package service
import (
"io"
"io/fs"
api "github.com/chaitin/libveinmind/go"
"github.com/chaitin/veinmind-common-go/service/report/event"
)
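// startupBackdoorCheck scans the well-known startup/init locations of an
// image or container file system for backdoor indicators.
//
// Every non-directory entry found under one of the startup directories is
// read in full and handed to analysisStrings; each hit is reported as an
// event.BackdoorDetail carrying the file's metadata, the matched content
// and the Description "startup backdoor".
//
// It returns true together with the collected details when at least one
// file matched, and false with a nil slice otherwise. The check is
// best-effort: directories that do not exist in the file system, entries
// Walk could not stat, files that cannot be opened or read in full, and
// files whose metadata cannot be converted are skipped rather than
// aborting the whole scan.
func startupBackdoorCheck(apiFileSystem api.FileSystem) (bool, []*event.BackdoorDetail) {
	startupDirs := []string{"/etc/init.d/", "/etc/rc.d/", "/etc/rc.local/", "/usr/local/etc/rc.d/", "/usr/local/etc/rc.local/", "/etc/conf.d/local.start/", "/etc/inittab/", "/etc/systemd/system/"}
	check := false
	var res []*event.BackdoorDetail
	for _, startupDir := range startupDirs {
		// Walk's own error is deliberately dropped: most images lack
		// several of these directories, and a missing directory is not a
		// finding. Per-entry problems are handled inside the callback.
		_ = apiFileSystem.Walk(startupDir, func(path string, info fs.FileInfo, err error) error {
			// When Walk reports an error for an entry, info may be nil;
			// skip the entry instead of dereferencing it further down.
			// Directories carry no content to analyse either.
			if err != nil || info == nil || info.IsDir() {
				return nil
			}
			file, err := apiFileSystem.Open(path)
			if err != nil {
				return nil
			}
			defer file.Close()
			// NOTE(review): the file is buffered in full; very large files
			// under these paths would be held in memory entirely — confirm
			// this is acceptable for the scanned images.
			contents, err := io.ReadAll(file)
			if err != nil {
				// A short read would be analysed as a truncated script; skip
				// the file rather than report on partial content.
				return nil
			}
			risk, content := analysisStrings(string(contents))
			if !risk {
				return nil
			}
			check = true
			fileDetail, err := file2FileDetail(info, path)
			if err != nil {
				return nil
			}
			res = append(res, &event.BackdoorDetail{
				FileDetail:  fileDetail,
				Content:     content,
				Description: "startup backdoor",
			})
			return nil
		})
	}
	return check, res
}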
// init registers startupBackdoorCheck under the "startup" key for both
// image scans and container scans.
func init() {
	const checkName = "startup"
	ImageCheckFuncMap[checkName] = startupBackdoorCheck
	ContainerCheckFuncMap[checkName] = startupBackdoorCheck
}