From: ramsdell@mitre.org (John D. Ramsdell)
To: sgrubb@redhat.com, jdennis@redhat.com
Cc: linux-audit@redhat.com
Subject: Re: High-level audit parser module
Date: 09 Aug 2007 15:42:43 -0400 [thread overview]
Message-ID: <ogtzm10a40c.fsf@oolong.mitre.org> (raw)
In-Reply-To: <ogty7hgns7b.fsf@oolong.mitre.org>
[-- Attachment #1: Type: text/plain, Size: 408 bytes --]
Enclosed is a patch that adds a high-level audit parser module to the
audit package. The included Python script can be used in two ways.
It can be installed in the usual location and the module can be
imported into other programs. One can also make a copy of the Python
source file, and modify the function that consumes a log to quickly
produce one-off scripts.
Use pydoc to obtain documentation.
John
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: auditparser module --]
[-- Type: text/x-patch, Size: 10362 bytes --]
diff -urN a/audit-1.5.6/bindings/python/auditparser.py.in b/audit-1.5.6/bindings/python/auditparser.py.in
--- a/audit-1.5.6/bindings/python/auditparser.py.in 1969-12-31 19:00:00.000000000 -0500
+++ b/audit-1.5.6/bindings/python/auditparser.py.in 2007-08-09 15:29:25.000000000 -0400
@@ -0,0 +1,270 @@
+#! /usr/bin/python -E
+
+"""A high-level parser for audit logs.
+
+Provides AuditLog, which produces an iteration of audit events as a
+sequence of dictionary objects.
+
+To produces a quick one-off audit processing script, copy this source
+file and then edit the run function to suit your needs.
+
+Package: @PACKAGE@
+Version: @VERSION@
+
+"""
+
+# Authors: John D. Ramsdell
+#
+# Copyright (C) 2007 The MITRE Corporation
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+import sys, getopt, auparse, os.path, copy, string
+
+# Log Parsing
+
+class AuditLog(object):
+ """AuditLog(AuParser or file, bool)
+
+ Encapsulates a log accessed by the auparse module. It provides an
+ iterator to the log's events. Each call to the next method of
+ the iterator returns an AuditEvent. The boolean determines if
+ numeric entities in fields are interpreted.
+
+ """
+ def __init__(self, au, interpret = False):
+ if isinstance(au, file):
+ self.au = auparse.AuParser(auparse.AUSOURCE_FILE_POINTER, au)
+ else:
+ self.au = au
+ self.interpret = interpret
+
+ def __iter__(self):
+ return AuditLogIter(self)
+
+class AuditLogIter(object):
+ """AuditLogIter(AuditLog)
+
+ An iterator for an audit log.
+
+ """
+ def __init__(self, aulog):
+ self.au = aulog.au
+ self.filename = self.au.get_filename()
+ self.interpret = aulog.interpret
+
+ def next(self):
+ """Returns an AuditEvent
+
+ """
+ au = self.au
+ interpret = self.interpret
+ if not au.parse_next_event():
+ raise StopIteration()
+ event = AuditEvent(au.get_timestamp(), self.filename)
+ for i in range(au.get_num_records()):
+ record = AuditRecord(event, au.get_line_number())
+ for j in range(au.get_num_fields()):
+ name = au.get_field_name()
+ if interpret:
+ value = au.interpret_field()
+ else:
+ value = au.get_field_str()
+ record[name] = value
+ au.next_field()
+ event.append(record)
+ au.next_record()
+ return event
+
+class AuditEvent(list):
+ """AuditEvent(AuEvent, string)
+
+ An audit event is represented as a list of AuditRecord's. Each
+ AuditRecord is a dictionary that represents one of the records
+ that make up the event. The string is a filename giving the
+ source of the event.
+
+ """
+ def __init__(self, timestamp, filename = None):
+ self.timestamp = timestamp
+ self.filename = filename
+
+ def get_timestamp(self):
+ """Get the timestamp associated with this event."""
+ return self.timestamp
+
+ def get_filename(self):
+ """Get the filename associated with this event."""
+ return self.filename
+
+ def find_record_of_type(self, type):
+ """Find record of type
+
+ Returns a record in the event that has the given type.
+ Returns None when there is no such record.
+
+ """
+ for record in self:
+ try:
+ if record["type"] == type:
+ return record
+ except KeyError:
+ pass
+ return None
+
+ def find_value(self, name):
+ """Find a value
+
+ Returns a value associated with the given name in some record
+ in the event. Raises KeyError if no field has the given name.
+
+ """
+ for record in self:
+ try:
+ return record[name]
+ except KeyError:
+ pass
+ raise KeyError
+
+ def find_path_record(self, item):
+ """Find a PATH record for the given item.
+
+ Returns the PATH record for the given item. Return None if
+ PATH record cannot be found.
+
+ """
+ item = str(item) # Ensure item is a string
+ for record in self:
+ if record.is_path_record(item):
+ return record
+ return None
+
+class AuditRecord(dict):
+ """AuditRecord(AuditEvent, int)
+
+ An audit record is a dictionary. The int is the line number
+ associated with the source of the record.
+
+ """
+ def __init__(self, event, line_number):
+ self.event = event
+ self.line_number = line_number
+
+ def get_event(self):
+ """Get the event associated with this record."""
