def user_main_info(msg):
    """Return a trimmed copy of a PAM audit record for display.

    Args:
        msg: audit record dict; its ``'msg'`` entry holds the raw
            ``key="value"`` payload.  *msg* itself is left untouched.

    Returns:
        A copy of *msg* without the id/time/msg/pid/uid/auid/ses entries,
        whose ``'msg'`` is rebuilt from the payload with hostname, addr,
        cwd, op, exe and terminal dropped.
    """
    record_keys = ('id', 'time', 'msg', 'pid', 'uid', 'auid', 'ses')
    payload_keys = ('hostname', 'addr', 'cwd', 'op', 'exe', 'terminal')

    record = msg.copy()
    payload = split_message(record['msg'], quotes='"')
    for key in record_keys:
        record.pop(key, None)
    for key in payload_keys:
        payload.pop(key, None)
    # Values are re-quoted verbatim: a value that itself contains '"' is not
    # escaped, so the rebuilt string is meant for display rather than for a
    # guaranteed round-trip through split_message.
    record['msg'] = ' '.join(
        '{key}="{value}"'.format(key=key, value=value)
        for key, value in payload.items()
    )
    return record
def service_start(msg, suffix=''):
    """Render a service-start audit record through ``format_helper``.

    Args:
        msg: audit record dict; ``'msg'`` holds a ``key="value"`` payload
            with a ``unit`` field, ``'time'`` (optional) is epoch seconds.
        suffix: passed straight through to ``format_helper``.

    Raises:
        KeyError: if ``'msg'`` is absent or the payload has no ``unit``.
    """
    fields = split_message(msg['msg'], quotes='"')
    # fromtimestamp() without a tz argument yields a naive local-time datetime.
    started_at = datetime.fromtimestamp(msg['time']) if 'time' in msg else None
    return format_helper(
        title='Service start',
        suffix=suffix,
        timestamp=started_at,
        urgency='info',
        info={'Unit': fields['unit']},
    )
def add_user(msg, suffix=''):
    """Render a "new user created" PAM audit record via ``format_helper``.

    Args:
        msg: audit record dict; ``'msg'`` holds the ``key="value"`` payload
            (``id`` required; ``res``, ``exe``/``cmd``, ``hostname``,
            ``addr``, ``terminal`` optional).  Top-level ``time``, ``auid``,
            ``ses`` and ``pid`` are optional.
        suffix: passed through to ``format_helper``.

    Raises:
        KeyError: if ``'msg'`` is absent or the payload lacks ``id``.
    """
    pam_msg = split_message(msg['msg'], quotes='"')

    def _unless_unknown(key):
        # The payload uses '?' for a field it could not fill; report it as None.
        value = pam_msg.get(key)
        return None if value == '?' else value

    created_at = datetime.fromtimestamp(msg['time']) if 'time' in msg else None
    creator = decode_uid(msg.get('auid')) if 'auid' in msg else None
    # Fallback to the raw id string when decode_uid has nothing better.
    new_uid = decode_uid(pam_msg['id'], str(pam_msg['id']))
    succeeded = pam_msg.get('res') == 'success'

    info = {
        'Created by': creator,
        'New user ID': new_uid,
        'Command': pam_msg.get('exe', pam_msg.get('cmd')),
        'Session': msg.get('ses'),
        'Success': 'Yes' if succeeded else 'No',
    }
    extra_info = {
        'Process ID': msg.get('pid'),
        'Hostname': _unless_unknown('hostname'),
        'Address': _unless_unknown('addr'),
        'Terminal': _unless_unknown('terminal'),
    }
    return format_helper(
        title='New user created',
        timestamp=created_at,
        urgency='info',
        suffix=suffix,
        info=info,
        extra_info=extra_info,
    )
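def generic_user_event(title, msg, suffix=''):
    """Render a PAM user-account audit record under an arbitrary *title*.

    Args:
        title: heading passed to ``format_helper``.
        msg: audit record dict; ``'msg'`` holds the ``key="value"`` payload
            (``acct``, ``res``, ``exe``/``cmd``, ``hostname``, ``addr`` and
            ``terminal`` are all read with ``.get`` and may be absent).
            Top-level ``time``, ``auid``, ``ses`` and ``pid`` are optional.
        suffix: passed through to ``format_helper``.  Now defaults to ``''``
            like the sibling formatters so callers may omit it.

    Raises:
        KeyError: if ``'msg'`` is absent.
    """
    pam_msg = split_message(msg['msg'], quotes='"')

    def _unless_unknown(key):
        # The payload uses '?' for a field it could not fill; report it as None.
        value = pam_msg.get(key)
        return None if value == '?' else value

    occurred_at = datetime.fromtimestamp(msg['time']) if 'time' in msg else None
    succeeded = pam_msg.get('res') == 'success'

    # NOTE(review): 'acct' is whatever account name the client presented, so
    # it is untrusted text; confirm format_helper escapes it for its output.
    info = {
        'Account': pam_msg.get('acct'),
        'Command': pam_msg.get('exe', pam_msg.get('cmd')),
        'Session': msg.get('ses'),
        'Success': 'Yes' if succeeded else 'No',
    }
    extra_info = {
        'Process ID': msg.get('pid'),
        'Audit UID': decode_uid(msg.get('auid')) if 'auid' in msg else None,
        'Hostname': _unless_unknown('hostname'),
        'Address': _unless_unknown('addr'),
        'Terminal': _unless_unknown('terminal'),
    }
    return format_helper(
        title=title,
        timestamp=occurred_at,
        urgency='info',
        suffix=suffix,
        info=info,
        extra_info=extra_info,
    )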
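def user_cmd(msg, suffix='') -> str:
    """Render a "command run under another user's privileges" audit record.

    Fixes the user-facing title typo ("priveleges" -> "privileges").

    Args:
        msg: audit record dict; the ``'msg'`` payload must carry ``cmd``
            (passed through ``decode_unsafe_hex``); ``cwd``, ``res``,
            ``hostname``, ``addr`` and ``terminal`` are optional, as are the
            top-level ``time``, ``auid``, ``ses`` and ``pid`` entries.
        suffix: passed through to ``format_helper``.  Now defaults to ``''``
            like the sibling formatters.

    Returns:
        Whatever ``format_helper`` returns (annotated ``str`` by the author).

    Raises:
        KeyError: if ``'msg'`` is absent or the payload has no ``cmd``.
    """
    pam_msg = split_message(msg['msg'], quotes='"')

    def _unless_unknown(key):
        # The payload uses '?' for a field it could not fill; report it as None.
        value = pam_msg.get(key)
        return None if value == '?' else value

    ran_at = datetime.fromtimestamp(msg['time']) if 'time' in msg else None
    # Inside the guard msg.get('auid') and msg['auid'] are the same value.
    executor = decode_uid(msg['auid'], str(msg['auid'])) if 'auid' in msg else None
    # 'cmd' is the caller-supplied command line and is hex-decoded here,
    # while 'cwd' is reported as-is.
    # NOTE(review): the audit payload may encode 'cwd' the same way when it
    # holds unusual characters - confirm before relying on it being plain text.
    command = decode_unsafe_hex(str(pam_msg['cmd']))
    succeeded = pam_msg.get('res') == 'success'

    info = {
        "Executor's UID": executor,
        'Working directory': pam_msg.get('cwd'),
        'Command': command,
        'Session': msg.get('ses'),
        'Success': 'Yes' if succeeded else 'No',
    }
    extra_info = {
        'Process ID': msg.get('pid'),
        'Hostname': _unless_unknown('hostname'),
        'Address': _unless_unknown('addr'),
        'Terminal': _unless_unknown('terminal'),
    }
    return format_helper(
        title="Command executed with different user's privileges",
        timestamp=ran_at,
        urgency='info',
        suffix=suffix,
        info=info,
        extra_info=extra_info,
    )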
def del_user(msg, suffix=''):
    """Render a "user deleted" PAM audit record via ``format_helper``.

    Args:
        msg: audit record dict; ``'msg'`` holds the ``key="value"`` payload
            (``id``, ``acct``, ``res``, ``exe``/``cmd``, ``hostname``,
            ``addr``, ``terminal`` are all read with ``.get``).  Top-level
            ``time``, ``auid``, ``ses`` and ``pid`` are optional.
        suffix: passed through to ``format_helper``.

    Raises:
        KeyError: if ``'msg'`` is absent.
    """
    pam_msg = split_message(msg['msg'], quotes='"')

    def _unless_unknown(key):
        # The payload uses '?' for a field it could not fill; report it as None.
        value = pam_msg.get(key)
        return None if value == '?' else value

    deleted_at = datetime.fromtimestamp(msg['time']) if 'time' in msg else None
    deleter = decode_uid(msg.get('auid')) if 'auid' in msg else None
    succeeded = pam_msg.get('res') == 'success'
    # I love consistency of PAM audit logs.
    # On success the record names the user in 'id'; otherwise only 'acct' is set.
    deleted_uid = pam_msg.get('id') if succeeded else pam_msg.get('acct')

    info = {
        'Deleted by': deleter,
        'Deleted user ID': deleted_uid,
        'Command': pam_msg.get('exe', pam_msg.get('cmd')),
        'Session': msg.get('ses'),
        'Success': 'Yes' if succeeded else 'No',
    }
    extra_info = {
        'Process ID': msg.get('pid'),
        'Hostname': _unless_unknown('hostname'),
        'Address': _unless_unknown('addr'),
        'Terminal': _unless_unknown('terminal'),
    }
    return format_helper(
        title='User deleted',
        timestamp=deleted_at,
        urgency='info',
        suffix=suffix,
        info=info,
        extra_info=extra_info,
    )
def main_info(msg):
    """Return a minimal record carrying only the systemd unit name.

    Args:
        msg: audit record dict whose ``'msg'`` payload contains ``unit``.

    Returns:
        ``{'msg': 'unit=<unit>'}``.

    Raises:
        KeyError: if ``'msg'`` or its ``unit`` field is missing.
    """
    unit = split_message(msg['msg'], quotes='"')['unit']
    return {'msg': 'unit=' + unit}