a

U+ezg�@s~
dd
lm
Z

gd�
ZddlZddlmZmZ
ddlZddlZddl	Z	ddl
Z
ddlZddlTddl
Z
ddlmZ
ddlmZ
ddlTddlTddlTddlTddlTddlTddlTddlmZ
d	d
�ZGdd�de�ZGd
d�de�ZGdd�de�ZGdd�dee
j �Z!Gdd�de�Z"Gdd�de�Z#Gdd�de�Z$Gdd�de%e&e'ej�Z(e�)e(�

Gdd�dej�Z*e�)e*�

dS)�)
�print_function)�
AnalyzeThread�Analyze�PluginReportReceiver�TestPluginReportReceiver�SETroubleshootDatabase�SETroubleshootDatabaseLocal�LogfileAnalyzerN)�GObject�GLib)
�
*)
�
cmp_to_key)
�
get_config)
�validate_database_doccCs||
k||
kS�
N�)�
x�
yrr�:/usr/lib/python3.9/site-packages/setroubleshoot/analyze.py�<lambda>4�rc@s<eZ
dZd
d�Zdd�Zdd�Zdd�Zd	d
�Zdd�Zd
S)�PluginStatisticscCs0|
j|_
d|_d|_d|_d|_d|_d|_dSr)�analysis_id�name�analyze_start_time�analyze_end_time�analyze_elapsed_time�report_start_time�report_end_time�report_elapsed_time��self�pluginrrr�__init__=s






zPluginStatistics.__init__c
CsRt|j
�
}
|jdur"d
|j|
fSt|j|j�
}t|j�
}d|j||
|fSdS)Nz%s: %s elapsedz5%s: %s elapsed, %s analyze elapsed, %s report elapsed)�format_elapsed_timerrrrr)r!rZtotal_elapsed_timerrrr�__str__Fs






�zPluginStatistics.__str__c

Cst��|_
dSr)�timer�
r!rrr�
analyze_startRs
zPluginStatistics.analyze_startc

Cst��|_
|j
|j|_dSr)r&rrrr'rrr�analyze_endUs


zPluginStatistics.analyze_endc

Cst��|_
dSr)r&rr'rrr�report_startYs
zPluginStatistics.report_startc

Cst��|_
|j
|j|_dSr)r&rrrr'rrr�
report_end\s


zPluginStatistics.report_endN)	�__name__�
__module__�__qualname__r#r%r(r)r*r+rrrrr;s	rc@s<eZ
dZd
d�Zdd�Zdd�Zdd�Zd	d
�Zdd�Zd
S)�AnalyzeStatisticscCs(|
|_d|_
g|_d|_d|_d|_dSr)�num_plugins�
cur_plugin�called_plugins�
start_time�end_time�elapsed_time)r!r0rrrr#es





zAnalyzeStatistics.__init__c
CsPd}
d}t|j
�
}|jdu
r8t|j�
}
|r8t|j|�
}d
||j|
||��fS)NzB%d/%d plugins in %s elapsed, avg plugin %s elapsed, plugins=[
%s
])�lenr2r5r$r0�called_plugins_to_string)r!r5Zavg_plugin_timeZn_calledrrrr%ms












��zAnalyzeStatistics.__str__c

Csd
�dd�|j
D�
�
S)N�

c
Ssg|]}
t|
�
�qSr�
�str��.0rrrr�
<listcomp>{rz>AnalyzeStatistics.called_plugins_to_string.<locals>.<listcomp>)�joinr2r'rrrr7zs
z*AnalyzeStatistics.called_plugins_to_stringc

Cst��|_
dSr)r&r3r'rrr�start}s
zAnalyzeStatistics.startc

Cst��|_
|j
|j|_dSr)r&r4r3r5r'rrr�end�s


zAnalyzeStatistics.endcCs&t|
�
|_
|j�|j
�

|j
��
dSr)rr1r2�appendr(r rrr�
new_plugin�s



zAnalyzeStatistics.new_pluginN)	r,r-r.r#r%r7r?r@rBrrrrr/cs
r/c@s$eZ
dZd
d�Zdd�Zdd�ZdS)rc

