From 0c51cfd662de7eb98c62e0d3388be07a8899f45d Mon Sep 17 00:00:00 2001
From: Gerard Wagener
Date: Mon, 18 Jan 2010 17:00:47 +0100
Subject: [PATCH] Clean up process trees in aha
---
 aha/aha.py | 8 ++++++--
 aha/ahalib.py | 12 +++++++++++-
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/aha/aha.py b/aha/aha.py
index f5e1607a45b..3ca5645ba72 100644
--- a/aha/aha.py
+++ b/aha/aha.py
@@ -19,6 +19,10 @@ class KernelEvents(ProcessEvent):
 pid = int(msg['pid'][0])
 ppid = int(msg['ppid'][0])
 type = int(msg['type'][0])
+ #Was a process closed?
+ if type == 3:
+ self.processtrees.silent_remove_pid(pid)
+ return
 if type == 1: # Got sys_execve
 command = msg['file'][0]
@@ -33,7 +37,7 @@ class KernelEvents(ProcessEvent):
 #is this process induced by clone or sys_execve related to a user?
 if self.processtrees.searchTree(pid,ppid) == False:
- print "Process belongs to the system, allow it"
+ #print "Process belongs to the system, allow it"
 #Note the process could also belong to a local #connected user
 self.ahaa.create_message(filekey,block=0, exitcode=0,
@@ -41,7 +45,7 @@ class KernelEvents(ProcessEvent):
 return
 else:
 print "Process belongs to a user, play"
- #TODO add default action
+ #TODO add default action
 except KeyError,e:
 print "EXCEPTION: KeyError"
 except IndexError,w:
diff --git a/aha/ahalib.py b/aha/ahalib.py
index 09b9f704d5e..22795767233 100644
--- a/aha/ahalib.py
+++ b/aha/ahalib.py
@@ -31,6 +31,7 @@ class AHAActions:
 except OSError,e:
 pass
+ #Can trow IOError
 def create_message(self,filename,block,exitcode,substitue,insult):
 try:
@@ -129,7 +130,16 @@ class ProcessTrees:
 self.processList.pop(pid)
 return self.foundUser
-
+ def silent_remove_pid(self,pid):
+ try:
+ if self.processList.has_key(pid):
+ self.processList.pop(pid)
+ if self.userList.has_key(pid):
+ self.userList.pop(pid)
+ print "User in process ",pid," pid disconnected"
+ except KeyError,e:
+ pass
+
 class TestProcessTree(unittest.TestCase):
 def testSearchRegular0(self):
 x = ProcessTrees()
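Review bot: In the first aha/aha.py hunk (`@@ -19,6 +19,10 @@`) the exit event is recognised by the bare literal in `if type == 3:`, next to the existing `type == 1` test, so the event codes are undocumented magic numbers. A named constant or a comment saying where the kernel side defines these values would make the check auditable, and the added comment would be clearer as `# type 3 = process exit: forget the pid so the trees do not grow without bound`, if that is the intent. The early `return` also skips the rest of the handler; whether an exit event needs any reply cannot be seen here, because the method body starts and ends outside the hunk.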
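Review bot: The second aha/aha.py hunk (`@@ -33,7 +37,7 @@`) silences the allow decision by commenting the `print` out, which leaves dead code behind and removes the only visible trace that a process was classified as system-owned and let through with `block=0`. For a monitoring tool that record is worth keeping at a low log level rather than dropping. Something like `logging.debug("pid %d belongs to the system, allow it", pid)` would do, assuming `logging` is or can be imported in this file, since the imports are outside the hunk.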
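Review bot: The comment added above `create_message` in the first aha/ahalib.py hunk (`@@ -31,6 +31,7 @@`) has a typo and uses the wrong verb for Python; `#Can trow IOError` should read `# Can raise IOError`. The method body opens with `try:` and continues outside the hunk, so it is not visible whether an IOError really escapes to the caller. A docstring on the method that names the exceptions which propagate would be a better home for this than a loose comment.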
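Review bot: In `silent_remove_pid` (second aha/ahalib.py hunk, `@@ -129,7 +130,16 @@`) the `except KeyError,e: pass` wrapper cannot fire in single-threaded use, because both `pop` calls are already guarded by `has_key`; if another thread can touch these dictionaries, check-then-pop is itself the race. `self.processList.pop(pid, None)` followed by `if pid in self.userList:` around the `userList.pop(pid)` and the print does the same without the dead handler. The method is called "silent" yet prints, so a docstring should state that silent means no error for an unknown pid. Since `searchTree` is outside the hunk, please confirm that still-running children of a removed user process stay attributed to that user and do not fall into the "belongs to the system" allow path once their parent's entry is gone.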