From 1d36f64956bd87fb78f1a2984f32ecb544764de2 Mon Sep 17 00:00:00 2001 From: Dario Borreguero Rincon Date: Fri, 1 Dec 2023 14:29:55 +0100 Subject: [PATCH] Bug fixing on timeliner analyser: - PowerLogs EventPoint Process Exit: Check for the existence of IsPermanent field. - PowerLogs ProcessMonitor Process Exit Histogram: missing f-string format field - SWC Util: try exception now provides more information on the error when parsing timestamp and simply skips the record while continue processing the rest. - TCC: removed transformation to hashtable. It was not needed. Tested on Python 3.11.5 - Wifi Known Networks: try exception per timestamp field (added, updated, modified password), so that it only skips the one that has problem with the value. --- analyzers/sysdiagnose-timeliner.py | 69 +++++++++++++++--------------- 1 file changed, 34 insertions(+), 35 deletions(-) diff --git a/analyzers/sysdiagnose-timeliner.py b/analyzers/sysdiagnose-timeliner.py index e405980..bdcd3bf 100644 --- a/analyzers/sysdiagnose-timeliner.py +++ b/analyzers/sysdiagnose-timeliner.py @@ -84,12 +84,16 @@ def __extract_ts_powerlogs__PLProcessMonitorAgent_EventPoint_ProcessExit(jdata): proc_exit = jdata["PLProcessMonitorAgent_EventPoint_ProcessExit"] for proc in proc_exit: timestamp = datetime.fromtimestamp(int(proc["timestamp"])) + + extra_field = "" + if "IsPermanent" in proc.keys(): + extra_field = "Is permanent: %d" % proc["IsPermanent"] ts_event = { "message": proc["ProcessName"], "timestamp": int(timestamp.timestamp() * 1000000), "datetime": timestamp.strftime("%Y-%m-%dT%H:%M:%S+00:00"), - "timestamp_desc": "Process Exit with reason code: %d reason namespace" % (proc["ReasonCode"], proc["ReasonNamespace"]), - "extra_field_1": "Is permanent: %d" % proc["IsPermanent"], + "timestamp_desc": "Process Exit with reason code: %d reason namespace %d" % (proc["ReasonCode"], proc["ReasonNamespace"]), + "extra_field_1": extra_field } timeline.append(ts_event) return @@ -103,7 +107,7 @@ def __extract_ts_powerlogs__PLProcessMonitorAgent_EventBackward_ProcessExitHisto "message": event["ProcessName"], "timestamp": int(timestamp.timestamp() * 1000000), "datetime": timestamp.strftime("%Y-%m-%dT%H:%M:%S+00:00"), - "timestamp_desc": "Process Exit with reason code: %d reason namespace" % (event["ReasonCode"], event["ReasonNamespace"]), + "timestamp_desc": "Process Exit with reason code: %d reason namespace %d" % (event["ReasonCode"], event["ReasonNamespace"]), "extra_field_1": "Crash frequency: [0-5s]: %d, [5-10s]: %d, [10-60s]: %d, [60s+]: %d" % (event["0s-5s"], event["5s-10s"], event["10s-60s"], event["60s+"]) } timeline.append(ts_event) @@ -139,11 +143,11 @@ def __extract_ts_swcutil(filename): "Next Check": "2023-02-28 22:06:35 +0000" }, """ - try: - with open(filename, 'r') as fd: - data = json.load(fd) - if "db" in data.keys(): - for service in data["db"]: + with open(filename, 'r') as fd: + data = json.load(fd) + if "db" in data.keys(): + for service in data["db"]: + try: timestamp = datetime.strptime(service["Last Checked"], "%Y-%m-%d %H:%M:%S %z") ts_event = { "message": service["Service"], @@ -153,11 +157,9 @@ def __extract_ts_swcutil(filename): "extra_field_1": "application: %s" % service["App ID"] } timeline.append(ts_event) - return True - except Exception as e: - print(f"ERROR while