From f3d73475372120c5fe69eb4c95a6ff97978b24de Mon Sep 17 00:00:00 2001 From: Gerard Wagener Date: Fri, 15 Jan 2010 11:13:19 +0100 Subject: [PATCH] Try 2: If booted works, but does not boot --- aha/aha.py | 48 +++++++++++++++++++++--------------------------- aha/ahalib.py | 9 +++++---- 2 files changed, 26 insertions(+), 31 deletions(-) diff --git a/aha/aha.py b/aha/aha.py index 1778b9af3b9..c4f0c289680 100644 --- a/aha/aha.py +++ b/aha/aha.py 
@@ -14,39 +14,33 @@ class KernelEvents(ProcessEvent): self.processtrees = ProcessTrees() def decision(self,filekey,msg): - print msg + print filekey try: - command = msg['file'][0] pid = int(msg['pid'][0]) ppid = int(msg['ppid'][0]) - print "Got command: ",command - #Is there a new SSH connection? - if msg['file'][0] == '/usr/sbin/sshd': - print "New user found pid=",pid,",ppid=",ppid - self.processtrees.addUser(pid) - self.ahaa.create_message(filekey,block=0, exitcode=0, - insult=0, substitue=0) + type = int(msg['type'][0]) + if type == 1: + # Got sys_execve + command = msg['file'][0] + print "Got command: ",command + #Is there a new SSH connection? + if msg['file'][0] == '/usr/sbin/sshd': + print "New user found pid=",pid,",ppid=",ppid + self.processtrees.addUser(pid) + self.ahaa.create_message(filekey,block=0, exitcode=0, + insult=0, substitue=0) return - else: - #is this process related to a user? - if self.processtrees.searchTree(pid,ppid) == False: - print "Process belongs to the system, allow it" - #Note the process could also belong to a local - #connected user - self.ahaa.create_message(filekey,block=0, exitcode=0, - insult=0, substitue=0) - if msg['file'][0] == '/usr/bin/bvi': - self.ahaa.create_message(filekey, block=1, - exitcode=KERNEL_ERRORS.ENOMEM, - insult = 0, substitue=0) - return - if msg['file'][0] == '/usr/bin/vi': - # The index 0 is reserved - idx = random.randint(1,insultmaxidx) - self.ahaa.create_message(filekey, block=0, exitcode=0, - insult=idx, substitue=0) + #is this process related to a user? + if self.processtrees.searchTree(pid,ppid) == False: + print "Process belongs to the system, allow it" + #Note the process could also belong to a local + #connected user + self.ahaa.create_message(filekey,block=0, exitcode=0, + insult=0, substitue=0) return + + except KeyError,e: print "EXCEPTION: KeyError" except IndexError,w: diff --git a/aha/ahalib.py b/aha/ahalib.py index 35e4c90d1a6..bed0fa2a90e 100644 --- a/aha/ahalib.py +++ b/aha/ahalib.py 
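Review bot: A user-related process now receives no decision at all: the new `if self.processtrees.searchTree(pid,ppid) == False:` branch answers with `create_message(... block=0 ...)`, but when searchTree reports that the process belongs to a user, control falls straight through to the context `return` without any `create_message` call, and the removed bvi/vi branches were the only code that answered that case. Whether the kernel side treats a missing answer as allow, deny or a timeout is not visible here, so the policy should be stated explicitly with a final `self.ahaa.create_message(filekey, block=0, exitcode=0, insult=0, substitue=0)` (or whatever block= value the policy wants) before that `return`. The column of the unchanged `return` after the sshd branch cannot be verified in this collapsed hunk; if it kept its old indentation it now sits outside the re-nested `if msg['file'][0] == '/usr/sbin/sshd':` and ends every type-1 event before the searchTree check is reached, which would fit the boot failure named in the subject. `type = int(msg['type'][0])` also shadows the builtin; `event_type` avoids that. The decision() body continues past the end of the hunk.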
@@ -107,15 +107,16 @@ class ProcessTrees: #Always add it pid and ppid the list self.processList[pid] = ppid if self.userList.has_key(ppid): - print "DEBUG: Found user" + print "DEBUG: user related command" self.foundUser = 1 return - print "DEBUG: Searching ppid ",ppid, "in ",self.processList + #print "DEBUG: Searching ppid ",ppid, "in ",self.processList if self.processList.has_key(ppid): - print "DEBUG: found parent of ",pid, "which is ",ppid + #print "DEBUG: found parent of ",pid, "which is ",ppid self.searchTree(ppid,self.processList[ppid]) else: - print "DEBUG: Cannot find parent of ",ppid + #print "DEBUG: Cannot find parent of ",ppid + pass def searchTree(self,pid,ppid): self.foundUser = 0
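Review bot: The recursion `self.searchTree(ppid,self.processList[ppid])` has no termination guard other than a missing parent, so a self-parented entry or a cycle in processList (pid and ppid are stored exactly as received from the event on `self.processList[pid] = ppid`) recurses until the interpreter's recursion limit is hit and takes the whole decision path down with it; a minimal guard such as `if ppid == pid: return` plus a depth bound on the walk would keep one malformed event from doing that. The table also grows without bound on the "Always add it" line; whether entries are ever removed when a process exits is outside this hunk and worth confirming. Commenting out the DEBUG prints leaves dead code behind; deleting them or routing them through `logging.debug` is cleaner than the `#print` plus `pass` pair now in the else branch. The enclosing method starts before this hunk, and the body of searchTree continues past it.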