Enhancement: Scan crontab for malicious jobs #291

Open
davidnuzik opened this issue Sep 16, 2024 · 0 comments

davidnuzik commented Sep 16, 2024

Summary:

Occasionally, PHP malware might be part of a Linux cron job on some systems. We should consider the feasibility of scanning for malicious cron jobs.
Context: IIRC, Chloe brought this up in a call as a potential feature for the CLI. I believe she mentioned malicious cron jobs do happen at times and this is the reason we are considering this.

Questions / Notes:

  • Is this specific to wp cron jobs or the system or both?

  • Are crontab locations consistent across Linux distros? (nearly always /etc/crontab ? & /etc/cron.* dirs?)

    • Permissions generally persistent as well? (at least readable by all)
    • What about user-specific crontabs? (/var/spool/cron/crontabs is where this is stored in most Linux distros)
    • What about when we have insufficient permissions to read crontabs? Need to handle this gracefully and probably should notify the user.
  • Darwin support?

    • I would think Darwin support is not necessary (do we agree?). It would add complexity.
    • I believe locations differ such as for user-specific -- may be at /var/at/tabs
    • What about launchd ? (.plist files)
  • Error handling - do we want permission issues accessing crontab to result in a warning or error?

  • Do we want this to be done by default during a malware-scan or only when a flag is passed? Subcommand?

    • Should it be its own subcommand? (if so, does anyone have concerns over how many subcommands we have and the increasing CLI help content?)
@davidnuzik davidnuzik added the enhancement New feature or request label Sep 16, 2024
@davidnuzik davidnuzik added this to the 01 To Triage milestone Oct 4, 2024
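
One way the Linux side of this could work, as an added sketch that is not the project's code: it reads the locations named in the issue, turns unreadable paths into warnings instead of errors, and marks entries whose command mentions PHP as candidates for the malware scanner. The function names, the `PHP_HINT` heuristic and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Locations named in the issue, relative to a root. True = system format (user field).
# /etc/cron.hourly, cron.daily etc. hold scripts, not crontab lines, so they are left out.
LOCATIONS = [("etc/crontab", True), ("etc/cron.d", True),
             ("var/spool/cron/crontabs", False)]
PHP_HINT = re.compile(r"\bphp\d*\b", re.I)  # assumed heuristic: command mentions PHP

def command_of(line, has_user):
    """Return the command of a crontab entry, or None for blanks, comments, VAR=value."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"\w+\s*=", line):
        return None
    skip = (1 if line.startswith("@") else 5) + (1 if has_user else 0)
    fields = line.split(None, skip)
    return fields[skip] if len(fields) > skip else None

def scan(root="/"):
    """Return (jobs, warnings); unreadable locations become warnings, not failures."""
    jobs, warnings = [], []
    for rel, has_user in LOCATIONS:
        top = os.path.join(root, rel)
        try:
            paths = ([os.path.join(top, n) for n in sorted(os.listdir(top))]
                     if os.path.isdir(top) else [top] if os.path.exists(top) else [])
        except OSError as exc:  # e.g. PermissionError on the user spool directory
            warnings.append(f"{top}: {exc.strerror}")
            continue
        for path in paths:
            try:
                with open(path, errors="replace") as fh:
                    cmds = [c for c in (command_of(l, has_user) for l in fh) if c]
            except OSError as exc:
                warnings.append(f"{path}: {exc.strerror}")
                continue
            jobs += [(path, c, bool(PHP_HINT.search(c))) for c in cmds]
    return jobs, warnings

def demo():
    """Scan a constructed tree (sample data, not from a real host)."""
    root = Path(tempfile.mkdtemp())
    (root / "etc/cron.d/subdir").mkdir(parents=True)  # open() fails on a directory
    (root / "var/spool/cron/crontabs").mkdir(parents=True)
    (root / "etc/crontab").write_text("PATH=/usr/bin\n17 * * * * root run-parts /etc/cron.hourly\n")
    (root / "var/spool/cron/crontabs/www-data").write_text(
        "*/5 * * * * php /var/www/html/wp-cron.php\n@reboot /usr/bin/true\n")
    return scan(root)
```

The PHP flag only selects entries for a closer look; a legitimate `wp-cron.php` job is flagged the same way as a malicious one until the referenced file is scanned.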