added python script that checks for potentially malicious procs

runs every 5 minutes, emails admins if anything is found.
2020-07-26 14:58:36 -04:00 · 2020-07-26 14:58:36 -04:00 · 0721da9d36
parent bb4c065491
commit 0721da9d36
1 changed files with 60 additions and 0 deletions
--- a/bin/badprocs.py
+++ b/bin/badprocs.py
@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+
+# Checks the process list for anything that could be potentially worrisome.
+# If something is found, emails the admins@tilde.institute account.
+# gbmor <ben@gbmor.dev>
+
+from shlex import quote
+import subprocess
+import time
+
+
+def getBadProcs(procsList):
+    procsFound = []
+    procsRunning = list(
+        subprocess.check_output("/bin/ps aux", stderr=subprocess.STDOUT, shell=True)
+        .decode()
+        .split("\n")
+    )
+
+    for proc in procsRunning:
+        for badproc in procsList:
+            if badproc in proc.lower():
+                procsFound.append("Found {0} :: {1}".format(badproc, proc))
+
+    return procsFound
+
+
+def mailAdmins(procsFound):
+    msg = "WARNING: Check the following processes manually\n\n"
+    msg += "\n".join(procsFound)
+    msg += "\noutput from badprocs.py\n"
+
+    cmd = "echo {0} | mail -s 'WARNING: Found potential bad processes' admins@tilde.institute".format(
+        quote(msg)
+    )
+
+    subprocess.run(cmd, shell=True)
+
+
+if __name__ == "__main__":
+    procsList = [
+        "crowdserv",  # sauerbraten
+        "eggdrop",
+        "miner",  # lots of btc miners have this in the name
+        "nmap",
+        "regen2",  # sauerbraten
+        "sauer",  # sauerbraten
+        "torrent",
+        "transmission",
+        "tshark",
+        "xmr",  # lots of monero miners have this in the name
+    ]
+
+    while True:
+        procsFound = getBadProcs(procsList)
+
+        if len(procsFound) > 0:
+            mailAdmins(procsFound)
+
+        time.sleep(300)