Cs$d|_t
�|_td
t|j�
�

dS)NzNumber of Plugins = %d)�environmentZload_plugins�plugins�	log_debugr6r'rrrr#�s


zAnalyze.__init__cCs$t|
j
|
j|
j|
j|
j|
jd
�}|S)N)�host�access�scontext�tcontext�tclass�tpath)ZSEFaultSignaturerFrGrHrIrJrK)r!�avc�sigrrr�
get_signature�s






�zAnalyze.get_signaturecCs�
td
|
�

|
�
�
|jdur&t�|_|
jjdu
r>|
jj��
t|
j|
j|
j	|
j
|
j|
j|
j
|
j|
j|
j|
j|�|
�
|j|
jjt|
jj�
|��dd�}|jD�
]}z�|�|
�
}|du
�
r<|jdkr�td�

W
dS|jdu
�
r
|jdk�
r
|jdk�
s|jdk�
r
|j|_t|t��
r0|D]}|j�|�

�
qn|j�|�

Wq�t�
y�
}
z\t|tj d�
t!�!t!j"d	|j#�
t�$�\}}	}
td
�%t&�'|
�
�
�

|j�(|�

WYd}~q�d}~00q�|�)|�

dS)Nzanalyze_avc() avc=%sZyellow)�audit_event�source�spathrKZsrc_rpm_listZtgt_rpm_listrHrIrJ�portrFrMrC�line_numbers�last_seen_date�local_id�levelZwhitez!plugin level white, not reportingZredZgreen�
�filezPlugin Exception %s r8)*rE�updaterCZ
SEEnvironmentrOrS�sortZSEFaultSignatureInforPrQrKZsrc_rpmsZtgt_rpmsrHrIrJrRrFrN�	TimeStampZ	timestamp�generate_idrD�analyzerV�
isinstance�listZplugin_listrA�	Exception�print�sys�stderr�syslog�LOG_ERRr�exc_infor>�	traceback�	format_tb�remove�report_problem)r!rL�report_receiver�siginfor"�report�
r�
eZv1Zv2Zv3rrr�analyze_avc�s\





















�

















$zAnalyze.analyze_avcN)r,r-r.r#rNrprrrrr�s
rc@seZ
dZddd�
Zdd�ZdS)r�
cCs&tj
�|�

t�|�

|
|_||_dSr)�	threading�Threadr#r�queue�timeout)r!rtrurrrr#�s


zAnalyzeThread.__init__c

Cs�z0|j�
�\}
}td
�

t�d�

|�|
|�
WnBtyr
}
z*t�tjd|�
t	t
���

WYd}~n
d}~00td�|j
�
�

t�|j
�

qdS)Nz)AnalyzeThread.run(): Cancel pending alarmr
z!Exception during AVC analysis: %sz,AnalyzeThread.run(): Set alarm timeout to {})rt�getrE�signal�alarmrpr`rdreZsyslog_tracerg�
format_exc�formatru)r!rLrkrorrr�run�s







"

zAnalyzeThread.runN)
rq)r,r-r.r#r{rrrrr�s
rc@s$eZ
dZd
d�Zdd�Zdd�ZdS)rcCs
|
|_dSr)
�database�r!r|rrrr#�s
zPluginReportReceiver.__init__c
Cs�z0|j�
|
j�
}|�|
�

|j�|�

td
�

WnNty~
}
z6|jtkrhtd�

|
j	|
_
|j�|
�
}n�WYd}~n
d}~00|S)Nzsignature found in databaseznot in database yet)r|�lookup_signaturerMZupdate_merge�modify_siginforE�ProgramError�errno�ERR_NO_SIGNATURE_MATCHrT�first_seen_date�add_siginfo)r!rlZdatabase_siginfororrrrj�s











z#PluginReportReceiver.report_problemc

Cs|jj
��Sr)r|�sigsZgenerate_local_idr'rrrr\
s
z PluginReportReceiver.generate_idN)r,r-r.r#rjr\rrrrr�srcs$eZ
dZ�f
d
d�Zdd�Z�ZS)rcstt
|��|
�

