Mammon_'s Tales to Tux's Grandson
32-bit Task-Switching Synchronized Insurrection

Linux allows for different levels of commitment. On the one hand, with a distribution such as Corel or Caldera, one can have a no-fuss, well-configured system in under an hour; on the other hand, with a more serious distribution such as Slackware or Debian, one can spend weeks --even months-- modifying initialization scripts, adding command-line shortcuts, squeezing an extra iota of performance out of the memory manager, and in general fine-tuning the machine in the manner of a weekend mechanic.

The previous paper represented a lower level of commitment; its contents could be considered mandatory for any install, the bare minimum one needs in order to obtain a linux install worth having. What follows represents a somewhat higher level of commitment to the OS; these topics can be considered unnecessary, fanatical, or the extra 'points for style' to polish off an already quality linux install.

Protecting Ports
----------------

The way into a computer is through its ports; any remote attack on a host will require a connection to an open port in order to succeed. Thus, from a security standpoint, the ports on a host are the first area to safeguard. Many arguments stressing the superior security of Windows NT tend to ignore this; any given unix ships with servers listening on every standard port, while NT does not even have a telnet server [that networking stuff costs extra]. As a result, the majority of systems broken into are unix systems as they have more doors [requiring more guards or even some bricking-up]; using this to imply that NT is more secure than unix leads to the logical conclusion that DOS is therefore more secure than NT. Security is to be measured in how secure a system can be, not in how secure its manufacturer ships it -- and to get a system as secure as it can be, the ports must be dealt with.
Nmap

The first step one should take in securing the ports of a host is the same step that a potential intruder would take: run a port scanner to determine which ports on the host are open [and therefore, potentially vulnerable]. Nmap is perhaps the best port scanner around for security purposes; unlike specialized 'security tools' such as SATAN it scans for all open ports rather than a select few, and it has a number of features that most scanners are lacking. To begin with, run nmap on the target host:

    root@localhost>nmap 123.45.67.89

    Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on gaap.pandemonium.com (123.45.67.89):
    Port    State       Protocol  Service
    21      open        tcp       ftp
    22      open        tcp       ssh
    23      open        tcp       telnet
    25      open        tcp       smtp
    37      open        tcp       time
    80      open        tcp       http
    111     open        tcp       sunrpc
    113     open        tcp       auth
    515     open        tcp       printer
    731     open        tcp       netviewdm3
    2049    open        tcp       nfs

    Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

Note that the above output was obtained before ip_chains were configured; the machine is protected only by tcp_wrappers. Once ip_chains have been started, with the configuration suggested in Part 1 [default action is DENY, suitable for a workstation], nmap returns no ports found.

As mentioned earlier, nmap supports multiple scanning techniques in order to circumvent portscan countermeasures on the target host. The different scanning methods are identified with variations of the -s flag:

    -sP : Standard ping scan -- shouts "I am portscanning you!"
    -sT : Standard TCP connect() scan -- still rather obvious
    -sU : Standard UDP scan -- for UDP ports only
    -sS : TCP SYN scan -- slightly more covert
    -sF : TCP FIN scan -- packet has only FIN flag set
    -sX : TCP 'Xmas Tree' scan -- packet has FIN, URG, PUSH set
    -sN : TCP NULL scan -- packet has no flags set

In addition, nmap has some 'special options' that make it the Aston Martin of port scanners:

    -b user:pwd@server:port -- proxy the portscan from 'server:port'
    -D server[,server2 ...] -- use "server"[s] as decoys :)
    -S ipaddress            -- specify the IP address the scans appear to come from
    -g #                    -- specify the port number the packets appear to come from
    -p #-#                  -- range of ports to scan [default is 1 - 1024]
    -P0 : do not ping hosts before scanning [very nice]
    -PT : use a TCP ack rather than ICMP echo for ping
    -PI : use ICMP echo packet
    -PB : use TCP and ICMP ping methods [default]
    -O  : identify OS of target host
    -I  : query identd on remote host for owner of each open port
    -f  : fragment the S,F,X, or N packets to fool packet filters
    -o filename -- output human-readable log to 'filename'
    -m filename -- output machine-readable log to 'filename'
    -v  : verbose [natch]

Nmap has found a few ports open: now what? Just for fun, you can telnet to the ports, or use netcat. Depending on the port, you may wish to disable it entirely in inetd.conf or in the rc scripts, or you may wish to protect it with an ipchain.

Port Sentry

Port Sentry has got to be the coolest linux security program in existence, vis-a-vis the win-nuke-em script punk situation. Port sentry is meant to do one thing: detect and react to port scans. The detection part is simple; the program allows Classic mode --where you specify the ports you want to monitor-- and Stealth mode, in which you provide the top end of a range of ports to scan [default is 1024, so 1-1024 are watched] and a list of ports to exclude from monitoring.
Both of these modes allow you to specify hosts to ignore [e.g., your LAN] and the number of connections to allow before triggering [default is 0]. Now the fun really starts. Port Sentry allows you to set up the following response actions:

    KILL_ROUTE:      use routed to route the packets from the suspect IP to a nonexistent machine or to reject them; or set up an ipchains rule for the suspect IP.
    KILL_HOSTS_DENY: Add suspect IP to hosts.deny file
    KILL_RUN_CMD:    The best one yet. This runs an external command [and will pass the suspect IP on the command line] of your choosing; one can page the sysadmin, email root, nmap the suspect IP, flood-ping the suspect IP, etc.

Port Sentry also allows you to mock any potential attackers with the PORT_BANNER variable, which will display a short message to the port being scanned. PortSentry will write to the /var/adm/messages file with the following keywords:

    adminalert:    - Some message indicating the status of the PortSentry.
    securityalert: - A message indicating a security relevant event occurred.
    attackalert:   - A host has tripped a sensor and an action was performed.

It is configured via the portsentry.conf file in the portsentry home directory. The configuration file is fairly straightforward:

    #------------------------------------------------------portsentry.conf
    #_________________________Ports_to_Monitor [Basic Mode]
    TCP_PORTS="21,23,25,80"
    UDP_PORTS=""
    #_________________________Ports_to_Monitor [Advanced Mode]
    # Monitor ports up to & including the one listed
    ADVANCED_PORTS_TCP="1024"
    ADVANCED_PORTS_UDP="1024"
    #_________________________Ports_to_Exclude [Advanced Mode]
    # Default TCP ident and NetBIOS service
    ADVANCED_EXCLUDE_TCP="113,139"
    # Default UDP route (RIP), NetBIOS, bootp broadcasts.
    ADVANCED_EXCLUDE_UDP="520,138,137,67"
    #_________________________Config_Files
    IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
    HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
    BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"
    #__________________________Response_Methods
    # 0 = do not block   1 = block   2 = do KILL_RUN_CMD only
    BLOCK_UDP="1"
    BLOCK_TCP="1"
    # Sensitivity [ # of connects allowed before alarm ]
    SCAN_TRIGGER="0"
    KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
    KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
    KILL_RUN_CMD="echo PortScan from $TARGET$:$PORT$ | wall"
    PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED **"
    #-------------------------------------------------------------------EOF

Once configured, port sentry can be started in either TCP or UDP mode using -tcp/-udp for basic mode, -stcp/-sudp for stealth mode, and -atcp/-audp for advanced-stealth mode:

    root@localhost>portsentry -atcp; portsentry -audp

Running nmap flat-out will demonstrate the effects of PortSentry quite quickly:

    * A message is sent to all users with the IP address of the scanner
    * The scanner's IP is added to /etc/hosts.deny
    * A rule is added to the 'input' ipchain denying all packets from the scanner's IP address [check with 'ipchains -L input']

Note, however, that nmap's stealth options [e.g. -sF and -sX] allow it to scan the host undetected -- for this reason one should secure all valuable ports with ipchains, and use PortSentry only on 'script kid' ports such as the Back Orifice and PC Anywhere ports --which should have no 'server' listening on Unix machines-- in order to build a log of hostile IP addresses.

Integrity Checks
----------------

An integrity checker is one of the tools that one hopes one will never need. It is at its most useful after an attack, when the sysadmin knows of the security breach and is trying to ascertain the damage.
At its most basic, an integrity checker maintains a database of file sizes, checksums, and create/modification times for a list of files specified by the admin. This database is kept in a secure location such as a floppy, cd-rom, or other read-only filesystem, and on dire occasions it is compared with existing files to determine what system files have been modified. The most widely-used integrity checker is Tripwire; however, it is usually not included with linux distributions as it is not GPLed. Aide is a GPLed utility intended to replicate the functionality of Tripwire.

Integrity checkers are very simple to use. First, create a config file in ./aide.conf or /etc/aide.conf; this config file must contain the location of the aide database, any program options, and the files or directories to watch.

    root@localhost>vi aide.conf

    database=file:///var/adm/aide.db
    database_out=file:///var/adm/aide.db.new
    verbose=20
    /boot R
    /etc R
    /sbin R
    /usr/sbin R
    /var/logs R
    ~

The 'R' flag is a composite aide command; it detects changes to permissions, inode number, number of links, user, group, size, modify time, and create time. Naturally there are more options within aide.conf, including the use of variables and conditional expressions; man aide.conf for details.

The command 'aide --init' will set up the database; when software has been updated, aide --update will validate those changes in the database. It is important to check the database before using the update feature, in order to avoid validating any changes made without your knowledge. Note when updating one must explicitly rename the new database file to the original filename, e.g. `mv /var/adm/aide.db.new /var/adm/aide.db`.
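As an added example, not from the original text, the following wrapper runs `aide --check` from cron and mails the report to the admin only when aide's summary line reports added, removed or changed files; a nightly job that always mails teaches the admin to ignore the mail. It assumes the summary line format `Total number of files=N,added files=N,removed files=N,changed files=N` and a local mailx; the ADMIN variable and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original text): wrap `aide --check` so that
# the nightly cron job mails root only when aide reports a difference.
# Assumptions: aide prints a summary line of the form
#   Total number of files=400,added files=0,removed files=0,changed files=2
# and mailx is the local mailer. ADMIN is the recipient (default root).

ADMIN="${ADMIN:-root}"

# aide_report_changed REPORTFILE
# Parses the summary line of an aide report. Prints "added removed changed"
# and returns 0 when any count is non-zero, 1 when all are zero, and 2 when
# no summary line is present (an aide failure must not pass as "clean").
aide_report_changed() {
    summary=$(grep 'Total number of files=' "$1" | head -n 1)
    [ -n "$summary" ] || return 2
    added=$(echo "$summary"   | sed -n 's/.*added files=\([0-9]*\).*/\1/p')
    removed=$(echo "$summary" | sed -n 's/.*removed files=\([0-9]*\).*/\1/p')
    changed=$(echo "$summary" | sed -n 's/.*changed files=\([0-9]*\).*/\1/p')
    echo "${added:-0} ${removed:-0} ${changed:-0}"
    [ "${added:-0}" -ne 0 ] || [ "${removed:-0}" -ne 0 ] || [ "${changed:-0}" -ne 0 ]
}

# run_aide_check: run aide, keep the full report in a temp file, and mail it
# only when the summary shows a difference or aide itself did not run cleanly.
run_aide_check() {
    report=$(mktemp /tmp/aide.XXXXXX) || return 1
    aide --check >"$report" 2>&1
    aide_status=$?
    counts=$(aide_report_changed "$report")
    changed_status=$?
    if [ "$aide_status" -ne 0 ] || [ "$changed_status" -ne 1 ]; then
        # The subject carries the counts so the admin can triage from the inbox.
        mailx -s "aide: integrity changes on $(hostname) [$counts]" "$ADMIN" <"$report"
    fi
    rm -f "$report"
    return "$changed_status"
}

# Usage from cron, in place of a bare `aide --check | mailx root` line:
#   0 1 * * * /usr/local/sbin/aide-check.sh
```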
The database is checked with the command `aide --check`; this will output a report to STDOUT:

    root@localhost> aide --check

    Summary:
    Total number of files=400,added files=0,removed files=0,changed files=2

    Changed files:
    changed:/etc
    changed:/etc/passwd

    Detailed information about changes:

    file: /etc
      Mtime: old = 954037287 , new = 954041324
      Ctime: old = 954037287 , new = 954041324

    file: /etc/passwd
      Size: old = 683 , new = 714
      Mtime: old = 953967763 , new = 954041324
      Ctime: old = 953967763 , new = 954041324
      MD5: old = Ai9GS5SS4hSxjLCxSJOnyg== , new = cbVLM2dF7hUNpfSE7eGx5g==

Here you see aide reporting on a change to the /etc/passwd file; the modify time has changed, and the MD5 checksum is different, indicating that the file has been modified since the database was last updated.

Once the integrity checker has been set up, it is important to have it run frequently. It would be wise to add a cron job which will mail the output to the system administrator:

    root@localhost>crontab -e

    0 1 * * * aide --check | mailx root 2>&1 >> /dev/null

Since this will send a blank message each evening at 1 am when aide finds no changes, a shell script could be wrapped around the command to only mail the admin when aide reports changes.

Packet Captures
---------------

A packet sniffer is arguably the most useful tool in the network or security analyst's toolbox; it can be viewed as a disassembler for the network stream. A packet sniffer can be applied to a specific interface; it will place the interface in 'promiscuous mode' [meaning it will accept all packets, even those not destined for it] and print to STDOUT or to a file a log of all network traffic. Needless to say, this is dependent on the physical network to which the interface is attached, and thus a packet capture can only be used on local networks.

TCPDump

Every linux distribution comes with tcpdump, a command line packet sniffer.
The syntax for tcpdump is, at one level, very simple:

    tcpdump [-i interface] [-c count]

This will capture 'count' packets [default is infinity] from 'interface' [default is eth0] and print them to STDOUT. Some of the more common options to tcpdump are:

    -x          dump the packet in hexadecimal
    -a          resolve IP addresses to names
    -n          do not resolve IPs to names
    -s          maximum packet size to capture
    -p          do not enter promiscuous mode
    -q          less verbose
    -v and -vv  verbose and very verbose

In addition, the -d, -dd, and -ddd parameters will compile the packet-matching filter specified on the command line and print it in 'human readable' format, in C format, and in decimal format.

The filtering itself can be quite complex; in general the filters will have the format

    type direction protocol

A 'type' is one of 'host', 'net', and 'port' -- e.g. 'host localhost', 'net 10.1', 'net 127.0.0.1', 'port 25'. A 'direction' is one of 'src', 'dst', 'src or dst', and 'src and dst'. These are combined with types to provide qualifiers such as 'src host frimost', 'dst net 127.0.0.2 port 25', and 'src or dst host localhost'. A 'protocol' is one of 'ether', 'fddi', 'ip', 'arp', 'rarp', 'decnet', 'lat', 'sca', 'moprc', 'mopdl', 'tcp', 'udp'. In general, only ip, tcp, and udp will be needed. Each of the above qualifiers can be combined with the keywords 'gateway' and 'broadcast', as well as arithmetic and logical expressions. The tcpdump man page provides a wealth of information regarding filters; in particular, the EXAMPLES section provides filters such as the following:

    To print out all ICMP packets that are not echo requests/replies (i.e. not ping packets):
        tcpdump 'icmp[0] != 8 and icmp[0] != 0'

For small LANs and for introductory experimentation, however, filters need not be used.

Due to the complexity of tcpdump and the data it captures, many front-ends are available. For X, one has the choice of Xipdump and Ethereal, as well as the usual KDE and GNOME versions. So far, Ethereal seems to have the most features.

Sniffit

An alternative to tcpdump is the sniffit program; sniffit uses libpcap and the BPF [BSD Packet Filter] to capture packets. The most basic use of sniffit is to dump packets to STDOUT:

    root@localhost> sniffit -t 10.12.34.@ -x -a

Note that -a dumps the packets in ASCII format [in case, for example, you are emulating a password hijack for an interested onlooker] while -d dumps the packets in hex [in case you are attempting a password hijack *despite* an interested onlooker]. The more interesting sniffit parameters are

    -t [addr]   --destination IP
    -s [addr]   --source IP
    -n          --disable IP checksum checking
    -d          --dump packets in hex-mode bytes to STDOUT
    -a          --dump packets in ASCII-mode bytes to STDOUT
    -x          --prints extra info on TCP packets [SYN,ACK, etc]
    -P [proto]  --protocol: IP, TCP, ICMP, UDP
    -p [port]   --port to log; 0 means 'all'

Needless to say, a few examples will make things more clear:

    #Watch ICMP traffic:
    root@localhost> sniffit -t 10.12.34.@ -x -a -P ICMP
    #Monitor telnet logins:
    root@localhost> sniffit -t 10.12.34.@ -x -a -p 23
    #Read outgoing email:
    root@localhost> sniffit -s 10.12.34.@ -x -a -p 25

Sniffit also has an interactive mode which can be entered with `sniffit -i`; this is an ncurses window with absolutely no helpful hints. When a connection is made, a line will appear in the window:

    10.12.34.56 21 -> 10.12.34.57 1270 : FTP: 220
    10.12.34.57 1270 -> 10.12.34.56 21 : FTP: USER mammon

Note that there are two connections shown, one for the server [port 21] and one for the client [port 1270]. The client is of course the most interest here; use the arrow keys to select that line and press ENTER. A small window will appear in which all subsequent network traffic will be logged:

    PASS YeahRight!..SYST..PORT 10,12,34,57,4,247..LIST..

...and thus is it possible to capture a username and password. A word to the wise: ssh.
Login and Process Accounting
----------------------------

Process accounting is used to record the commands executed on the system; it can be used for monitoring user activity or for measuring system resource usage. To enable process accounting, the kernel must be compiled with the BSD process accounting support [CONFIG_BSD_PROCESS_ACCT] enabled. Once this has been done, the accounting software [GNU's acct package] must be installed and its log file set up:

    root@localhost>mkdir /var/account
    root@localhost>touch /var/account/pacct
    root@localhost>chmod 644 /var/account/pacct

Process accounting can be turned on and off with the accton command; the default behavior of accton is to turn off accounting, however when supplied a filename as a parameter, it will turn on accounting to that file. Thus, the rc.d scripts must be modified to run the following command upon entering the default run level:

    accton /var/account/pacct

Once accounting has been turned on, testing that it is recording is fairly straightforward as the file size grows with each command:

    root@localhost>ls -l /var/account/pacct
    -rw-r--r--   1 root     root           64 Nov 29 01:01 /var/account/pacct
    root@localhost>ls -l /var/account/pacct
    -rw-r--r--   1 root     root          128 Nov 29 01:01 /var/account/pacct

The acct package contains utilities that check the pacct file as well as the utmp log files. The pacct file contains the actual process accounting logs; it can be viewed with the 'lastcomm' [most recently run commands] utility, or summarized with the sa [summarize accounting] utility:

    root@localhost>lastcomm
    bash              F    root     stderr     0.00 secs Mon Nov 29 01:06
    sh                S    root     ??         0.00 secs Mon Nov 29 01:05
    flushpop.sh       S    root     ??         0.01 secs Mon Nov 29 01:05
    ...
    root@localhost>sa
         126      25.56re       0.04cp         0avio       273k
           5       0.01re       0.01cp         0avio       214k   dump-utmp
           4       0.16re       0.00cp         0avio       544k   vim
    ...

User IDs associated with each process can be displayed in the 'sa' report by using the -u option, although the output will be slightly different:

    root@localhost>sa -u
    root       0.00 cpu      207k mem      0 io accton
    root       0.01 cpu      221k mem      0 io ls
    root       0.04 cpu      547k mem      0 io vim
    ...

The pacct file is a binary file and thus cannot be viewed in a text editor; for an ASCII version, the 'dump-acct' utility must be used:

    root@localhost>dump-acct /var/account/pacct | vim -

The utmp files are used for login accounting; like the pacct file, they are binary files and must be dumped with dump-utmp:

    root@localhost>dump-utmp /var/log/wtmp | vim -
    root@localhost>dump-utmp /var/log/utmp | vim -

The wtmp file maintains a log of all logins and logouts on the system; it should be truncated regularly as it can get quite large. The utmp file contains information about who is currently logged into the system. The 'last' and 'who' commands make use of the wtmp and utmp files, respectively.

The 'ac' utility can be used to summarize system logins; the -d option will show the total connect time for all users for each day, while the -p option will show the total for each user --note that these options can be combined to give the total connect time for each user, by day. The connect time for a specific user can be found by appending the username to the 'ac' command:

    root@localhost>ac root
            total    1059.28
    root@localhost>ac mammon
            total       0.00

In addition to the built-in accounting systems, there are many useful monitoring tools available for linux. The most common, of course, is 'top', along with GUI equivalents such as 'qps', 'gps', and 'gtop'. Top allows realtime system monitoring; in addition, it allows the user to kill ['k'] or renice ['r'] a process, to refresh the snapshot [spacebar], to sort by various fields [P for CPU usage, M for memory usage, T for time], to display the command line of a process ['c'], and to hide or display various fields ['f'].
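Process accounting is only useful if someone reads it. As an added example, not from the original text, the following script audits lastcomm output of the layout shown above (command, optional flag letters, user, tty, elapsed time followed by "secs", date) for commands that ran with superuser privileges, the S flag, under an account other than root, which is what a setuid program run by an ordinary user looks like in the accounting log. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original text): audit lastcomm output for
# commands that ran with superuser privileges (flag S) under a non-root
# user. Assumes the lastcomm line layout shown in this text:
#   command [flags] user tty <elapsed> secs <date>
# The flag column is optional, so the "secs" token anchors the parse.

# lastcomm_records FILE
# Normalises lastcomm lines into "user command flags" records; any tokens
# between the command and the user are concatenated as the flag string
# ("-" when there are none). Lines without a "secs" token are skipped.
lastcomm_records() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "secs") break
        if (i > NF || i < 5) next            # not a lastcomm record
        user = $(i - 3)
        flags = ""
        for (j = 2; j <= i - 4; j++) flags = flags $j
        if (flags == "") flags = "-"
        printf "%s %s %s\n", user, $1, flags
    }' "$1"
}

# superuser_execs_by_nonroot FILE
# Prints the records whose flags contain S but whose user is not root.
superuser_execs_by_nonroot() {
    lastcomm_records "$1" | awk '$1 != "root" && index($3, "S") > 0'
}

# Usage against the live accounting file:
#   lastcomm | superuser_execs_by_nonroot /dev/stdin
```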
A good addition to the native process accounting facilities is the 'exec' kernel module, available as exec.c from linux software repositories. Once compiled, exec can be loaded with 'insmod exec.o', whereupon it will log exec() calls as kernel messages at the info priority [syslog facility kern]. When using this module, the syslog daemon should be configured to log these messages to a specific terminal or logfile; the syslog.conf line would look as follows:

    kern.info       /usr/adm/execlog

Restart the syslog daemon by doing a kill -HUP on syslogd, then tail -f /usr/adm/execlog:

    Nov 22 09:06:01 gaap kernel: EXECVE(65534)[459]: /usr/sbin/in.identd
    Nov 22 09:06:01 gaap kernel: EXECVE(0)[464]: /usr/sbin/tcpd
    Nov 22 09:06:01 gaap kernel: EXECVE(0)[465]: /usr/sbin/tcpd
    Nov 22 09:06:01 gaap kernel: EXECVE(0)[465]: /usr/sbin/wu.ftpd
    Nov 22 09:06:27 gaap kernel: EXECVE(0)[470]: /usr/local/bin/nmap
    Nov 22 09:07:41 gaap kernel: EXECVE(0)[471]: /bin/ping
    Nov 22 09:08:18 gaap kernel: EXECVE(0)[472]: /bin/ls

To avoid filling up the filesystem, either truncate this file regularly, or configure syslogd to output to a terminal.

A final important system monitoring tool is 'lsof', which is used to list currently open files. By default, for the root user, lsof displays every open file, including devices and pipes. The -u option will display files open for a specified user, with ^ acting as the NOT operator; thus 'lsof -u root' will display all of the files open under the root UID, while 'lsof -u ^root' will display all files open under UIDs other than root. Files opened by a specific command can be displayed using the -c option followed by the command:

    root@localhost>lsof -c vi
    COMMAND PID USER   FD   TYPE DEVICE   SIZE   NODE NAME
    vim     457 root  cwd    DIR    3,1   2048 164161 /root
    vim     457 root  rtd    DIR    3,1   1024      2 /
    vim     457 root  txt    REG    3,3 919860   8488 /usr/bin/vim
    vim     457 root  mem    REG    3,1  79508 172437 /lib/ld-linux.so.1.9.9

Special files can be displayed as well; the -N option shows NFS files, the -i option shows TCP/UDP ports, and -U shows sockets. Kernel-space files can be ignored using the -b option, which will clear up the display somewhat. And finally, the +D option can be used with a directory name to display the open files within a specified directory tree:

    root@localhost>lsof +D /var
    COMMAND PID USER   FD   TYPE DEVICE   SIZE  NODE NAME
    syslogd 108 root   1w    REG    3,1 692282 12319 /var/log/messages
    syslogd 108 root   2w    REG    3,1  28182 12318 /var/log/debug
    syslogd 108 root   3w    REG    3,1   5444 12347 /var/log/authlog

Needless to say, lsof is a command that lends itself readily to aliases such as 'opensockets' and 'opendevices'.

File System Quotas
------------------

Linux allows disk usage quotas to be enabled for ext2 filesystems; these are useful for preventing a filesystem from filling up due to user abuse, over-zealous log files, or runaway processes with disk output. The quota system is enabled by compiling quota support [CONFIG_QUOTA] into the kernel and modifying /etc/fstab; it is administered with quota.group and quota.user files, and with the commands quotaon, quotaoff, quotacheck, repquota, and edquota. Quota support is applied to filesystems; the filesystems to be administered must be marked with the 'usrquota' option in /etc/fstab.
A typical fstab would then appear as follows [note that the mount options are a comma-separated list with no spaces]:

    /dev/hda2   swap      swap      defaults              0 0
    /dev/hda1   /         ext2      defaults,usrquota     1 1
    /dev/hda3   /usr      ext2      defaults,usrquota     1 1
    none        /proc     proc      defaults              0 0
    /dev/hdc    /cdrom    iso9660   ro,user,noauto        0 0
    /dev/fd0    /floppy   vfat      defaults,user,noauto  0 0

Note that 'usrquota' refers to quotas enforced by UID; the option 'grpquota' can be used when enforcement by GID is necessary. The options are not mutually exclusive, and both may be specified in a single fstab line.

At the mount point for each filesystem to be monitored [/ and /usr in the above example] there must be created the files quota.user and quota.group; these files must be owned by the root user and readable only by root [chmod 600]. Once these files are created and the fstab entries modified, the system should be rebooted to enable quota support [alternatively, the filesystems could be remounted and the quotaon command run]. Note that the rc scripts need to be modified to run quotacheck and quotaon at boot; a script for this is

    if [ ! -e /.noquotas ]
    then
        echo "Checking disk quotas."
        /sbin/quotacheck -avug
        echo "Turning on disk quotas."
        /sbin/quotaon -avug
    fi

This will enable quotas unless the file .noquotas is present in the root directory.

The quota limits can be modified using the 'edquota' utility; it can be used with the -u option to modify quotas for a specific user, or with the -g option to modify quotas for a particular group. The quota system allows one to specify a 'soft limit' at which point the user will be warned, and a 'hard limit' which will disallow further disk activity. To use these, the system 'grace period' must be set up using 'edquota -t'. The edquota command will bring up the default editor [usually vi] with the limits or grace period displayed at their current setting; these may be modified directly, and the results will be enforced when the file in the editor is saved.
    root@localhost>edquota -u mammon

    Quotas for user mammon:
    /dev/hda1: blocks in use: 21, limits (soft = 0, hard = 0)
            inodes in use: 5, limits (soft = 0, hard = 0)

Once the quotas have been modified, they may be verified using the 'repquota' [report quotas] utility:

    root@localhost>repquota -a
                            Block limits                File limits
    User            used    soft    hard  grace    used  soft  hard  grace
    root      --  151419       0       0          12848     0     0
    bin       --     109       0       0              1     0     0
    daemon    --       2       0       0              3     0     0
    mammon    --       4     500     600              4    50   100
    nobody    --       1       0       0              1     0     0

The Proc Filesystem
-------------------

The proc file system contains two types of files: kernel data structures (read-only) and kernel variables (read-write). The bulk of /proc consists of files which contain kernel data structures; these files may be read, but not written to. The general layout of /proc is as follows:

    1/                  -- Info for PID 1
        cmdline         -- Command Line Arguments
        cwd@ -> //      -- Current Working Directory
        environ         -- Environment
        exe@ -> /sbin/init
        fd/             -- Open file descriptors
            10 -> /dev/initctl|
        maps|           -- Memory Maps
        mem             -- Memory in use by process
        root@ -> //
        stat            -- Status (unformatted)
        statm           -- Memory Status (unformatted)
                           Format: Size Res Share TRS DRS LRS DT
                           [Total program size, size of in-mem portions, # shared pages, # code pages, # data/stack pages, # library pages, # dirty pages]
        status          -- Status (formatted)
    10/                 -- Info for PID 10
    103/                -- Info for PID 103
    ...
    99/                 -- Info for PID 99
    apm                 -- APM [power mgt] stats
    bus/                -- Misc BUS Info
        pccard/         -- PCMCIA Bus Info
            00/         -- Info for device 00
                cardbus -- Hex data
                exca    -- Hex data
                info    -- Card Information
                pci     -- Hex data
            ioport      -- I/O Ports used by PCMCIA
            irq         -- Interrupts used by PCMCIA
            memory      -- Memory used by PCMCIA
        pci/            -- PCI Bus Info
            00/         -- Info for device 00
                00.0    -- Binary data
                02.0    -- Binary data
            devices     -- Available devices
        pnp/            -- Plug n Pray Info
            00          -- Info for device 00
            boot/       -- Boot ID info
                00      -- Binary data
            devices     -- Detected devices
    cmdline             -- Kernel command line
    cpuinfo             -- Info about the CPU
    devices             -- Available devices
    dma                 -- Used DMA channels
    filesystems         -- Supported filesystems
    ide/                -- IDE Bus Info
        drivers         -- IDE Driver versions
        ide0/           -- IDE controller 0
            channel     -- IDE controller channel
            config      -- Configuration parameters
            hda/
                cache            -- Device cache
                capacity         -- Capacity of the medium
                driver           -- Driver and version
                geometry         -- Physical and logical geometry
                identify         -- Device identify block
                media            -- Media type
                model            -- Device identifier
                settings         -- Device setup
                smart_thresholds -- IDE disk management thresholds
                smart_values     -- IDE disk management values
            model       -- model info
    interrupts          -- Interrupt usage
    ioports             -- I/O port usage
    kcore               -- Kernel core image
    kmsg                -- Kernel messages
    ksyms               -- Kernel symbol table
    loadavg             -- Load average
    locks               -- Kernel locks
    meminfo             -- Memory info [Total, used, free, swap]
    misc                -- Miscellaneous
    modules             -- List of loaded modules
    mounts              -- Mounted filesystems
    mtrr                -- Pentium II mtrr configuration
    net/                -- Network Information
        arp             -- Kernel ARP table
        dev             -- network devices with statistics
        dev_mcast       -- Layer2 multicast groups
        dev_stat        -- network device status
        igmp            -- IP multicast addresses
        ip_fwchains     -- Firewall chain linkage
        ip_fwnames      -- Firewall chains
        ip_masq/        -- masquerading tables
        ip_masquerade   -- Major masquerading table
        netlink         -- List of PF_NETLINK sockets
        netstat         -- Network statistics
        psched          -- Global packet scheduler parameters
        raw             -- Raw device statistics
        route           -- Kernel routing table
        rt_cache        -- Routing cache
        snmp            -- SNMP data
        sockstat        -- Socket statistics
        tcp             -- TCP sockets
        udp             -- UDP sockets
        unix            -- UNIX domain sockets
        wireless        -- Wireless interface data
    parport/            -- Parallel Ports
        0/              -- Device 0 [LPT1]
            autoprobe   -- Autoprobe results of this port
            devices     -- Connected device modules
            hardware    -- Hardware info (io-port, DMA, IRQ, etc.)
            irq         -- Interrupt Used
    partitions          -- Table of partitions known to the system
    pci                 -- PCI Bus devices
    rtc                 -- Real time clock
    scsi/               -- SCSI BUS Info
    slabinfo            -- Slab pool [memory usage] info
    sound               -- Sound device info
    stat                -- Overall statistics
    swaps               -- Swap space utilization
    sys/                -- System Variables [see below]
    tty/                -- Available and used tty's
        driver/         -- Tty Device Drivers
            serial      -- Usage statistic and status of single tty lines
        drivers         -- List of drivers and their usage
        ldisc/          -- Line disciplines
        ldiscs          -- Registered line disciplines
    uptime              -- System uptime
    version             -- Kernel version

Note that the /proc file system will differ with devices and modules; the above is taken from a Dell laptop and thus is missing the SCSI tree. These files are primarily used for gathering information about the system; their contents should be apparent from their names, though the data may be unformatted. Note that much of this information can be displayed with formatted output using the procinfo command. The /proc files can be combined with cat in aliases to create a quick means of accessing kernel variables:

    root@localhost>vi ~/.bashrc

    alias powerleft='cat /proc/apm'
    alias mem='cat /proc/meminfo'
    alias mods='cat /proc/modules'
    export PS1='$PWD[$TTY] `cat /proc/apm|cut -d " " -f 8`min>'

The last line will display the battery life on the shell prompt, renewing each time the prompt displays.

The kernel variables are located under the directory /proc/sys; this is, in general, the only location of files in /proc that can be modified.
The /proc/sys tree usually has the following files: sys/dev -- Device-specific [driver-supplied] vars sys/fs -- filesystem data binfmt_misc/ -- Register misc binary formats for kernel auto-exec register -- Register binary format type. Syntax: :name:type:offset:magic:mask:interpreter: [name = unique identifier, type = method of file recognition -- E=extension/M=Magic, offset = offset of Magic # into file, magic = byte sequence to match at offset [hex = \x##] or extension to match, mask = bitmask for match, interpreter = program used to launch the matched file] status -- enabled/disabled dentry-state -- Directory Entry cache Contains NULL, # of used cache entries, Age [seconds] when entry is reclaimed, and want_pages + 2 dummy vals. dquot-max -- Max # of chached disk quota entries dquot-nr -- Currently allocated and free quota entries file-max -- Max # of file handles file-nr -- Currently allocated, used, and max# of handles inode-max -- Max # of inode handles inode-nr -- Currently allocated, free inodes inode-state -- Ditto, followed by "preshrink" [nr_inodes > inode-max] super-max -- Max # of superblocks super-nr -- Currently allocated superblocks sys/kernel -- kernel parameters acct -- Control BSD process accounting. Format: highwater lowwater frequency [ % at which to resume, % at which to suspend, how often to check ] ctrl-alt-del -- 0: send to init >0: reboot. domainname -- Get/set domain name hostname -- Get/set hostname modprobe -- Location of modprobe osrelease -- Kernel release # ostype -- Linux ;) panic -- # seconds to wait before rebooting on panic printk -- Control kernel printk output. Format: CL DML MCL DCL [ console_loglevel, default_message_loglevel, minimum_console_level, default_console_loglevel ] rtsig-max -- max # of POSIX realtime (queued) signals rtsig-nr -- # of current POSIX realtime (queued) signals shmmax -- Max shared memory segment size version -- # of times compiled from this source distr. 
    sys/net         -- Networking
        802/          -- E802 protocol
        core/         -- General parameters
            message_burst      -- # of 1/10-seconds between repeat msgs
            message_cost       -- Priority of message [ more = less msgs ]
            netdev_max_backlog -- Max # of incoming packets to queue
            optmem_max         -- max ancillary buffer size
            rmem_default       -- default socket receive buffer size
            rmem_max           -- max socket receive buffer size
            wmem_default       -- default socket send buffer size
            wmem_max           -- max socket send buffer size
        ethernet/     -- Ethernet protocol
        ipv4/         -- IP version 4
            conf/     -- per-device configuration settings
                accept_redirects    -- Boolean 0=router, 1=pc
                accept_source_route -- Boolean 1=router, 0=pc
                bootp_relay         -- Boolean act as BootP relay
                forwarding          -- Boolean IP forwarding
                log_martians        -- Boolean log unknown source addr
                mc_forwarding       -- Boolean multicast routing
                proxy_arp           -- Boolean proxy ARP
                rp_filter           -- Boolean validate source
                secure_redirects    -- Boolean ICMP redir to gateway only
                shared_media        -- Boolean
                send_redirects      -- Boolean send ICMP redirs
            icmp_destunreach_rate       -- Max packet rate 1/100-second
            icmp_echo_ignore_all        -- Boolean on/off
            icmp_echo_ignore_broadcasts -- Boolean on/off
            icmp_echoreply_rate         -- Max packet rate 1/100-second
            icmp_ignore_bogus_error_responses -- Boolean on/off
            icmp_paramprob_rate         -- Max packet rate 1/100-second
            icmp_timeexceed_rate        -- Max packet rate 1/100-second
            ip_autoconfig               -- Boolean: was IP auto-cfg'd?
            ip_default_ttl       -- Max # hops for outgoing packets
            ip_dynaddr           -- Boolean: dynamic address rewriting
            ip_forward           -- Boolean: enable IP forwarding
            ip_local_port_range  -- Range, lowest-highest avail port #
            ip_no_pmtu_disc      -- Boolean: Path MTU Discovery
            ipfrag_high_thresh   -- Max memory for IP reassembly
            ipfrag_low_thresh    -- Lower threshold [stop dropping pkt]
            ipfrag_time          -- Time to keep IP fragment in memory
            tcp_fin_timeout      -- How long to wait for FIN
            tcp_keepalive_probes -- # of keepalive probes to send
            tcp_keepalive_time   -- How often to send out keepalive
            tcp_max_ka_probes    -- Max keepalive per timer run
            tcp_max_syn_backlog  -- Size of socket backlog queue
            tcp_retrans_collapse -- Boolean: send larger pkt on retry
            tcp_retries1         -- # TCP retries [receive]
            tcp_retries2         -- # TCP retries [send]
            tcp_sack             -- Boolean: select ack [RFC2018]
            tcp_stdurg           -- Boolean: urgent ptr [RFC793]
            tcp_syn_retries      -- # of times to retry SYN pkts
            tcp_syncookies       -- Boolean: enable syncookies
            tcp_timestamps       -- Boolean: timestamps [RFC1323]
            tcp_window_scaling   -- Boolean: Window scaling [RFC1323]
        unix/         -- Unix domain sockets
            delete_delay   -- Delay for socket delete
            destroy_delay  -- Delay for socket destroy
            max_dgram_qlen -- Max queue length
    sys/sunrpc      -- Reset the debug flags for RPC subsystem
        nfs_debug     -- Reset nfs_debug flag
        nfsd_debug    -- Reset nfsd_debug flag
        nlm_debug     -- Reset nlm_debug flag
        rpc_debug     -- Reset rpc_debug flag
    sys/vm          -- Virtual Memory Management
        bdflush       -- bdflush kernel daemon
                         nfract:     % buffer cache dirty to activate bdflush
                         ndirty:     Max # dirty blocks written per wake cycle
                         nrefill:    # clean buffers to obtain on refill
                         nref_dirt:  Dirty buffer threshold
                         dummy val
                         age_buffer: Age of normal buffer before flush
                         age_super:  Age of superblock before flush
                         2 more dummy vals
        buffermem     -- How much memory to use for buffers
                         min_percent:    minimum % of memory to use
                         borrow_percent: % to prune on memory shortage
                         max_percent:    maximum % to use for buffers
        freepages     -- Regulate free-memory allocation
                         min:  Below this only kernel can alloc memory
                         low:  Below this kernel seriously swaps
                         high: Below this point, kernel lightly swaps
        kswapd        -- Kernel swap daemon
                         tries_base:   # of pages to swap out each round
                         tries_min:    Min # of times to try freeing a page
                         swap_cluster: # of pages written in one turn
        overcommit_memory -- Set to 1 to allow mallocs to always succeed
        page-cluster      -- Read in 2^[#] pages at a time -- default is 4.
        pagecache         -- Same as buffermem, only for memory-maps
        pagetable_cache   -- Per-processor cache -- set to 0 for non-SMP

Note that each of these parameters can be modified; the best way to do this is to cat the /proc file to a temporary file, modify the file, then write the temp file back to the /proc file. The /proc files with a boolean [0/1] value can be reset simply by echoing 0 or 1 to the /proc file.

In general, the /proc/sys tree mimics the linux kernel source layout; for example, /proc/sys/net/core maps to /usr/src/linux/net/core. To track down the usage of variables in the kernel source, one could search the relevant directories under /usr/src/linux for occurrences of the variable:

    root@localhost>cd /usr/src/linux
    root@localhost>grep -A 2 message_burst net/core/*.c
    net/core/sysctl_net_core.c:     {NET_CORE_MSG_BURST, "message_burst",
    net/core/sysctl_net_core.c-     &net_msg_burst, sizeof(int), 0644, NULL,
    net/core/sysctl_net_core.c-     &proc_dointvec_jiffies},
    root@localhost>grep -n net_msg_burst net/core/*.c
    net/core/utils.c:39:int net_msg_burst = 10*5*HZ;
    net/core/utils.c:55:    if (toks > net_msg_burst)

One of the tunable kernel parameters that is not located under /proc/sys is the interface to the MTRR support; this is available through the /proc/mtrr file. MTRR stands for Memory Type Range Register; in a nutshell, it is a register for transferring specific memory ranges in order to gain high-speed access to that memory range. Sample uses of MTRR would be to increase performance to on-card memory for video card and drive controller cards.
X-windows takes advantage of MTRRs, so it is a good idea to set this up for the local video card. The simplest way to do this is to capture the output from X ['X -probeonly 2> out.txt'] and grep the output for the line buffer:

    root@localhost>grep buffer out.txt
    (--) SVGA: NM2160: Linear framebuffer at 0xF0000000

A /proc/mtrr entry can be added by echoing the memory base address, size, and type to /proc/mtrr. The above video card has 2MB of VRAM; thus the following command is used to modify the MTRR file:

    echo "base=0xf0000000 size=0x200000 type=write-combining" >> /proc/mtrr

The results will be added in the next available register [usually reg03]:

    root@localhost>cat /proc/mtrr
    reg00: base=0x00000000 (   0MB), size= 128MB: write-back, count=1
    reg01: base=0x100a0000 ( 256MB), size=  16MB: write-back, count=1
    reg02: base=0xf0000000 (3840MB), size=   2MB: write-combining, count=1

Additional PCI devices can be added by searching through /proc/pci for prefetchable memory addresses; these should be added as write-combining to enable burst memory writes.

The binfmt_misc directory is also a good area to experiment in. The register file in this directory allows one to register file types with specific executables, so that if a file of that type is given execute permissions [chmod +x] it will be passed as a parameter to the executable it is associated with. This turns out to be a mechanism similar to file extension association in Windows-9x or in various Window Managers, only more powerful -- files can be associated by extension or by a binary signature in their file header [e.g., DOS apps could be identified by the MZ string in the header]. The following are a few suggested associations:

    ':DOSWin:M::MZ::/usr/local/bin/wine:'
    ':Java:M::\xca\xfe\xba\xbe::/usr/local/java/bin/javawrapper:'
    ':Perl:E::pl::/usr/bin/perl:'
    ':Tcl:E::tcl::/usr/bin/tclsh:'
    ':HTML:E::html::/usr/local/bin/netscape:'
    ':Applet:M::
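Returning to the boolean /proc/sys files described earlier: the following script, added here and not part of the original article, applies a workstation-style set of the ipv4 booleans from the list above by echoing 0 or 1 into each file and reading it back to confirm the kernel accepted the value. It assumes the per-device settings are aggregated under conf/all (a directory not named on the page) and reads the tree root from a PROC_SYS variable so the logic can be exercised against a scratch directory before touching a live kernel.

```shell
#!/bin/sh
# Added example, not from the original article: drive the boolean /proc/sys
# knobs listed above by echoing 0/1 into them, then read each one back so a
# silently rejected write is caught. PROC_SYS defaults to the live tree; point
# it at a scratch directory to dry-run the logic without touching the kernel.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# proc_set <path under /proc/sys> <value>
# Returns 1 if the file is absent/unwritable or the read-back value differs.
proc_set() {
    f="$PROC_SYS/$1"
    [ -w "$f" ] || { echo "skip: $f not writable" >&2; return 1; }
    echo "$2" > "$f" || return 1
    [ "$(cat "$f")" = "$2" ]
}

# proc_get <path under /proc/sys>: print the current value, empty if absent.
proc_get() {
    cat "$PROC_SYS/$1" 2>/dev/null
}

# Workstation settings drawn from the ipv4 list above: a non-router should
# not honour source routes or ICMP redirects, should drop broadcast pings
# (smurf amplification), validate source addresses (rp_filter), log spoofed
# "martian" sources and enable syncookies against SYN floods. The conf/all
# paths are an assumption about where the per-device knobs are aggregated.
# Returns the number of settings that could not be applied.
harden_ipv4() {
    fails=0
    while read -r path value; do
        [ -n "$path" ] || continue
        proc_set "$path" "$value" || fails=$((fails + 1))
    done <<EOF
net/ipv4/conf/all/accept_source_route 0
net/ipv4/conf/all/accept_redirects 0
net/ipv4/conf/all/send_redirects 0
net/ipv4/conf/all/rp_filter 1
net/ipv4/conf/all/log_martians 1
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/tcp_syncookies 1
EOF
    return "$fails"
}
```

Run harden_ipv4 as root on the live tree; it reports each file it could not set on stderr and returns that count, so a kernel lacking one of the knobs is noticed rather than silently half-configured.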