From: yeji01.kim
Date: Tue, 12 Jun 2018 07:19:26 +0000 (+0900)
Subject: Add report of audit log for optimizing audit rule
X-Git-Tag: submit/tizen/20180727.090954~2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=360851a09718dd9ce9a501b8eb773d92728befcd;p=platform%2Fcore%2Fsecurity%2Faudit-trail.git
Add report of audit log for optimizing audit rule
Change-Id: I1278e1b850551c4b0985b5854f043d0216e46ebd
Signed-off-by: yeji01.kim
---
diff --git a/common/audit/audit-log-statistics.h b/common/audit/audit-log-statistics.h
new file mode 100644
index 0000000..58f8016
--- /dev/null
+++ b/common/audit/audit-log-statistics.h
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#ifndef __AUDIT_TRAIL_AUDIT_LOG_STATISTICS_H__
+#define __AUDIT_TRAIL_AUDIT_LOG_STATISTICS_H__
+
+#include
+#include
+#include
+#include
+
+template
+class AuditLogStatistics final {
+public:
+ AuditLogStatistics() {
+ idx = size = 0;
+ sizeFlag = false;
+ table.reserve(windowSize);
+ }
+
+ void addCount(T field) {
+ if (idx == windowSize) {
+ idx = 0;
+ sizeFlag = true;
+ }
+
+ table[idx++] = field;
+ if (!sizeFlag)
+ size = idx;
+ }
+
+ std::vector& getTable() {
+ sortedTable = sortTable();
+ return sortedTable;
+ }
+
+ bool isTableEmpty() {
+ return (size == 0);
+ }
+
+ bool isTableChange() {
+ if (sortedTable == sortTable())
+ return false;
+
+ return true;
+ }
+
+ void resetTable() {
+ idx = size = 0;
+ sizeFlag = false;
+ table.clear();
+ }
+
+private:
+ static bool compare(const std::pair&left, const std::pair&right) {
+ if (left.second != right.second)
+ return left.second > right.second;
+
+ return left.first < right.first;
+ }
+
+ std::vector sortTable() {
+ std::vector sortedVector;
+ std::vector> countingVector;
+ std::map countingMap;
+
+ for (int i = 0; i < size; i++) {
+ if (countingMap.find(table[i]) == countingMap.end())
+ countingMap[table[i]] = 1;
+ else
+ countingMap[table[i]]++;
+ }
+
+ for (auto iter = countingMap.begin(); iter != countingMap.end(); iter++)
+ countingVector.emplace_back(std::make_pair(iter->first, iter->second));
+
+ std::sort(countingVector.begin(), countingVector.end(), compare);
+
+ for (auto iter = countingVector.begin(); iter != countingVector.end(); iter++)
+ sortedVector.emplace_back(std::move(iter->first));
+
+ return sortedVector;
+ }
+
+ std::vector sortedTable;
+ const int windowSize = 1000;
+ int idx;
+ int size;
+ bool sizeFlag;
+
+ std::vector table;
+};
+
+#endif //!__AUDIT_TRAIL_AUDIT_LOG_STATISTICS_H__
diff --git a/common/audit/audit-logger.h b/common/audit/audit-logger.h
index 906fff5..0ca4a09 100644
--- a/common/audit/audit-logger.h
+++ b/common/audit/audit-logger.h
@@ -51,21 +51,23 @@ public: callback = nullptr; } - void addMessage(int type, const std::string &log) + bool addMessage(int type, const std::string &log) { + bool flag = false; builder.addMessage(type, log); if (builder.isCompleted()) { logs.push_back(builder.pop()); if (callback) callback(logs.back()); + flag = true; } + return flag; } private: std::vector logs; AuditLogBuilder builder; std::function callback; - }; #endif //!__AUDIT_TRAIL_AUDIT_LOGGER_H__
diff --git a/common/audit/audit-message-parser.cpp b/common/audit/audit-message-parser.cpp
index 1d49185..e750815 100644
--- a/common/audit/audit-message-parser.cpp
+++ b/common/audit/audit-message-parser.cpp
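Review bot: `table.reserve(windowSize)` in the AuditLogStatistics constructor only reserves capacity, so `table[idx++] = field` in addCount writes past the end of a vector whose size is still 0 — undefined behaviour (an out-of-bounds heap write) on the very first call, and sortTable's `table[i]` reads are equally out of range; resetTable has the same problem once `table.clear()` has emptied the vector. Change the constructor line to `table.resize(windowSize);` and the reset line to `table.assign(windowSize, T());` so the ring buffer always owns windowSize slots. The class also has no header comment; a line such as `/* Sliding window of the last windowSize values; getTable() returns the distinct values ranked by frequency, ties broken by value. */` above `template` would state the contract the parser relies on. isTableChange re-sorts the whole window on every call, which is acceptable at the default of 1000 entries but worth a note if windowSize is ever raised.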
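Review bot: The bool now returned by addMessage in audit-logger.h is undocumented, so a caller cannot tell whether true means the message was accepted or that a record was completed; add `/* Returns true when this message completed a record, i.e. logs.back() was appended by this call. */` above the signature. The `flag` local only carries that result to the end of the function — `return true;` right after `callback(logs.back());` and `return false;` as the last statement read more directly. The enclosing class begins before this hunk.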
@@ -58,8 +58,19 @@ void AuditMessageParser::parse() int type = msg.first; std::string log(msg.second.begin(), msg.second.end()); + if (systemLogs.addMessage(type, log)) { + auto &parsedSystemLogs = systemLogs.get(); + + if ((parsedSystemLogs[parsedSystemLogs.size() - 1].tag.size() != 0) && + (parsedSystemLogs[parsedSystemLogs.size() - 1].tag.compare("smack") != 0)) { + tagStatistics.addCount(parsedSystemLogs[parsedSystemLogs.size() - 1].tag); + + if (parsedSystemLogs[parsedSystemLogs.size() - 1].action.systemCall != 0) + syscallStatistics.addCount(parsedSystemLogs[parsedSystemLogs.size() - 1].action.systemCall); + } + } + + userLogs.addMessage(type, log); - systemLogs.addMessage(type, log); } catch (runtime::Exception &e) { break; }
diff --git a/common/audit/audit-message-parser.h b/common/audit/audit-message-parser.h
index afa319b..9df89fc 100644
--- a/common/audit/audit-message-parser.h
+++ b/common/audit/audit-message-parser.h
@@ -27,6 +27,7 @@ #include "audit/audit-logger.h" #include "audit/audit-user-log.h" #include "audit/audit-system-log.h" +#include "audit/audit-log-statistics.h" class AuditMessageParser final { public:
@@ -38,6 +39,9 @@ public: AuditLogger userLogs; AuditLogger systemLogs; + AuditLogStatistics tagStatistics; + AuditLogStatistics syscallStatistics; + private: void parse();
diff --git a/common/audit/audit-system-log.cpp b/common/audit/audit-system-log.cpp
index ed52fb9..39e4d5a 100644
--- a/common/audit/audit-system-log.cpp
+++ b/common/audit/audit-system-log.cpp
@@ -161,6 +161,10 @@ void AuditLogBuilder::addMessage(int type, const std::string &lo instance.object.uid = std::stoul(value); } else if (name == "ogid") { instance.object.gid = std::stoul(value); + } else if (name == "key") { /* tag */ + if (value != "(null)" && instance.tag != "smack") { + instance.tag = value; + } } }
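Review bot: The new block in parse() spells `parsedSystemLogs[parsedSystemLogs.size() - 1]` five times; bind the record once with `const auto &latest = systemLogs.get().back();` — a true return from addMessage means a record was just pushed, so back() is valid, assuming get() hands back that vector — and compare with `latest.tag != "smack"` instead of `.compare("smack") != 0`. The `systemCall != 0` guard treats 0 as "no syscall", but 0 is a real syscall number on some ABIs; whether it can ever be reported here depends on how action.systemCall is initialised, which this hunk does not show, so the assumption deserves a comment or an explicit "unset" sentinel. parse() starts and ends outside this hunk.
```cpp
if (systemLogs.addMessage(type, log)) {
	// addMessage() returned true, so a record was just appended and back() is valid.
	const auto &latest = systemLogs.get().back();

	if (!latest.tag.empty() && latest.tag != "smack") {
		tagStatistics.addCount(latest.tag);

		// 0 is treated as "no syscall recorded" — relies on how action.systemCall is initialised.
		if (latest.action.systemCall != 0)
			syscallStatistics.addCount(latest.action.systemCall);
	}
}
// … unchanged: userLogs.addMessage(type, log) and the catch block …
```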
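Review bot: The `key` branch added to audit-system-log.cpp here is repeated verbatim in the two following hunks of the same file (@@ -184,6 +188,10 and @@ -197,8 +205,13); three copies of `if (value != "(null)" && instance.tag != "smack") instance.tag = value;` will drift the next time the rule changes, so extract one file-local helper and call `setTagFromKey(instance.tag, value);` from each object-type branch. The key value is taken from the audit record as text; if the splitter that produces `pair` does not already strip the quoting the audit format can put around a key, the quotes would become part of the tag and be counted as a distinct value by the statistics — worth confirming against that code, which is outside these hunks. The enclosing addMessage() starts and ends outside the hunks.
```cpp
/* Records the rule key as the log's tag. "(null)" is the value this parser
 * treats as "no key", and a tag already set to "smack" is left untouched. */
static void setTagFromKey(std::string &tag, const std::string &value)
{
	if (value != "(null)" && tag != "smack")
		tag = value;
}

// … unchanged: addMessage() up to the field loop …
	} else if (name == "key") { /* tag */
		setTagFromKey(instance.tag, value);
	}
// … unchanged: the other two object-type branches call the same helper …
```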
@@ -184,6 +188,10 @@ void AuditLogBuilder::addMessage(int type, const std::string &lo instance.object.pid = std::stoul(value); } else if (name == "ouid") { instance.object.uid = std::stoul(value); + } else if (name == "key") { /* tag */ + if (value != "(null)" && instance.tag != "smack") { + instance.tag = value; + } } } instance.object.type = AuditSystemLog::ProcessObject;
@@ -197,8 +205,13 @@ void AuditLogBuilder::addMessage(int type, const std::string &lo const auto &name = pair.first; const auto &value = pair.second; - if (name == "saddr") + if (name == "saddr") { instance.object.socketAddr = value; + } else if (name == "key") { /* tag */ + if (value != "(null)" && instance.tag != "smack") { + instance.tag = value; + } + } } instance.object.type = AuditSystemLog::SocketObject; }