sayoder · June 3, 2014 18:09
diff --git a/gistfile1.py b/gistfile1.py
 #!/usr/bin/env python3
 '''
 log_session_file_lifespan.py

 Every second, get the contents of the /tmp/ directory. Files starting with sess_
 will be tracked, and their lifespan and information will be dumped to a logfile
 when they are deleted.
 '''

 import os
 import sys
 import subprocess
 import time
 from datetime import datetime as dt

 '''
 Returns: [(filename::str, file_age::int)] representing PHP session files in /tmp
 and their lifetimes, which will be initially set to 0.
 '''
 def get_sess_files():
    return [(i,0) for i in list(filter(lambda item: item[:5] == "sess_",
                                       os.listdir("/tmp")) )]

 '''
 Will be given a list of tuples: [(filename::str, file_age::int)] (file ages
 are approximate and incorrect if the sessions were there when the script was
 executed. Each tuple represents a PHP session file that existed in the /tmp
 directory 1 second ago.

 Returns: ([(filename::str, file_age::int)], [(filename::str, file_age::int)])
 where the first list represents all of the files currently in the /tmp
 directory, and the second list represents the files that were not there 1 second
 ago.
 '''
 def generate_newlist(oldlist):
    newlist = get_sess_files()
    to_return = []
    new_files = []
    #This is such an inefficient way to do this. TODO use set logic later
    oldlist_names = [i for (i,j) in oldlist]
    for (i,j) in newlist:
        try:
            old_item = oldlist_names.index(i)
            to_return.append((i,oldlist[old_item][1]+1))
        except ValueError:
            to_return.append((i,j))
            new_files.append((i,j))

    return (to_return, new_files)

 '''
 Will be given newlist and oldlist, each of which are a list of tuples describing
 files in the /tmp directory as in the above function. newlist represents the
 current contents of the directory, while oldlist represents the contents of the
 directory 1 second ago.

 Returns: A list of file tuples describing files that have been deleted between
 the last second and this second.
 '''
 def get_deleted_files(newlist, oldlist):
    to_return = []
    for i in oldlist:
        if i[0] not in [i for(i,j) in newlist]:
            to_return.append(i)

    return to_return

 '''
 Will be given a list of file tuples as in the above functions.

 Returns: nothing, but will ask auditd to keep track of all of the files in the
 list.
 '''
 def audit_files(ls):
    for f in ls:
        (stdout,stderr) = subprocess.Popen(["auditctl", "-w", "/tmp/" + f[0], "-p", "wxra", "-k", f[0]], stdout=subprocess.PIPE).communicate()


 '''
 Will be given a list of file tuples describing PHP session files that have been
 deleted from the /tmp directory.

 Returns: Nothing, but will log timestamp, file lifetime, and auditing info to a
 file. Audit info will display who deleted the file and with what syscall.
 '''
 def log_to_file(deleted_files):
        if(len(deleted_files) > 0):
            with open('/var/log/session_lifetime', 'a+') as f:
                for info in deleted_files:
                    p1 = subprocess.Popen(["ausearch", "-f", info[0]], 
                                            stdout=subprocess.PIPE)
                    p2 = subprocess.Popen(["grep","type=SYSCALL"], 
                                            stdin=p1.stdout, 
                                            stdout=subprocess.PIPE)
                    (stdout,stderr) = p2.communicate()
                    #Janky way to indent lines
                    audit_info = map(lambda x: "\n     " + x, 
                                stdout.decode(sys.stdout.encoding).split('\n'))

                    cur_time = dt.fromtimestamp(time.time()).strftime('%Y-%m-%d %H:%M:%S')
                    f.write("\n");
                    f.write("%s: Session %s lived for %s seconds." % 
                                (cur_time,info[0], str(info[1])))
                    f.write('\n     Auditing the file revealed the following:')
                    for line in audit_info:
                        f.write(line)

 def main():
    oldlist = get_sess_files()
    audit_files(oldlist)

    while True:
        time.sleep(1)
        (newlist,new_files) = generate_newlist(oldlist)
        deleted_files = get_deleted_files(newlist, oldlist)
        audit_files(new_files)
        
        log_to_file(deleted_files)


        oldlist = newlist

 main()
	#!/usr/bin/env python3
	'''
	log_session_file_lifespan.py

	Every second, get the contents of the /tmp/ directory. Files starting with sess_
	will be tracked, and their lifespan and information will be dumped to a logfile
	when they are deleted.
	'''

	import os
	import sys
	import subprocess
	import time
	from datetime import datetime as dt

