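    def feed_binary(self, new_data):
        """Append *new_data* to the input buffer and yield every complete record.

        A record is a fixed-size binary header (``AuditRecord.binary_header_format``,
        ``AuditRecord.binary_header_size`` bytes) followed by ``msg_length`` bytes of
        text. Whatever trailing data does not yet form a complete record stays in
        ``self._input_buffer`` for the next call.

        Yields:
            ``(type_name, event_id, body_text, None, 0)`` for each record whose body
            ``parse_audit_binary_text`` accepts. Rejected bodies are consumed and
            dropped without notice.

        Raises:
            ValueError: if the header's own size field disagrees with
                ``AuditRecord.binary_header_size``. The slice offsets below assume
                the compiled-in size, so continuing would desynchronise the stream
                and misparse every following record.
        """
        if not new_data:
            return
        self._input_buffer += new_data

        header_size = AuditRecord.binary_header_size

        # Consume as many complete records as the buffer holds; stop (keeping the
        # remainder buffered) as soon as a header or a body is incomplete.
        while len(self._input_buffer) >= header_size:
            binary_version, binary_header_size, record_type, msg_length = struct.unpack(
                AuditRecord.binary_header_format, self._input_buffer[:header_size])

            # The size field comes from the data stream itself; a mismatch is a
            # framing error, not something to parse past.
            if binary_header_size != header_size:
                raise ValueError(
                    "audit binary header size %d does not match expected %d"
                    % (binary_header_size, header_size))
            # NOTE(review): binary_version is not checked here; the accepted value
            # is not visible in this file. Confirm whether AuditRecord defines one.
            # NOTE(review): msg_length is trusted unbounded, so a corrupt or hostile
            # length makes the buffer grow until that many bytes arrive. Consider an
            # upper bound if the source is not trusted.

            total_len = header_size + msg_length
            if len(self._input_buffer) < total_len:
                return

            text = self._input_buffer[header_size:total_len]
            parse_succeeded, event_id, body_text = parse_audit_binary_text(text)
            self._input_buffer = self._input_buffer[total_len:]

            if parse_succeeded:
                yield (audit.audit_msg_type_to_name(record_type), event_id,
                       body_text, None, 0)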
def feed_callback(au, cb_event_type, event_cnt):
    """auparse feed callback: print every record and field of a ready event.

    Args:
        au: the auparse state object that fired the callback.
        cb_event_type: callback reason; anything other than
            ``AUPARSE_CB_EVENT_READY`` is ignored.
        event_cnt: indexable mutable counter (e.g. a one-element list);
            ``event_cnt[0]`` is printed and then incremented.

    Exits the process with status 1 if the first record or a record's
    timestamp cannot be fetched.
    """
    if cb_event_type != auparse.AUPARSE_CB_EVENT_READY:
        return

    if not au.first_record():
        print("Error getting first record")
        sys.exit(1)

    print("event %d has %d records" % (event_cnt[0], au.get_num_records()))

    rec_no = 0
    have_record = True
    while have_record:
        rec_no += 1
        rec_type = au.get_type()
        print("    record %d of type %d(%s) has %d fields"
              % (rec_no, rec_type, audit.audit_msg_type_to_name(rec_type),
                 au.get_num_fields()))
        print("    line=%d file=%s" % (au.get_line_number(), au.get_filename()))
        stamp = au.get_timestamp()
        if stamp is None:
            print("Error getting timestamp - aborting")
            sys.exit(1)

        print("    event time: %d.%d:%d, host=%s"
              % (stamp.sec, stamp.milli, stamp.serial, none_to_null(stamp.host)))

        # Field values are printed as the parser hands them over, without escaping.
        au.first_field()
        have_field = True
        while have_field:
            print("        %s=%s (%s)"
                  % (au.get_field_name(), au.get_field_str(), au.interpret_field()))
            have_field = au.next_field()
        print("")
        have_record = au.next_record()

    event_cnt[0] += 1
def light_test(au):
    """Walk every parsed event and print a per-record summary (fields omitted).

    Args:
        au: an auparse state object positioned on its first event.

    Exits the process with status 1 if the first record of an event or a
    record's timestamp cannot be fetched.
    """
    have_event = True
    while have_event:
        if not au.first_record():
            print("Error getting first record")
            sys.exit(1)

        print("event has %d records" % (au.get_num_records()))

        rec_no = 0
        have_record = True
        while have_record:
            rec_no += 1
            rec_type = au.get_type()
            print("    record %d of type %d(%s) has %d fields"
                  % (rec_no, rec_type, audit.audit_msg_type_to_name(rec_type),
                     au.get_num_fields()))
            print("    line=%d file=%s" % (au.get_line_number(), au.get_filename()))
            stamp = au.get_timestamp()
            if stamp is None:
                print("Error getting timestamp - aborting")
                sys.exit(1)

            print("    event time: %d.%d:%d, host=%s"
                  % (stamp.sec, stamp.milli, stamp.serial, none_to_null(stamp.host)))
            print("")
            have_record = au.next_record()
        have_event = au.parse_next_event()
def feed_callback(au, cb_event_type, event_cnt):
    """auparse feed callback: dump each record and its fields when an event is ready.

    Args:
        au: the auparse state object that fired the callback.
        cb_event_type: callback reason; only ``AUPARSE_CB_EVENT_READY`` is handled.
        event_cnt: indexable mutable counter (e.g. a one-element list);
            ``event_cnt[0]`` is printed, then incremented once the event is dumped.

    Exits the process with status 1 if the first record or a record's
    timestamp cannot be fetched.
    """
    if cb_event_type != auparse.AUPARSE_CB_EVENT_READY:
        return

    def dump_fields():
        # Print every field of the current record as name=raw (interpreted).
        au.first_field()
        while True:
            print("        %s=%s (%s)" % (au.get_field_name(),
                                          au.get_field_str(),
                                          au.interpret_field()))
            if not au.next_field():
                break

    def dump_record(rec_no):
        # Print the header line, location and timestamp of the current record.
        rec_type = au.get_type()
        print("    record %d of type %d(%s) has %d fields"
              % (rec_no, rec_type, audit.audit_msg_type_to_name(rec_type),
                 au.get_num_fields()))
        print("    line=%d file=%s" % (au.get_line_number(),
                                       au.get_filename()))
        stamp = au.get_timestamp()
        if stamp is None:
            print("Error getting timestamp - aborting")
            sys.exit(1)

        print("    event time: %d.%d:%d, host=%s" % (
            stamp.sec, stamp.milli, stamp.serial, none_to_null(stamp.host)))

    if not au.first_record():
        print("Error getting first record")
        sys.exit(1)

    print("event %d has %d records" % (event_cnt[0], au.get_num_records()))

    rec_no = 1
    while True:
        dump_record(rec_no)
        dump_fields()
        print("")
        rec_no += 1
        if not au.next_record():
            break
    event_cnt[0] += 1
def light_test(au):
    """Print a header-only summary of every record in every parsed event.

    Args:
        au: an auparse state object positioned on its first event.

    Exits the process with status 1 if the first record of an event or a
    record's timestamp cannot be fetched.
    """

    def describe_record(rec_no):
        # Print type, location and timestamp of the record the parser is on.
        rec_type = au.get_type()
        print("    record %d of type %d(%s) has %d fields"
              % (rec_no, rec_type, audit.audit_msg_type_to_name(rec_type),
                 au.get_num_fields()))
        print("    line=%d file=%s" % (au.get_line_number(),
                                       au.get_filename()))
        stamp = au.get_timestamp()
        if stamp is None:
            print("Error getting timestamp - aborting")
            sys.exit(1)

        print("    event time: %d.%d:%d, host=%s" % (
            stamp.sec, stamp.milli, stamp.serial, none_to_null(stamp.host)))
        print("")

    while True:
        if not au.first_record():
            print("Error getting first record")
            sys.exit(1)

        print("event has %d records" % (au.get_num_records()))

        rec_no = 1
        while True:
            describe_record(rec_no)
            rec_no += 1
            if not au.next_record():
                break
        if not au.parse_next_event():
            break
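    def feed_binary(self, new_data):
        """Buffer *new_data* and yield each complete audit record it completes.

        Records are framed as a fixed-size header (``AuditRecord.binary_header_format``,
        ``AuditRecord.binary_header_size`` bytes) followed by ``msg_length`` bytes of
        text. Partial trailing data is left in ``self._input_buffer`` for the next
        call.

        Yields:
            ``(type_name, event_id, body_text, None, 0)`` per record accepted by
            ``parse_audit_binary_text``; rejected bodies are consumed and dropped.

        Raises:
            ValueError: when the header's own size field differs from
                ``AuditRecord.binary_header_size``. The slices below use the
                compiled-in size, so carrying on would desynchronise the stream.
        """
        if not new_data:
            return
        self._input_buffer += new_data

        header_size = AuditRecord.binary_header_size

        # Drain complete records; leave the remainder buffered as soon as either
        # the header or the body is short.
        while len(self._input_buffer) >= header_size:
            binary_version, binary_header_size, record_type, msg_length = \
                struct.unpack(AuditRecord.binary_header_format,
                              self._input_buffer[:header_size])

            # The size field is read from the stream; treat a mismatch as a
            # framing error rather than parsing past it.
            if binary_header_size != header_size:
                raise ValueError(
                    "audit binary header size %d does not match expected %d"
                    % (binary_header_size, header_size))
            # NOTE(review): binary_version is unchecked; the accepted value is not
            # visible in this file. Confirm whether AuditRecord defines one.
            # NOTE(review): msg_length is unbounded here, so a corrupt or hostile
            # length keeps the buffer growing until that many bytes arrive.
            # Consider an upper bound if the source is not trusted.

            total_len = header_size + msg_length
            if len(self._input_buffer) < total_len:
                return

            text = self._input_buffer[header_size:total_len]
            parse_succeeded, event_id, body_text = parse_audit_binary_text(text)
            self._input_buffer = self._input_buffer[total_len:]

            if parse_succeeded:
                yield (audit.audit_msg_type_to_name(record_type), event_id, body_text, None, 0)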
def walk_test(au):
    """Reset the parser and print every event, record and field it holds.

    Args:
        au: an auparse state object; ``reset()`` is called first so the walk
            starts from the beginning of the input.

    Exits the process with status 1 if the first record or a record's
    timestamp cannot be fetched.
    """
    au.reset()
    if not au.first_record():
        print("Error getting first record")
        sys.exit(1)

    event_no = 0
    have_event = True
    while have_event:
        event_no += 1
        print("event %d has %d records" % (event_no, au.get_num_records()))

        rec_no = 0
        have_record = True
        while have_record:
            rec_no += 1
            rec_type = au.get_type()
            print("    record %d of type %d(%s) has %d fields"
                  % (rec_no, rec_type, audit.audit_msg_type_to_name(rec_type),
                     au.get_num_fields()))
            print("    line=%d file=%s" % (au.get_line_number(), au.get_filename()))
            stamp = au.get_timestamp()
            if stamp is None:
                print("Error getting timestamp - aborting")
                sys.exit(1)

            print("    event time: %d.%d:%d, host=%s"
                  % (stamp.sec, stamp.milli, stamp.serial, none_to_null(stamp.host)))

            # Field values are printed as-is; the parser does no escaping here.
            au.first_field()
            have_field = True
            while have_field:
                print("        %s=%s (%s)"
                      % (au.get_field_name(), au.get_field_str(), au.interpret_field()))
                have_field = au.next_field()
            print("")
            have_record = au.next_record()
        have_event = au.parse_next_event()
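    def get_entry(self):
        """
        Yield each event from the currently processed audit file as a dict.

        An event is ``{'count': <record count>, 'records': [...]}``; each record
        is ``{'headers': {...}, 'fields': {name: {'raw': ..., 'value': ...}}}``.
        The ``type`` field is folded into the headers rather than listed as a
        field. Callers wanting JSON wrap each entry as ``json.dumps(entry)``.

        Exits the process with status 1 if a record's timestamp cannot be read.
        """
        # AUDIT_PROCTITLE; older libaudit builds have no name for it, so the
        # name is filled in explicitly below.
        proctitle_typenum = 1327

        # Event Loop
        while True:
            event = {}
            event['count'] = self.auditstream.get_num_records()
            event['records'] = []
            # Record Loop
            while True:
                record = {}
                headers = {}
                timestamp = self.auditstream.get_timestamp()
                if timestamp is None:
                    print("Error getting event timestamp, aborting")
                    sys.exit(1)
                headers['fieldcount'] = self.auditstream.get_num_fields()
                headers['typenum'] = self.auditstream.get_type()
                headers['type'] = audit.audit_msg_type_to_name(headers['typenum'])
                headers['location'] = self.entry_location()
                # milli is a millisecond count and must be zero-padded to three
                # digits: "%d.%d" turned sec=10, milli=5 into 10.5, not 10.005.
                headers['unixtime'] = float("%d.%03d" % (timestamp.sec, timestamp.milli))
                # NOTE(review): fromtimestamp() gives naive local time; confirm
                # whether consumers expect UTC.
                headers['isotime'] = datetime.fromtimestamp(headers['unixtime']).isoformat()
                headers['serial'] = timestamp.serial
                headers['host'] = none_to_null(timestamp.host)

                if headers['typenum'] == proctitle_typenum:
                    headers['type'] = 'PROCTITLE'
                record['headers'] = headers

                fields = {}
                # Field Loop
                self.auditstream.first_field()
                while True:
                    name = self.auditstream.get_field_name()
                    raw = self.auditstream.get_field_str()
                    if name == 'type':
                        # Already reported in the headers; don't count it as a field.
                        headers['fieldcount'] -= 1
                    else:
                        fields[name] = {
                            'raw': raw,
                            'value': self.auditstream.interpret_field(),
                        }
                        if name == "proctitle":
                            # proctitle is hex-encoded only when it holds spaces or
                            # non-printables; otherwise it arrives as a quoted string
                            # and the hex decode fails. Keep the interpreted value
                            # in that case instead of aborting the whole stream.
                            # The decoded bytes are the raw command line and may
                            # contain control characters; escape before rendering.
                            try:
                                fields[name]['value'] = raw.decode("hex")
                            except (TypeError, ValueError):
                                pass
                    if not self.auditstream.next_field():
                        break
                record['fields'] = fields
                event['records'].append(record)
                if not self.auditstream.next_record():
                    break
            yield event
            if not self.auditstream.parse_next_event():
                break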
def msgtype_string(msgtype):
    '''Return a string representing msgtype.

    The libaudit name of the record type is used when one is known; otherwise
    the decimal number itself is returned.
    '''
    name = audit.audit_msg_type_to_name(msgtype)
    return str(msgtype) if name is None else name
def feed_callback(au, cb_event_type, event_cnt):
    """auparse feed callback: print one space-delimited line per audit record.

    Every record is classified by its type name against the module regexes
    (WHERE_RE, WHO_RE, SYSCALL_RE, SOCKET_RE, EXECVE_RE; anything else is
    generic), loaded into the matching module-level *_object and printed as
    ``event:records:record <fields...>``.

    Args:
        au: the auparse state object that fired the callback.
        cb_event_type: callback reason. It is not examined here; every call
            walks the parser's events.
        event_cnt: unused; the module-level ``event_count`` is the running
            event counter.

    Side effects: rebinds the module-level event_count and the six *_object
    globals. Field values are printed unescaped into a space-delimited line;
    NOTE(review): a value holding spaces or newlines would shift columns for
    the consumer, so confirm the loaders quote them.
    """

    global event_count

    global place_object
    global user_object
    global syscall_object
    global socket_object
    global execve_object
    global generic_object

    have_event = True
    while have_event:

        event_count += 1
        rec_no = 1

        # ses and pid are the base lookup keys in auditd_core, so the values seen
        # on an event's first record are carried to the later records of that
        # event; otherwise a lot of state juggling lands in the bro code. ses is
        # the primary key and pid the fallback, since ses is sometimes 'unset'.
        ses_carry = 0
        pid_carry = 0
        event_rec_count = au.get_num_records()

        have_record = True
        while have_record:

            type_name = audit.audit_msg_type_to_name(au.get_type())

            if WHERE_RE.match(type_name):
                place_object = place_object.load(au)
                values = (event_count, event_rec_count, rec_no, place_object.flavor, place_object.type, place_object.time, place_object.node, ses_carry, pid_carry, place_object.cwd, place_object.path_name, place_object.inode, place_object.mode, place_object.ouid, place_object.ogid)
                print("%s:%s:%s %s %s %s %s %s %s %s %s %s %s %s %s" % values)

            ### ------------------------------ ###
            elif WHO_RE.match(type_name):
                user_object = user_object.load(au)
                if rec_no == 1:
                    ses_carry = user_object.ses
                    pid_carry = user_object.pid
                else:
                    user_object.ses = ses_carry
                    user_object.pid = pid_carry

                values = (event_count, event_rec_count, rec_no, user_object.flavor, user_object.type, user_object.time, user_object.node, user_object.ses, user_object.auid, user_object.egid, user_object.euid, user_object.fsgid, user_object.fsuid, user_object.gid, user_object.suid, user_object.sgid, user_object.uid, user_object.pid, user_object.success, user_object.exit, user_object.term, user_object.exe)
                print("%s:%s:%s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s" % values)

            ### ------------------------------ ###
            elif SYSCALL_RE.match(type_name):
                syscall_object = syscall_object.load(au)
                if rec_no == 1:
                    ses_carry = syscall_object.ses
                    pid_carry = syscall_object.pid

                values = (event_count, event_rec_count, rec_no, syscall_object.flavor, syscall_object.type, syscall_object.time, syscall_object.node, syscall_object.ses, syscall_object.auid, syscall_object.syscall, syscall_object.key, syscall_object.comm, syscall_object.exe, syscall_object.a0, syscall_object.a1, syscall_object.a2, syscall_object.uid, syscall_object.gid, syscall_object.euid, syscall_object.egid, syscall_object.fsuid, syscall_object.fsgid, syscall_object.suid, syscall_object.sgid, syscall_object.pid, syscall_object.ppid, syscall_object.tty, syscall_object.success, syscall_object.exit)
                print('%s:%s:%s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s' % values)

            ### ------------------------------ ###
            elif SOCKET_RE.match(type_name):
                socket_object = socket_object.load(au)
                values = (event_count, event_rec_count, rec_no, socket_object.flavor, socket_object.type, socket_object.time, socket_object.node, ses_carry, pid_carry, socket_object.saddr)
                print('%s:%s:%s %s %s %s %s %s %s %s' % values)

            ### ------------------------------ ###
            elif EXECVE_RE.match(type_name):
                execve_object = execve_object.load(au)
                values = (event_count, event_rec_count, rec_no, execve_object.flavor, execve_object.type, execve_object.time, execve_object.node, ses_carry, pid_carry, execve_object.argc, execve_object.arg)
                print('%s:%s:%s %s %s %s %s %s %s %s %s' % values)

            ### ------------------------------ ###
            else:
                generic_object = generic_object.load(au)
                if rec_no == 1:
                    ses_carry = generic_object.ses
                    pid_carry = generic_object.pid
                else:
                    generic_object.ses = ses_carry
                    generic_object.pid = pid_carry

                values = (event_count, event_rec_count, rec_no, generic_object.flavor, generic_object.type, generic_object.time, generic_object.node, generic_object.ses, generic_object.auid, generic_object.key, generic_object.comm, generic_object.exe, generic_object.a0, generic_object.a1, generic_object.a2, generic_object.uid, generic_object.gid, generic_object.euid, generic_object.egid, generic_object.fsuid, generic_object.fsgid, generic_object.suid, generic_object.sgid, pid_carry, generic_object.ppid, ses_carry, generic_object.tty, generic_object.terminal, generic_object.success, generic_object.exit)
                print('%s:%s:%s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s' % values)

            rec_no += 1

            have_record = au.next_record()
        have_event = au.parse_next_event()