Week 4.1: Linux Processes Class Activities

#UofTBootCamp #classwork #linux #processes #ps #grep #awk

Given a VM with a shady user running a shady script...

### ...list all processes running in real time

top for finding running processes in real time

lsof -u jack

for finding jack's processes

lsof | grep jack

for highlighting

ps aux | grep jack

How many tasks have been started on the host?

ps aux | wc -l

(the count includes the header line)

ps aux | grep jack | wc -l

^ not great because grep matches jack anywhere on the line, so occurrences of jack outside the user column are counted too

ps -eo user | grep jack | wc -l

-o allows you to specify format

-e selects all processes, including those of other users

ps -U jack -u jack u

every process running as jack (real and effective ID) in user format?

How many of these are sleeping?

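ps -U jack -u jack u | awk '{if ($8=="S" || $8=="D") print $0}' | wc -l

(1 process is sleeping)

Note: in u format the STAT column can carry extra flag characters (Ss, S+, Sl), which an exact == "S" comparison skips. The single-character state field used in the next command avoids that.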

ps -eo user,state | awk '{if ($2=="S" || $2=="D") print $1,$2}' | wc -l

Which process uses the most memory?

ps -eo user,pid,cmd,%cpu,%mem --sort=-%mem | head -20

Search all running processes by a specific user

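ps -eo user,pid,state,cmd | grep root | awk '{if ($3=="R") print $0}'

state is listed before cmd because cmd contains spaces, which would shift the awk field numbers if it came first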

ps -U root -u root u | awk '{if ($8 == "R") print $0}'

BONUS:

List all processes with a TTY terminal

ps -t

ps -eo pid,tty,cmd | grep pts

Identify the ID of suspicious processes:

ps -eo pid,user,tty,cmd | awk '/str.sh/{print $0}'

returns the matches including the awk command process

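ps -eo pid,user,tty,cmd | awk '/[s]tr.sh/{print $0}'

adding the [] around the first character will avoid matching the awk command itself: awk's own command line now contains the text [s]tr.sh, and the pattern [s]tr.sh only matches the text str.sh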

ps -t | grep "[s]tr.sh" | awk '{print $0}'

WHY DOESN'T A WILDCARD WORK HERE?????

ps -t | grep "*.sh" |
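
The counting and matching pitfalls from the notes above, replayed on a fixed listing so the numbers are reproducible. This is an added example, not part of the original class notes: the sample rows are constructed, and the function names (count_grep, count_by_user, count_sleeping, snapshot, match_pids) are made up for illustration. It also shows what grep does with "*.sh": grep takes a regular expression, not a shell glob, so a leading * is a literal asterisk.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,user,state,tty,cmd` output (not from a real host).
SAMPLE='  PID USER     S TT       CMD
    1 root     S ?        /sbin/init
  812 root     S ?        /usr/sbin/sshd -D
 1450 jack     S pts/0    -bash
 1502 jack     R pts/0    /bin/bash ./str.sh
 1610 sysadmin S pts/1    grep jack /etc/passwd
 1700 jackson  D ?        /usr/bin/backup.sh'

# Lines matching a grep basic regex anywhere in the row (grep -c exits 1 on zero matches).
count_grep() { printf '%s\n' "$SAMPLE" | grep -c -- "$1" || true; }

# Rows whose USER column is exactly $1 (header skipped with NR>1).
count_by_user() {
  printf '%s\n' "$SAMPLE" | awk -v u="$1" 'NR>1 && $2==u {n++} END {print n+0}'
}

# Rows owned by exactly $1 that are sleeping (S) or in uninterruptible sleep (D).
count_sleeping() {
  printf '%s\n' "$SAMPLE" |
    awk -v u="$1" 'NR>1 && $2==u && ($3=="S" || $3=="D") {n++} END {print n+0}'
}

# The listing as the matcher sees it: its own row carries the pattern text $1.
snapshot() {
  printf '%s\n' "$SAMPLE"
  printf ' 1622 sysadmin R pts/1    awk /%s/{print $0}\n' "$1"
}

# PIDs of rows matching regex $1, joined on one line.
match_pids() {
  snapshot "$1" | awk -v re="$1" 'NR>1 && $0 ~ re {print $1}' | xargs
}

echo "grep jack:            $(count_grep jack) rows (includes jackson and a grep command line)"
echo "USER == jack:         $(count_by_user jack) rows, $(count_sleeping jack) sleeping"
echo "awk /str.sh/:         PIDs $(match_pids 'str.sh') (the second one is the matcher itself)"
echo "awk /[s]tr.sh/:       PIDs $(match_pids '[s]tr.sh')"
# grep takes a regex, not a shell glob: a leading * is a literal asterisk.
echo "grep with glob *.sh:  $(count_grep '*.sh') rows"
echo "grep for .sh suffix:  $(count_grep '\.sh$') rows"
```
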