Practical audit advice you can use today.
# 31 : Parent Process IDs
UNIX systems, at least up to a point, tend to be deterministic: process IDs are handed out sequentially, so a host that runs the same startup sequence on every boot tends to give the same daemons the same PIDs (and the same parent PIDs) each time. Windows hosts behave quite differently; PIDs there are allocated from a reused pool and are not predictable from one boot to the next.
What this means for the System Administrator and the Auditor is that it is possible not only to accurately baseline which processes should be running on the system but also to tie those processes to specific process ID numbers! When the task is detecting compromise and a possible malware installation, this becomes an incredibly valuable detection technique. Malware installed by an attacker is typically set up so that it restarts automatically the next time the system boots, which means it takes a PID of its own somewhere in the boot sequence. Since we now have a baseline of which processes should be running and also know precisely which PIDs they should hold, even malware that hides itself from the process listing leaves a trace: every process started after it has been displaced to a PID one (or more) higher than the baseline, and the hidden process sits in the gap. The technique does assume a serial, repeatable boot; a parallel init such as systemd introduces some run-to-run jitter, and platforms that randomize PID assignment (OpenBSD does by default, FreeBSD can via the kern.randompid sysctl) defeat the PID comparison entirely, although the parent/child relationships at boot are still worth baselining.
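The following shell script is an added example of the baseline-and-compare check described above; it is not code from the original article or from EnclaveForensics. It assumes a `ps` that accepts `-eo pid,ppid,comm` (Linux procps, macOS and the BSDs all do), and the two snapshots at the bottom are constructed sample data, not captures from real hosts. It goes one step beyond the text by also checking parent PIDs, so a daemon that was re-spawned under a different parent is reported even when its own PID is unchanged.

```shell
#!/bin/sh
# Added example (not code from the original article): baseline the PIDs and
# parent PIDs of the boot-time process table, then compare a later snapshot
# against it. Assumes a ps that accepts -eo pid,ppid,comm (Linux procps,
# macOS and the BSDs all do); the sample data at the bottom is constructed.

# Snapshot the live process table as "pid ppid comm", one process per line,
# sorted numerically by PID. Take the baseline on a known-good host right
# after a clean boot, before any interactive logins.
snapshot_procs() {
    ps -eo pid,ppid,comm | awk 'NR > 1 { print $1, $2, $3 }' | sort -n
}

# Compare a baseline snapshot ($1) against a later snapshot ($2) and print
# one finding per line:
#   DISPLACED   a baseline PID is now held by a different program
#   REPARENTED  same PID and program, but the parent PID changed
#   UNEXPECTED  a PID inside the baseline's PID range that the baseline lacked
#   MISSING     a baseline process that no longer appears at all
# A process that autostarts early shows up as a run of DISPLACED, UNEXPECTED
# and MISSING lines covering every daemon that booted after it, even if the
# new process hides itself from ps: the shift in everyone else's PIDs gives
# it away.
compare_procs() {
    awk '
        NR == FNR {                       # first file: the baseline
            base[$1] = $3; bppid[$1] = $2
            if ($1 + 0 > maxpid) maxpid = $1 + 0
            next
        }
        {                                 # second file: the current snapshot
            seen[$1] = 1
            if ($1 in base) {
                if (base[$1] != $3)
                    printf "DISPLACED pid %s: baseline %s, now %s\n", $1, base[$1], $3
                else if (bppid[$1] != $2)
                    printf "REPARENTED pid %s (%s): baseline ppid %s, now %s\n", $1, $3, bppid[$1], $2
            } else if ($1 + 0 <= maxpid) {
                printf "UNEXPECTED pid %s: %s (ppid %s) not in baseline\n", $1, $3, $2
            }
        }
        END {
            for (p in base) if (!(p in seen))
                printf "MISSING pid %s: %s\n", p, base[p]
        }
    ' "$1" "$2"
}

# Constructed demonstration (not real hosts): a clean baseline, and a later boot
# in which an extra autostarted program grabbed PID 350 and pushed every daemon
# that starts after it up by one.
demo_findings() {
    baseline=$(mktemp) && current=$(mktemp) || return 1
    cat > "$baseline" <<'EOF'
1 0 init
300 1 syslogd
320 1 sshd
350 1 cron
360 1 getty
EOF
    cat > "$current" <<'EOF'
1 0 init
300 1 syslogd
320 1 sshd
350 1 .hidden
351 1 cron
361 1 getty
EOF
    compare_procs "$baseline" "$current"
    rm -f "$baseline" "$current"
}

demo_findings
```

In practice, run `snapshot_procs > /some/protected/path/pids.baseline` once on a freshly booted, known-good host and store the file where a compromised root cannot quietly edit it; on later boots, run `snapshot_procs > /tmp/now` followed by `compare_procs pids.baseline /tmp/now`. The demonstration above reports PID 350 as DISPLACED, PID 351 as UNEXPECTED and PID 360 as MISSING: three lines that together say something new started between sshd and cron and pushed the rest of the boot sequence up by one, exactly the displacement the article describes. If the intruding process were hidden from `ps`, the DISPLACED and MISSING lines would remain and the gap at 350 would be the only trace of it.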
© 2011, David Hoelzer & EnclaveForensics