
concierge-permaudit: improve interpreter detection when auditing processes

guillaume il y a 7 ans
Parent
commit
1609196175
1 fichiers modifiés avec 36 ajouts et 9 suppressions
  1. 36 9
      src/concierge-permaudit

+ 36 - 9
src/concierge-permaudit

@@ -133,13 +133,41 @@ writePatterns = [
   '~/.logout' # tcsh shell
   ]
 
-interps = set([
-  '/bin/sh',
-  '/bin/bash',
-  '/usr/bin/perl',
-  '/usr/bin/python',
-  '/usr/bin/python3'
-  ])
+searchinterps = [
+  'sh',
+  'dash',
+  'bash',
+  'fish',
+  'tcsh',
+  'zsh',
+  'node',
+  'perl',
+  'php',
+  'php-cli',
+  'python',
+  'python2',
+  'python2.7',
+  'python3',
+  'python3.4',
+  'python3.5',
+  'python3.6',
+  'tclsh'
+  ]
+
+interps = set()
+
+for interpname in searchinterps:
+  interp = shutil.which(interpname)
+  if interp != None:
+    interp = Path(interp)
+    interps.add(str(interp))
+    realinterp = interp.resolve()
+    if realinterp != interp:
+      interps.add(str(realinterp))
+
+def is_interpreter(path):
+  resolvedPath = Path(path).resolve()
+  return str(resolvedPath) in interps
 
 interpArgParse = argparse.ArgumentParser(description='Generic interpreter parser', add_help=False)
 interpArgParse.add_argument('interp', type=str)
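Review bot: `interps` is filled from `shutil.which(interpname)` using the auditing process's own PATH at import time, while `auditCommand` resolves `argList[0]` against the audited command's `path`. An interpreter that exists only on the audited PATH, or a version missing from `searchinterps` such as a newer `python3.x`, therefore makes `is_interpreter` return False, and the script-path handling in that branch is never reached. For an audit tool a missed interpreter is the costly direction, so a fallback on the basename before and after `resolve()` would help, as sketched below; the hard-coded version list would still need a pattern or regular updates. Separately, the two `!= None` comparisons (here and at `if absArg0 != None` in the `auditCommand` hunk) would read better as `is not None`.

```python
def is_interpreter(path):
  candidate = Path(path)
  resolvedPath = candidate.resolve()
  if str(resolvedPath) in interps:
    return True
  # Fallback: the set above only knows interpreters found on the auditor's
  # own PATH, so also accept a known interpreter name at either end of the
  # symlink chain.
  return candidate.name in searchinterps or resolvedPath.name in searchinterps
```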
@@ -252,7 +280,6 @@ def printExceptions():
 
 def auditProcess(proc):
   ruid = proc.uids()[0]
-  pid = proc.pid
   exePathStr = proc.exe()
   if len(exePathStr) > 0:
     exePath = Path(exePathStr)
@@ -272,7 +299,7 @@ def auditCommand(ruid, argList, cwd, env = {}, context = None):
   else:
     path = os.defpath
   absArg0 = shutil.which(argList[0], path=path)
-  if absArg0 in interps and len(argList) > 1:
+  if absArg0 != None and is_interpreter(absArg0) and len(argList) > 1:
     (args, remainining) = interpArgParse.parse_known_args(argList)
     scriptPath = Path(args.script)
     if not scriptPath.is_absolute():