Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- require 'yaml'
- require 'ostruct'
- require 'time'
- require 'date'
- db = []
- log = File.new("selinux-avc.txt", "r")
- selinux_avc_types = {}
- selinux_avc_types[/audit\((.+?)\): avc: denied \{ (.+?) \} for pid=(.+?) comm="(.+?)" name="(.+?)" dev=(.+?) ino=(.+?) scontext=(.+?) tcontext=(.+?) tclass=(.*)/] =
- [:timestamp, :permision, :pid, :comm, :name, :device, :inode, :scontext, :tcontext, :tclass]
- selinux_avc_types[/audit\((.+?)\): avc: denied \{ (.+?) \} for pid=(.+?) comm="(.+?)" capability=(.+?) scontext=(.+?) tcontext=(.+?) tclass=(.*)/] =
- [:timestamp, :permision, :pid, :comm, :capability, :scontext, :tcontext, :tclass]
- selinux_avc_types[/audit\((.+?)\): avc: denied \{ (.+?) \} for pid=(.+?) comm="(.+?)" saddr=(.+) src=(.+?) daddr=(.+?) dest=(.+?) netif=(.+?) scontext=(.+?) tcontext=(.+?) tclass=(.*)/] =
- [:timestamp, :permision, :pid, :comm, :saddr, :src, :daddr, :dest, :netif, :scontext, :tcontext, :tclass]
- selinux_avc_types[/audit\((.*)\): avc: denied \{ (.+?) \} for pid=(.+?) exe=(.+?) path=(.+?) dev=(.+?) ino=(.+?) scontext=(.+?) tcontext=(.+?) tclass=(.+?)/] =
- [:timestamp, :permision, :pid, :exe, :path, :device, :inode, :scontext, :tcontext, :tclass]
- log.each_line do |line|
- line = line.strip # remove \r\n stuff and spaces at start/end
- catch(:found) do #speed it a bit up when we found something
- selinux_avc_types.each do |regexp, mask|
- unless (temp = line.scan(regexp).flatten).empty?
- s = OpenStruct.new(Hash[*mask.zip(temp).flatten])
- s.timestamp = Time.at(s.timestamp.to_i)
- s.pid = s.pid.to_i
- s.inode = s.inode.to_i
- db << s
- throw :found
- end
- end
- end
- end
Add Comment
Please, Sign In to add comment