dSr)�superrr#r}�
�	__class__rrr#
s
z!TestPluginReportReceiver.__init__cCstd
|
j
j�

dS)NzAnalysis Result: %s)rarMr�r!rlrrrrj
s
z'TestPluginReportReceiver.report_problem)r,r-r.r#rj�
__classcell__rrr�rr
src@s�eZ
dZd2dd�
Zdd�Zdd�Zdd	�Zd
d�Zd3d
d�
Zd4dd�
Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd �Zd!d"�Zd5d#d$�
Zd%d&�Zd'd(�Zd)d*�Zd6d,d-�
Zd.d/�Zd0d1�Zd
S)7rNcCs�|
|_d|_
t|||j�|_t��|_d
|_d|_d|_	d|_
d|_tddt
�|_d|_tdd�}|du
r�|��}|r�t|�
|_td|jj|jj|jjf�

|��
dS)	NFr
���r|�
max_alerts�
max_alert_agez<created new database: name=%s, friendly_name=%s, filepath=%s)�filepath�notifyZSEDatabaseProperties�
propertiesrr�Lock�lock�file_exists�modified_count�auto_save_interval�auto_save_threshold�auto_save_timerr�intr�r��stripZparse_datetime_offsetrEr�
friendly_name�load)r!r�rr�r�rrrr#
s$


















zSETroubleshootDatabase.__init__c
Cs�
|js|j
sd
S|jjjtdd��
d�

|j
�
rt�}
|
|j
8}
d}|jjD]}|j|
kr^
qh|d7}qL|dk�
rtd|j
|
�	�f�

td|jjdj�	�|jj|dj�	�f�

td	|jj|j�	�|jjd
j�	�f�

dd�|jjd|�D�
}|D]}|j
|d
d�
�
q|j�
r�t|jj�
|j}|dk�
r�dd�|jjd|�D�
}td|t|�
|f�

|D]}|j
|d
d�
�
qpdS)NFcSst|j
|
j
�Sr)�cmprT)�
a�
brrrr8
rz.SETroubleshootDatabase.prune.<locals>.<lambda>)
�keyr
�
z5prune by age: max_alert_age=%s min_time_to_survive=%szprune by age: pruning [%s - %s]zprune by age: keeping [%s - %s]���c
Ssg|]
}
|
j�qSr�
rM�r<rlrrrr=H
rz0SETroubleshootDatabase.prune.<locals>.<listcomp>T)
�prunec
Ssg|]
}
|
j�qSrr�r�rrrr=O
rz*prune first %d alerts, len(sigs=%d sigs=%s)r�r�r��signature_listrZr
r[rTrErz�delete_signaturer6)r!Zmin_time_to_surviveZkeeprlr�rMrrrr�3
s2













0
,









zSETroubleshootDatabase.prunecCs
|
|_dSr)
r��r!r�rrr�
set_notifyT
s
z!SETroubleshootDatabase.set_notifyc
Cs2|jj
D]$}
|
j|
jkr|
j}|
j|
_||
_qdSr)r�r�rTr�)r!rl�tmprrr�validateW
s




zSETroubleshootDatabase.validatec
Csht�|_
|jdurdStj�|j�
rTt�|j�
}
|
td
krT|j
�|jdt	�rTd|_
|��
|��
dS)Nr
r�T)
�SEFaultSignatureSetr�r��os�path�exists�stat�ST_SIZEZ
read_xml_filerr�r�r�)r!�	stat_inforrrr�_
s







zSETroubleshootDatabase.loadFcCsj|jdurdSt
d
|j|jf�

|
s.|��
|j�d|j�
d|_d|_|jdu
rft�	|j�

d|_dS)Nz'writing database (%s) modified_count=%sr�Tr
)
r�rEr�r�r�Z	write_xmlr�r�rZ
source_remove�r!r�rrr�saven
s










zSETroubleshootDatabase.savecCs^|jd
7_|j
durdS|j|jks.|js:|�|
�

n |jdurZt�|jd|j	�|_dS)Nr�i�)
r�r�r�r�r�r�rZtimeout_addr��auto_save_callbackr�rrr�
mark_modified}
s