+ return self.event
+
+ def get_line_number(self):
+ """Get the line number associated with this record."""
+ return self.line_number
+
+ def get_source(self):
+ """Get the source of this record as a string."""
+ serial = self.get_event().get_timestamp().serial
+ source = "%d (serial=%d)" % (self.line_number, serial)
+ filename = self.get_event().get_filename()
+ if filename:
+ return filename + ":" + source
+ else:
+ return source
+
+ def is_path_record(self, item):
+ """Is this a PATH record for the given item?"""
+ try:
+ return self["type"] == "PATH" and self["item"] == item
+ except KeyError:
+ return False
+
+def args2aulog():
+ """Make an AuditLog from command line arguments
+
+ Create an audit log object based on the command line arguments
+ passsed to this program.
+
+ Returns an AuditLog.
+
+ """
+ interpret = False # Event reading mode
+ output_file = None # Output file name for results
+ try:
+ long_opts = ["help", "interpret", "raw", "output="]
+ opts, args = getopt.getopt(sys.argv[1:], "hiro:", long_opts)
+ except getopt.GetoptError:
+ # Bad options
+ usage()
+ sys.exit(2)
+ for o, a in opts:
+ if o in ("-h", "--help"):
+ # Print help information
+ usage()
+ sys.exit(0)
+ elif o in ("-i", "--interpret"):
+ interpret = True
+ elif o in ("-r", "--raw"):
+ interpret = False
+ elif o in ("-o", "--output"):
+ # Record output file name
+ output_file = a
+ # Determine input source
+ if len(args) > 0:
+ au = auparse.AuParser(auparse.AUSOURCE_FILE_ARRAY, args)
+ sys.stdin.close()
+ else:
+ au = sys.stdin
+ # Open output file as standard output
+ if output_file:
+ sys.stdout.close()
+ try:
+ sys.stdout = file(output_file, 'w')
+ except IOError:
+ sys.stderr.write("cannot open %s for writing" % output_file)
+ sys.exit(1)
+ return AuditLog(au, interpret)
+
+def usage():
+ """Show usage
+
+ Print a ussage message that includes version information.
+
+ """
+ help = """Version: %s %s
+Usage: %s [OPTIONS] [FILE...]
+
+ -o FILE, --output=FILE output to FILE (default is standard output)
+ -i, --interpret interpret numeric entities into text
+ -r --raw do not interpret numeric entities (default)
+ -h, --help print this message and exit
+
+With no FILEs, read from the standard input.
+"""
+ sys.stderr.write(help % ("@PACKAGE@", "@VERSION@", sys.argv[0]))
+
+# Consume a log
+
+def run(log):
+ """The main loop for consuming a log. Modify this to suit your needs."""
+ for event in log:
+ print event
+
+def main():
+ """Main routine
+
+ Perform command line processing and then conume the log.
+
+ """
+ run(args2aulog())
+
+if __name__ == "__main__":
+ main()
diff -urN a/audit-1.5.6/bindings/python/Makefile.am b/audit-1.5.6/bindings/python/Makefile.am
--- a/audit-1.5.6/bindings/python/Makefile.am 2007-07-25 14:17:26.000000000 -0400
+++ b/audit-1.5.6/bindings/python/Makefile.am 2007-07-27 11:39:56.000000000 -0400
@@ -21,7 +21,7 @@
#
CONFIG_CLEAN_FILES = Makefile.in *.loT *.rej *.orig
-EXTRA_DIST = setup.py auparse_python.c
+EXTRA_DIST = setup.py auparse_python.c auditparser.py
all:
$(PYTHON) setup.py build
diff -urN a/audit-1.5.6/bindings/python/setup.py b/audit-1.5.6/bindings/python/setup.py
--- a/audit-1.5.6/bindings/python/setup.py 2007-05-01 18:06:23.000000000 -0400
+++ b/audit-1.5.6/bindings/python/setup.py 2007-07-27 11:54:34.000000000 -0400
@@ -11,3 +11,8 @@
description = 'python binding for audit parsing (auparse)',
ext_modules = [auparse])
+setup(name = 'auditparser',
+ version = '1.0',
+ description = 'high-level python binding for audit parsing',
+ py_modules = ['auditparser'])
+
diff -urN a/audit-1.5.6/configure.ac b/audit-1.5.6/configure.ac
--- a/audit-1.5.6/configure.ac 2007-07-23 14:39:31.000000000 -0400
+++ b/audit-1.5.6/configure.ac 2007-07-27 11:41:06.000000000 -0400
@@ -109,7 +109,7 @@
AC_DEFINE(WITH_APPARMOR,1,[Define if you want to enable AppArmor events.])fi
AC_CONFIG_SUBDIRS([system-config-audit])
-AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile bindings/Makefile bindings/python/Makefile)
+AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile bindings/Makefile bindings/python/Makefile bindings/python/auditparser.py)
echo .
echo "
[-- Attachment #3: Type: text/plain, Size: 0 bytes --]
prev parent reply other threads:[~2007-08-09 19:42 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-07-16 18:01 High-level audit parser module John D. Ramsdell
2007-08-09 19:42 ` John D. Ramsdell [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ogtzm10a40c.fsf@oolong.mitre.org \
--to=ramsdell@mitre.org \
--cc=jdennis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox