Clean up process trees in aha

aha/aha.py

@@ -19,6 +19,10 @@ class KernelEvents(ProcessEvent):
             pid = int(msg['pid'][0])
             ppid = int(msg['ppid'][0])
             type = int(msg['type'][0])
+            #Was a process closed?
+            if type == 3:
+                self.processtrees.silent_remove_pid(pid)
+                return
             if type == 1:
                 # Got sys_execve
                 command = msg['file'][0]
@@ -33,7 +37,7 @@ class KernelEvents(ProcessEvent):
 
             #is this process induced by clone or sys_execve related to a user?
             if self.processtrees.searchTree(pid,ppid) == False:
-                print "Process belongs to the system, allow it"
+                #print "Process belongs to the system, allow it"
                 #Note the process could also belong to a local
                 #connected user
                 self.ahaa.create_message(filekey,block=0, exitcode=0,
@@ -41,7 +45,7 @@ class KernelEvents(ProcessEvent):
                 return
             else:
                 print "Process belongs to a user, play"
-            #TODO add default action
+           #TODO add default action
         except KeyError,e:
             print "EXCEPTION: KeyError"
         except IndexError,w:

aha/ahalib.py

@@ -31,6 +31,7 @@ class AHAActions:
         except OSError,e:
             pass
 
+       
     #Can trow IOError
     def create_message(self,filename,block,exitcode,substitue,insult):
         try:
@@ -129,6 +130,15 @@ class ProcessTrees:
             self.processList.pop(pid)
         return self.foundUser
 
+    def silent_remove_pid(self,pid):
+        try:
+            if self.processList.has_key(pid):
+                self.processList.pop(pid)
+            if self.userList.has_key(pid):
+               self.userList.pop(pid)
+               print "User in process ",pid," pid disconnected"
+        except KeyError,e:
+            pass
  
 class TestProcessTree(unittest.TestCase):
     def testSearchRegular0(self):