Process Audit Checklist


Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved



Check all that apply:

Checking Root Processes


As a normal (non-root) user, type 'ps -aux > /tmp/pslisting' (on systems with a BSD-style ps that rejects the dash, 'ps aux') and then examine the file for the following. The process names below are generic; match them against the command names your system's ps actually prints (the syslog daemon, for example, usually appears as "syslogd"):
There is one and only one process named "swapper".
The "swapper" process is process number 0.
There is one and only one process named "init".
The "init" process is process number 1.
There is one and only one process named "pagedaemon".
The "pagedaemon" process is process number 2.
If there is a process owned by "root" and named "portmapper", it is explicitly identified as a process that should be running.
There is no more than one process owned by "root" and named "portmapper".
If there is a process owned by "root" and named "syslog", it is explicitly identified as a process that should be running.
There is no more than one process owned by "root" and named "syslog".
If there is NOT a process owned by "root" and named "update", "update" is explicitly identified as a process that should not be running on this system.
If there is a process owned by "root" and named "cron", it is explicitly identified as a process that should be running.
There is no more than one process owned by "root" and named "cron".
If there is NOT a process owned by "root" and named "inetd", "inetd" is explicitly identified as a process that should not be running on this system.
For each process named "getty", the terminal it is attached to is one on which users should be allowed to log in.
With the exception of the root-owned processes identified above, every process owned by "root" is explicitly identified as necessary for system operation.

Checking for Zombie Processes


There are no processes with a "process state" containing a "Z" (a zombie: a process that has exited but whose parent has not yet collected its exit status).

Checking Old Processes


Every process whose start time is more than 24 hours ago is one that is expected to run that long (for example a system daemon); any other long-running process is explicitly justified.

Checking Non-root

These items apply to processes owned by system accounts (users with UIDs below 100 in the /etc/passwd file) and to "special" non-root accounts such as "nobody".


All processes owned by user "nobody" are running programs explicitly identified as legitimate for untrusted, unverified, remote users.
Each process belonging to each non-root system user is explicitly identified as legitimate for that user in this environment.
Each process belonging to each user is explicitly identified as legitimate for that user in this environment.
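The checks above can be run mechanically against the saved listing. The script below is an added example, not part of the original checklist: it assumes the BSD-style column layout shown in its header comment, uses the generic process names from the checklist, and audits a constructed sample listing and passwd file (both labelled as such in the code) so it runs offline. The allowlists ROOT_ALLOWED and NONROOT_ALLOWED stand in for the "explicitly identified" lists the checklist refers to and must be adapted to what is documented for the host being audited; the "unlisted", "perl" and second "syslog" entries in the sample exist only to make the checks fire.

```shell
#!/bin/sh
# Added example (not from the original checklist): mechanises the root-process,
# zombie, long-runtime, getty and non-root checks against a listing saved with
# "ps -aux > /tmp/pslisting". Assumed (BSD-style) column layout:
#   USER PID %CPU %MEM VSZ RSS TT STAT START TIME COMMAND
# Process names, allowlists, sample listing and sample passwd are constructed.

# Root-owned processes documented as necessary on this hypothetical host.
ROOT_ALLOWED="swapper init pagedaemon portmapper syslog update cron inetd getty"
# user:command pairs documented as legitimate for "nobody" and system accounts.
NONROOT_ALLOWED="nobody:httpd daemon:lpd"

# Constructed listing: a second syslog, an unlisted root process, a stray
# "perl" under nobody and a zombie are planted so every check has a hit.
make_sample_listing() {
  cat > "$1" <<'EOF'
USER       PID %CPU %MEM  VSZ  RSS TT STAT START    TIME COMMAND
root         0  0.0  0.0    0    0 ?  D    Jan01    0:03 swapper
root         1  0.0  0.1  120   48 ?  I    Jan01    0:01 init
root         2  0.0  0.0    0    0 ?  D    Jan01    0:00 pagedaemon
root        58  0.0  0.2  160   96 ?  I    Jan01    0:02 portmapper
root        71  0.0  0.2  180  112 ?  I    Jan01    0:09 syslog
root        84  0.0  0.1  100   40 ?  S    Jan01    1:12 update
root        92  0.0  0.2  172  100 ?  I    Jan01    0:04 cron
root       101  0.0  0.2  168   96 ?  I    Jan01    0:01 inetd
root       118  0.0  0.1   96   56 co I    Jan01    0:00 getty
root       120  0.0  0.1   96   56 p2 I    Jan01    0:00 getty
root       402  0.0  0.2  180  112 ?  I    09:58    0:00 syslog
root       412  0.0  0.3  240  160 ?  S    10:17    0:00 unlisted
daemon     133  0.0  0.2  150   90 ?  I    Jan01    0:00 lpd
nobody     307  0.1  0.5  600  410 ?  S    10:02    0:05 httpd
nobody     312  0.1  0.5  600  410 ?  S    10:03    0:00 perl
alice      355  0.0  0.3  220  140 p1 Z    10:05    0:00 <defunct>
alice      360  0.2  0.4  300  200 p1 S    10:05    0:01 vi
EOF
}
# Constructed passwd file: daemon is a system account (UID < 100), alice is not.
make_sample_passwd() {
  printf '%s\n' 'root:x:0:0::/:/bin/sh' 'daemon:x:1:1::/:/bin/sh' \
    'nobody:x:65534:65534::/:/bin/sh' 'alice:x:501:100::/home/alice:/bin/sh' > "$1"
}

# Normalise the listing (skipping the header) to: user pid tty stat start command.
rows() { awk 'NR > 1 { print $1, $2, $7, $8, $9, $11 }' "$1"; }

# Exactly one swapper/init/pagedaemon, at PID 0/1/2; one line per violation.
check_kernel_pids() {
  for pair in swapper:0 init:1 pagedaemon:2; do
    name=${pair%:*}; want=${pair#*:}
    pids=$(rows "$1" | awk -v n="$name" '$6 == n { print $2 }')
    [ "$pids" = "$want" ] || echo "$name: expected exactly one process at PID $want, found: ${pids:-none}"
  done
}

# At most one root-owned portmapper, syslog and cron.
check_root_singletons() {
  rows "$1" | awk '$1 == "root" && ($6 == "portmapper" || $6 == "syslog" || $6 == "cron") { c[$6]++ }
    END { for (n in c) if (c[n] > 1) print n ": " c[n] " root-owned copies, expected at most one" }'
}

# Absence of update or inetd must be explicitly justified, so report it.
check_root_expected_present() {
  for name in update inetd; do
    rows "$1" | awk -v n="$name" '$1 == "root" && $6 == n { f = 1 } END { exit f ? 0 : 1 }' ||
      echo "$name: no root-owned process; confirm it is documented as one that should not run here"
  done
}

# Every remaining root process must be on the documented allowlist.
check_root_allowlist() {
  rows "$1" | awk -v allowed="$ROOT_ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "root" && !($6 in ok) { print "root pid " $2 " runs \"" $6 "\", not on the allowlist" }'
}

# A STAT containing Z marks a zombie. Output: pid user command.
list_zombies() { rows "$1" | awk 'index($4, "Z") { print $2, $1, $6 }'; }

# Assumption: BSD ps prints HH:MM for processes started today and a date for
# older ones, so a START without a colon means more than a day of run time.
list_old_processes() { rows "$1" | awk '$5 !~ /:/ { print $2, $1, $6 }'; }

# Each getty's terminal must be one that should accept logins. Output: pid tty.
list_getty_ttys() { rows "$1" | awk '$6 == "getty" { print $2, $3 }'; }

# Processes of "nobody" and of accounts with UID < 100 (from passwd file $2)
# must each appear in NONROOT_ALLOWED as user:command.
check_nonroot_users() {
  sysusers=$(awk -F: '$1 == "nobody" || ($3 < 100 && $1 != "root") { print $1 }' "$2" | tr '\n' ' ')
  rows "$1" | awk -v users="$sysusers" -v allowed="$NONROOT_ALLOWED" '
    BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) sys[u[i]] = 1
            n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    ($1 in sys) && !(($1 ":" $6) in ok) { print $1 " pid " $2 " runs \"" $6 "\", not on its documented list" }'
}

# Run every check on listing $1 with passwd $2; each printed line needs a reviewer.
audit() {
  check_kernel_pids "$1"; check_root_singletons "$1"; check_root_expected_present "$1"
  check_root_allowlist "$1"
  list_zombies "$1" | sed 's/^/zombie: /'
  list_old_processes "$1" | sed 's/^/started over 24h ago, justify: /'
  list_getty_ttys "$1" | sed 's/^/getty, confirm terminal may log in: /'
  check_nonroot_users "$1" "$2"
}

# Stand-alone: "./audit.sh LISTING PASSWD", or no arguments to audit the sample.
if [ $# -eq 0 ]; then
  make_sample_listing "${TMPDIR:-/tmp}/pslisting.sample"; make_sample_passwd "${TMPDIR:-/tmp}/passwd.sample"
  set -- "${TMPDIR:-/tmp}/pslisting.sample" "${TMPDIR:-/tmp}/passwd.sample"
fi
audit "$1" "$2"
```

The old-process list is deliberately noisy: on the sample it reports every daemon started at boot, which is exactly the set the checklist asks the auditor to confirm as legitimately long-running. The real work of this check is the allowlists; a script can only tell you what is not on them.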
