From 8b2242c616df31bef6d01e91766bc01c7ba8d34f Mon Sep 17 00:00:00 2001
From: Minoru Kobayashi
Date: Wed, 14 Aug 2024 16:19:06 +0900
Subject: [PATCH] artif: collect /proc/*/stat
Added an artifact to collect /proc/*/stat. Its 9th field is the task flags. So, it can help to identify if a process is kernel thread or not.
---
 .../live_response/process/procfs_information.yaml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/artifacts/live_response/process/procfs_information.yaml b/artifacts/live_response/process/procfs_information.yaml
index 6301299..63e2a66 100644
--- a/artifacts/live_response/process/procfs_information.yaml
+++ b/artifacts/live_response/process/procfs_information.yaml
@@ -202,6 +202,14 @@ artifacts:
 command: cat /proc/%line%/status
 output_directory: /live_response/process/proc/%line%
 output_file: status.txt
+ - description: Collect stat of each process.
+ supported_os: [linux]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: cat /proc/%line%/stat
+ output_directory: /live_response/process/proc/%line%
+ output_file: stat.txt
 -
 description: Display the list of UNIX sockets.
 supported_os: [linux]
@@ -230,7 +238,7 @@ artifacts:
 command: astrings /proc/%line%/environ
 output_directory: /live_response/process/proc/%line%
 output_file: environ.txt
-
+
 # macos
 -
 description: Collect running processes executable path.
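Review bot: The "9th field is the task flags" reading that motivates this artifact only holds for a parser that does not split `stat.txt` naively on whitespace: the comm field in parentheses is chosen by the process itself (its executable name, or a name set via prctl(PR_SET_NAME)) and may contain spaces and ')' characters, which shifts every later field for precisely the hostile processes an analyst is hunting. Capturing the raw file with `cat /proc/%line%/stat` is the right thing to do, but the new `description` line should carry that caveat so whoever consumes the output anchors on the last ')' rather than counting from the left, e.g. `description: Collect stat of each process (task flags are the first field after the last ')' of comm; split there, not on whitespace).`. It is worth stating in the same place that the raw flags (e.g. PF_KTHREAD) are a stronger kernel-thread indicator than a bracketed comm, since a user process can rename itself to look like `[kworker/0:0]`; that is the value this artifact adds over `status.txt`, and it holds only with a correct parse. The `artifacts` list this entry is appended to continues outside the hunk.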