	'''
	Returns: [(filename::str, file_age::int)] representing PHP session files in /tmp
	and their lifetimes, which will be initially set to 0.
	'''
	def get_sess_files():
	return [(i,0) for i in list(filter(lambda item: item[:5] == "sess_",
	os.listdir("/tmp")) )]

	'''
	Will be given a list of tuples: [(filename::str, file_age::int)] (file ages
	are approximate and incorrect if the sessions were there when the script was
	executed. Each tuple represents a PHP session file that existed in the /tmp
	directory 1 second ago.

	Returns: ([(filename::str, file_age::int)], [(filename::str, file_age::int)])
	where the first list represents all of the files currently in the /tmp
	directory, and the second list represents the files that were not there 1 second
	ago.
	'''
	def generate_newlist(oldlist):
	newlist = get_sess_files()
	to_return = []
	new_files = []
	#This is such an inefficient way to do this. TODO use set logic later
	oldlist_names = [i for (i,j) in oldlist]
	for (i,j) in newlist:
	try:
	old_item = oldlist_names.index(i)
	to_return.append((i,oldlist[old_item][1]+1))
	except ValueError:
	to_return.append((i,j))
	new_files.append((i,j))

	return (to_return, new_files)

	'''
	Will be given newlist and oldlist, each of which are a list of tuples describing
	files in the /tmp directory as in the above function. newlist represents the
	current contents of the directory, while oldlist represents the contents of the
	directory 1 second ago.

	Returns: A list of file tuples describing files that have been deleted between
	the last second and this second.
	'''
	def get_deleted_files(newlist, oldlist):
	to_return = []
	for i in oldlist:
	if i[0] not in [i for(i,j) in newlist]:
	to_return.append(i)

	return to_return

	'''
	Will be given a list of file tuples as in the above functions.

	Returns: nothing, but will ask auditd to keep track of all of the files in the
	list.
	'''
	def audit_files(ls):
	for f in ls:
	(stdout,stderr) = subprocess.Popen(["auditctl", "-w", "/tmp/" + f[0], "-p", "wxra", "-k", f[0]], stdout=subprocess.PIPE).communicate()


	'''
	Will be given a list of file tuples describing PHP session files that have been
	deleted from the /tmp directory.

	Returns: Nothing, but will log timestamp, file lifetime, and auditing info to a
	file. Audit info will display who deleted the file and with what syscall.
	'''
	def log_to_file(deleted_files):
	if(len(deleted_files) > 0):
	with open('/var/log/session_lifetime', 'a+') as f:
	for info in deleted_files:
	p1 = subprocess.Popen(["ausearch", "-f", info[0]],
	stdout=subprocess.PIPE)
	p2 = subprocess.Popen(["grep","type=SYSCALL"],
	stdin=p1.stdout,
	stdout=subprocess.PIPE)
	(stdout,stderr) = p2.communicate()
	#Janky way to indent lines
	audit_info = map(lambda x: "\n " + x,
	stdout.decode(sys.stdout.encoding).split('\n'))

	cur_time = dt.fromtimestamp(time.time()).strftime('%Y-%m-%d %H:%M:%S')
	f.write("\n");
	f.write("%s: Session %s lived for %s seconds." %
	(cur_time,info[0], str(info[1])))
	f.write('\n Auditing the file revealed the following:')
	for line in audit_info:
	f.write(line)

	def main():
	oldlist = get_sess_files()
	audit_files(oldlist)

	while True:
	time.sleep(1)
	(newlist,new_files) = generate_newlist(oldlist)
	deleted_files = get_deleted_files(newlist, oldlist)
	audit_files(new_files)

	log_to_file(deleted_files)


	oldlist = newlist

	main()