Skip to main content

Virtual File System - /proc

posted onApril 6, 2004
by hitbsecnews

L33tdawg: This article first appeared over at our affiliates' site EBCVG. The original article can be found here.

By: Danny "Dr. T"

This article gives a brief overview on the /proc file system. It explains how to gather information using /proc and how to change system information (shortly explained). The article mostly focuses on important parts of /proc and less on others. Even though it is a short article, it provides good information for any UNIX-based operating system user.

The /proc file system is sort of mechanism that is used for the kernel and kernel modules to send information to processes (hence the name). This pseudo file structure allows you to interface with the internal data in the kernel, and to obtain information about the system/processes and to change settings. The /proc file system does not occupy space on hard drive; therefore it (and its files and sub- directories) is referred as “virtual file system”, but yet looks and acts like disk-based file system.

In order to use the /proc file system, two settings must be enabled in the kernel:CONFIG_PROC_FS – access/view/edit the /proc file system, and CONFIG_SYSCTL – modification without requiring a reboot. On most Linux distributions, those two settings are enabled by default. However, if you build your own kernel, make sure that you enabled them.

How does it work?

As mentioned above, neither the /proc directory nor its sub-directories and its files actually exits (virtual), so how one can access, read and edit those files? They are created dynamically in memory form raw kernel data only on demand when you access them.

Getting System Information

This /proc directory contains sub-directories in it, which contain information about the system. All the sub-directories are read-only, since they are used to gather system information. The first class of sub-directories is “Process Specific”. As the name implies, they are used to gather information on specific processes. Each running process has a sub-directory under /proc, which is named after the PID (Process ID). For example:

$ ps –aux | grep “syslog”
root 660 0.0 0.4 1428 588 ? S Nov18 0:00 syslogd –m 0

Syslogd’s PID is 660, so in order to find more information about Syslogd, one should look at the sub-directory /proc/660. Each process sub-directory has various files under it. Few of them are given below:

/proc/PID/cmdline – prints command line arguments
/proc/PID/cwd – link to the current working directory
/proc/PID/environ – values of environment variables
/proc/PID/mem – memory held by the process
/proc/PID/status - process status
/proc/PID/statm – process memory status information

For example, to get the status of a running process, all you have to do is to read the file /proc/PID/status. The ‘ps’ command uses the /proc file system to obtain information about running processes on the system. Indeed, most of the information is available to use through UNIX commands.

Not only information about running processes can be gathered, but also information about the running kernel. Note that not all of the kernel files will be present in your system. It depends on the running kernel, kernel configuration and loaded modules. Important files are given below:

/proc/cpuinfo – information about the CPU (model, cpu family etc.)
/proc/devices – available devices
/proc/interrupts – interrupt usage
/proc/iomem – memory map (version 2.4)
/proc/ioports – I/O (Input/Output) port usage
/proc/kmsg – kernel messages
/proc/meminfo – memory info
/proc/modules – list of loaded modules
/proc/mounts – list of mounted file systems
/proc/net – network information (see below)
/proc/sys – change the parameters within the kernel
/proc/version – kernel and system version

As mentioned above, you can use the command lsmod to view the list of loaded modules, which is equal to cat /proc/modules.

/proc/net

A variety of network information and data is available in the /proc/net directory. The more useful files available in the /proc/net sub-directory (short explanation how to use them) are given below:

/proc/net/dev – information about the configured network interfaces. This file can be used by network administrators to view the status of the network.
/proc/net/[tcp,udp,raw] – those three files shows information about open network sockets. The information is exported by the kernel. Note that those files are relevant for IPv4 only.
/proc/net/route – routing table; available using the command route.

Modifying System Information

In the previous part, I discussed about the various information than can be gathered using the /proc file system. In this part I’ll briefly discuss about the interesting part of the /proc file system - /proc/sys.

The /proc/sys allows you to change the parameters within the kernel, contrary to the previously mentioned files, which are just source of information. Note that you must know what you doing/changing when attempting to change anything; it might optimize your system or make the system crash. Therefore it is recommended to use a test machine to test your new configuration. Information change is done using the UNIX echo command (see below).

I will continue in the same pattern I used above – few examples for /proc/sys and a bit explanation

/proc/sys/kernel

This directory contains information which reflects general kernel behaviors.

/proc/sys/kernel/domainname – holds the NIS name for the machine. Use echo command to change: # echo “mydomain.com” > /proc/sys/kernel/domainname

/proc/sys/kernel/hostname – holds the name of the machine. Use echo command to change: # echo “frog” > /proc/sys/kernel/hostname. You can run as root the command # hostname frog and have the same results.

/proc/sys/kernel/{osrelease, ostype, version} – the names indicate what the files contain. Those files can be tuned only when you build a new kernel.

/proc/sys/vm

This sub-directory contains files, which can be used to tune information about the virtual memory (VM) subsystem. I will not explain about this sub-directory, due to its complexity.

/proc/sys/net

This sub-directory is the gate to the networking parts in the kernel. I will dead with sub-directories and files concerning IP networking and security.

/proc/sys/net/ipv4 – IPv4 is the most used protocol in UNIX networking. This sub-directory controls the behavior of the IPv4 sub-system of the kernel. This sub-directory is playing a major role on securing a UNIX system, even though it is neglected by network administrators.

This sub-directory contains many files for ICMP configuration, IP configuration, TCP configuration, interface configuration and more. To understand better the meaning of each file, I recommend reading the documentation of the Linux Kernel.

Links

/proc/sys/{kernel, vm} - http://www.opennet.ru/base/dev/procdoc.txt.html
/proc file system - http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/ch-pr…
/proc file system - http://www.samag.com/documents/s=1190/sam9806d/9806d.htm

1.) Reducing "Human Factor" Mistakes - Dancho Danchev
2.) Virtual File System - /proc - Danny “Dr.T”
3.) Hiding Files - [in]visible
4.) Better Living Through Mod Security - L33tdawg
5.) Guide to ARP Spoofing - Barfbag
6.) SMOKE="gentoo" - mel
7.) Nessus - Doing more with Less - christian

Source

Tags

Articles

You May Also Like

Recent News

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th

Friday, June 7th

Thursday, June 6th

Wednesday, June 5th