File: //etc/cron.hourly/unsafe_root_procs
#! /usr/bin/env perl
use Sys::Hostname;
use strict;
use warnings;
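# Count of root-owned processes whose binary or script lives under a user's
# home directory; the two check_* subs below increment it, report() ships it.
my $problems = 0;
opendir my $proc_dh, '/proc' or die "opendir /proc: $!";
while (defined(my $pid = readdir $proc_dh)) {
    # Only all-digit entries are processes; '.', '..', 'self', 'sys', ... are not.
    next unless $pid =~ m{\A\d+\z};
    # -o is true when the entry is owned by this script's effective uid,
    # i.e. root when run as a cron.hourly job, so this keeps only root processes.
    next unless -o "/proc/$pid";
    check_exe($pid);
    check_cmdline($pid);
}
closedir $proc_dh;
report($problems);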
# Flag a root process whose executable resolves to a path under a user's home
# directory (/home/<user>/ or /homeN/<user>/).  Increments the file-level
# $problems counter for each hit.
sub check_exe {
    my ($pid) = @_;
    # /proc/<pid>/exe is a symlink to the running binary; readlink fails for
    # kernel threads and for processes that have exited meanwhile, so bail quietly.
    my $exe_path = readlink "/proc/$pid/exe" or return;
    # Capture the home-directory prefix, if the binary lives under one.
    my ($user_home) = $exe_path =~ m{ \A ( /home \d* / [^/]+ / ) }x;
    return unless defined $user_home;
    # A home directory owned by the uid we run as (root) is not a user's; skip it.
    return if -o $user_home;
    # Only chatter on a terminal; under cron the counter is what gets reported.
    print STDERR "root proc under user dir: $exe_path\n" if -t \*STDERR;
    $problems++;
}
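# Flag a root process that is an interpreter running a script located under a
# user's home directory (argv[0] looks like an interpreter, argv[1] is the
# script path).  Increments the file-level $problems counter for each hit.
# NOTE(review): cmdline is written by the process itself (argv can be
# rewritten), so this is a best-effort check; check_exe covers the binary path.
sub check_cmdline {
    my ($pid) = @_;
    open my $cmd_fh, '<', "/proc/$pid/cmdline" or return;
    # Slurp the whole file: arguments are NUL-separated and may themselves
    # contain a newline, which a line-oriented read would truncate on.
    my $raw = do { local $/; <$cmd_fh> };
    close $cmd_fh;
    # Kernel threads have an empty cmdline (undef here); splitting undef
    # would only emit a warning, so skip them explicitly.
    return unless defined $raw && length $raw;
    my @cmd = split /\0/, $raw;
    return unless @cmd >= 2;
    # argv[0] must look like an interpreter; allow a version suffix so that
    # python3, perl5.30, php7.4 and the like are not missed.
    return unless $cmd[0] =~ m{ (?:sh|bash|perl|ruby|php|python|lua|tclsh|awk) [\d.]* \z }x;
    # argv[1] must be a script under a (possibly numbered) /home tree.
    return unless $cmd[1] =~ m{ \A (?<home> /home \d* / [^/]+ / ) }x;
    my $homedir = $+{home};
    # A home directory owned by the uid we run as (root) is not a user's; skip it.
    return if -o $homedir;
    # Only chatter on a terminal; under cron the counter is what gets reported.
    print STDERR "root script under user dir: @cmd\n" if -t \*STDERR;
    $problems++;
    return;
}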
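# Ship the number of offending processes to Zabbix via zabbix_sender and
# replace this process with it.  $flag is the count (undef is sent as 0).
# The sender's stdout/stderr are discarded, as before, but the redirect is
# done in-process and the command is exec'd in list form so no shell ever
# sees the hostname or the count.
sub report {
    my ($flag) = @_;
    my $count = $flag // 0;
    # Keep STDERR around so an exec failure can still be reported afterwards.
    open my $saved_err, '>&', \*STDERR or die "dup STDERR: $!";
    open STDOUT, '>', '/dev/null' or die "redirect STDOUT: $!";
    open STDERR, '>', '/dev/null' or die "redirect STDERR: $!";
    exec('/usr/bin/zabbix_sender',
        '-c', '/etc/zabbix/zabbix_agentd.conf',
        '-s', hostname(),
        '-k', 'eig.user.root_process',
        '-o', $count)
        or do {
            # exec only returns on failure; restore STDERR so die is visible.
            open STDERR, '>&', $saved_err;
            die "exec /usr/bin/zabbix_sender: $!";
        };
}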