chainguard-dev / malcontent


processes: improve results on Linux #499

Closed tstromberg closed 1 month ago

tstromberg commented 1 month ago

scan --processes doesn't work well on Linux today:

This addresses both of those items by:

Old Behavior

2024/10/07 10:52:08 ERROR systemd[1]: readlink /proc/1/exe: permission denied
2024/10/07 10:52:08 ERROR kthreadd[2]: readlink /proc/2/exe: permission denied
2024/10/07 10:52:08 ERROR pool_workqueue_release[3]: readlink /proc/3/exe: permission denied
2024/10/07 10:52:08 ERROR kworker/R-rcu_gp[4]: readlink /proc/4/exe: permission denied
2024/10/07 10:52:08 ERROR kworker/R-sync_wq[5]: readlink /proc/5/exe: permission denied
2024/10/07 10:52:08 ERROR kworker/R-slub_flushwq[6]: readlink /proc/6/exe: permission denied
2024/10/07 10:52:08 ERROR kworker/R-netns[7]: readlink /proc/7/exe: permission denied
2024/10/07 10:52:08 ERROR kworker/0:0H-events_highpri[10]: readlink /proc/10/exe: permission <hundreds of lines removed>
2024/10/07 10:52:08 ERROR auditd[2510]: readlink /proc/2510/exe: permission denied
2024/10/07 10:52:08 ERROR colord[4470]: readlink /proc/4470/exe: permission denied
2024/10/07 10:52:08 ERROR gdm[4513]: readlink /proc/4513/exe: permission denied
2024/10/07 10:52:08 ERROR uresourced[4652]: readlink /proc/4652/exe: permission denied
2024/10/07 10:52:08 ERROR ostree[32150]: readlink /proc/32150/exe: permission denied
2024/10/07 10:52:08 ERROR systemd-userwork: waiting...[109185]: readlink /proc/109185/exe: permission denied
🔎 Scanning "/tmp/go-build2528505487/b001/exe/mal"

New Behavior

2024/10/07 11:13:32 WARN skipping pid 3637: dbus-broker: unable to stat "/proc/3637/exe"
2024/10/07 11:13:32 WARN skipping pid 3652: avahi-daemon: unable to stat "/proc/3652/exe"
2024/10/07 11:13:32 WARN skipping pid 3664: elastic-agent[3664]: unable to stat "/proc/3664/exe" or "/opt/Elastic/Agent/elastic-agent"
2024/10/07 11:13:32 WARN skipping pid 3790: avahi-daemon: unable to stat "/proc/3790/exe"
2024/10/07 11:13:32 WARN skipping pid 5304: agentbeat[5304]: unable to stat "/proc/5304/exe" or "/var/opt/Elastic/Agent/data/elastic-agent-8.15.1-ecab0c/components/agentbeat"
2024/10/07 11:13:32 WARN skipping pid 5497: agentbeat[5497]: unable to stat "/proc/5497/exe" or "/var/opt/Elastic/Agent/data/elastic-agent-8.15.1-ecab0c/components/agentbeat"
2024/10/07 11:13:32 WARN skipping pid 5732: agentbeat[5732]: unable to stat "/proc/5732/exe" or "/var/opt/Elastic/Agent/data/elastic-agent-8.15.1-ecab0c/components/agentbeat"
2024/10/07 11:13:32 WARN skipping pid 6747: gdm-session-wor: unable to stat "/proc/6747/exe"
2024/10/07 11:13:32 WARN skipping pid 7075: (sd-pam): unable to stat "/proc/7075/exe"
2024/10/07 11:13:32 WARN skipping pid 8086: fusermount3: unable to stat "/proc/8086/exe"
2024/10/07 11:13:32 WARN skipping pid 8791: agentbeat[8791]: unable to stat "/proc/8791/exe" or "/var/opt/Elastic/Agent/data/elastic-agent-8.15.1-ecab0c/components/agentbeat"
2024/10/07 11:13:32 WARN skipping pid 13637: zypak-sandbox: unable to stat "/proc/13637/exe"
2024/10/07 11:13:32 WARN skipping pid 32178: dbus-launch: unable to stat "/proc/32178/exe"
2024/10/07 11:13:32 WARN skipping pid 32920: zypak-sandbox: unable to stat "/proc/32920/exe"
2024/10/07 11:13:32 WARN skipping pid 107942: zypak-sandbox: unable to stat "/proc/107942/exe"
2024/10/07 11:13:32 WARN skipping pid 110940: systemd-userwork: waiting...: unable to stat "/proc/110940/exe"
2024/10/07 11:13:32 WARN skipping pid 110956: systemd-userwork: waiting...: unable to stat "/proc/110956/exe"
2024/10/07 11:13:32 WARN skipping pid 111769: systemd-userwork: waiting...: unable to stat "/proc/111769/exe"
🔎 Scanning "/opt/Elastic/Endpoint/elastic-endpoint"
time=2024-10-07T11:13:32.419-04:00 level=ERROR source=/var/home/t/src/malcontent/pkg/action/programkind.go:82 msg=os.Open path=/var/opt/Elastic/Endpoint/elastic-endpoint error="open /var/opt/Elastic/Endpoint/elastic-endpoint: permission denied"
🔎 Scanning "/opt/kolide-k2/bin/launcher"
├── 📄 /usr/lib/opt/kolide-k2/bin/launcher [HIGH]
│      🔥 ref/path/hidden: hidden path in a system directory
🔎 Scanning "/opt/kolide-k2/bin/osqueryd"
├── 📄 /usr/lib/opt/kolide-k2/bin/osqueryd [HIGH]
│      🔥 kernel/dev/mem: access raw system memory
│      🔥 kernel/symbol/lookup: access unexported kernel symbols
│      🔥 secrets/bash_history: access .bash_history file
│      🔥 combo/degrader/selinux_firewall: selinux firewall
│      🔥 combo/stealer/browser: Uses HTTP, archives, and references multiple browsers
🔎 Scanning "/proc/107917/exe"
├── 📄 /proc/107917/exe [HIGH]
│      🔥 evasion/int_to_char: converts strings into integers
🔎 Scanning "/proc/107933/exe"
🔎 Scanning "/proc/107935/exe"
🔎 Scanning "/proc/107940/exe"
├── 📄 /proc/107940/exe [HIGH]
│      🔥 evasion/int_to_char: converts strings into integers
🔎 Scanning "/proc/107959/exe"
├── 📄 /proc/107959/exe [HIGH]
│      🔥 evasion/int_to_char: converts strings into integers
🔎 Scanning "/proc/107986/exe"

One future improvement to make is plumbing the name of the process into the scan output, which avoids the weird /proc/XXX/exe scan paths we see here. That's why this code now returns a richer ProcessInfo object, even if we're throwing away most of the detail.
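The behaviour described in this PR (resolve each process's executable through /proc/PID/exe, fall back to an absolute path recorded for the process, and downgrade an unreadable executable from a per-process ERROR to a single WARN that skips the PID) can be sketched as a stand-alone Go program. This is an added example written for this page, not malcontent's own implementation: the `ProcessInfo` struct, `resolveExe` and `listProcesses` are hypothetical names, and the fallback here is argv[0] from /proc/PID/cmdline, which is an assumption about what the "or" path in the new log lines comes from. The key defender-relevant point it shows is that stat'ing /proc/PID/exe needs ptrace-level access to the target process, so an unprivileged scan of other users' processes will always produce some skips, and a scanner should report them as a bounded warning list rather than abort.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
)

// ProcessInfo is a hypothetical struct for this example (not malcontent's own
// type of the same name): what we learn about a process before scanning it.
type ProcessInfo struct {
	PID  int
	Name string // short name from /proc/PID/comm, e.g. "dbus-broker"
	Path string // path that will actually be handed to the scanner
}

// readName returns the trimmed contents of /proc/PID/comm, falling back to the
// PID itself so that every warning carries some identifier.
func readName(procDir string, pid int) string {
	b, err := os.ReadFile(filepath.Join(procDir, "comm"))
	if err != nil {
		return strconv.Itoa(pid)
	}
	return strings.TrimSpace(string(b))
}

// argv0 returns the first NUL-separated field of /proc/PID/cmdline, or "".
func argv0(procDir string) string {
	b, err := os.ReadFile(filepath.Join(procDir, "cmdline"))
	if err != nil || len(b) == 0 {
		return ""
	}
	if i := bytes.IndexByte(b, 0); i >= 0 {
		b = b[:i]
	}
	return string(b)
}

// resolveExe picks the path to scan for one process. /proc/PID/exe is a
// kernel-maintained symlink and therefore authoritative, but stat'ing it fails
// with "permission denied" for processes we may not ptrace. In that case we
// try argv[0] when it is absolute (assumed fallback), and otherwise report
// both candidates in one error so the caller can skip the PID with one WARN.
func resolveExe(procDir string) (string, error) {
	exe := filepath.Join(procDir, "exe")
	if _, err := os.Stat(exe); err == nil {
		return exe, nil
	}
	alt := argv0(procDir)
	if !filepath.IsAbs(alt) {
		return "", fmt.Errorf("unable to stat %q", exe)
	}
	if _, err := os.Stat(alt); err == nil {
		return alt, nil
	}
	return "", fmt.Errorf("unable to stat %q or %q", exe, alt)
}

// listProcesses enumerates numeric directories under procRoot (normally
// "/proc"). Processes whose executable cannot be resolved do not abort the
// run; they come back as warning strings in the same shape as the PR's new
// "skipping pid N: name: ..." lines, and the rest are returned sorted by PID.
func listProcesses(procRoot string) ([]ProcessInfo, []string, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, nil, err
	}
	var found []ProcessInfo
	var skipped []string
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil || !e.IsDir() {
			continue // "self", "sys", "net", ... are not processes
		}
		procDir := filepath.Join(procRoot, e.Name())
		name := readName(procDir, pid)
		path, err := resolveExe(procDir)
		if err != nil {
			skipped = append(skipped, fmt.Sprintf("skipping pid %d: %s: %v", pid, name, err))
			continue
		}
		found = append(found, ProcessInfo{PID: pid, Name: name, Path: path})
	}
	sort.Slice(found, func(i, j int) bool { return found[i].PID < found[j].PID })
	return found, skipped, nil
}

func main() {
	procs, skipped, err := listProcesses("/proc")
	if err != nil {
		log.Fatal(err)
	}
	for _, w := range skipped {
		log.Printf("WARN %s", w)
	}
	for _, p := range procs {
		fmt.Printf("scan candidate pid=%d name=%s path=%s\n", p.PID, p.Name, p.Path)
	}
}
```

Run as an unprivileged user on a Linux host, `main` prints one WARN per process it cannot resolve and a scan candidate for each one it can; run as root, the skipped list shrinks to kernel threads and exited-but-unreaped entries. Because `listProcesses` takes the proc root as a parameter, the same logic can be exercised against a constructed directory tree without touching the real /proc.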