Sindbad~EG File Manager

Current Path : /lib/python3.6/site-packages/setroubleshoot/__pycache__/
Upload File :
Current File : //lib/python3.6/site-packages/setroubleshoot/__pycache__/avc_audit.cpython-36.pyc

3

�h>`�;�@sdddgZddlmZddlmZddlZddlZddlZddlZddlZ	ddl
Z
ddlmZddl
Z
ddlZddlmZdd	lmZdd
lTdd
lTdd
lTyeed�Wnek
r�de_YnXeej�d
�Zdd�ZGdd�de�ZGdd�de
j�ZdS)�AuditSocketReceiverThread�AuditRecordReceiver�
verify_avc�)�str)�objectN)�_thread)�
cmp_to_key)�
get_config)�*�	AUDIT_EOEi(�cCsp|jjdks|jjdkrdStj|jjkrltjtjdt|jf�tjtjd|jj��ddl}|j	d�dS)NFzUsetroubleshoot generated AVC, exiting to avoid recursion, context=%s, AVC scontext=%szaudit event
%srT)
Zscontext�typeZtcontext�
my_context�syslog�LOG_ERR�audit_event�format�sys�exit)�avcr�r�/usr/lib/python3.6/avc_audit.pyr7s
c@sxeZdZdZdZdd�Zdd�Zdd�Zd	d
�Zdd�Z	d
d�Z
dd�Zdd�Zddd�Z
ddd�Zdd�Zdd�ZdS)raO
    The audit system emits messages about a single event
    independently. Thus one single auditable event may be composed
    from one or more individual audit messages. Each audit message is
    prefixed with a unique event id, which includes a timestamp. The
    last audit message associated with an event is not marked in any
    fashion. Audit messages for a specific event may arrive
    interleaved with audit messages for other events. It is the job of
    higher level software (this code) to assemble the audit messages
    into events. The AuditEvent class is used for assembly. When a new
    event id is seen a new AuditEvent object is created, then
    every time an audit message arrives with that event id it is added
    to that object. The AuditEvent object contains the timestamp
    associated with the audit event as well as other data items useful
    for processing and handling the event.

    The audit system does not tell us when the last message belonging
    to an event has been emitted so we have no explicit way of knowing
    when the audit event has been fully assembled from its constituent
    message parts. We use the heuristic if a sufficient length of
    time has expired since we last saw a message for this event, then
    it must be complete

    Thus when audit events are created we place them in a cache where
    they will reside until their time to live has expired at which
    point we will assume they are complete and emit the event.

    Events are expired in the flush_cache() method. The events
    resident in the cache are sorted by their timestamps. A time
    threshold is established. Any events in the cache older than the
    time threshold are flushed from the cache as complete events.

    When should flushes be performed? The moment when a new message is
    added would seem a likely candidate moment to perform a sweep of
    the cache. But this is costly and does not improve how quickly
    events are expired. We could wait some interval of time (something
    much greater than how long we expect it would take for messages
    percolate) and this has good behavior, except for the following
    case. Sometimes messages are emitted by audit in rapid
    succession. If we swept the cache once a second then the cache may
    have grown quite large. Since it is very likely that any given audit
    event is complete by the time the next several events start
    arriving we can optimize by tracking how many messages have
    arrived since the last time we swept the cache.

    The the heuristic for when to sweep the cache becomes:

    If we've seen a sufficient number of messages then sweep -or- if
    a sufficient length of time has elapsed then we sweep

