in kif.py [0:0]
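def _rule_applies_to_host(rule):
    """Return False when a host_must_match / host_must_not_match directive excludes this host.

    Both directives are regular expressions applied with re.match (anchored at
    the start of the string) to the module-level hostname ME.
    """
    if 'host_must_match' in rule and not re.match(rule['host_must_match'], ME):
        return False
    if 'host_must_not_match' in rule and re.match(rule['host_must_not_match'], ME):
        return False
    return True


def _read_ignored_pid(rule):
    """Return the PID stored in the rule's ignorepidfile, or None when unset/unreadable.

    The file is read once per rule rather than once per scanned process, and it
    is closed deterministically.  Any failure (missing file, non-numeric content)
    is reported and treated as "nothing to ignore", keeping the original
    best-effort behaviour.
    """
    if 'ignorepidfile' not in rule:
        return None
    try:
        with open(rule['ignorepidfile']) as pidfile:
            return int(pidfile.read())
    except Exception as err:
        print(err)
        return None


def _is_ignored(rule, xpid, cmdline, cmdstring, ignored_pid):
    """Return True if one of the rule's ignore directives excludes this process.

    Directives:
      ignore        - exact match; a str is compared with the joined command
                      line, a list with the argv list.  Any other type is a
                      configuration error and excludes the process (this is what
                      the uid branch of the original did).
      ignorepidfile - the PID read from that file (passed in as ignored_pid).
      ignorematch   - substring match on the joined command line; a str or a
                      list of str.
    """
    if 'ignore' in rule:
        ignore = rule['ignore']
        if isinstance(ignore, str):
            if cmdstring == ignore:
                return True
        elif isinstance(ignore, list):
            if cmdline == ignore:
                return True
        else:
            return True
    if ignored_pid is not None and ignored_pid == xpid:
        return True
    ignm = rule.get('ignorematch')
    if isinstance(ignm, str):
        return ignm in cmdstring
    if isinstance(ignm, list):
        return any(line in cmdstring for line in ignm)
    return False


def _matching_pids(rule, procs):
    """Return the PIDs in *procs* selected by the rule's procid / uid directives.

    procid: a str is a substring match on the joined command line, a list an
            exact argv match.  When uid is also set, only matches owned by that
            uid are kept.
    uid:    without procid, every process owned by that uid.
    Processes hit by an ignore directive (see _is_ignored) are dropped.

    Note: the original ran the uid-only scan even when procid was present,
    which re-added every process of that uid (duplicating the procid matches
    and defeating the uid filter in the procid branch); uid is now only a
    stand-alone selector when procid is absent.
    """
    ignored_pid = _read_ignored_pid(rule)
    pids = []
    if 'procid' in rule:
        procid = rule['procid']
        for xpid, cmdline in procs.items():
            cmdstring = " ".join(cmdline)
            if isinstance(procid, str):
                matched = procid in cmdstring
            elif isinstance(procid, list):
                matched = cmdline == procid
            else:
                matched = False
            if not matched:
                continue
            # uid narrows a procid match; it does not widen it.
            if 'uid' in rule and getuser(xpid) != rule['uid']:
                continue
            if not _is_ignored(rule, xpid, cmdline, cmdstring, ignored_pid):
                pids.append(xpid)
    elif 'uid' in rule:
        for xpid, cmdline in procs.items():
            if getuser(xpid) != rule['uid']:
                continue
            cmdstring = " ".join(cmdline)
            if not _is_ignored(rule, xpid, cmdline, cmdstring, ignored_pid):
                pids.append(xpid)
    return pids


def _build_action(rule, trigger, kill_pids):
    """Build the action record for a fired trigger.

    kill_pids are the PIDs to signal when the rule has kill: true; the signal is
    int(killwith) when given, else 9.  'pids' stays empty, as in the original
    record layout.
    """
    action = {
        'pids': [],
        'trigger': trigger,
        'runlist': [],
        'notify': rule.get('notify', None),
        'kills': {},
    }
    if rule.get('runlist'):
        action['runlist'] = rule['runlist']
    # `== True` (not `is True`) keeps the original's acceptance of 1 as well as True.
    if rule.get('kill') == True:  # noqa: E712
        sig = int(rule['killwith']) if 'killwith' in rule else 9
        for pid in kill_pids:
            action['kills'][pid] = sig
    return action


def scan_for_triggers(config):
    """Evaluate every rule in config['rules'] against the currently running processes.

    Returns a list of action dicts ({'pids', 'trigger', 'runlist', 'notify',
    'kills'}): one per matching PID whose triggers fire, or a single action for
    the whole match set when the rule has combine: true.  A rule that does not
    apply to this host, or matches no process, contributes nothing.
    """
    procs = getprocs()  # all current processes: pid -> argv list
    actions = []
    for rule_id, rule in config['rules'].items():
        if not _rule_applies_to_host(rule):
            continue
        pids = _matching_pids(rule, procs)
        if not pids:
            continue
        combine = rule.get('combine') == True  # noqa: E712 -- same truth test as the original
        analysis = ProcessInfo()  # no pid: accumulator used in combine mode
        for pid in pids:
            try:
                info = ProcessInfo(pid)
                if combine:
                    analysis.accumulate(info)
                    continue
                err = checkTriggers(rule_id, info, rule['triggers'])
                if err:
                    actions.append(_build_action(rule, err, [pid]))
            except Exception:
                # Narrowed from a bare `except:` so Ctrl-C / SystemExit still
                # stop the scan; a vanished or unreadable process is skipped.
                print(f"Could not analyze proc {pid}, bailing!")
                continue
        if combine:
            # Combined trigger test over the accumulated data (outside the
            # per-pid try, as in the original).
            err = checkTriggers(rule_id, analysis, rule['triggers'])
            if err:
                actions.append(_build_action(rule, err, pids))
    return actions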