Linux Daemons with Broken Links to Executables

Analysts are accustomed to scanning systems with Tenable Nessus to find vulnerable software, which is easily viewable in dashboards and reports in Tenable.sc. A typical result shows a vulnerable piece of software resident on a system that is categorized with an appropriate severity and has a remediation solution. If an analyst was to investigate that system to do further research into the vulnerable software, they would expect the software to be where Nessus found the file.

Linux has the ability to run software entirely in memory and operate normally. However, as this is entirely in memory, once the system reboots, the state of the program and activity is lost. In a normal situation, programs do run in memory, but typically write data, such as log activity, back to disk. If a user browses to the /proc file system directory, they can see the various folders of the process IDs of programs running on the system. Within this folder, we see two important symbolic links of “cwd” and “exe”.

In a normal running process, the “cwd” and “exe” symbolic links reference information about the running process that is helpful for an analyst. The “cwd” symbolic link points to the directory of the currently running cached copy of the executable. This directory is where the executable existed at the time of execution. The “exe” symbolic link is the absolute file path of the executable from where the executable was launched. Depending on the executable, this symbolic link may or may not be a true representation of the executable. For instance, an executable that is statically compiled and does not rely upon external programs such as Java will show the path to the executable. However, if the program that was launched is a wrapper that calls Java to launch the program, the “exe” symbolic link will show the path to Java. Analysts need to be aware of this potential issue with this scenario.

A typical scenario as described above is expected activity for a normally operating system. However, an attacker may launch a malicious program, have the program operate in memory, and remove the program from the disk. A program without the corresponding binary on disk is not a normal or common scenario. Analysts can be vigilant by using this report to detect instances of this scenario across the organization.

To detect this issue with a Nessus scan, analysts can use plugin 44657, which detects if “exe” has the word “(deleted)” in the name of the executable. Linux will append the string of “(deleted)” when the program is still running in memory, but no longer has a corresponding copy on disk. This report provides analysts with the host and program information from the “exe” symbolic name. With this information, analysts can work with administrators to determine if this activity was expected or not.

This report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Discovery & Detection. The report requirements are:

• Tenable.sc 5.4
• Nessus 6.8.1

Tenable's Tenable.sc Continuous View (CV) provides continuous network monitoring, vulnerability identification, and security monitoring. Tenable.sc is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audit files. Tenable constantly analyzes information from our unique sensors, delivering continuous visibility and critical context, enabling decisive action that transforms your security program from reactive to proactive. Active scanning examines the devices on the systems, running processes and services, configuration settings and services, and additional vulnerabilities. Tenable enables powerful, yet non-disruptive, continuous monitoring of the organization to ensure accurate and up-to-date information is presented on existing vulnerabilities discovered within the network.

This report contains the following chapters:

• Executive Summary: This chapter provides analysts with an overview of the Linux daemons with broken links to executables on disk in the organization
• Linux Daemons with Broken Links to Executables Detail: This chapter provides a detailed view of the Linux hosts affected with the daemons that have “exe” symbolic links to executables with “(deleted)” in the name