Initial version of recovering process vectors

2024-12-26 10:46:11 +00:00 · 2010-01-20 18:24:36 +01:00 · 2010-01-20 18:24:36 +01:00 · 181a5ca1bf
commit 181a5ca1bf
parent 26f4e7096c
1 changed files with 55 additions and 0 deletions
--- a/aha/aha-eye.py
+++ b/aha/aha-eye.py
@ -0,0 +1,55 @@
+#!/usr/bin/python
+#Analyse log files generated from aha-worker and generate reports
+from ahalib import *
+logfile='aha.log'
+aha = AHAActions('../in','../out')
+ptress = ProcessTrees()
+
+def extract_object(obj):
+    try:
+        #FIXME Until now discard decisions from aha
+        if obj.has_key('block') and obj.has_key('insult'):
+            return 
+        tp = int(obj['type'][0])
+        pid = int(obj['pid'][0])
+        ppid = int(obj['ppid'][0])
+        ts = obj['timestamp']
+        #handle sys_clone messages
+        if (tp == 2):
+            ptress.searchTree(pid,ppid) 
+            return
+        
+        #handle sys_execve
+        if (tp ==  1):
+            file = obj['file'][0]
+            if file == '/usr/sbin/sshd':
+                print "Potential new user found: pid=",pid,"ppid=",ppid
+                ptress.addUser(pid)
+                return
+            if ptress.searchTree(pid,ppid):
+                print "User related command: ",file,"pid=",pid," ppid=",ppid
+                #Annotation info is only available in sys_execve messages
+                print "annotate process ",pid
+                ptress.annotateProcessList(obj)                   
+        
+    except ValueError,e:
+        print "Failed to parse ",obj
+    except KeyError,e:
+        print "Incomplete message"
+ 
+line = None
+try:
+    f = open('aha.log','r')
+    for line in f:
+        (timestamp,key,serobj) = line.split('|',2)
+        obj = aha.unserializeMessage(serobj)
+        extract_object(obj)
+    f.close()
+except ValueError,e:
+    #File may be incomplete
+    print "Value error"
+    print e
+    print line
+
+#Dump process trees
+print ptress.exportUserListTxt('userlist.txt')