def feed_binary(self, new_data):
    """Append *new_data* to the input buffer and yield every complete record.

    A frame is a fixed-size header (``AuditRecord.binary_header_format``,
    ``AuditRecord.binary_header_size`` bytes) followed by ``msg_length`` bytes
    of payload, where ``msg_length`` is the fourth unpacked header field.
    Frames are consumed from the front of ``self._input_buffer`` until what
    remains is shorter than one full frame; that partial tail stays buffered
    for the next call.

    Yields ``(type_name, event_id, body_text, None, 0)`` for each frame whose
    payload ``parse_audit_binary_text`` accepts; rejected frames are dropped
    without notice.
    """
    if not new_data:
        return
    self._input_buffer += new_data

    header_size = AuditRecord.binary_header_size
    while True:
        buffered = len(self._input_buffer)
        # The length field cannot be read until the whole header is present.
        if buffered < header_size:
            return
        header = struct.unpack(AuditRecord.binary_header_format,
                               self._input_buffer[:header_size])
        # NOTE(review): header[0] (version) and header[1] (header size) are
        # unpacked but never compared with anything, so a mismatched or
        # unexpected framing is not detected here — confirm whether that is
        # intended.
        record_type, msg_length = header[2], header[3]
        frame_end = header_size + msg_length
        # Wait for the full payload; msg_length comes from the stream itself.
        if buffered < frame_end:
            return
        payload = self._input_buffer[header_size:frame_end]
        parse_succeeded, event_id, body_text = parse_audit_binary_text(payload)
        # Drop the frame from the buffer only after parsing, as the original
        # did, so a parser exception leaves the buffer untouched.
        self._input_buffer = self._input_buffer[frame_end:]
        if parse_succeeded:
            yield (audit.audit_msg_type_to_name(record_type),
                   event_id, body_text, None, 0)
def feed_callback(au, cb_event_type, event_cnt):
    """auparse feed callback: dump every record and field of a ready event.

    Only AUPARSE_CB_EVENT_READY is handled; any other callback type is
    ignored.  event_cnt is a one-element list used as a shared counter and is
    bumped once after the event has been printed.  A missing first record or
    timestamp terminates the process with status 1.
    """
    if cb_event_type != auparse.AUPARSE_CB_EVENT_READY:
        return
    if not au.first_record():
        print "Error getting first record"
        sys.exit(1)
    print "event %d has %d records" % (event_cnt[0], au.get_num_records())

    record_no = 1
    more_records = True
    while more_records:
        type_num = au.get_type()
        print " record %d of type %d(%s) has %d fields" % (
            record_no, type_num, audit.audit_msg_type_to_name(type_num),
            au.get_num_fields())
        print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
        stamp = au.get_timestamp()
        if stamp is None:
            print "Error getting timestamp - aborting"
            sys.exit(1)
        print " event time: %d.%d:%d, host=%s" % (
            stamp.sec, stamp.milli, stamp.serial, none_to_null(stamp.host))
        # One line per field: name, raw text, interpreted text.
        au.first_field()
        more_fields = True
        while more_fields:
            print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(),
                                    au.interpret_field())
            more_fields = au.next_field()
        print
        record_no += 1
        more_records = au.next_record()
    event_cnt[0] += 1
def light_test(au):
    """Walk every event in *au*, printing record headers but no fields.

    For each event the record count is printed, followed by one header block
    per record (index, type number/name, field count, source line/file,
    timestamp and host).  Exits with status 1 if an event has no first record
    or a record has no timestamp.
    """
    have_event = True
    while have_event:
        if not au.first_record():
            print "Error getting first record"
            sys.exit(1)
        print "event has %d records" % au.get_num_records()
        record_no = 1
        have_record = True
        while have_record:
            rtype = au.get_type()
            print " record %d of type %d(%s) has %d fields" % (
                record_no, rtype, audit.audit_msg_type_to_name(rtype),
                au.get_num_fields())
            print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
            stamp = au.get_timestamp()
            if stamp is None:
                print "Error getting timestamp - aborting"
                sys.exit(1)
            print " event time: %d.%d:%d, host=%s" % (
                stamp.sec, stamp.milli, stamp.serial, none_to_null(stamp.host))
            print
            record_no += 1
            have_record = au.next_record()
        have_event = au.parse_next_event()
def feed_callback(au, cb_event_type, event_cnt):
    """Callback for auparse feeding: print each record and field of a ready event.

