A colleague of mine assigned me to perform a root-cause analysis of an enterprise security server sometime ago. We knew the problem resided in one of the processes run by root but did not know which one.

I first began my research by issuing the command:

ps -aux | grep -v grep | grep root

This returned a list of several dozen processes. My colleague then helped me optimize my search with this command:

ps -aux | grep -v grep | grep root | grep -Ev '[[]'| grep -v tty

This new command reduced the list of processes returned significantly, and we soon found the problem. The latter two parts of the command filter out

1) processes surrounded by [ ], such as [ksoftirqd/0]
2) processes running via teletype terminal

ps(1) tells me that processes with arguments that cannot be located are placed in square brackets (not sure what this means), and tty is just a predecessor of the modern bash terminal. However, I still do not understand their significance (or should I say insignificance) as to why we could've just eliminated them from the more "fruitful" root processes.

Would anyone be able to shed some light here?

Processes in square brackets are kernel processes. They aren't helpful if you're just looking for user processes. Most daemon processes fork so they have no tty and can run independently.

1 members found this post helpful.