��z$SETroubleshootDatabase.mark_modifiedc

Cs td
|j
|jf�

|��
dS)Nz)auto_save database (%s) modified_count=%sF)rEr�r�r�r'rrrr��
s


z)SETroubleshootDatabase.auto_save_callbackc

Cs:|jdurdSt
j�|j�
r6td
|j�

t
�|j�

dS)Nzdeleting database (%s))r�r�r�r�rErir'rrrri�
s






zSETroubleshootDatabase.removec

Cs|j�
�
dSr)r��acquirer'rrrr��
s
zSETroubleshootDatabase.acquirec

Cs|j�
�
dSr)r��releaser'rrrr��
s
zSETroubleshootDatabase.releasecCs�d}|j�
|
�
}td
t|�
d�dd�|D�
�
f�

t|�
dkrHtt�
�
t|�
dkrxtd
t|�
d�dd�|D�
�
f�

|dj}|S)Nz1lookup_signature: found %d matches with scores %s�
,c
Ssg|]}
d|
j�qS�
z%.2f�
Zscorer;rrrr=�
rz;SETroubleshootDatabase.lookup_signature.<locals>.<listcomp>r
r�c
Ssg|]}
d|
j�qSr�r�r;rrrr=�
r)r�Zmatch_signaturesrEr6r>r�r�rl)r!rMrl�matchesrrrr~�
s

$



$


z'SETroubleshootDatabase.lookup_signaturecCs2|j�
|
�
}|dur.td
|
�

ttd|
��
|S)Nzlookup_local_id: %s not foundzid (%s) not found)r��lookup_local_idrEr�ZERR_SIGNATURE_ID_NOT_FOUND)r!rUrlrrrr��
s





z&SETroubleshootDatabase.lookup_local_idcCs.|j�
|
�
}
|jr"|j�d
|
j�
|��
|
S)N�add)r�r�r��signatures_updatedrUr�r�rrrr��
s





z"SETroubleshootDatabase.add_siginfoc


Cs|jSr)
r�r'rrr�get_properties�
s
z%SETroubleshootDatabase.get_propertiescCs8td
|
�

|
dkr|j
St�}|�|
�
}|�|�

|S)Nzquery_alerts: criteria=%sr)rEr�r�r�r�)r!Zcriteriar�rlrrr�query_alerts�
s






z#SETroubleshootDatabase.query_alertsc
Cs�td
|
�

z|�
|
�
}WnFty`
}
z.|jtkrJtd�

WYd}~dS�WYd}~n
d}~00|j�|�

|jr�|j�d|j	�
|�
|�

dS)Nzdelete_signature: sig=%s�Signature not found!�delete)rEr~r�r�r�r�Zremove_siginfor�r�rUr�)r!rMr�rlrorrrr��
s









z'SETroubleshootDatabase.delete_signaturecCs"|jr|j�
d
|
j�
|��
dS)NZmodify)r�r�rUr�r�rrrr�
s


z%SETroubleshootDatabase.modify_siginfoc
Csttd
||
f�

z|�
|
�
}WnFtyd
}
z.|jtkrNtd�

WYd}~dS�WYd}~n
d}~00|�|�
}|S)Nz)evaluate_alert_filter: username=%s sig=%sr��ignore)rEr~r�r�r�Zevaluate_filter_for_user)r!rM�usernamerlro�actionrrr�evaluate_alert_filter�
s








z,SETroubleshootDatabase.evaluate_alert_filterc
Cs�td
||||
f�

z|�
|
�
}WnFtyh
}
z.|jtkrRtd�

WYd}~dS�WYd}~n
d}~00|�|�
}|�||�
|�|�

dS)Nz2set_user_data: username=%s item=%s data=%s sig=
%sr�)rEr~r�r�r�Z
get_user_dataZupdate_itemr)r!rMr��item�datarlroZ	user_datarrr�
set_user_data�
s









