First version of exporting information like ssh addresses and timestamps

besides process vectors
Gerard Wagener 2010-01-20 19:09:13 +01:00
parent 181a5ca1bf
commit b58b2ecea2
2 changed files with 17 additions and 23 deletions


@ -17,7 +17,7 @@ def extract_object(obj):
#handle sys_clone messages #handle sys_clone messages
if (tp == 2): if (tp == 2):
ptress.searchTree(pid,ppid) ptress.searchTree(pid,ppid)
return
#handle sys_execve #handle sys_execve
if (tp == 1): if (tp == 1):
@ -25,6 +25,7 @@ def extract_object(obj):
if file == '/usr/sbin/sshd': if file == '/usr/sbin/sshd':
print "Potential new user found: pid=",pid,"ppid=",ppid print "Potential new user found: pid=",pid,"ppid=",ppid
ptress.addUser(pid) ptress.addUser(pid)
ptress.annotateProcessList(obj)
return return
if ptress.searchTree(pid,ppid): if ptress.searchTree(pid,ppid):
print "User related command: ",file,"pid=",pid," ppid=",ppid print "User related command: ",file,"pid=",pid," ppid=",ppid
@ -52,4 +53,4 @@ except ValueError,e:
print line print line
#Dump process trees #Dump process trees
print ptress.exportUserListTxt('userlist.txt') ptress.exportUserListTxt('userlist.txt')
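Review bot: The new `ptress.annotateProcessList(obj)` call in the second hunk only runs when the execve'd path compares equal to `'/usr/sbin/sshd'`, so an sshd started through any other path (a relative path, a symlink, a different install prefix) is registered neither as a user root nor annotated with SSH info, and the later "User related command" matching silently misses that session. That is a detection-coverage limitation worth recording next to the comparison, e.g. `# NOTE: exact-path match; an sshd launched via another path is not annotated (no SSH_CLIENT/timestamp in the report)`. In the first hunk the added `return` discards whatever `ptress.searchTree(pid,ppid)` returns; if it reports a lookup miss, a one-line comment saying the result is intentionally ignored for sys_clone would make that explicit. extract_object continues outside these hunks.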


@ -145,7 +145,7 @@ class ProcessTrees:
if ev.startswith('SSH_CLIENT='): if ev.startswith('SSH_CLIENT='):
ev = ev.replace('SSH_CLIENT=','') ev = ev.replace('SSH_CLIENT=','')
self.aplist[pid]['ssh_client'] = ev self.aplist[pid]['ssh_client'] = ev
#print "Annotated pid=", pid," ev",ev print "Annotated with ssh info pid=", pid," ev",ev
# Is there a timestamp? # Is there a timestamp?
if msg.has_key('timestamp'): if msg.has_key('timestamp'):
self.aplist[pid]['timestamp'] = msg['timestamp'] self.aplist[pid]['timestamp'] = msg['timestamp']
@ -219,30 +219,23 @@ class ProcessTrees:
except KeyError,e: except KeyError,e:
pass pass
# Describe the root process
# f is file object
# pid is the root process
def desc_root_process(self,f,pid): def desc_root_process(self,f,pid):
f.write("** user root process %d **\n"%pid) f.write("** user root process %d **\n"%pid)
#See if some annotation is found for this pid
if self.aplist.has_key(pid):
print "Found some annotations for",pid
#Look for SSH variables in the first child process
sshinfo = self.search_ssh_info(pid) sshinfo = self.search_ssh_info(pid)
if sshinfo: if sshinfo:
f.write("%s\n"%sshinfo) f.write("SSH_client: %s\n"%sshinfo)
else: ts = self.get_timestamp_from_pid(pid)
sys.stderr.write("No SSH information is there\n") print "11111",ts
if self.aplist[pid].has_key('timestamp'): if ts >0:
#Convert timestamp
ts = self.aplist[pid]['timestamp']
obj=datetime.datetime.fromtimestamp(float(ts)) obj=datetime.datetime.fromtimestamp(float(ts))
f.write("Connection date:%s\n\n"%str(obj)) f.write("Connection date: %s\n"%str(obj))
else:
f.write("No timestamp information is there\n")
else:
sys.stderr.write("No annotations found for pid: %d\n"%pid)
#Add process vector #Add process vector
vec = self.recover_process_vector(pid) vec = self.recover_process_vector(pid)
f.write("Process vector: %s\n"%','.join(vec)) f.write("Process vector: %s\n"%','.join(vec))
f.write('\n')
def exportUserListTxt(self,filename): def exportUserListTxt(self,filename):
try: try:
#Opens the file in append mode aiming to keep the history #Opens the file in append mode aiming to keep the history
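Review bot: `print "11111",ts` in the rewritten desc_root_process is a leftover debugging statement that now lands on stdout on every exported user; it should be removed before this is relied on as a reporting tool, and the same applies to the print that the first hunk uncomments (`print "Annotated with ssh info pid=", pid," ev",ev`) in the annotation path. The new guard `if ts >0:` also looks fragile: the old code fed the stored value through `float(ts)`, which suggests get_timestamp_from_pid may hand back a string, and under Python 2 (this file uses print statements and `has_key`) a `str > 0` comparison is always true, so a non-numeric value would then raise ValueError from `float(ts)` and abort the whole export. Converting first and keeping the `> 0` check on the converted value, with the "no timestamp" line restored for the report, avoids both problems; the enclosing class starts before this hunk and the hunk ends inside exportUserListTxt. `datetime.fromtimestamp` without a tz argument yields local time, which is worth stating in the "Connection date" line if reports from different hosts are compared.
```python
        ts = self.get_timestamp_from_pid(pid)
        # Convert defensively: a missing or corrupt value must not abort the export
        try:
            ts = float(ts)
        except (TypeError, ValueError):
            ts = 0.0
        if ts > 0:
            obj=datetime.datetime.fromtimestamp(ts)
            f.write("Connection date: %s\n"%str(obj))
        else:
            f.write("No timestamp information is there\n")
        # ... unchanged: process vector export ...
```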