10 security_logfile = '/var/log/auth.log'
16 def Error (msg = '', errno = 0):
17 sys.stderr.write ('Error: ' + msg)
22 def Verbose (msg, linefeed = True):
36 Usage: bice.py [-u|sage] [-v|erbose] [-d|ebug] [-nou|pdate] [-nom|ail]
37 [-f|ilename <filename> ]
40 -u|sage Print this usage
41 -v|erbose: Verbose mode (Default: -verbose)
42 -nou|pdate: Don't update security logfile file (Default: -update)
43 -nom|ail: Don't send emails (Default: -mail)
44 -f|ilename: Open alternate messages file (Default: /var/log/auth.log)
49 def processLogfile (logfile):
53 readlog = open (logfile)
55 fcntl.flock (readlog, fcntl.LOCK_EX)
57 Error ("Unable to get exclusive access to " + logfile + " - $!", 1)
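# Patterns for the three failed-login lines this report counts.  Group 1 is
# the syslog timestamp (three whitespace-separated fields), group 2 the user
# name that was tried, group 3 the remote host.  Raw strings so every
# backslash escape reaches the regex engine untouched.
invalid_user = re.compile (r"^(\S+\s+\S+\s+\S+)\s+.*Invalid user (\w+) from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
authentication_failure = re.compile (r"^(\S+\s+\S+\s+\S+)\s+.*authentication failure.*ruser=(\S+).*rhost=(\S+)")
# The last two octets were written as "d{1,3}" (missing backslash), so this
# pattern could never match a real "Failed password for ... from a.b.c.d"
# line and password brute-force attempts against existing accounts were
# silently dropped from the report.  Now "\d{1,3}" like the first two octets.
failed_password = re.compile (r"^(\S+\s+\S+\s+\S+)\s+.*Failed password for (\w+) from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
# NOTE(review): the user name in these lines is attacker-chosen and only the
# text after it is matched as "from <ip>".  If the daemon logs the name
# unquoted, a login attempt with user "x from 1.2.3.4" would be attributed
# to 1.2.3.4 instead of the real source -- confirm how the logging daemon
# escapes user names before trusting the IP column for automated blocking.
# Also note "(\w+)" does not match user names containing "-" or ".", so
# those attempts are not counted at all.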
63 for newline in readlog:
65 newline = newline.strip ()
71 for (timestamp, user, ip) in invalid_user.findall (newline):
74 for (timestamp, user, ip) in authentication_failure.findall (newline):
77 for (timestamp, user, ip) in failed_password.findall (newline):
83 if (ip in violations):
84 violation = violations[ip]
86 if (user in violation):
87 violation[user].append (timestamp)
90 violation[user].append (timestamp)
92 violations[ip] = violation
96 def ReportBreakins (logfile):
97 violations = processLogfile (logfile)
99 nbrViolations = len (violations)
101 if (nbrViolations == 0):
102 Verbose ('No violations found')
103 elif (nbrViolations == 1):
104 Verbose ('1 site attempting to violate our perimeter')
106 Verbose ('{} violations'.format(nbrViolations))
108 for ip in violations:
109 print 'IP: ' + ip + ' violations:'
110 for key in sorted (violations[ip].iterkeys ()):
111 print "\t{}: {}".format (key, violations[ip][key])
114 global verbose, debug, update, email, security_logfile
117 print 'verbose', verbose
119 print 'update', update
121 print 'file', security_logfile
124 global verbose, debug, update, email, security_logfile
127 opts, args = getopt.getopt (argv, "vd", ['verbose', 'debug', 'usage', 'update', 'mail', 'file='])
128 except getopt.GetoptError:
132 for opt, arg in opts:
133 if opt in ['-v', '--verbose']:
135 elif opt in ['-d', '--debug']:
137 elif opt in ['-u', '--usage']:
139 elif opt in ['--update']:
141 elif opt in ['-m', '--mail']:
143 elif opt in ['-f', '--file']:
144 security_logfile = arg
146 if security_logfile == '':
147 Usage ('Must specify filename')
149 ReportBreakins (security_logfile)
152 if __name__ == '__main__':