extracting timestamp from {filename}. Reason: {str(e)}") - return False - return False + except Exception as e: + print(f"ERROR {filename} while extracting timestamp from {(service['Service'])} - {(service['App ID'])}. Record not inserted.") + return True def __extract_ts_accessibility_tcc(filename): @@ -182,21 +184,14 @@ def __extract_ts_accessibility_tcc(filename): data = json.load(fd) if "access" in data.keys(): for access in data["access"]: - # convert to hashtable - service = {} - for line in access: - keys = line.keys() - for key in keys: - service[key] = line[key] - # create timeline entry - timestamp = datetime.fromtimestamp(int(service["last_modified"])) + timestamp = datetime.fromtimestamp(int(access["last_modified"])) ts_event = { - "message": service["service"], + "message": access["service"], "timestamp": int(timestamp.timestamp() * 1000000), "datetime": timestamp.strftime("%Y-%m-%dT%H:%M:%S+00:00"), "timestamp_desc": "Accessibility TC Last Modified", - "extra_field_1": "client: %s" % service["client"] + "extra_field_1": "client: %s" % access["client"] } timeline.append(ts_event) return True @@ -315,14 +310,12 @@ def __extract_ts_wifisecurity(filename): def __extract_ts_wifi_known_networks(filename): - try: - with open(filename, 'r') as fd: - data = json.load(fd) - for wifi in data.keys(): - ssid = data[wifi]["SSID"] + with open(filename, 'r') as fd: + data = json.load(fd) + for wifi in data.keys(): + ssid = data[wifi]["SSID"] + try: added = datetime.strptime(data[wifi]["AddedAt"], "%Y-%m-%d %H:%M:%S.%f") - updated = datetime.strptime(data[wifi]["UpdatedAt"], "%Y-%m-%d %H:%M:%S.%f") - modified_password = datetime.strptime(data[wifi]["__OSSpecific__"]["WiFiNetworkPasswordModificationDate"], "%Y-%m-%d %H:%M:%S.%f") # WIFI added ts_event = { @@ -333,8 +326,12 @@ def __extract_ts_wifi_known_networks(filename): "extra_field_1": "Add reason: %s" % data[wifi]["AddReason"] } timeline.append(ts_event) + except Exception as e: + print(f"ERROR {filename} while extracting timestamp from {ssid}. Reason: {str(e)}. Record not inserted.") # WIFI modified + try: + updated = datetime.strptime(data[wifi]["UpdatedAt"], "%Y-%m-%d %H:%M:%S.%f") ts_event = { "message": "WIFI %s added" % updated, "timestamp": updated.timestamp(), @@ -343,8 +340,12 @@ def __extract_ts_wifi_known_networks(filename): "extra_field_1": "Add reason: %s" % data[wifi]["AddReason"] } timeline.append(ts_event) + except Exception as e: + print(f"ERROR {filename} while extracting timestamp from {ssid}. Reason: {str(e)}. Record not inserted.") # Password for wifi modified + try: + modified_password = datetime.strptime(data[wifi]["__OSSpecific__"]["WiFiNetworkPasswordModificationDate"], "%Y-%m-%d %H:%M:%S.%f") ts_event = { "message": "Password for WIFI %s modified" % ssid, "timestamp": modified_password.timestamp(), @@ -353,12 +354,10 @@ def __extract_ts_wifi_known_networks(filename): "extra_field_1": "AP mode: %s" % data[wifi]["__OSSpecific__"]["AP_MODE"] } timeline.append(ts_event) + except Exception as e: + print(f"ERROR {filename} while extracting timestamp from {ssid}. Reason: {str(e)}. Record not inserted.") - return True - except Exception as e: - print(f"ERROR while extracting timestamp from {filename}. Reason: {str(e)}") - return False - return False + return True def parse_json(jsondir):