    Does nothing unless cb_event_type is AUPARSE_CB_EVENT_READY.  event_cnt is
    a single-element list acting as a shared counter; it is incremented after
    the event has been printed.  A missing first record or timestamp exits the
    process with status 1.
    """
    if cb_event_type != auparse.AUPARSE_CB_EVENT_READY:
        return

    def show_fields():
        # One "name=raw (interpreted)" line per field of the current record.
        au.first_field()
        while True:
            print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(),
                                    au.interpret_field())
            if not au.next_field():
                break

    def show_record(record_no):
        # Header lines for the current record, its fields, then a blank line.
        print " record %d of type %d(%s) has %d fields" % (
            record_no, au.get_type(),
            audit.audit_msg_type_to_name(au.get_type()), au.get_num_fields())
        print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
        stamp = au.get_timestamp()
        if stamp is None:
            print "Error getting timestamp - aborting"
            sys.exit(1)
        print " event time: %d.%d:%d, host=%s" % (
            stamp.sec, stamp.milli, stamp.serial, none_to_null(stamp.host))
        show_fields()
        print

    if not au.first_record():
        print "Error getting first record"
        sys.exit(1)
    print "event %d has %d records" % (event_cnt[0], au.get_num_records())
    record_no = 0
    while True:
        record_no += 1
        show_record(record_no)
        if not au.next_record():
            break
    event_cnt[0] += 1
def light_test(au):
    """Print the header block of every record in every event of *au*.

    Fields are not printed.  Each record contributes its index, type number and
    name, field count, source line/file and timestamp, followed by a blank
    line.  Exits with status 1 if an event has no first record or a record has
    no timestamp.
    """
    def print_record_header(record_no):
        # Header lines for the record the parser currently points at.
        rtype = au.get_type()
        print " record %d of type %d(%s) has %d fields" % (
            record_no, rtype, audit.audit_msg_type_to_name(rtype),
            au.get_num_fields())
        print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
        stamp = au.get_timestamp()
        if stamp is None:
            print "Error getting timestamp - aborting"
            sys.exit(1)
        print " event time: %d.%d:%d, host=%s" % (
            stamp.sec, stamp.milli, stamp.serial, none_to_null(stamp.host))
        print

    while True:
        if not au.first_record():
            print "Error getting first record"
            sys.exit(1)
        print "event has %d records" % au.get_num_records()
        record_no = 0
        while True:
            record_no += 1
            print_record_header(record_no)
            if not au.next_record():
                break
        if not au.parse_next_event():
            break
def feed_binary(self, new_data):
    """Buffer *new_data* and yield each complete binary audit record in it.

    Frames consist of a header of ``AuditRecord.binary_header_size`` bytes
    (layout ``AuditRecord.binary_header_format``) whose fourth field gives the
    payload length.  Complete frames are removed from the front of
    ``self._input_buffer``; an incomplete trailing frame is kept for the next
    call.  For every payload that ``parse_audit_binary_text`` accepts, a
    ``(type_name, event_id, body_text, None, 0)`` tuple is yielded; rejected
    payloads are skipped.
    """
    if not new_data:
        return
    self._input_buffer += new_data

    hdr_len = AuditRecord.binary_header_size
    hdr_fmt = AuditRecord.binary_header_format
    while len(self._input_buffer) >= hdr_len:
        # The version and header-size fields are not validated here
        # (NOTE(review): consider whether a mismatch should be rejected).
        _version, _hdr_size, record_type, body_len = struct.unpack(
            hdr_fmt, self._input_buffer[:hdr_len])
        frame_len = hdr_len + body_len
        # Payload length is taken from the stream; wait until all of it arrived.
        if len(self._input_buffer) < frame_len:
            break
        body = self._input_buffer[hdr_len:frame_len]
        ok, event_id, body_text = parse_audit_binary_text(body)
        # Consume the frame only after the parser returned, as the original did.
        self._input_buffer = self._input_buffer[frame_len:]
        if not ok:
            continue
        yield (audit.audit_msg_type_to_name(record_type),
               event_id, body_text, None, 0)
def walk_test(au):
    """Reset *au* and print every event, record and field it contains.