z$SETroubleshootDatabase.set_user_data�c
Cs�td
|||
f�

z|�
|
�
}WnFtyf
}
z.|jtkrPtd�

WYd}~dS�WYd}~n
d}~00|�|||�
|�|�

dS)Nz.set_filter: username=%s filter_type=%s sig=
%sr�)rEr~r�r�r�Zupdate_user_filterr)r!rMr�Zfilter_typer�rlrorrr�
set_filter�
s







z!SETroubleshootDatabase.set_filtercCs|jj
�|
�
|_|��
dSr)r��users�add_user�userr��r!r�rrrr�s

zSETroubleshootDatabase.add_usercCs|jj
�|
�
Sr)r�r��get_userr�rrrr�s
zSETroubleshootDatabase.get_user)
N)
F)
F)
F)
r�)r,r-r.r#r�r�r�r�r�r�r�rir�r�r~r�r�r�r�r�rr�r�r�r�r�rrrrr
s.
!



rc@s^eZ
dZejjd
ejejffejjd
ejejejffd�Z	dd�Z
dd�Zdd�Zd	d
�Z
d
S)rN)r�zasync-errorcCs,tj�
|�

t�
|�

|
|_|j�|�

dSr)r
r#�	RpcManager|r�r}rrrr#s




z$SETroubleshootDatabaseLocal.__init__cCs|j�
|
�

dSr)r|r�r�rrrr�$s
z&SETroubleshootDatabaseLocal.set_notifyc
Gs�td
|j
j|jd�dd�|D�
�
|
f�

|j|
}t|j|jd�}|durdtt	d|j|j
jf��
z(||�|_
d|_|j
du
r�|j
g
|_
Wn8ty�
}
z |j|j
g|_
d|_WYd}~n
d}~00|j
du
r�t�|j|�
dS)Nz%s emit %s(%s) id=%sr�c
Ssg|]}
t|
�
�qSrr9)r<�argrrrr=(rz8SETroubleshootDatabaseLocal.emit_rpc.<locals>.<listcomp>z'method %s not found in base class of %sZ
method_returnZerror_return)rEr�r,�methodr>Zasync_rpc_cache�getattrr|r�ZERR_METHOD_NOT_FOUNDZreturn_argsZreturn_typer��strerrorr
�idle_addZprocess_async_return)r!Zrpc_id�typeZrpc_def�argsZ	async_rpc�funcrorrr�emit_rpc's"
*





�










z$SETroubleshootDatabaseLocal.emit_rpccCs"td
|
|f�

|�
d|
|�
dS)Nz4signatures_updated() database local: type=%s item=%sr�)rE�emit)r!r�r�rrrr�:s

z.SETroubleshootDatabaseLocal.signatures_updated)r,r-r.r
�SignalFlags�RUN_LAST�
TYPE_PYOBJECTZTYPE_STRINGZTYPE_INT�__gsignals__r#r�r�r�rrrrrs�rc@sneZ
dZejjd
ejf
fejjd
ejf
fd�Zddd�
Z	ddd�
Z
dd�Zd	d
�Zdd�Z
d
d�Zdd�Zd
S)r	N)�progress�
state-changedcCsftj�
|�

td
|jj|
f�

|
|_d|_d|_d|_d|_	d|_
d|_d|_d|_
d|_d|_dS)Nz%s.__init__(%s)�)r
r#rEr�r,�logfile_pathrX�fileno�	read_size�
record_reader�record_receiver�analyzerrk�idle_proc_idr�r�)r!r�rrrr#Ks







zLogfileAnalyzer.__init__c
CsV
|
du
r|
|_t
d
|jj|jf�

z2t�|j�
}|t|_t|j�
|_	|j	�
�|_
WnTty�
}
z<t�tj
d|jj|jf�
|j|_|j|_|�
WYd}~n
d}~00d|_d|_d|_d|_d|_|�d|j�
tj�|j�
}dtj�|�
d|_td||jd�|_ttj�
|_t�|_ t!�|_"t#d	d
t$��
sFt%|j�
|_&nt'|j�
|_&dS)Nz%s.open(%s)z
%s.open(): %sr
gFr�zfile: %s)
r��testr]T)(r�rEr�r,r�r�r��	file_size�openrXr��EnvironmentErrorrdrer�r��n_bytes_readZ
line_count�record_countr��	cancelledr�r��basename�splitextr�rr|ZAuditRecordReaderZTEXT_FORMATr�ZAuditRecordReceiverr�rr�r�boolrrkr)r!r�r�roZlogfile_basenamerrrr�_s:
























