Mirror/LSMS
1
0
Fork 0
mirror of https://github.com/sqall01/LSMS.git synced 2024-11-17 01:28:25 +01:00
Code Issues Projects Releases Packages Wiki Activity

sync internal repo

Browse source
This commit is contained in:
Andre Pawlowski 2023-08-15 08:47:47 +02:00
parent 3c05463d94
commit a4add863a4
2 changed files with 13 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
scripts/monitor_systemd_units.py
View file

@ -50,7 +50,7 @@ except:
"/usr/lib/systemd/user", "/usr/lib/systemd/user",
"/usr/lib/systemd/network", "/usr/lib/systemd/network",
"/usr/local/lib/systemd/system", "/usr/local/lib/systemd/system",
"/usr/local/lib/systemd/user" "/usr/local/lib/systemd/user",
"/usr/local/lib/systemd/network", "/usr/local/lib/systemd/network",
"/lib/systemd/system", "/lib/systemd/system",
"/lib/systemd/user", "/lib/systemd/user",

13
scripts/search_deleted_exe.py
View file

@ -16,6 +16,7 @@ None
""" """
import os import os
import re
import sys import sys
from lib.util import output_finding from lib.util import output_finding
@ -54,7 +55,17 @@ def search_deleted_exe_files():
if suspicious_exes: if suspicious_exes:
message = "Deleted executable file(s) found:\n\n" message = "Deleted executable file(s) found:\n\n"
message += "\n".join(suspicious_exes) for suspicious_exe in suspicious_exes:
match = re.search(r" (/proc/(\d+)/exe -> .*)$", suspicious_exe)
exe = match.group(1)
pid = match.group(2)
message += "\n%s" % exe
with open("/proc/%s/cmdline" % pid, "rb") as fp:
cmdline = fp.read()
# Replace 0-bytes with whitespaces for readability
cmdline = cmdline.replace(b"\x00", b" ")
message += "\n/proc/%s/cmdline -> %s" % (pid, cmdline.decode("utf-8"))
message += "\n"
output_finding(__file__, message) output_finding(__file__, message)