#!/usr/bin/env python
#coding:UTF-8
import hashlib
import os
import re
import subprocess
import time

from pyinotify import (IN_CREATE, IN_DELETE, IN_MODIFY, Notifier, ProcessEvent,
                       PyinotifyError, WatchManager, WatchManagerError)

import base
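class CheckLogin(object):
    """Follow the auth log and warn about accepted logins from unexpected addresses.

    The log is read incrementally: the constructor seeks to the current end of
    the file so only lines appended after start-up are examined, and each
    ``check()`` call consumes whatever has been appended since the previous
    call.  A shrink in file size is treated as rotation/truncation and the
    file is reopened from offset 0.

    Args:
        access_ip_list: container of IPv4 address strings that are expected to
            log in; any other address found on an "Accepted" line is reported.
        log_path: auth log to follow (default ``/var/log/secure``).
        window_sec: only "Accepted" lines whose timestamp is younger than this
            many seconds are reported (default 10), so stale lines re-read
            after a reopen do not raise alarms.
    """

    # Four dotted groups of 1-3 digits.  The former '\d{0,3}' pattern also
    # matched fragments such as "..." and produced warnings for non-addresses.
    IP_PATTERN = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')

    def __init__(self, access_ip_list, log_path='/var/log/secure', window_sec=10):
        self.access_ip_list = access_ip_list
        self.pattern = self.IP_PATTERN
        self.log_path = log_path
        self.window_sec = window_sec
        self.f = None
        self.f_pos = 0
        if os.path.exists(log_path):
            self._open_log(seek_to_end=True)
        else:
            # check() keeps trying to open the file once it appears.
            base.MQ.put("%s [ERROR] 系统日志文件:%s 丢失!" % (base.TIME(), log_path))

    def _open_log(self, seek_to_end):
        """(Re)open the log, positioned at its end or at offset 0."""
        self.close()
        self.f = open(self.log_path)
        if seek_to_end:
            self.f.seek(0, os.SEEK_END)
        self.f_pos = self.f.tell()

    @staticmethod
    def _record_time(record, now):
        """Parse the syslog "Mon DD HH:MM:SS" prefix of *record* into epoch seconds.

        Syslog lines carry no year, so the year of *now* is assumed; a line
        written just before New Year and read just after it therefore parses
        about a year too old and is simply treated as stale.  Returns None for
        lines without a parseable timestamp instead of aborting the whole batch.
        """
        stamp = "%s%s" % (record[:16], time.strftime('%Y', time.localtime(now)))
        try:
            return time.mktime(time.strptime(stamp, "%b %d %H:%M:%S %Y"))
        except ValueError:
            return None

    def check(self):
        """Read newly appended lines and report unexpected accepted logins.

        Side effects: pushes DEBUG/WARNING/ERROR lines to ``base.MQ`` and, when
        unexpected logins are found, writes a summary into
        ``base.ALARM_DICT['sec'][0]``.  Errors are logged rather than raised so
        the caller's polling loop keeps running.
        """
        unexpected = []
        try:
            if self.f is None:
                # Log was missing at start-up; pick it up as soon as it exists.
                if not os.path.exists(self.log_path):
                    return
                self._open_log(seek_to_end=False)
            size = os.path.getsize(self.log_path)
            if size < self.f_pos:
                # File shrank: rotated or truncated.  Reopen and read the new
                # file right away instead of waiting for the next cycle.
                self._open_log(seek_to_end=False)
            records = self.f.readlines()
            if not records:
                return
            self.f_pos = os.path.getsize(self.log_path)
            now = time.time()
            for record in records:
                if 'Accepted' not in record:
                    continue
                base.MQ.put("%s [DEBUG] CheckLogin Accepted记录:%s" % (base.TIME(), record))
                logged_at = self._record_time(record, now)
                if logged_at is None or (now - logged_at) >= self.window_sec:
                    continue
                for ip in self.pattern.findall(record):
                    if ip not in self.access_ip_list:
                        base.MQ.put("%s [WARNING] IP:%s login!" % (base.TIME(), ip))
                        unexpected.append(ip)
            if unexpected:
                base.ALARM_DICT['sec'][0] = "IP:%s异常登陆!" % ','.join(unexpected)
        except Exception as e:
            base.MQ.put("%s [ERROR] 读取日志文件:%s 出错!%s" % (base.TIME(), self.log_path, e))

    def close(self):
        """Close the log file handle, if one is open."""
        if self.f:
            self.f.close()
            self.f = None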
#定义事件处理器
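class FSMonitor(ProcessEvent):
    """pyinotify handler that reports modify/delete events under the watched paths.

    Editor and prelink scratch files are ignored so routine editing does not
    raise a false alarm; every other IN_MODIFY / IN_DELETE event is pushed to
    ``base.MQ`` and counted in ``base.ALARM_DICT['sec'][1]``.
    """

    # Swap files written by vi/vim (.swp/.swx/.swpx/.swo) and "~" backup
    # copies are transient and not worth reporting.
    _SCRATCH_SUFFIXES = ('.swp', '.swx', '.swpx', '~', '.swo')

    @classmethod
    def _is_scratch(cls, name):
        """Return True for editor swap/backup files and prelink temporaries."""
        return name.endswith(cls._SCRATCH_SUFFIXES) or 'prelink' in name

    def process_default(self, event):
        # event.name may be empty/None for events on the watched directory
        # itself; guard so the suffix test does not raise.
        if self._is_scratch(event.name or ''):
            return
        # NOTE(review): maskname for directory events is reported as e.g.
        # 'IN_DELETE|IN_ISDIR', which the exact comparisons below do not
        # match, so directory removals are not reported — confirm intended.
        if event.maskname == 'IN_MODIFY':
            base.MQ.put('%s [WARNING] %s Modified! EVENT NAME:%s' % (base.TIME(), event.pathname, event.name))
            base.ALARM_DICT['sec'][1] += 1
        elif event.maskname == 'IN_DELETE':
            base.MQ.put('%s [WARNING] %s Deleted!' % (base.TIME(), event.pathname))
            base.ALARM_DICT['sec'][1] += 1

    def process_IN_MODIFY(self, event):
        self.process_default(event)

    def process_IN_DELETE(self, event):
        self.process_default(event)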
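class CheckHash(object):
    """Detect changes to a fixed set of files and to the live iptables rule set.

    Baseline MD5 digests are taken at construction time; ``check()`` recomputes
    them and returns the names whose digest changed, replacing the stored
    baseline so that each change is reported only once.

    Args:
        fs: iterable of file paths to watch.
    """

    def __init__(self, fs):
        # Baseline digest per watched path (None when the file is unreadable).
        self.hash = {}
        for f in fs:
            if f not in self.hash:
                self.hash[f] = self.hash_file(f)
        self.iptables = self.hash_iptables()

    def hash_iptables(self):
        """Return the MD5 hex digest of the current ``iptables -nL`` output.

        Runs iptables directly (no shell) and hashes its stdout in-process,
        which yields the same digest as the former ``iptables -nL|md5sum``
        pipeline.  Returns None, and reports the failure to ``base.MQ``, when
        iptables cannot be executed or exits non-zero; the old pipeline
        silently hashed an empty output in that case and the rule set was
        effectively never monitored.
        """
        try:
            proc = subprocess.Popen(['iptables', '-nL'],
                                    stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            out, err = proc.communicate()
        except OSError as e:
            base.MQ.put("%s [ERROR] iptables -nL failed:%s" % (base.TIME(), e))
            return None
        if proc.returncode != 0:
            base.MQ.put("%s [ERROR] iptables -nL exited %s:%s" % (base.TIME(), proc.returncode, err.strip()))
            return None
        return hashlib.md5(out).hexdigest()

    def hash_file(self, f):
        """Return the MD5 hex digest of *f*'s bytes, or None if it cannot be read."""
        if not os.path.exists(f):
            base.MQ.put("%s [ERROR] 监控文件不存在:%s" % (base.TIME(), f))
            return None
        digest = hashlib.md5()
        try:
            # Binary mode: the digest must cover the raw bytes, and text-mode
            # reads would break on non-UTF-8 content under Python 3.
            with open(f, 'rb') as fh:
                for chunk in iter(lambda: fh.read(65536), b''):
                    digest.update(chunk)
        except (IOError, OSError) as e:
            base.MQ.put("%s [ERROR] 监控文件不存在:%s %s" % (base.TIME(), f, e))
            return None
        return digest.hexdigest()

    def check(self):
        """Re-hash every watched item and return the names whose digest changed.

        The iptables rule set is reported under the name ``'iptables'``.  The
        stored baselines are updated so a change is reported once.
        """
        changed = []
        for path in list(self.hash):
            current = self.hash_file(path)
            if current != self.hash[path]:
                changed.append(path)
                self.hash[path] = current
        current = self.hash_iptables()
        if current != self.iptables:
            changed.append('iptables')
            self.iptables = current
        return changed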
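def main():
    """Watch system directories with inotify and sweep file/iptables digests each cycle."""
    # Events to subscribe to.
    mask = IN_MODIFY | IN_DELETE
    path = ['/etc', '/usr/local/sbin', '/usr/local/bin', '/sbin', '/bin', '/usr/sbin', '/usr/bin']
    m_file = ['/root/.bash_profile', '/root/.bash_logout', '/root/.bashrc']
    # Watch manager instance.  NOTE(review): rec is not set, so only the top
    # level of each directory is watched; subdirectories of /etc are not
    # covered — confirm intended.
    wm = WatchManager()
    for watched, wd in wm.add_watch(path, mask).items():
        # pyinotify returns a negative descriptor for a path it could not watch.
        if wd < 0:
            print('failed to watch %s' % watched)
    # Event notifier driving FSMonitor.
    notifier = Notifier(wm, FSMonitor())
    print('start monitoring %s with mask 0x%08x' % (path, mask))
    checkhash = CheckHash(m_file)
    try:
        while True:
            try:
                notifier.process_events()
                # Block up to 60 s for inotify activity, then run the digest
                # sweep so file and iptables changes are caught at least
                # once a minute even without inotify events.
                if notifier.check_events(60000):
                    notifier.read_events()
                for name in checkhash.check():
                    print('%s modified!' % name)
            except KeyboardInterrupt:
                print('stop monitoring...')
                break
            except Exception as err:
                # Keep the monitor alive; report and continue with the next cycle.
                print(err)
    finally:
        notifier.stop()


if __name__ == '__main__':
    main()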