    Per record: a header line (index, type number/name, field count), the
    source line/file, the timestamp and host, one line per field with its raw
    and interpreted value, then a blank line.  Exits with status 1 if the
    first record or a timestamp is missing.
    """
    def dump_fields():
        # One "name=raw (interpreted)" line per field of the current record.
        au.first_field()
        more = True
        while more:
            print(" %s=%s (%s)" % (au.get_field_name(), au.get_field_str(),
                                    au.interpret_field()))
            more = au.next_field()

    def dump_record(record_no):
        rtype = au.get_type()
        print(" record %d of type %d(%s) has %d fields" % (
            record_no, rtype, audit.audit_msg_type_to_name(rtype),
            au.get_num_fields()))
        print(" line=%d file=%s" % (au.get_line_number(), au.get_filename()))
        stamp = au.get_timestamp()
        if stamp is None:
            print("Error getting timestamp - aborting")
            sys.exit(1)
        print(" event time: %d.%d:%d, host=%s" % (
            stamp.sec, stamp.milli, stamp.serial, none_to_null(stamp.host)))
        dump_fields()
        print("")

    au.reset()
    if not au.first_record():
        print("Error getting first record")
        sys.exit(1)
    event_no = 1
    while True:
        print("event %d has %d records" % (event_no, au.get_num_records()))
        record_no = 1
        while True:
            dump_record(record_no)
            record_no += 1
            if not au.next_record():
                break
        event_no += 1
        if not au.parse_next_event():
            break
def get_entry(self): """ Return the next record from the currently processed audit file """ # remember to 'yield json.dumps(entry)' after the object has been built # this will return the object to the caller # Event Loop while True: event = {} event['count'] = self.auditstream.get_num_records() event['records'] = [] # Record Loop while True: record = {} headers = {} timestamp = self.auditstream.get_timestamp() if timestamp is None: print "Error getting event timestamp, aborting" sys.exit(1) headers['fieldcount'] = self.auditstream.get_num_fields() headers['typenum'] = self.auditstream.get_type() headers['type'] = audit.audit_msg_type_to_name(headers['typenum']) headers['location'] = self.entry_location() headers['unixtime'] = float("%d.%d" % (timestamp.sec,timestamp.milli)) headers['isotime'] = datetime.fromtimestamp(headers['unixtime']).isoformat() headers['serial'] = timestamp.serial headers['host'] = none_to_null(timestamp.host) if headers['typenum'] == 1327: headers['type'] = 'PROCTITLE' record['headers'] = headers fields = {} # Field Loop self.auditstream.first_field() while True: name = self.auditstream.get_field_name() raw = self.auditstream.get_field_str() if name != 'type': fields[name] = { 'raw': raw, 'value': self.auditstream.interpret_field() } if name == "proctitle": fields[name]['value'] = raw.decode("hex") else: headers['fieldcount'] -= 1 if not self.auditstream.next_field(): break record['fields'] = fields event['records'].append(record) if not self.auditstream.next_record(): break yield event if not self.auditstream.parse_next_event(): break
def msgtype_string(msgtype):
    '''Return a string representing msgtype.

    The libaudit type name is used when one is known; otherwise the numeric
    value is rendered with str().
    '''
    name = audit.audit_msg_type_to_name(msgtype)
    return str(msgtype) if name is None else name
def feed_callback(au, cb_event_type, event_cnt):
    """auparse feed callback: print one line per audit record in a fixed column order.

    Each record is routed by its type name (audit.audit_msg_type_to_name) through
    the WHERE_RE / WHO_RE / SYSCALL_RE / SOCKET_RE / EXECVE_RE patterns to the
    matching *_object; load(au) returns the object to keep, which is rebound to
    the module-level name and then printed as a space-separated line prefixed
    by ``event_count:event_rec_count:record_count``.

    cb_event_type and event_cnt are part of the callback signature but are not
    read here; the module global event_count is the counter advanced per event.
    """
    global event_count
    global place_object
    global user_object
    global syscall_object
    global socket_object
    global execve_object
    global generic_object

    while True:
        event_count += 1
        record_count = 1
        # Both the ses and pid values will be used for the base lookups in auditd_core.
        # Because of this, records after the first in an event benefit from having
        # this information passed along.  If this is not done, a great deal of state
        # goo and churn is introduced later in the bro code.
        # The ses identifier is the primary with the pid as a backup since sid sometimes has
        # a value of 'unset'.
        # Only the WHO, SYSCALL and generic branches below capture these from the
        # first record; the SOCKET and EXECVE branches print the carried values.
        ses_holder = 0
        pid_holder = 0
        event_rec_count = au.get_num_records()