    Note that when audit messages are injected via log file scanning
    elapsed wall clock time has no meaning relative to when to perform
    the cache sweep. However, the timestamp for an event remains a
    critical factor when deciding if an event is complete (have we
    scanned far enough ahead such we're confident we won't see any
    more messages for this event?). Thus the threshold for when to
    expire an event from the cache during static log file scanning is
    determined not by wall clock time but rather by the oldest
    timestamp in the cache (e.g.there is enough spread between
    timestamps in the cache its reasonable to assume the event is
    complete). One might ask in the case of log file scanning why not
    fill the cache until EOF is reached and then sweep the cache?
    Because in log files it is not unusual to have thousands or tens
    of thousands of events and the cache would grown needlessly
    large. Because we have to deal with the real time case we already
    have code to keep only the most recent events in the cache so we
    might as well use that logic, keep the code paths the same and
    minimize resource usage.
    g{�G�zt?cCs$d|_d|_i|_g|_|j�dS)N�r)�
flush_size�flush_count�cache�events�reset_statistics)�selfrrr�__init__�s
zAuditRecordReceiver.__init__cCs
t|j�S)N)�lenr)rrrr�num_cached_events�sz%AuditRecordReceiver.num_cached_eventscCsd|_d|_dS)Nr)�max_cache_length�event_count)rrrrr�sz$AuditRecordReceiver.reset_statisticscCst�}||jt|j�<|S)N)Z
AuditEventrr�event_id)r�recordrrrr�insert_new_event�sz$AuditRecordReceiver.insert_new_eventcCs|jjt|j�d�S)N)r�getrr$)rr%rrr�get_event_from_record�sz)AuditRecordReceiver.get_event_from_recordcCsZtd|jj|f�|j|�}|jdkr:|r6|j|�dS|dkrL|j|�}|j|�dS)Nz%s.add_record_to_cache(): %s�EOE)�	log_debug�	__class__�__name__r(�record_type�flush_eventr&Z
add_record)rr%rrrr�add_record_to_cache�s



z'AuditRecordReceiver.add_record_to_cachecCs |jd7_|jjd|�dS)Nrr)r#r�insert)rrrrr�
emit_event�szAuditRecordReceiver.emit_eventcCs|j|�|jt|j�=dS)N)r1rrr$)rrrrrr.�s
zAuditRecordReceiver.flush_eventNcs�t�j�dkrdSt�j��jkr.t�j��_t�jj��}|dkrjx |D]}�j|}�j|�qJWdS|jt�fdd��d�|dkr��j|dj�j	}x*|D]"}�j|}|j|kr��j|�q�WdS)alFlush events from the cache if they are older than the threshold age.
        If the threshold age is None then the threshold age is set to the age
        of the newest event in the cache minus the cache time to live, in other
        words anything in the cache which is older than the time to live relative
        to the most current event is flushed.
        rNcs�j|j�j|jkS)N)r�	timestamp)�a�b)rrr�<lambda>�sz1AuditRecordReceiver.flush_cache.<locals>.<lambda>)�keyr���)
r rr"�list�keysr.�sortrr2�cache_time_to_live)r�
threshold_ageZ	event_idsr$rr)rr�flush_cache�s"	




zAuditRecordReceiver.flush_cacheccs8|j|�d|_x"t|j�dkr2|jj�}|VqWdS)Nr)r=rr r�pop)rr<rrrr�flush�s


zAuditRecordReceiver.flushccsx|jd�D]
}|VqWdS)z{Emit every event in the cache irrespective of its
        timestamp. This means we're done, nothing should remain buffered.rN)r?)rrrrr�close�szAuditRecordReceiver.closec	csn|jd7_|jdkr"|j|�|j|jkrFx|j�D]
}|Vq8Wx"t|j�d
krh|jj�}|VqHWdS)
z9Accept a new audit record into the system for processing.r�AVC�AVC_PATH�SYSCALL�CWD�PATHr)�1400�1107rN)rArBrCrDrEr)rFrG)rr-r/rr?r rr>)rr%rrrr�feed�s



zAuditRecordReceiver.feed)N)N)r,�
__module__�__qualname__�__doc__r;rr!rr&r(r/r1r.r=r?r@rHrrrrrFsE
"
c@s<eZdZdd�Zdd�Zdd�Zdd�Zd	d
�Zdd�Zd
S)rcCsFtjj|�||_||_t�|_tddt�|_	|j
�d|_d|_dS)N�audit�retry_interval�F)
�	threading�Threadr�queue�report_receiverr�record_receiverr	�intrM�get_socket_paths�timeout_interval�
has_audit_eoe)rrQrRrrrrsz"AuditSocketReceiverThread.__init__cCs6g|_tdd�}|jj|�tdd�}|jj|�dS)NrLZtext_protocol_socket_pathZbinary_protocol_socket_path)�audit_socket_pathsr	�append)r�audit_socket_pathrrrrUs


