From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020809
Description of problem:
Under Red Hat versions prior to 8.0, the output of "ps ax" and the list of
processes under /proc were roughly the same (given processes starting and
exiting during comparison) and some packages have been using this to evaluate ps
to determine if it has been compromised by a root kit. I have a tool that starts
with ps, then uses /proc then uses kill to look for hidden processes, and since
Red Hat 8.0 it's basically useless becuase it reports dozens of "hidden"
processes based on the output of ps.
I tried various other arguments (e.g. "ps agx", "ps ag", etc) and nothing seems
to work. Interestingly if I take one of the processes that are listed in /proc,
but not ps, and do a "ps ax --pid <pid>" it does not show up, but if I do a "ps
--pid <pid>" it does.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. ps ax
2. ls -d /proc/[0-9]*
3. compare the two
Actual Results: Differences occur.
Expected Results: No or very few differences.
This is a feature, and is mentioned in the release notes. If you want to see
every thread of each process, use the -m flag.
*** Bug 82757 has been marked as a duplicate of this bug. ***