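def _sdhash_similarity(container_id, filename, ref_sdhash, scratch_dir):
    """
    Compare one container file against its reference sdhash.

    Copies ``filename`` out of ``container_id`` into ``scratch_dir``, runs
    ``sdhash`` on the copy and then ``sdhash -c`` against ``ref_sdhash``.

    :param container_id: container to copy from (short or full id)
    :param filename: absolute path of the file inside the container, as
                     printed by ``docker diff``
    :param ref_sdhash: sdhash string stored for the same path in the
                       reference index
    :param scratch_dir: private directory for the copy and the two hash
                        files; must not be shared with another run
    :return: the similarity score exactly as ``sdhash -c`` prints it (last
             ``|``-separated field of its output line), or ``None`` if the
             copy did not arrive or either ``sdhash`` call failed
             (``exec_cmd`` returns ``None`` on failure)
    """
    local_copy = os.path.join(scratch_dir, os.path.basename(filename))
    file_hash = os.path.join(scratch_dir, 'file_hash')
    ref_hash = os.path.join(scratch_dir, 'ref_hash')
    try:
        copy_from_container(container_id + ':' + filename, scratch_dir)
        # copy_from_container's return value is never inspected in this file,
        # so verify the copy actually landed: otherwise a failed copy (e.g. a
        # path docker diff reported as deleted) would be hashed as nothing, or
        # worse, as a stale file of the same basename left by an earlier entry.
        if not os.path.isfile(local_copy):
            return None

        file_sdhash = exec_cmd(['sdhash', local_copy])
        if file_sdhash is None:
            return None

        with open(file_hash, 'w') as f:
            f.write(file_sdhash)
        with open(ref_hash, 'w') as f:
            f.write(ref_sdhash)

        # Same invocation as before; '-t 0' is presumably sdhash's score
        # threshold, lowered so every comparison line is printed.
        resline = exec_cmd(['sdhash', '-c', file_hash, ref_hash, '-t', '0'])
        if resline is None:
            return None
        return resline.strip().split('|')[-1]
    finally:
        # Never leave the container's file (or a partial hash file) behind,
        # whichever branch above returned or raised.
        for path in (local_copy, file_hash, ref_hash):
            try:
                os.remove(path)
            except OSError:
                pass


def check_container(container_id):
    """
    Check a running container for files that differ from its base image.

    ``docker diff`` lists every path the container has added, changed or
    deleted. For each entry kept by ``get_files_only`` the reference index
    (keyed by base image name, built on demand by ``process_image``) is
    consulted:

    * no reference entry for that path            -> score ``-1``
    * reference sdhash too small to compare       -> score ``-2``
    * file cannot be copied out or hashed         -> score ``null``
    * otherwise the file is copied out, sdhash'ed and compared with the
      reference hash; anything scoring below 100 is reported with the score
      string that ``sdhash -c`` printed. Exact matches are not reported.

    Everything read from the container (paths from ``docker diff``, file
    contents) is untrusted -- a compromised container is exactly what this
    function is meant to detect -- so nothing from it goes through a shell
    (``exec_cmd`` takes argument lists) and all scratch files live in a
    private temporary directory that is removed before returning.

    :param container_id: short or full container id
    :return: JSON string mapping changed file path -> score as above, or
             ``{"error": ...}`` when the base image or the ``docker diff``
             output cannot be obtained
    """
    import shutil
    import tempfile

    base_image = get_container_base_img(container_id)
    if base_image is None:
        return json.dumps({'error': 'failed to get container base image'})

    elasticDB = ElasticDatabase(EsCfg)
    if not elasticDB.check_index_exists(base_image):
        print('Indexing missing base image: %s' % base_image)
        process_image(base_image, base_image, base_image, 'store', elasticDB)

    print('Reference index is %s' % base_image)
    changed_files = {}  # filename => similarity score (see docstring)
    res = exec_cmd(['docker', 'diff', container_id])
    if res is None:
        return json.dumps({'error': 'Error running docker diff.'})

    files_only = get_files_only(res.splitlines())

    # Fresh, mode-0700, unpredictably named scratch directory instead of a
    # fixed 'tmpdata' dir plus 'file_hash'/'ref_hash' in the CWD: the fixed
    # names could be pre-created or swapped by anyone sharing that directory
    # and collided when two checks ran concurrently. Everything pulled out of
    # the (possibly compromised) container lands here and is deleted below.
    temp_dir = tempfile.mkdtemp(prefix='tmpdata-')
    try:
        for entry in files_only:
            filename = entry[3:]  # 'A /path' / 'C /path': path starts at col 3
            result = elasticDB.search_file(base_image, filename)

            if result is None:
                # path does not exist in the base image at all
                changed_files[filename] = -1
                continue

            ref_sdhash = result['_source']['sdhash']
            # Colon-separated sdhash header fields 10 and 11; small values are
            # treated as "too little data for a meaningful comparison".
            features = ref_sdhash.split(":")[10:12]
            if int(features[0]) < 2 and int(features[1]) < 16:
                changed_files[filename] = -2
                continue

            score = _sdhash_similarity(container_id, filename, ref_sdhash,
                                       temp_dir)
            if score is None:
                # Could not copy or hash the file: report it as unverifiable
                # rather than crashing on f.write(None) as the old code did.
                print('Could not compare %s against the reference' % filename)
                changed_files[filename] = None
            elif score == "100":
                print(filename + ' match 100%')
            else:
                changed_files[filename] = score
    finally:
        shutil.rmtree(temp_dir, ignore_errors=True)

    return json.dumps(changed_files)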
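def _sdhash_similarity(container_id, filename, ref_sdhash, scratch_dir):
    """
    Compare one container file against its reference sdhash.

    Copies ``filename`` out of ``container_id`` into ``scratch_dir``, runs
    ``sdhash`` on the copy and then ``sdhash -c`` against ``ref_sdhash``.

    :param container_id: container to copy from (short or full id)
    :param filename: absolute path of the file inside the container, as
                     printed by ``docker diff``
    :param ref_sdhash: sdhash string stored for the same path in the
                       reference index
    :param scratch_dir: private directory for the copy and the two hash
                        files; must not be shared with another run
    :return: the similarity score exactly as ``sdhash -c`` prints it (last
             ``|``-separated field of its output line), or ``None`` if the
             copy did not arrive or either ``sdhash`` call failed
             (``exec_cmd`` returns ``None`` on failure)
    """
    local_copy = os.path.join(scratch_dir, os.path.basename(filename))
    file_hash = os.path.join(scratch_dir, 'file_hash')
    ref_hash = os.path.join(scratch_dir, 'ref_hash')
    try:
        copy_from_container(container_id + ':' + filename, scratch_dir)
        # copy_from_container's return value is never inspected in this file,
        # so verify the copy actually landed: otherwise a failed copy (e.g. a
        # path docker diff reported as deleted) would be hashed as nothing, or
        # worse, as a stale file of the same basename left by an earlier entry.
        if not os.path.isfile(local_copy):
            return None

        file_sdhash = exec_cmd(['sdhash', local_copy])
        if file_sdhash is None:
            return None

        with open(file_hash, 'w') as f:
            f.write(file_sdhash)
        with open(ref_hash, 'w') as f:
            f.write(ref_sdhash)

        # Same invocation as before; '-t 0' is presumably sdhash's score
        # threshold, lowered so every comparison line is printed.
        resline = exec_cmd(['sdhash', '-c', file_hash, ref_hash, '-t', '0'])
        if resline is None:
            return None
        return resline.strip().split('|')[-1]
    finally:
        # Never leave the container's file (or a partial hash file) behind,
        # whichever branch above returned or raised.
        for path in (local_copy, file_hash, ref_hash):
            try:
                os.remove(path)
            except OSError:
                pass


def check_container(container_id):
    """
    Check a running container for files that differ from its base image.

    ``docker diff`` lists every path the container has added, changed or
    deleted. For each entry kept by ``get_files_only`` the reference index
    (keyed by base image name, built on demand by ``process_image``) is
    consulted:

    * no reference entry for that path            -> score ``-1``
    * reference sdhash too small to compare       -> score ``-2``
    * file cannot be copied out or hashed         -> score ``null``
    * otherwise the file is copied out, sdhash'ed and compared with the
      reference hash; anything scoring below 100 is reported with the score
      string that ``sdhash -c`` printed. Exact matches are not reported.

    Everything read from the container (paths from ``docker diff``, file
    contents) is untrusted -- a compromised container is exactly what this
    function is meant to detect -- so nothing from it goes through a shell
    (``exec_cmd`` takes argument lists) and all scratch files live in a
    private temporary directory that is removed before returning.

    :param container_id: short or full container id
    :return: JSON string mapping changed file path -> score as above, or
             ``{"error": ...}`` when the base image or the ``docker diff``
             output cannot be obtained
    """
    import shutil
    import tempfile

    base_image = get_container_base_img(container_id)
    if base_image is None:
        return json.dumps({'error': 'failed to get container base image'})

    elasticDB = ElasticDatabase(EsCfg)
    if not elasticDB.check_index_exists(base_image):
        print('Indexing missing base image: %s' % base_image)
        process_image(base_image, base_image, base_image, 'store', elasticDB)

    print('Reference index is %s' % base_image)
    changed_files = {}  # filename => similarity score (see docstring)
    res = exec_cmd(['docker', 'diff', container_id])
    if res is None:
        return json.dumps({'error': 'Error running docker diff.'})

    files_only = get_files_only(res.splitlines())

    # Fresh, mode-0700, unpredictably named scratch directory instead of a
    # fixed 'tmpdata' dir plus 'file_hash'/'ref_hash' in the CWD: the fixed
    # names could be pre-created or swapped by anyone sharing that directory
    # and collided when two checks ran concurrently. Everything pulled out of
    # the (possibly compromised) container lands here and is deleted below.
    temp_dir = tempfile.mkdtemp(prefix='tmpdata-')
    try:
        for entry in files_only:
            filename = entry[3:]  # 'A /path' / 'C /path': path starts at col 3
            result = elasticDB.search_file(base_image, filename)

            if result is None:
                # path does not exist in the base image at all
                changed_files[filename] = -1
                continue

            ref_sdhash = result['_source']['sdhash']
            # Colon-separated sdhash header fields 10 and 11; small values are
            # treated as "too little data for a meaningful comparison".
            features = ref_sdhash.split(":")[10:12]
            if int(features[0]) < 2 and int(features[1]) < 16:
                changed_files[filename] = -2
                continue

            score = _sdhash_similarity(container_id, filename, ref_sdhash,
                                       temp_dir)
            if score is None:
                # Could not copy or hash the file: report it as unverifiable
                # rather than crashing on f.write(None) as the old code did.
                print('Could not compare %s against the reference' % filename)
                changed_files[filename] = None
            elif score == "100":
                print(filename + ' match 100%')
            else:
                changed_files[filename] = score
    finally:
        shutil.rmtree(temp_dir, ignore_errors=True)

    return json.dumps(changed_files)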