Unix Power Tools, 3rd Edition)

48.9. The Linux proc Filesystem

Linux contains a /proc filesystem with virtual files that maintain the current state of the system. You can actually access the proc system directly and view the command, command-line parameters, and other information.

In particular, if you have a suspicious process (detected using ps (Section 49.6)), you can investigate the process more thoroughly using the Linux proc filesystem. For instance, if ps -ux returns the following procecss:

Root   1684   0.0   0.7   7492    3888    ?   S    13:44     0.00      rp3

you can change to the process directory by using the process number:

bash# cd /proc/1684

Once there, typing ls will show several entries, including ones titled cwd, exe, and cmdline. At that point you can use cat (Section 11.2) to print out the cmdline entry, which will show the command, including parameters that kicked off the process:

bash# cat cmdline
rp3

Typing ls -l on cwd results in:

lrwxrwxrwx      1     root     root     9     June 4     17:44  cwd-> /root

Typing ls-1 on exe results in:

lrwxrwxrwx      1     root     root     9     June 4     17:44  cwd-> /usr/bin/rp3

The proc filesystem is extremely helpful, not only for security reasons, but also for general system usage.

-- SP