add stricter sanitization to command lines

agent360/plugins/process.py

@@ -3,10 +3,44 @@
 import psutil
 import plugins
 import sys
+import re
 
 class Plugin(plugins.BasePlugin):
     __name__ = 'process'
 
+    def sanitize_command_line(self, cmdline):
+        # Check if cmdline starts with a file path and separate it
+        match = re.match(r'^(\S+)(\s+.*)?$', cmdline)
+        if match:
+            initial_path = match.group(1)
+            remaining_cmdline = match.group(2) or ""
+        else:
+            initial_path = ""
+            remaining_cmdline = cmdline
+
+        # Redact sensitive information in the remaining command line (case-insensitive)
+        remaining_cmdline = re.sub(r'(/[^ ]+)+', '/***', remaining_cmdline, flags=re.IGNORECASE)
+        remaining_cmdline = re.sub(r'(--(?:password|pass|pwd|token|secret|key|api-key|access-key|secret-key|client-secret|auth-key|auth-token)\s+\S+)', '--***', remaining_cmdline, flags=re.IGNORECASE)
+        remaining_cmdline = re.sub(r'(-p\s+\S+)', '-p ***', remaining_cmdline, flags=re.IGNORECASE)
+        remaining_cmdline = re.sub(r'\b(?:password|pass|pwd|token|secret|key|api_key|access_key|client_secret|auth_key|auth_token)=\S+', '***', remaining_cmdline, flags=re.IGNORECASE)
+        remaining_cmdline = re.sub(r'\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b', '***', remaining_cmdline, flags=re.IGNORECASE)
+        remaining_cmdline = re.sub(r'\b(?:[a-fA-F0-9:]+:+)+[a-fA-F0-9]+\b', '***', remaining_cmdline, flags=re.IGNORECASE)
+        remaining_cmdline = re.sub(r'(--port\s+\d+)', '--port ***', remaining_cmdline, flags=re.IGNORECASE)
+        remaining_cmdline = re.sub(r'\b(?:DB_PASS|DB_USER|AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID|SECRET_KEY|TOKEN|PASSWORD|USERNAME|API_KEY|PRIVATE_KEY|SSH_KEY|SSL_CERTIFICATE|SSL_KEY)\b=\S+', '***', remaining_cmdline, flags=re.IGNORECASE)
+        remaining_cmdline = re.sub(r'\b(root|admin|cpanelsolr|user\d*)\b', '***', remaining_cmdline, flags=re.IGNORECASE)
+        remaining_cmdline = re.sub(r'(\S+\.(pem|crt|key|cert|csr|pfx|p12|ovpn|enc|asc|gpg))', '***', remaining_cmdline, flags=re.IGNORECASE)
+        remaining_cmdline = re.sub(r'\b(?:id_rsa|id_dsa|id_ecdsa|id_ed25519|known_hosts|authorized_keys|credentials|.env|docker-compose.yml)\b', '***', remaining_cmdline, flags=re.IGNORECASE)
+        remaining_cmdline = re.sub(r'\b(?:jdbc|mysql|postgres|mongodb|redis|amqp|http|https|ftp|sftp|s3):\/\/\S+', '***', remaining_cmdline, flags=re.IGNORECASE)
+        remaining_cmdline = re.sub(r'\b(?:https?|ftp):\/\/(?:\S+\:\S+@)?(?:[a-zA-Z0-9.-]+\.\S+)', '***', remaining_cmdline, flags=re.IGNORECASE)
+        remaining_cmdline = re.sub(r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b', '***', remaining_cmdline, flags=re.IGNORECASE)
+
+        # Combine the initial path and the sanitized command line, then limit length
+        sanitized_cmdline = (initial_path + remaining_cmdline).strip()
+        if len(sanitized_cmdline) > 256:
+            sanitized_cmdline = sanitized_cmdline[:253] + '...'
+
+        return sanitized_cmdline
+
     def run(self, *unused):
         process = []
         for proc in psutil.process_iter():
@@ -17,7 +51,8 @@ def run(self, *unused):
                 ])
 
                 try:
-                    pinfo['cmdline'] = ' '.join(pinfo['cmdline']).strip()
+                    # Sanitize and format the command line
+                    pinfo['cmdline'] = self.sanitize_command_line(' '.join(pinfo['cmdline']).strip())
                 except:
                     pass
                 if sys.version_info < (3,):
@@ -38,6 +73,5 @@ def run(self, *unused):
                 process.append(pinfo)
         return process
 
-
 if __name__ == '__main__':
     Plugin().execute()