�h>`�;�@sdddgZddlmZddlmZddlZddlZddlZddlZddlZ	ddl
Z
ddlmZddl
Z
ddlZddlmZdd	lmZdd
lTdd
lTdd
lTyeed�Wnek
r�de_YnXeej�d
�Zdd�ZGdd�de�ZGdd�de
j�ZdS)�AuditSocketReceiverThread�AuditRecordReceiver�
verify_avc�)�str)�objectN)�_thread)�
cmp_to_key)�
get_config)�*�	AUDIT_EOEi(�cCsp|jjdks|jjdkrdStj|jjkrltjtjdt|jf�tjtjd|jj��ddl}|j	d�dS)NFzUsetroubleshoot generated AVC, exiting to avoid recursion, context=%s, AVC scontext=%szaudit event
%srT)
Zscontext�typeZtcontext�
my_context�syslog�LOG_ERR�audit_event�format�sys�exit)�avcr�r�/usr/lib/python3.6/avc_audit.pyr7s
c@sxeZdZdZdZdd�Zdd�Zdd�Zd	d
�Zdd�Z	d
d�Z
dd�Zdd�Zddd�Z
ddd�Zdd�Zdd�ZdS)raO
    The audit system emits messages about a single event
    independently. Thus one single auditable event may be composed
    from one or more individual audit messages. Each audit message is
    prefixed with a unique event id, which includes a timestamp. The
    last audit message associated with an event is not marked in any
    fashion. Audit messages for a specific event may arrive
    interleaved with audit messages for other events. It is the job of
    higher level software (this code) to assemble the audit messages
    into events. The AuditEvent class is used for assembly. When a new
    event id is seen a new AuditEvent object is created, then
    every time an audit message arrives with that event id it is added
    to that object. The AuditEvent object contains the timestamp
    associated with the audit event as well as other data items useful
    for processing and handling the event.

    The audit system does not tell us when the last message belonging
    to an event has been emitted, so we have no explicit way of knowing
    when the audit event has been fully assembled from its constituent
    message parts. We use the heuristic that if a sufficient length of
    time has expired since we last saw a message for this event, then
    it must be complete.

    Thus when audit events are created we place them in a cache where
    they will reside until their time to live has expired, at which
    point we will assume they are complete and emit the event.

    Events are expired in the flush_cache() method. The events
    resident in the cache are sorted by their timestamps. A time
    threshold is established. Any events in the cache older than the
    time threshold are flushed from the cache as complete events.

    When should flushes be performed? The moment when a new message is
    added would seem a likely candidate moment to perform a sweep of
    the cache. But this is costly and does not improve how quickly
    events are expired. We could wait some interval of time (something
    much greater than how long we expect it would take for messages
    to percolate) and this has good behavior, except for the following
    case. Sometimes messages are emitted by audit in rapid
    succession. If we swept the cache once a second then the cache may
    have grown quite large. Since it is very likely that any given audit
    event is complete by the time the next several events start
    arriving, we can optimize by tracking how many messages have
    arrived since the last time we swept the cache.

    The heuristic for when to sweep the cache becomes:

    If we've seen a sufficient number of messages then sweep -or- if
    a sufficient length of time has elapsed then we sweep.

    Note that when audit messages are injected via log file scanning,
    elapsed wall clock time has no meaning relative to when to perform
    the cache sweep. However, the timestamp for an event remains a
    critical factor when deciding if an event is complete (have we
    scanned far enough ahead such that we're confident we won't see any
    more messages for this event?). Thus the threshold for when to
    expire an event from the cache during static log file scanning is
    determined not by wall clock time but rather by the oldest
    timestamp in the cache (e.g. there is enough spread between
    timestamps in the cache that it's reasonable to assume the event is
    complete). One might ask, in the case of log file scanning, why not
    fill the cache until EOF is reached and then sweep the cache?
    Because in log files it is not unusual to have thousands or tens
    of thousands of events and the cache would grow needlessly
    large. Because we have to deal with the real time case we already
    have code to keep only the most recent events in the cache, so we
    might as well use that logic, keep the code paths the same and
    minimize resource usage.
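The assembly and expiry strategy the docstring describes, as an added Python example that is not the setroubleshoot module's own code: records are grouped by the `msg=audit(<timestamp>:<serial>)` event id, a sweep is forced after `flush_size` records, and the age threshold is derived from the newest cached event rather than wall clock time. The record regex, the `EventAssembler` class and the sample lines are constructed assumptions.

```python
import re

# Constructed sample records (not real log data). Messages of one event share
# the "msg=audit(<timestamp>:<serial>)" id and may interleave with other events.
SAMPLE_LINES = [
    "type=AVC msg=audit(1700000000.101:11): avc:  denied  { read } for  pid=101",
    "type=SYSCALL msg=audit(1700000000.101:11): arch=c000003e syscall=2",
    "type=AVC msg=audit(1700000000.250:12): avc:  denied  { write } for  pid=102",
    "type=PATH msg=audit(1700000000.101:11): item=0 name=\"/etc/shadow\"",
    "type=EOE msg=audit(1700000000.250:12): ",
    "type=AVC msg=audit(1700000000.900:13): avc:  denied  { open } for  pid=103",
]
RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")


class EventAssembler:
    """Assemble audit records into events; expire events by timestamp spread."""
    def __init__(self, cache_time_to_live=0.5, flush_size=100):
        self.cache_time_to_live = cache_time_to_live  # spread (s) before an event is assumed done
        self.flush_size = flush_size                  # records seen before a sweep is forced
        self.flush_count = 0
        self.cache = {}                               # event id -> partially assembled event
        self.completed = []                           # events emitted, in flush order

    def feed(self, line):
        m = RECORD_RE.match(line)
        if not m:
            return  # not an audit record line; ignore it
        event_id = (float(m.group("ts")), int(m.group("serial")))
        if m.group("type") == "EOE":
            # Explicit end-of-event marker: the event is complete now, no need to wait.
            event = self.cache.pop(event_id, None)
            if event is not None:
                self.completed.append(event)
            return
        event = self.cache.setdefault(
            event_id, {"timestamp": event_id[0], "serial": event_id[1], "records": []})
        event["records"].append(m.group("type"))
        self.flush_count += 1
        if self.flush_count >= self.flush_size:  # message-count half of the sweep heuristic
            self.flush_cache()

    def flush_cache(self, threshold_age=None):
        """Emit events older than threshold_age; None derives it from the newest event, 0 flushes all."""
        if threshold_age is None and self.cache:
            threshold_age = max(e["timestamp"] for e in self.cache.values()) - self.cache_time_to_live
        for event_id in sorted(self.cache):  # oldest event id first
            if threshold_age == 0 or self.cache[event_id]["timestamp"] < threshold_age:
                self.completed.append(self.cache.pop(event_id))
        self.flush_count = 0
```

Feeding the sample lines emits event 12 as soon as its EOE arrives, a default `flush_cache()` then emits event 11 because event 13 is more than the time to live newer, and `flush_cache(0)` drains whatever remains at end of input.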