z*AuditSocketReceiverThread.get_socket_pathscCs��x~y�x�|jD]�|_|jdk	ryjt|j�}t|�|_tjtjtj�|_	t
j
|j	j�t
jt
j
�|j	j|j�|j	j�|_td|j�dStjk
r�}z$t|�\}}td|j|f�WYdd}~XqXqWtddj|j�|jf�Wn�tjk
�r4}z(t|�\}}td|j||jf�WYdd}~Xn>tk
�rp}z td|j|d|jf�WYdd}~XnXtj|j�qWdS)Nzaudit socket (%s) connectedz4attempt to open audit socket (%s) failed, error='%s'z:could not open any audit sockets (%s), retry in %d secondsz, z9audit socket (%s) failed, error='%s', retry in %d secondsr)rXrZZderive_record_formatZAuditRecordReader�
record_reader�Socket�socketZAF_UNIXZSOCK_STREAM�audit_socket�fcntl�filenoZF_SETFDZ
FD_CLOEXEC�connect�makefile�audit_socket_fdr*�errorZget_error_from_socket_exception�joinrM�OSError�timeZsleep)rZ
record_format�e�errno�strerrorrrrras.


(&,z!AuditSocketReceiverThread.connectcCs<t|||||�}|j�x|jj|�D]}|j|�q&WdS)z"called to enter a new audit recordN)ZAuditRecordZaudispd_rectifyrSrH�new_audit_event_handler)rr-r$�	body_text�fields�line_numberZaudit_recordrrrr�new_audit_record_handler1sz2AuditSocketReceiverThread.new_audit_record_handlercCsD|j�r@|j�r@|j�dkr@t|�}t|�r@|jj||jf�dS)Nr)Zis_avcZ
is_grantedZnum_recordsrArrQZputrR)rrrrrrrk9sz1AuditSocketReceiverThread.new_audit_event_handlercCs�|j�|j}�x�tj|jggg|�\}}}y�|j|kr�ddl}|j|jj�d�}|dkrltd�|j�nbtd|j	j
��|js�|j}x�|jj
|�D]2\}}}	}
}|dkr�d|_d}|j|||	|
|�q�Wn>x(|j	jtj�|j�D]}|j|�q�W|j	j
�dk�rd}Wqtk
�rL}
ztd|jj�tj�WYdd}
~
Xqtk
�r�}
ztd	|jj�tj�WYdd}
~
Xqtk
�r�}
z6ddl}t|j��tjtjd
|
jjt|
�f�dSd}
~
XqXqWdS)Nri�zaudit socket connection droppedzcached audit event count = %dr)Tz!KeyboardInterrupt exception in %szSystemExit exception in %szexception %s: %s)rarV�selectr^�os�readrcr`r*rSr!rWr[rHror?rgrk�KeyboardInterruptr+r,r�interrupt_main�
SystemExit�	Exception�	tracebackZsyslog_trace�
format_excrrr)rZtimeoutZinListZoutListZerrListrrZnew_datar-r$rlrmrnrrhrxrrr�run?sD

zAuditSocketReceiverThread.runN)	r,rIrJrrUrarorkrzrrrrr�s	) �__all__�builtinsrrrrLrqZselinuxr]r\r_Z	six.movesrrOrg�	functoolsrZsetroubleshoot.configr	Zsetroubleshoot.errcodeZsetroubleshoot.utilZsetroubleshoot.audit_data�getattr�AttributeErrorrZ
AvcContextZgetconrrrrPrrrrr�<module>s69

Sindbad File Manager Version 1.0, Coded By Sindbad EG ~ The Terrorists