sync internal repo

2024-11-16 17:18:26 +01:00 · 2023-08-15 08:47:47 +02:00 · 2023-08-15 08:47:47 +02:00 · a4add863a4
commit a4add863a4
parent 3c05463d94
2 changed files with 13 additions and 2 deletions
--- a/scripts/monitor_systemd_units.py
+++ b/scripts/monitor_systemd_units.py
@ -50,7 +50,7 @@ except:
                         "/usr/lib/systemd/user",
                         "/usr/lib/systemd/network",
                         "/usr/local/lib/systemd/system",
-                         "/usr/local/lib/systemd/user"
+                         "/usr/local/lib/systemd/user",
                         "/usr/local/lib/systemd/network",
                         "/lib/systemd/system",
                         "/lib/systemd/user",
--- a/scripts/search_deleted_exe.py
+++ b/scripts/search_deleted_exe.py
@ -16,6 +16,7 @@ None
 """

 import os
+import re
 import sys

 from lib.util import output_finding
@ -54,7 +55,17 @@ def search_deleted_exe_files():

    if suspicious_exes:
        message = "Deleted executable file(s) found:\n\n"
-        message += "\n".join(suspicious_exes)
+        for suspicious_exe in suspicious_exes:
+            match = re.search(r" (/proc/(\d+)/exe -> .*)$", suspicious_exe)
+            exe = match.group(1)
+            pid = match.group(2)
+            message += "\n%s" % exe
+            with open("/proc/%s/cmdline" % pid, "rb") as fp:
+                cmdline = fp.read()
+                # Replace 0-bytes with whitespaces for readability
+                cmdline = cmdline.replace(b"\x00", b" ")
+                message += "\n/proc/%s/cmdline -> %s" % (pid, cmdline.decode("utf-8"))
+            message += "\n"

        output_finding(__file__, message)