Initial version of recovering process vectors

2024-12-27 11:16:11 +00:00 · 2010-01-20 18:24:36 +01:00 · 2010-01-20 18:24:36 +01:00 · 181a5ca1bf
commit 181a5ca1bf
parent 26f4e7096c
1 changed files with 55 additions and 0 deletions
--- a/aha/aha-eye.py
+++ b/aha/aha-eye.py
@ -0,0 +1,55 @@
 #!/usr/bin/python
 #Analyse log files generated from aha-worker and generate reports
 from ahalib import *
 logfile='aha.log'
 aha = AHAActions('../in','../out')
 ptress = ProcessTrees()
 def extract_object(obj):
    try:
        #FIXME Until now discard decisions from aha
        if obj.has_key('block') and obj.has_key('insult'):
            return 
        tp = int(obj['type'][0])
        pid = int(obj['pid'][0])
        ppid = int(obj['ppid'][0])
        ts = obj['timestamp']
        #handle sys_clone messages
        if (tp == 2):
            ptress.searchTree(pid,ppid) 
            return
        #handle sys_execve
        if (tp ==  1):
            file = obj['file'][0]
            if file == '/usr/sbin/sshd':
                print "Potential new user found: pid=",pid,"ppid=",ppid
                ptress.addUser(pid)
                return
            if ptress.searchTree(pid,ppid):
                print "User related command: ",file,"pid=",pid," ppid=",ppid
                #Annotation info is only available in sys_execve messages
                print "annotate process ",pid
                ptress.annotateProcessList(obj)                   
    except ValueError,e:
        print "Failed to parse ",obj
    except KeyError,e:
        print "Incomplete message"
 line = None
 try:
    f = open('aha.log','r')
    for line in f:
        (timestamp,key,serobj) = line.split('|',2)
        obj = aha.unserializeMessage(serobj)
        extract_object(obj)
    f.close()
 except ValueError,e:
    #File may be incomplete
    print "Value error"
    print e
    print line
 #Dump process trees
 print ptress.exportUserListTxt('userlist.txt')