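def status(msg: dict, suffix: str) -> str:
    """Pretty-print an AppArmor status record (profile load/replace/unload).

    Args:
        msg: Parsed audit record fields. All keys are optional here:
            ``operation`` and ``info`` select the title; ``time``, ``name``,
            ``pid``, ``profile`` and ``comm`` fill the details.
        suffix: Passed through unchanged to ``format_helper``.

    Returns:
        The string produced by ``format_helper``.
    """
    known_operations = {
        'profile_load': 'AppArmor profile load',
        'profile_replace': 'AppArmor profile replace',
        'profile_unload': 'AppArmor profile unload',
    }
    if 'operation' in msg:
        operation = str(msg['operation'])
        title = known_operations.get(
            operation, 'Unknown AppArmor operation (' + operation + ')')
    elif 'info' in msg:
        title = msg['info']
    else:
        # Previously neither branch assigned ``title`` for a record carrying
        # neither field, which raised UnboundLocalError; use a generic title.
        title = 'AppArmor status'
    return format_helper(
        title=title,
        timestamp=datetime.fromtimestamp(msg['time']) if 'time' in msg else None,
        urgency='info',
        suffix=suffix,
        info={
            # Decode the (possibly hex-encoded) name the same way the sibling
            # AppArmor printer ``policy_violation`` does for its target.
            'Profile name': decode_unsafe_hex(msg['name']) if 'name' in msg else None,
        },
        extra_info={
            'Process ID': msg.get('pid'),
            'Process profile': msg.get('profile'),
            'Thread name': decode_unsafe_hex(msg['comm']) if 'comm' in msg else None,
        })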
def policy_violation(msg, suffix) -> str:
    """Pretty-print an AppArmor policy-violation (denial) record.

    Args:
        msg: Parsed audit record fields; every key read here is optional
            (``time``, ``operation``, ``profile``, ``name``/``peer``,
            ``denied_mask``, ``requested_mask``, ``pid``, ``fsuid``,
            ``ouid``, ``comm``).
        suffix: Passed through unchanged to ``format_helper``.

    Returns:
        The string produced by ``format_helper`` with ``warn`` urgency.
    """
    when = datetime.fromtimestamp(msg['time']) if 'time' in msg else None

    # The denied object is reported as ``name`` (files) or ``peer`` (IPC);
    # either may be hex-encoded, so it goes through decode_unsafe_hex.
    target = None
    if 'name' in msg or 'peer' in msg:
        target = decode_unsafe_hex(msg.get('name', msg.get('peer')))

    thread_name = None
    if 'comm' in msg:
        thread_name = decode_unsafe_hex(msg['comm'])

    primary = {
        'Operation': msg.get('operation'),
        'Profile': msg.get('profile'),
        'Target': target,
        'Denied mask': msg.get('denied_mask'),
    }
    secondary = {
        'Requested mask': msg.get('requested_mask'),
        'Process ID': msg.get('pid'),
        'FS UID': msg.get('fsuid'),
        'OUID': msg.get('ouid'),
        'Thread name': thread_name,
    }
    return format_helper(
        'AppArmor policy violation',
        timestamp=when,
        urgency='warn',
        suffix=suffix,
        info=primary,
        extra_info=secondary)
def proctitle(msg, suffix=''):
    """Pretty-print a PROCTITLE record.

    Args:
        msg: Parsed audit record fields; ``proctitle`` is required (KeyError
            otherwise), ``time`` is optional.
        suffix: Passed through unchanged to ``format_helper``.

    Returns:
        The string produced by ``format_helper``.
    """
    when = None
    if 'time' in msg:
        when = datetime.fromtimestamp(msg['time'])
    # The kernel may hex-encode the title; decode it before display.
    details = {'Title': decode_unsafe_hex(msg['proctitle'])}
    return format_helper(
        title='Process title',
        suffix=suffix,
        timestamp=when,
        urgency='info',
        info=details)
def cwd(msg, suffix=''):
    """Pretty-print a CWD (current working directory) record.

    Args:
        msg: Parsed audit record fields; ``cwd`` is required (KeyError
            otherwise), ``time`` is optional.
        suffix: Passed through unchanged to ``format_helper``.

    Returns:
        The string produced by ``format_helper``.
    """
    when = None
    if 'time' in msg:
        when = datetime.fromtimestamp(msg['time'])
    # Paths with unsafe characters arrive hex-encoded; decode for display.
    details = {'Path': decode_unsafe_hex(msg['cwd'])}
    return format_helper(
        title='Current working directory',
        suffix=suffix,
        timestamp=when,
        urgency='info',
        info=details)
def service_start(msg, suffix=''):
    """Pretty-print a systemd service-start record.

    Args:
        msg: Parsed audit record fields; ``msg`` (the embedded systemd
            key=value text) is required and must contain ``unit``;
            ``time`` is optional.
        suffix: Passed through unchanged to ``format_helper``.

    Returns:
        The string produced by ``format_helper``.
    """
    # The systemd payload is a nested key=value string with quoted values.
    fields = split_message(msg['msg'], quotes='"')
    when = None
    if 'time' in msg:
        when = datetime.fromtimestamp(msg['time'])
    return format_helper(
        title='Service start',
        suffix=suffix,
        timestamp=when,
        urgency='info',
        info={'Unit': fields['unit']})
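def default_pretty_printer(msg, suffix='') -> str:
    """Fallback printer for record types that have no dedicated formatter.

    Every field except ``time`` and ``type`` is shown verbatim under ``info``
    so nothing from an unrecognised record is silently dropped.

    Args:
        msg: Parsed audit record fields; ``type`` is required (KeyError
            otherwise), ``time`` is optional.
        suffix: Passed through unchanged to ``format_helper``.

    Returns:
        The string produced by ``format_helper`` with ``warn`` urgency.
    """
    # str.format instead of '+' concatenation: a non-string ``type`` value
    # no longer raises TypeError while building the title.
    title = 'Unknown message type (type={})'.format(msg['type'])
    when = datetime.fromtimestamp(msg['time']) if 'time' in msg else None
    hidden = ('time', 'type')
    return format_helper(
        title,
        timestamp=when,
        urgency='warn',
        suffix=suffix,
        info={k: v for k, v in msg.items() if k not in hidden},
        extra_info={})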
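def seccomp_pretty(msg, suffix='') -> str:
    """Pretty-print a SECCOMP record (a syscall blocked or logged by a filter).

    Args:
        msg: Parsed audit record fields. ``syscall`` and ``arch`` are
            required (KeyError otherwise); ``time``, ``exe``, ``sig``,
            ``uid``, ``gid``, ``auid``, ``pid`` and ``comm`` are optional.
        suffix: Passed through unchanged to ``format_helper``.

    Returns:
        The string produced by ``format_helper`` with ``warn`` urgency.
    """
    when = datetime.fromtimestamp(msg['time']) if 'time' in msg else None

    # A signal of 0 means the filter only logged/errored; show nothing then.
    signal = None
    if msg.get('sig', 0) != 0:
        signal = decode_signal(msg['sig'])

    # ``exe`` and ``comm`` may be hex-encoded like in the SYSCALL printer
    # (systemcall_pretty); decode them consistently instead of showing raw.
    executable = decode_unsafe_hex(msg['exe']) if 'exe' in msg else None
    thread_name = decode_unsafe_hex(msg['comm']) if 'comm' in msg else None

    return format_helper(
        'seccomp policy violation',
        timestamp=when,
        urgency='warn',
        suffix=suffix,
        info={
            'Executable': executable,
            'Signal': signal,
            'System call': decode_syscall(msg['syscall'], msg['arch']),
        },
        extra_info={
            'User ID': msg.get('uid'),
            'Group ID': msg.get('gid'),
            'AUID': msg.get('auid'),
            'PID': msg.get('pid'),
            'Thread name': thread_name,
        },
    )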
def add_user(msg, suffix=''):
    """Pretty-print an ADD_USER record emitted by PAM/shadow tools.

    Args:
        msg: Parsed audit record fields; ``msg`` (the PAM key=value text)
            is required and must contain ``id``; ``time``, ``auid``,
            ``ses`` and ``pid`` are optional.
        suffix: Passed through unchanged to ``format_helper``.

    Returns:
        The string produced by ``format_helper``.
    """
    pam = split_message(msg['msg'], quotes='"')

    def unknown_to_none(key):
        # PAM writes '?' for hostname/addr/terminal it does not know.
        value = pam.get(key)
        return None if value == '?' else value

    when = datetime.fromtimestamp(msg['time']) if 'time' in msg else None
    creator = decode_uid(msg['auid']) if 'auid' in msg else None
    new_uid = decode_uid(pam['id'], str(pam['id']))
    succeeded = 'Yes' if pam.get('res') == 'success' else 'No'

    return format_helper(
        title='New user created',
        timestamp=when,
        urgency='info',
        suffix=suffix,
        info={
            'Created by': creator,
            'New user ID': new_uid,
            'Command': pam.get('exe', pam.get('cmd')),
            'Session': msg.get('ses'),
            'Success': succeeded,
        },
        extra_info={
            'Process ID': msg.get('pid'),
            'Hostname': unknown_to_none('hostname'),
            'Address': unknown_to_none('addr'),
            'Terminal': unknown_to_none('terminal'),
        })
def generic_user_event(title, msg, suffix):
    """Pretty-print a generic PAM user event (login, auth, session, ...).

    Args:
        title: Human-readable title for the event.
        msg: Parsed audit record fields; ``msg`` (the PAM key=value text)
            is required; ``time``, ``auid``, ``ses`` and ``pid`` are optional.
        suffix: Passed through unchanged to ``format_helper``.

    Returns:
        The string produced by ``format_helper``.
    """
    pam = split_message(msg['msg'], quotes='"')

    def unknown_to_none(key):
        # PAM writes '?' for hostname/addr/terminal it does not know.
        value = pam.get(key)
        return None if value == '?' else value

    when = datetime.fromtimestamp(msg['time']) if 'time' in msg else None
    audit_uid = decode_uid(msg['auid']) if 'auid' in msg else None
    succeeded = 'Yes' if pam.get('res') == 'success' else 'No'

    return format_helper(
        title=title,
        timestamp=when,
        urgency='info',
        suffix=suffix,
        info={
            'Account': pam.get('acct'),
            'Command': pam.get('exe', pam.get('cmd')),
            'Session': msg.get('ses'),
            'Success': succeeded,
        },
        extra_info={
            'Process ID': msg.get('pid'),
            'Audit UID': audit_uid,
            'Hostname': unknown_to_none('hostname'),
            'Address': unknown_to_none('addr'),
            'Terminal': unknown_to_none('terminal'),
        })
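def user_cmd(msg, suffix) -> str:
    """Pretty-print a USER_CMD record (a command run via sudo/su-style tools).

    Args:
        msg: Parsed audit record fields; ``msg`` (the PAM key=value text)
            is required and must contain ``cmd``; ``time``, ``auid``,
            ``ses`` and ``pid`` are optional.
        suffix: Passed through unchanged to ``format_helper``.

    Returns:
        The string produced by ``format_helper``.
    """
    pam = split_message(msg['msg'], quotes='"')

    def unknown_to_none(key):
        # PAM writes '?' for hostname/addr/terminal it does not know.
        value = pam.get(key)
        return None if value == '?' else value

    when = datetime.fromtimestamp(msg['time']) if 'time' in msg else None
    # Fall back to the numeric UID when it cannot be resolved to a name.
    executor = decode_uid(msg['auid'], str(msg['auid'])) if 'auid' in msg else None
    # The command is recorded hex-encoded when it contains unsafe characters.
    command = decode_unsafe_hex(str(pam['cmd']))
    succeeded = 'Yes' if pam.get('res') == 'success' else 'No'

    return format_helper(
        # Typo fix in the user-facing title ("priveleges").
        title="Command executed with different user's privileges",
        timestamp=when,
        urgency='info',
        suffix=suffix,
        info={
            "Executor's UID": executor,
            'Working directory': pam.get('cwd'),
            'Command': command,
            'Session': msg.get('ses'),
            'Success': succeeded,
        },
        extra_info={
            'Process ID': msg.get('pid'),
            'Hostname': unknown_to_none('hostname'),
            'Address': unknown_to_none('addr'),
            'Terminal': unknown_to_none('terminal'),
        })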
def del_user(msg, suffix=''):
    """Pretty-print a DEL_USER record emitted by PAM/shadow tools.

    Args:
        msg: Parsed audit record fields; ``msg`` (the PAM key=value text)
            is required; ``time``, ``auid``, ``ses`` and ``pid`` are optional.
        suffix: Passed through unchanged to ``format_helper``.

    Returns:
        The string produced by ``format_helper``.
    """
    pam = split_message(msg['msg'], quotes='"')

    def unknown_to_none(key):
        # PAM writes '?' for hostname/addr/terminal it does not know.
        value = pam.get(key)
        return None if value == '?' else value

    when = datetime.fromtimestamp(msg['time']) if 'time' in msg else None
    deleter = decode_uid(msg['auid']) if 'auid' in msg else None
    was_success = pam.get('res') == 'success'
    # I love consistency of PAM audit logs: on success the target is in
    # ``id``, on failure it is in ``acct``.
    deleted = pam.get('id') if was_success else pam.get('acct')

    return format_helper(
        title='User deleted',
        timestamp=when,
        urgency='info',
        suffix=suffix,
        info={
            'Deleted by': deleter,
            'Deleted user ID': deleted,
            'Command': pam.get('exe', pam.get('cmd')),
            'Session': msg.get('ses'),
            'Success': 'Yes' if was_success else 'No',
        },
        extra_info={
            'Process ID': msg.get('pid'),
            'Hostname': unknown_to_none('hostname'),
            'Address': unknown_to_none('addr'),
            'Terminal': unknown_to_none('terminal'),
        })
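def path(msg, suffix=''):
    """Pretty-print a PATH record (a filesystem object touched by a syscall).

    Args:
        msg: Parsed audit record fields; ``name`` and ``inode`` are required
            (KeyError otherwise); ``time``, ``dev``, ``ouid`` and ``ogid``
            are optional.
        suffix: Passed through unchanged to ``format_helper``.

    Returns:
        The string produced by ``format_helper``.
    """
    when = datetime.fromtimestamp(msg['time']) if 'time' in msg else None

    # Resolve owner ids to names, falling back to the numeric id as a string.
    owner_uid = None
    if 'ouid' in msg:
        owner_uid = system_utils.decode_uid(msg['ouid'], str(msg['ouid']))
    owner_gid = None
    if 'ogid' in msg:
        # Previously resolved through decode_uid, i.e. the passwd database;
        # a GID must be looked up in the group database (decode_gid, as
        # systemcall_pretty already does).
        owner_gid = system_utils.decode_gid(msg['ogid'], str(msg['ogid']))

    return format_helper(
        title='Filesystem path',
        suffix=suffix,
        timestamp=when,
        urgency='info',
        info={
            # Names with unsafe characters arrive hex-encoded.
            'Path': decode_unsafe_hex(msg['name']),
            'Inode': msg['inode'],
        },
        extra_info={
            'Device (major:minor)': msg.get('dev'),
            'Owner UID': owner_uid,
            'Owner GID': owner_gid,
        })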
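def _uid_gid_label(uid, gid):
    """Render a UID/GID pair as ``user (uid) / group (gid)``.

    Names are resolved through ``system_utils``; ``UNKNOWN`` is shown when a
    numeric id cannot be resolved. ``uid``/``gid`` may be ``None``.
    """
    return '{} ({}) / {} ({})'.format(
        system_utils.decode_uid(uid, 'UNKNOWN'), uid,
        system_utils.decode_gid(gid, 'UNKNOWN'), gid)


def _syscall_result(exit_code):
    """Render a syscall return value: negative values are errno codes."""
    if exit_code < 0:
        return 'ERROR: ' + strerror(-exit_code)
    return exit_code


def systemcall_pretty(msg, suffix=''):
    """Pretty-print a SYSCALL record.

    Args:
        msg: Parsed audit record fields. Required (KeyError otherwise):
            ``syscall``, ``exit``, ``exe``, ``uid``, ``gid``, ``euid``,
            ``egid``. Optional: ``time``, ``a0``-``a5``, ``fsuid``,
            ``fsgid``, ``auid``, ``pid``, ``ppid``, ``ses``, ``tty``,
            ``comm``, ``arch``.
        suffix: Passed through unchanged to ``format_helper``.

    Returns:
        The string produced by ``format_helper``.
    """
    when = datetime.fromtimestamp(msg['time']) if 'time' in msg else None

    # auid has no UNKNOWN fallback in the original output; kept as-is.
    login_uid = '{} ({})'.format(
        system_utils.decode_uid(msg.get('auid')), msg.get('auid'))
    # '(none)' is the kernel's placeholder for "no controlling terminal".
    tty = msg.get('tty')
    terminal = tty if tty != '(none)' else None
    thread_name = decode_unsafe_hex(msg['comm']) if 'comm' in msg else None
    arch = system_utils.decode_arch(msg['arch']) if 'arch' in msg else None

    return format_helper(
        title='System call information',
        timestamp=when,
        urgency='info',
        suffix=suffix,
        info={
            'System call': system_utils.decode_syscall(msg['syscall']),
            'Result': _syscall_result(msg['exit']),
            # The executable path may be hex-encoded by the kernel.
            'Executable': decode_unsafe_hex(msg['exe']),
            'Real UID/GID': _uid_gid_label(msg['uid'], msg['gid']),
            'Effective UID/GID': _uid_gid_label(msg['euid'], msg['egid']),
        },
        extra_info={
            'Argument 1': msg.get('a0'),
            'Argument 2': msg.get('a1'),
            'Argument 3': msg.get('a2'),
            'Argument 4': msg.get('a3'),
            'Argument 5': msg.get('a4'),
            'Argument 6': msg.get('a5'),
            'Filesystem UID/GID': _uid_gid_label(msg.get('fsuid'), msg.get('fsgid')),
            'Login UID': login_uid,
            'Process ID': msg.get('pid'),
            'Parent process ID': msg.get('ppid'),
            'Session ID': msg.get('ses'),
            'Terminal': terminal,
            'Thread name': thread_name,
            'Arch.': arch,
        })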