The process PID 395 is nginx. How could that be concluded from the output above?
Display the services currently running.
a. Use the ps command to display all the programs running in the background:
[analyst@secOps ~]$ sudo ps -elf
[sudo] password for analyst:
F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
4 S root 1 0 0 80 0 - 2250 SyS_ep Feb27 ? 00:00:00 /sbin/init
1 S root 2 0 0 80 0 - 0 kthrea Feb27 ? 00:00:00 [kthreadd]
1 S root 3 2 0 80 0 - 0 smpboo Feb27 ? 00:00:00 [ksoftirqd/0]
1 S root 5 2 0 60 -20 - 0 worker Feb27 ? 00:00:00 [kworker/0:0H]
1 S root 7 2 0 80 0 - 0 rcu_gp Feb27 ? 00:00:00 [rcu_preempt]
1 S root 8 2 0 80 0 - 0 rcu_gp Feb27 ? 00:00:00 [rcu_sched]
1 S root 9 2 0 80 0 - 0 rcu_gp Feb27 ? 00:00:00 [rcu_bh]
1 S root 10 2 0 -40 - - 0 smpboo Feb27 ? 00:00:00 [migration/0]
1 S root 11 2 0 60 -20 - 0 rescue Feb27 ? 00:00:00 [lru-add-drain]
5 S root 12 2 0 -40 - - 0 smpboo Feb27 ? 00:00:00 [watchdog/0]
1 S root 13 2 0 80 0 - 0 smpboo Feb27 ? 00:00:00 [cpuhp/0]
5 S root 14 2 0 80 0 - 0 devtmp Feb27 ? 00:00:00 [kdevtmpfs]
1 S root 15 2 0 60 -20 - 0 rescue Feb27 ? 00:00:00 [netns]
1 S root 16 2 0 80 0 - 0 watchd Feb27 ? 00:00:00 [khungtaskd]
1 S root 17 2 0 80 0 - 0 oom_re Feb27 ? 00:00:00 [oom_reaper]
b. In Linux, programs can also call other programs. The ps command can also be used to display this process hierarchy. Use the -ejH options to display the currently running process tree.
[analyst@secOps ~]$ sudo ps -ejH
[sudo] password for analyst:
1 1 1 ? 00:00:00 systemd
167 167 167 ? 00:00:01 systemd-journal
193 193 193 ? 00:00:00 systemd-udevd
209 209 209 ? 00:00:00 rsyslogd
210 210 210 ? 00:01:41 java
212 212 212 ? 00:00:01 ovsdb-server
213 213 213 ? 00:00:00 start_pox.sh
224 213 213 ? 00:01:18 python2.7
214 214 214 ? 00:00:00 systemd-logind
216 216 216 ? 00:00:01 dbus-daemon
221 221 221 ? 00:00:05 filebeat
239 239 239 ? 00:00:05 VBoxService
287 287 287 ? 00:00:00 ovs-vswitchd
382 382 382 ? 00:00:00 dhcpcd
387 387 387 ? 00:00:00 lightdm
410 410 410 tty7 00:00:10 Xorg
460 387 387 ? 00:00:00 lightdm
492 492 492 ? 00:00:00 sh
503 492 492 ? 00:00:00 xfce4-session
513 492 492 ? 00:00:00 xfwm4
517 492 492 ? 00:00:00 Thunar
1592 492 492 ? 00:00:00 thunar-volman
519 492 492 ? 00:00:00 xfce4-panel
554 492 492 ? 00:00:00 panel-6-systray
559 492 492 ? 00:00:00 panel-2-actions
523 492 492 ? 00:00:01 xfdesktop
530 492 492 ? 00:00:00 polkit-gnome-au
395 395 395 ? 00:00:00 nginx
396 395 395 ? 00:00:00 nginx
408 384 384 ? 00:01:58 java
414 414 414 ? 00:00:00 accounts-daemon
418 418 418 ? 00:00:00 polkitd
c. As mentioned before, servers are essentially programs, often started by the system itself at boot time. The task performed by a server is called a service. In such fashion, a web server provides web services.
The netstat command is a great tool to help identify the network servers running on a computer. The power of netstat lies in its ability to display network connections.
In the terminal window, type netstat.
[analyst@secOps ~]$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.localdo:48746 localhost.local:wap-wsp ESTABLISHED
tcp 0 0 localhost.localdo:48748 localhost.local:wap-wsp ESTABLISHED
tcp6 0 0 localhost.local:wap-wsp localhost.localdo:48748 ESTABLISHED
tcp6 0 0 localhost.local:wap-wsp localhost.localdo:48746 ESTABLISHED
tcp6 0 0 localhost.local:wap-wsp localhost.localdo:48744 ESTABLISHED
tcp6 0 0 localhost.localdo:48744 localhost.local:wap-wsp ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] DGRAM 8472 /run/systemd/notify
unix 2 [ ] DGRAM 8474 /run/systemd/cgroups-agent
d. Use netstat with the -tunap options to adjust the output of netstat. Notice that netstat allows multiple options to be grouped together under the same "-" sign.
The information for the nginx server is highlighted.
[analyst@secOps ~]$ sudo netstat -tunap
[sudo] password for analyst:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 395/nginx: master p
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 279/vsftpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 277/sshd
tcp 0 0 0.0.0.0:6633 0.0.0.0:* LISTEN 257/python2.7
tcp6 0 0 :::22 :::* LISTEN 277/sshd
tcp6 0 0 :::23 :::* LISTEN 1/init
udp 0 0 192.168.1.15:68 0.0.0.0:* 237/systemd-network
Clients will connect to a port and, using the correct protocol, request information from a server. The netstat output above displays a number of services that are currently listening on specific ports. Interesting columns are:
• The first column shows the Layer 4 protocol in use (UDP or TCP, in this case).
• The third column uses the
• The fourth column uses the same socket format
• The fifth column displays the state of the connection.
• The sixth column displays the process ID (PID) of the process responsible for the connection. It also displays a short name associated to the process.
e. Sometimes it is useful to cross-reference the information provided by netstat with ps. Based on the output of item (d), it is known that a process with PID 395 is bound to TCP port 80. PID 395 is used in this example. Use ps and grep to list all lines of the ps output that contain PID 395:
[analyst@secOps ~]$ sudo ps -elf | grep 395
[sudo] password for analyst:
1 S root 395 1 0 80 0 - 1829 sigsus Feb27 ? 00:00:00 nginx: master process /usr/bin/nginx -g pid /run/nginx.pid; error_log stderr;
5 S http 396 395 0 80 0 - 1866 SyS_ep Feb27 ? 00:00:00 nginx: worker process
0 S analyst 3789 1872 0 80 0 - 1190 pipe_w 14:05 pts/1 00:00:00 grep 395
In the output above, the ps command is piped through the grep command to show only the lines containing the number 395. The result is three lines with text wrapping.
The first line shows a process owned by the root user (third column), started by another process with PID 1 (fifth column), on Feb27 (twelfth column) with command /usr/bin/nginx -g pid /run/nginx.pid; error_log stderr;
The second line shows a process with PID 396, owned by the http user, started by process 395, on Feb27.
The third line shows a process owned by the analyst user, with PID 3789, started by a process with PID 1872, as the grep 395 command.
Based on the last column of line 1, the output shows the nginx command line.
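The grep 395 filter in step (e) matches the number anywhere on a line, which is why the grep process itself appears in the result. The script below is an added example, not part of the original lab: it does the same netstat-to-ps cross-reference by matching the PID and PPID columns exactly. The function names are hypothetical and the sample data is constructed from the lab output, with one decoy process (PID 3950) added.

```shell
#!/bin/sh
# Constructed sample data modelled on the lab output (PID 3950 is an added decoy).
NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 395/nginx: master p
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 277/sshd
tcp6 0 0 :::23 :::* LISTEN 1/init
udp 0 0 192.168.1.15:68 0.0.0.0:* 237/systemd-network'

PS_SAMPLE='F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
4 S root 1 0 0 80 0 - 2250 SyS_ep Feb27 ? 00:00:00 /sbin/init
1 S root 395 1 0 80 0 - 1829 sigsus Feb27 ? 00:00:00 nginx: master process /usr/bin/nginx -g pid /run/nginx.pid; error_log stderr;
5 S http 396 395 0 80 0 - 1866 SyS_ep Feb27 ? 00:00:00 nginx: worker process
1 S root 3950 2 0 80 0 - 0 worker 14:01 ? 00:00:00 [kworker/0:2]
0 S analyst 3789 1872 0 80 0 - 1190 pipe_w 14:05 pts/1 00:00:00 grep 395'

# pid_for_port PORT: read "netstat -tunap" text on stdin and print the PID
# of the first TCP socket in LISTEN state on PORT.
pid_for_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")      # port is the last ":" piece (also for :::23)
            if (a[n] == port) { split($7, p, "/"); print p[1]; exit }
        }'
}

# procs_for_pid PID: read "ps -elf" text on stdin and print "PID PPID UID CMD"
# for the process whose PID column (4) equals PID and for its direct
# children (PPID column 5). A substring such as 3950 or "grep 395" is ignored.
procs_for_pid() {
    awk -v pid="$1" '
        NR > 1 && ($4 == pid || $5 == pid) {
            cmd = $15                  # CMD starts at column 15 and may contain spaces
            for (i = 16; i <= NF; i++) cmd = cmd " " $i
            print $4, $5, $3, cmd
        }'
}

# who_listens PORT: join the two views; returns 1 if nothing listens on PORT.
who_listens() {
    pid=$(printf '%s\n' "$NETSTAT_SAMPLE" | pid_for_port "$1")
    [ -n "$pid" ] || return 1
    printf '%s\n' "$PS_SAMPLE" | procs_for_pid "$pid"
}

who_listens 80
```

On a live host, pipe the output of sudo netstat -tunap and sudo ps -elf into the two functions instead of the sample variables.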