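#!/bin/bash
#
# check_executables_in_tmpdir
#
# Check a directory for executables and become angry if we find them
#
# Copyright (C) 2022 Jacob Babor <jacob@babor.tech>
#
# Distributed under terms of the MIT license.
#
# Usage: check_executables_in_tmpdir [DIR] [MIN_AGE_SECONDS]
#
#   DIR              directory to scan (default: /tmp)
#   MIN_AGE_SECONDS  files modified more recently than this many seconds ago
#                    are ignored (default: 3600)
#
# Exit status follows the Nagios plugin convention:
#   0 OK, 2 CRITICAL (executables found), 3 UNKNOWN (bad arguments or the
#   directory cannot be read).
#

set -euo pipefail

tmpdir="${1:-/tmp}"
minfileage="${2:-3600}"

# Validate input up front rather than silently reporting OK: the find below
# discards its errors, so a missing or unreadable directory would otherwise
# look clean to the monitoring system.
if [[ ! "$minfileage" =~ ^[0-9]+$ ]]; then
  printf 'UNKNOWN: minimum file age must be a non-negative integer, got %q\n' "$minfileage"
  exit 3
fi
if [[ ! -d "$tmpdir" || ! -r "$tmpdir" ]]; then
  printf 'UNKNOWN: %q is not a readable directory\n' "$tmpdir"
  exit 3
fi

#
# Compile a list of executables found in the directory
#
# Note that we deliberately use the -perm flag instead of the -executable flag
#
# This is by design, as -executable will fail on systems with noexec on the
# filesystem we're checking. This runs counter to our goal here, which is just
# to see if some skid has dumped a cryptominer on the machine.
#
# Paths are passed NUL-delimited so that names containing whitespace,
# backslashes or newlines (all legal, and all trivial for whoever dropped the
# file to choose) cannot split one entry in two or hide one inside another.
# Permission-denied subtrees are skipped best-effort rather than failing the
# whole check, as in the original.
#
executables=()
# Sample the clock once; re-reading it per file only adds skew.
now="$(date +%s)"
while IFS= read -r -d '' path; do
  # Ignore recently-created files
  # This is so things like Ansible plays don't trigger us
  #
  # The file may vanish between find and stat (tmp files are short-lived);
  # treat that as "nothing to report" instead of aborting under set -e.
  #
  # Caveat: %Y is mtime, which anyone who can write the file can backdate
  # with `touch -d`, so the grace period is not tamper-resistant. %Z (ctime)
  # cannot be set that way and is the stricter choice if that matters here.
  filetimestamp="$(stat -c %Y -- "$path" 2>/dev/null)" || continue
  age=$(( now - filetimestamp ))
  if (( age <= minfileage )); then
    continue
  fi
  # Add it to the list
  executables+=("$path")
done < <(find "$tmpdir" -type f -perm /u=x,g=x,o=x -print0 2>/dev/null || true)

# If we found any, become angry
if (( ${#executables[@]} > 0 )); then
  # Filenames are untrusted input; %q keeps control characters and newlines
  # out of the single-line status text that monitoring systems parse and
  # display. Ordinary names are printed unchanged.
  list=""
  for path in "${executables[@]}"; do
    printf -v quoted '%q' "$path"
    list+="${list:+, }${quoted}"
  done
  printf 'CRITICAL: Found executables in %s: %s\n' "$tmpdir" "$list"
  exit 2
fi

printf 'OK: No executables in %s older than %ss\n' "$tmpdir" "$minfileage"
exit 0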