Browse Source

Add silly script to generate rules for all running applications.

master
Shawn Webb 3 years ago
parent
commit
a800229daa
No known key found for this signature in database
1 changed files with 72 additions and 0 deletions
  1. +72
    -0
      util/integriforce_procstat.zsh

+ 72
- 0
util/integriforce_procstat.zsh View File

@@ -0,0 +1,72 @@
#!/usr/local/bin/zsh

function check_blacklist() {
local list
local f

list=(/bin /usr/bin /sbin /usr/sbin /lib /libexec /usr/lib /usr/libexec /rescue)
f="${1}"
for l in ${list}; do
if echo ${f} | grep -q "^${l}"; then
return 1
fi
done

return 0
}

function do_the_procstat_thing() {
local p
local bin

ps ax | awk '{print $1;}' | sed 1d > /tmp/ps.txt
for p in $(cat /tmp/ps.txt); do
for bin in $(procstat -v ${p} | sed 1d | awk '{print $11;}'); do
if [ -f ${bin} ]; then
if file ${bin} | grep -q ELF; then
if ! check_blacklist ${bin}; then
continue
fi

echo ${bin} >> /tmp/bins.txt
fi
fi
done
done
}

function sort_the_things() {
sort /tmp/bins.txt | uniq > /tmp/sortedbins.txt
}

function hash_the_things() {
local f

for f in $(cat /tmp/sortedbins.txt); do
cat <<EOF >> /tmp/integriforce.rules
integriforce {
path: "${f}",
hash: "$(sha256 -q ${f})",
type: "sha256",
mode: "hard"
},
EOF
done
}

if [ ${UID} -ne 0 ]; then
echo "[-] plz2run as root" >&2
exit 1
fi

if [ -f /tmp/bins.txt ]; then
rm -f /tmp/bins.txt
fi

if [ -f /tmp/integriforce.rules ]; then
rm -f /tmp/integriforce.rules
fi

do_the_procstat_thing
sort_the_things
hash_the_things

Loading…
Cancel
Save