        while True:
            # NOTE(review): the output columns are space-separated, but values such
            # as exe, comm, path_name and arg come straight from the audit record
            # and may contain spaces unless load() escapes them — confirm before
            # consuming these lines by splitting on whitespace.
            if WHERE_RE.match(audit.audit_msg_type_to_name(au.get_type())):
                place_object = place_object.load(au)
                print "%s:%s:%s %s %s %s %s %s %s %s %s %s %s %s %s" % (event_count, event_rec_count, record_count, place_object.flavor, place_object.type, place_object.time, place_object.node, ses_holder, pid_holder, place_object.cwd, place_object.path_name, place_object.inode, place_object.mode, place_object.ouid, place_object.ogid)
            ### ------------------------------ ###
            elif WHO_RE.match(audit.audit_msg_type_to_name(au.get_type())):
                user_object = user_object.load(au)
                # First record seeds the per-event ses/pid; later records inherit them.
                if record_count == 1:
                    ses_holder = user_object.ses
                    pid_holder = user_object.pid
                else:
                    user_object.ses = ses_holder
                    user_object.pid = pid_holder
                print "%s:%s:%s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s" % (event_count, event_rec_count, record_count, user_object.flavor, user_object.type, user_object.time, user_object.node, user_object.ses, user_object.auid, user_object.egid, user_object.euid, user_object.fsgid, user_object.fsuid, user_object.gid, user_object.suid, user_object.sgid, user_object.uid, user_object.pid, user_object.success, user_object.exit, user_object.term, user_object.exe)
            ### ------------------------------ ###
            elif SYSCALL_RE.match(audit.audit_msg_type_to_name(au.get_type())):
                syscall_object = syscall_object.load(au)
                # Seeds ses/pid from the first record but, unlike WHO, does not
                # overwrite them on later records.
                if record_count == 1:
                    ses_holder = syscall_object.ses
                    pid_holder = syscall_object.pid
                print '%s:%s:%s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s' % (event_count, event_rec_count, record_count, syscall_object.flavor, syscall_object.type, syscall_object.time, syscall_object.node, syscall_object.ses, syscall_object.auid, syscall_object.syscall, syscall_object.key, syscall_object.comm, syscall_object.exe, syscall_object.a0, syscall_object.a1, syscall_object.a2, syscall_object.uid, syscall_object.gid, syscall_object.euid, syscall_object.egid, syscall_object.fsuid, syscall_object.fsgid, syscall_object.suid, syscall_object.sgid, syscall_object.pid, syscall_object.ppid, syscall_object.tty, syscall_object.success, syscall_object.exit)
            ### ------------------------------ ###
            elif SOCKET_RE.match(audit.audit_msg_type_to_name(au.get_type())):
                socket_object = socket_object.load(au)
                # Prints the carried ses/pid rather than anything from the socket record.
                print '%s:%s:%s %s %s %s %s %s %s %s' % (event_count, event_rec_count, record_count, socket_object.flavor, socket_object.type, socket_object.time, socket_object.node, ses_holder, pid_holder, socket_object.saddr)
            ### ------------------------------ ###
            elif EXECVE_RE.match(audit.audit_msg_type_to_name(au.get_type())):
                execve_object = execve_object.load(au)
                print '%s:%s:%s %s %s %s %s %s %s %s %s' % (event_count, event_rec_count, record_count, execve_object.flavor, execve_object.type, execve_object.time, execve_object.node, ses_holder, pid_holder, execve_object.argc, execve_object.arg)
            ### ------------------------------ ###
            else:
                generic_object = generic_object.load(au)
                if record_count == 1:
                    ses_holder = generic_object.ses
                    pid_holder = generic_object.pid
                else:
                    generic_object.ses = ses_holder
                    generic_object.pid = pid_holder
                # Note the pid and ses columns here are pid_holder / ses_holder,
                # which equal generic_object.pid / .ses after the block above.
                print '%s:%s:%s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s' % (event_count, event_rec_count, record_count, generic_object.flavor, generic_object.type, generic_object.time, generic_object.node, generic_object.ses, generic_object.auid, generic_object.key, generic_object.comm, generic_object.exe, generic_object.a0, generic_object.a1, generic_object.a2, generic_object.uid, generic_object.gid, generic_object.euid, generic_object.egid, generic_object.fsuid, generic_object.fsgid, generic_object.suid, generic_object.sgid, pid_holder, generic_object.ppid, ses_holder, generic_object.tty, generic_object.terminal, generic_object.success, generic_object.exit)
            record_count += 1
            if not au.next_record():
                break
        if not au.parse_next_event():
            break