1 #ˆl–äY>”T†»ÕÀ5q°)‹FÿÁ „B_À¿?÷# Authors: Karl MacMillan # # Copyright (C) 2006 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as # published by the Free Software Foundation; version 2 only # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # import re import sys from . import refpolicy from . import access from . import util # Convenience functions def get_audit_boot_msgs(): """Obtain all of the avc and policy load messages from the audit log. This function uses ausearch and requires that the current process have sufficient rights to run ausearch. Returns: string contain all of the audit messages returned by ausearch. """ import subprocess import time fd=open("/proc/uptime", "r") off=float(fd.read().split()[0]) fd.close s = time.localtime(time.time() - off) bootdate = time.strftime("%x", s) boottime = time.strftime("%X", s) output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime], stdout=subprocess.PIPE).communicate()[0] if util.PY3: output = util.decode_input(output) return output def get_audit_msgs(): """Obtain all of the avc and policy load messages from the audit log. This function uses ausearch and requires that the current process have sufficient rights to run ausearch. Returns: string contain all of the audit messages returned by ausearch. """ import subprocess output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR"], stdout=subprocess.PIPE).communicate()[0] if util.PY3: output = util.decode_input(output) return output def get_dmesg_msgs(): """Obtain all of the avc and policy load messages from /bin/dmesg. Returns: string contain all of the audit messages returned by dmesg. """ import subprocess output = subprocess.Popen(["/bin/dmesg"], stdout=subprocess.PIPE).communicate()[0] if util.PY3: output = util.decode_input(output) return output # Classes representing audit messages class AuditMessage: """Base class for all objects representing audit messages. AuditMessage is a base class for all audit messages and only provides storage for the raw message (as a string) and a parsing function that does nothing. """ def __init__(self, message): self.message = message self.header = "" def from_split_string(self, recs): """Parse a string that has been split into records by space into an audit message. This method should be overridden by subclasses. Error reporting should be done by raise ValueError exceptions. """ for msg in recs: fields = msg.split("=") if len(fields) != 2: if msg[:6] == "audit(": self.header = msg return else: continue if fields[0] == "msg": self.header = fields[1] return class InvalidMessage(AuditMessage): """Class representing invalid audit messages. This is used to differentiate between audit messages that aren't recognized (that should return None from the audit message parser) and a message that is recognized but is malformed in some way.