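def status(msg: dict, suffix: str) -> str:
    """Pretty-print an AppArmor status audit record (profile load/replace/unload).

    Args:
        msg: parsed audit record as a mapping of field name to value. The
            ``operation`` field selects the title; when it is absent, ``info``
            is used as the title instead.
        suffix: forwarded unchanged to ``format_helper``.

    Returns:
        The rendered message produced by ``format_helper``.
    """
    # Known operations get a fixed title; anything else is reported verbatim.
    known_titles = {
        'profile_load': 'AppArmor profile load',
        'profile_replace': 'AppArmor profile replace',
        'profile_unload': 'AppArmor profile unload',
    }
    if 'operation' in msg:
        operation = msg['operation']
        # str() so a non-string operation value cannot raise TypeError here.
        title = known_titles.get(
            operation, 'Unknown AppArmor operation (' + str(operation) + ')')
    elif 'info' in msg:
        title = msg['info']
    else:
        # Neither key present: the original left ``title`` unbound and raised
        # UnboundLocalError; use a generic title instead.
        title = 'AppArmor status'

    # ``name``/``comm`` may arrive hex-encoded when they hold unsafe bytes;
    # decode them the same way policy_violation does.
    profile_name = decode_unsafe_hex(msg['name']) if 'name' in msg else None
    thread_name = decode_unsafe_hex(msg['comm']) if 'comm' in msg else None

    return format_helper(
            title=title,
            timestamp=datetime.fromtimestamp(msg['time']) if 'time' in msg else None,
            urgency='info',
            suffix=suffix,
            info={
                'Profile name': profile_name,
            },
            extra_info={
                'Process ID': msg.get('pid'),
                'Process profile': msg.get('profile'),
                'Thread name': thread_name
            })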
def policy_violation(msg, suffix) -> str:
    """Pretty-print an AppArmor policy-violation (denial) audit record.

    Args:
        msg: parsed audit record as a mapping of field name to value.
        suffix: forwarded unchanged to ``format_helper``.

    Returns:
        The rendered message produced by ``format_helper``.
    """
    when = datetime.fromtimestamp(msg['time']) if 'time' in msg else None

    # The denied object is reported as ``name`` or, failing that, ``peer``;
    # either may be hex-encoded when it holds unsafe characters.
    target = None
    if 'name' in msg or 'peer' in msg:
        target = decode_unsafe_hex(msg.get('name', msg.get('peer')))

    thread_name = None
    if 'comm' in msg:
        thread_name = decode_unsafe_hex(msg['comm'])

    primary = {
        'Operation': msg.get('operation'),
        'Profile': msg.get('profile'),
        'Target': target,
        'Denied mask': msg.get('denied_mask'),
    }
    secondary = {
        'Requested mask': msg.get('requested_mask'),
        'Process ID': msg.get('pid'),
        'FS UID': msg.get('fsuid'),
        'OUID': msg.get('ouid'),
        'Thread name': thread_name,
    }
    return format_helper(
        'AppArmor policy violation',
        timestamp=when,
        urgency='warn',
        suffix=suffix,
        info=primary,
        extra_info=secondary)
def proctitle(msg, suffix=''):
    """Pretty-print a PROCTITLE audit record.

    Args:
        msg: parsed audit record; ``proctitle`` is required and is passed
            through ``decode_unsafe_hex`` before display.
        suffix: forwarded unchanged to ``format_helper``.

    Returns:
        The rendered message produced by ``format_helper``.
    """
    when = None
    if 'time' in msg:
        when = datetime.fromtimestamp(msg['time'])
    details = {'Title': decode_unsafe_hex(msg['proctitle'])}
    return format_helper(title='Process title',
                         suffix=suffix,
                         timestamp=when,
                         urgency='info',
                         info=details)
def cwd(msg, suffix=''):
    """Pretty-print a CWD audit record.

    Args:
        msg: parsed audit record; ``cwd`` is required and is passed through
            ``decode_unsafe_hex`` before display.
        suffix: forwarded unchanged to ``format_helper``.

    Returns:
        The rendered message produced by ``format_helper``.
    """
    when = None
    if 'time' in msg:
        when = datetime.fromtimestamp(msg['time'])
    details = {'Path': decode_unsafe_hex(msg['cwd'])}
    return format_helper(title='Current working directory',
                         suffix=suffix,
                         timestamp=when,
                         urgency='info',
                         info=details)
def service_start(msg, suffix=''):
    """Pretty-print a systemd service-start audit record.

    Args:
        msg: parsed audit record; ``msg['msg']`` holds the quoted key=value
            text that ``split_message`` parses, and it must contain ``unit``.
        suffix: forwarded unchanged to ``format_helper``.

    Returns:
        The rendered message produced by ``format_helper``.
    """
    fields = split_message(msg['msg'], quotes='"')
    when = None
    if 'time' in msg:
        when = datetime.fromtimestamp(msg['time'])
    return format_helper(title='Service start',
                         suffix=suffix,
                         timestamp=when,
                         urgency='info',
                         info={'Unit': fields['unit']})
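def default_pretty_printer(msg, suffix='') -> str:
    """Fallback printer for audit record types without a dedicated formatter.

    Every field except ``time`` and ``type`` is listed verbatim in ``info``;
    nothing is decoded because the record layout is unknown.

    Args:
        msg: parsed audit record; ``type`` is required.
        suffix: forwarded unchanged to ``format_helper``.

    Returns:
        The rendered message produced by ``format_helper``.
    """
    # ``format`` instead of ``+`` so a non-string ``type`` cannot raise TypeError.
    title = 'Unknown message type (type={})'.format(msg['type'])
    hidden = {'time', 'type'}
    return format_helper(title,
                         timestamp=datetime.fromtimestamp(msg['time'])
                         if 'time' in msg else None,
                         urgency='warn',
                         suffix=suffix,
                         info={k: v for k, v in msg.items() if k not in hidden},
                         extra_info={})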
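def seccomp_pretty(msg, suffix='') -> str:
    """Pretty-print a SECCOMP audit record.

    Args:
        msg: parsed audit record; ``syscall`` and ``arch`` are required,
            every other field is optional.
        suffix: forwarded unchanged to ``format_helper``.

    Returns:
        The rendered message produced by ``format_helper``.
    """
    # A ``sig`` of 0 (or a missing ``sig``) is shown as "no signal".
    signal_name = decode_signal(msg['sig']) if msg.get('sig', 0) != 0 else None
    # Consistent with policy_violation: ``comm`` may be hex-encoded, so decode
    # it instead of passing the raw field through.
    thread_name = decode_unsafe_hex(msg['comm']) if 'comm' in msg else None
    return format_helper(
            'seccomp policy violation',
            timestamp=datetime.fromtimestamp(msg['time']) if 'time' in msg else None,
            urgency='warn',
            suffix=suffix,
            info={
                'Executable': msg.get('exe'),
                'Signal': signal_name,
                'System call': decode_syscall(msg['syscall'], msg['arch'])
            },
            extra_info={
                'User ID': msg.get('uid'),
                'Group ID': msg.get('gid'),
                'AUID': msg.get('auid'),
                'PID': msg.get('pid'),
                'Thread name': thread_name
            }
    )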
def add_user(msg, suffix=''):
    """Pretty-print an ADD_USER audit record (PAM account creation).

    Args:
        msg: parsed audit record; ``msg['msg']`` holds the PAM key=value text
            parsed by ``split_message`` and must contain ``id``.
        suffix: forwarded unchanged to ``format_helper``.

    Returns:
        The rendered message produced by ``format_helper``.
    """
    fields = split_message(msg['msg'], quotes='"')
    when = datetime.fromtimestamp(msg['time']) if 'time' in msg else None

    def shown(key):
        # A literal '?' in these PAM fields is treated as "not available".
        value = fields.get(key)
        return None if value == '?' else value

    creator = decode_uid(msg.get('auid')) if 'auid' in msg else None
    succeeded = 'Yes' if fields.get('res') == 'success' else 'No'
    return format_helper(
        title='New user created',
        timestamp=when,
        urgency='info',
        suffix=suffix,
        info={
            'Created by': creator,
            'New user ID': decode_uid(fields['id'], str(fields['id'])),
            'Command': fields.get('exe', fields.get('cmd')),
            'Session': msg.get('ses'),
            'Success': succeeded
        },
        extra_info={
            'Process ID': msg.get('pid'),
            'Hostname': shown('hostname'),
            'Address': shown('addr'),
            'Terminal': shown('terminal')
        })
def generic_user_event(title, msg, suffix):
    """Pretty-print a PAM user-event audit record under a caller-supplied title.

    Args:
        title: heading handed to ``format_helper``.
        msg: parsed audit record; ``msg['msg']`` holds the PAM key=value text
            parsed by ``split_message``.
        suffix: forwarded unchanged to ``format_helper``.

    Returns:
        The rendered message produced by ``format_helper``.
    """
    fields = split_message(msg['msg'], quotes='"')
    when = datetime.fromtimestamp(msg['time']) if 'time' in msg else None

    def shown(key):
        # A literal '?' in these PAM fields is treated as "not available".
        value = fields.get(key)
        return None if value == '?' else value

    audit_uid = None
    if 'auid' in msg:
        audit_uid = decode_uid(msg.get('auid'))
    succeeded = 'Yes' if fields.get('res') == 'success' else 'No'

    return format_helper(
        title=title,
        timestamp=when,
        urgency='info',
        suffix=suffix,
        info={
            'Account': fields.get('acct'),
            'Command': fields.get('exe', fields.get('cmd')),
            'Session': msg.get('ses'),
            'Success': succeeded
        },
        extra_info={
            'Process ID': msg.get('pid'),
            'Audit UID': audit_uid,
            'Hostname': shown('hostname'),
            'Address': shown('addr'),
            'Terminal': shown('terminal')
        })
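def user_cmd(msg, suffix) -> str:
    """Pretty-print a USER_CMD audit record (a command run under another user's privileges).

    Args:
        msg: parsed audit record; ``msg['msg']`` holds the PAM key=value text
            parsed by ``split_message`` and must contain ``cmd``.
        suffix: forwarded unchanged to ``format_helper``.

    Returns:
        The rendered message produced by ``format_helper``.
    """
    pam_msg = split_message(msg['msg'], quotes='"')

    def shown(key):
        # A literal '?' in these PAM fields is treated as "not available".
        value = pam_msg.get(key)
        return None if value == '?' else value

    # Resolve the audit UID to a name, falling back to the raw number.
    executor = None
    if 'auid' in msg:
        executor = decode_uid(msg.get('auid'), str(msg['auid']))

    return format_helper(
        # Title spelling fixed ("privileges"); layout otherwise unchanged.
        title='Command executed with different user\'s privileges',
        timestamp=datetime.fromtimestamp(msg['time']) if 'time' in msg else None,
        urgency='info',
        suffix=suffix,
        info={
            'Executor\'s UID': executor,
            'Working directory': pam_msg.get('cwd'),
            # ``cmd`` may be hex-encoded when it holds unsafe characters.
            'Command': decode_unsafe_hex(str(pam_msg['cmd'])),
            'Session': msg.get('ses'),
            'Success': 'Yes' if pam_msg.get('res') == 'success' else 'No'
        },
        extra_info={
            'Process ID': msg.get('pid'),
            'Hostname': shown('hostname'),
            'Address': shown('addr'),
            'Terminal': shown('terminal')
        })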
def del_user(msg, suffix=''):
    """Pretty-print a DEL_USER audit record (PAM account removal).

    Args:
        msg: parsed audit record; ``msg['msg']`` holds the PAM key=value text
            parsed by ``split_message``.
        suffix: forwarded unchanged to ``format_helper``.

    Returns:
        The rendered message produced by ``format_helper``.
    """
    fields = split_message(msg['msg'], quotes='"')
    when = datetime.fromtimestamp(msg['time']) if 'time' in msg else None
    succeeded = fields.get('res') == 'success'

    def shown(key):
        # A literal '?' in these PAM fields is treated as "not available".
        value = fields.get(key)
        return None if value == '?' else value

    deleter = decode_uid(msg.get('auid')) if 'auid' in msg else None
    # The deleted account is read from ``id`` on success and from ``acct``
    # otherwise (original author's note: "I love consistency of PAM audit logs").
    deleted = fields.get('id') if succeeded else fields.get('acct')

    return format_helper(
        title='User deleted',
        timestamp=when,
        urgency='info',
        suffix=suffix,
        info={
            'Deleted by': deleter,
            'Deleted user ID': deleted,
            'Command': fields.get('exe', fields.get('cmd')),
            'Session': msg.get('ses'),
            'Success': 'Yes' if succeeded else 'No'
        },
        extra_info={
            'Process ID': msg.get('pid'),
            'Hostname': shown('hostname'),
            'Address': shown('addr'),
            'Terminal': shown('terminal')
        })
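def path(msg, suffix=''):
    """Pretty-print a PATH audit record.

    Args:
        msg: parsed audit record; ``name`` is required, everything else is
            optional.
        suffix: forwarded unchanged to ``format_helper``.

    Returns:
        The rendered message produced by ``format_helper``.
    """
    def owner(decode, key):
        # Resolve an owner id to a name, falling back to the raw number.
        if key not in msg:
            return None
        raw = msg.get(key)
        return decode(raw, str(raw))

    return format_helper(
        title='Filesystem path',
        suffix=suffix,
        timestamp=datetime.fromtimestamp(msg['time'])
        if 'time' in msg else None,
        urgency='info',
        info={
            # ``name`` may be hex-encoded when it holds unsafe characters.
            'Path': decode_unsafe_hex(msg['name']),
            # Tolerate records without ``inode`` instead of raising KeyError.
            'Inode': msg.get('inode'),
        },
        extra_info={
            'Device (major:minor)': msg.get('dev'),
            'Owner UID': owner(system_utils.decode_uid, 'ouid'),
            # The original resolved ``ogid`` through decode_uid (a user lookup);
            # group ids go through decode_gid, as systemcall_pretty does.
            'Owner GID': owner(system_utils.decode_gid, 'ogid'),
        })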
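def systemcall_pretty(msg, suffix=''):
    """Pretty-print a SYSCALL audit record.

    Args:
        msg: parsed audit record; ``syscall``, ``exit``, ``exe``, ``uid``,
            ``gid``, ``euid`` and ``egid`` are required, the rest optional.
            ``exit`` is compared numerically, so it is expected to be an int.
        suffix: forwarded unchanged to ``format_helper``.

    Returns:
        The rendered message produced by ``format_helper``.
    """
    def ids(uid, gid):
        # "name (number) / name (number)"; UNKNOWN when the id cannot be resolved.
        return '{} ({}) / {} ({})'.format(
            system_utils.decode_uid(uid, 'UNKNOWN'), uid,
            system_utils.decode_gid(gid, 'UNKNOWN'), gid)

    # A negative exit value is an errno; render its description.
    exit_code = msg['exit']
    result = ('ERROR: ' + strerror(-exit_code)) if exit_code < 0 else exit_code

    return format_helper(
        title='System call information',
        timestamp=datetime.fromtimestamp(msg['time']) if 'time' in msg else None,
        urgency='info',
        suffix=suffix,
        info={
            'System call': system_utils.decode_syscall(msg['syscall']),
            'Result': result,
            # ``exe`` may be hex-encoded when it holds unsafe characters.
            'Executable': decode_unsafe_hex(msg['exe']),
            'Real UID/GID': ids(msg['uid'], msg['gid']),
            'Effective UID/GID': ids(msg['euid'], msg['egid']),
        },
        extra_info={
            'Argument 1': msg.get('a0'),
            'Argument 2': msg.get('a1'),
            'Argument 3': msg.get('a2'),
            'Argument 4': msg.get('a3'),
            'Argument 5': msg.get('a4'),
            'Argument 6': msg.get('a5'),
            'Filesystem UID/GID': ids(msg.get('fsuid'), msg.get('fsgid')),
            # Same UNKNOWN fallback as the other id fields (the original passed none).
            'Login UID': '{} ({})'.format(
                system_utils.decode_uid(msg.get('auid'), 'UNKNOWN'), msg.get('auid')),
            'Process ID': msg.get('pid'),
            'Parent process ID': msg.get('ppid'),
            'Session ID': msg.get('ses'),
            'Terminal': msg.get('tty') if msg.get('tty') != '(none)' else None,
            'Thread name': decode_unsafe_hex(msg['comm']) if 'comm' in msg else None,
            'Arch.': system_utils.decode_arch(msg['arch']) if 'arch' in msg else None
        })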