zLogfileAnalyzer.openc

s6td
|j
j|jf�

|���t��f
dd��
|_dS)Nz
%s.run(%s)cst��
Sr)
�nextr�
Ztask_generatorrrr�rz%LogfileAnalyzer.run.<locals>.<lambda>T)rEr�r,rX�taskrr�r�r'rr�rr{�s



zLogfileAnalyzer.runc
Cs�|jdu
r&t
�|j|j�}
d|_d|_|j|jkrdd
dl}d|j|j|jf}t	|�

|j
|_||_|jdu
r�|j�
�D]}|�|�

qx|js�|�dd�
dS)Nr
zFfailed to read complete file, %d bytes read out of total %d bytes (%s)r�g�?)rXr��readr�r�r�r�r�r�rEZEIOr�r��close�avc_event_handlerr�r�)r!�new_dataZErrnor�rOrrrr��s"






�




zLogfileAnalyzer.closec

csr
|�d
d�
|j
�
r\z8t�|j
|j��d�
}
|
dkrJtd|j�

|��
Wn�t	y�
}
z6|j
|_
|j|_|��
|�d
d�
dV
WYd}~n<d}~0ty�
}
zt
d|tjd	�
WYd}~n
d}~00|jt|
�
7_|jd
k�
rt|j�
t|j�
|_|�d|j�
|j�|
�
D]6\}}}}}|�|||||�
dV
|j�
rdV
�
qdV
q|�d
d�
dV
dS)
Nr�Zrunningzutf-8r�z	EOF on %s�stoppedFr8rWr
r�T)r�r�r�r�r��decoderEr�r�r�r�r��
ValueErrorrarbrcr�r6r��floatr�r��feed�new_audit_record_handlerr�)r!r�ro�record_type�event_id�	body_text�fields�line_numberrrrr��s6














&










zLogfileAnalyzer.taskcCsNtd
|
�

|
�
�rJ|
��sJ|
��dkrJt|
�
}|D]}|j�||j�
q4dS)Nz"avc_event_handler() audit_event=%sr
)rEZis_avcZ
is_grantedZnum_recordsZcompute_avcsr�rprk)r!rOZavcsrLrrrr��s





z!LogfileAnalyzer.avc_event_handlerc	Cs�td
|
||f�

|j
d7_
t|
||||�}|j�|�
D]F}z|�|�

Wq<ty�
}
zt|tj	d�
WYd}~q<d}~00q<dS)z"called to enter a new audit recordzBnew_audit_record_handler() record_type=%s event_id=%s body_text=%sr�rWN)
rEr�ZAuditRecordr�r
r�r�rarbrc)	r!r
r
r
r
r
Zaudit_recordrOrorrrr

�s




z(LogfileAnalyzer.new_audit_record_handler)
N)
N)r,r-r.r
r�r�Z
TYPE_FLOATr�r�r#r�r{r�r�r�r

rrrrr	Cs�

$r	)+Z
__future__r�__all__rdZ
gi.repositoryr
rr�rwr&rrrgr�rb�	functoolsr
Zsetroubleshoot.configrZsetroubleshoot.avc_auditZsetroubleshoot.errcodeZsetroubleshoot.rpcZsetroubleshoot.rpc_interfacesZsetroubleshoot.signatureZsetroubleshoot.utilZsetroubleshoot.audit_dataZsetroubleshoot.xml_serializerr��objectrr/rrsrrrrr�ZSETroubleshootDatabaseInterfaceZ%SETroubleshootDatabaseNotifyInterfacerZ
type_registerr	rrrr�<module>sL	
















()Qx


�,