1 /* @(#) $Id: ./src/config/active-response.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
15 #include "os_xml/os_xml.h"
16 #include "os_regex/os_regex.h"
18 #include "active-response.h"
21 /** int ReadActiveResponses(XML_NODE node, void *d1, void *d2)
22 * Generates a list with all active responses.
 *
 * Parses one <active-response> configuration block into a freshly
 * calloc'd active_response, validates it and appends it to the list in d2.
 *
 * node: children of the <active-response> element; each child must have a
 *       non-empty tag and content (XML_ELEMNULL / XML_VALUENULL otherwise).
 * d1:   list of ar_command entries built by ReadActiveCommands(); the
 *       <command> name must match one of them (AR_INV_CMD otherwise).
 * d2:   list the new active_response is added to (LIST_ADD_ERROR on failure).
 *
 * Side effects: appends one line per response to the shared file
 * DEFAULTARPATH and updates the queue / ar_flag configuration (bodies of
 * those branches are elided in this excerpt). The return values and the
 * early-return paths after each merror() are likewise not visible here.
24 int ReadActiveResponses(XML_NODE node, void *d1, void *d2)
/* Element names accepted inside <active-response>. */
34 char *xml_ar_command = "command";
35 char *xml_ar_location = "location";
36 char *xml_ar_agent_id = "agent_id";
37 char *xml_ar_rules_id = "rules_id";
38 char *xml_ar_rules_group = "rules_group";
39 char *xml_ar_level = "level";
40 char *xml_ar_timeout = "timeout";
41 char *xml_ar_disabled = "disabled";
42 char *xml_ar_repeated = "repeated_offenders";
47 /* Currently active response */
48 active_response *tmp_ar;
51 /* Opening shared ar file */
/* Opened for append: every parsed response adds one line via the fprintf
 * below. Where fp is closed on the error paths is not visible here. */
52 fp = fopen(DEFAULTARPATH, "a");
55 merror(FOPEN_ERROR, ARGV0, DEFAULTARPATH);
/* NOTE(review): the mode is tightened by path after fopen(); if fopen()
 * just created the file it carries its creation mode until this call.
 * fchmod(fileno(fp), 0440) would apply to the opened file itself --
 * confirm against the platforms this must build on. */
58 chmod(DEFAULTARPATH, 0440);
61 /* Allocating for the active-response */
62 tmp_ar = calloc(1, sizeof(active_response));
65 merror(MEM_ERROR, ARGV0);
69 /* Initializing variables */
/* calloc() already zeroed the struct; these assignments restate that
 * for the pointer members. */
71 tmp_ar->command = NULL;
75 tmp_ar->agent_id = NULL;
76 tmp_ar->rules_id = NULL;
77 tmp_ar->rules_group = NULL;
78 tmp_ar->ar_cmd = NULL;
83 /* Searching for the commands */
/* Per-child validation; the loop header and the returns that follow each
 * merror() are elided in this excerpt. */
88 merror(XML_ELEMNULL, ARGV0);
91 else if(!node[i]->content)
93 merror(XML_VALUENULL, ARGV0, node[i]->element);
/* NOTE(review): none of the strdup() results below is NULL-checked. A
 * failed strdup() of command or location is caught by the AR_MISS check
 * further down; a failure on agent_id is caught only for the
 * defined-agent location; failures on rules_id / rules_group are not
 * reported anywhere in the visible code. */
98 if(strcmp(node[i]->element, xml_ar_command) == 0)
100 tmp_ar->command = strdup(node[i]->content);
103 else if(strcmp(node[i]->element, xml_ar_location) == 0)
105 tmp_location = strdup(node[i]->content);
107 else if(strcmp(node[i]->element, xml_ar_agent_id) == 0)
109 tmp_ar->agent_id = strdup(node[i]->content);
111 else if(strcmp(node[i]->element, xml_ar_rules_id) == 0)
113 tmp_ar->rules_id = strdup(node[i]->content);
115 else if(strcmp(node[i]->element, xml_ar_rules_group) == 0)
117 tmp_ar->rules_group = strdup(node[i]->content);
119 else if(strcmp(node[i]->element, xml_ar_level) == 0)
121 /* Level must be numeric */
/* <level> is validated twice: the text must be numeric, and the parsed
 * value must fall within 0..20. */
122 if(!OS_StrIsNum(node[i]->content))
124 merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
128 tmp_ar->level = atoi(node[i]->content);
130 /* Making sure the level is valid */
131 if((tmp_ar->level < 0) || (tmp_ar->level > 20))
133 merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
137 else if(strcmp(node[i]->element, xml_ar_timeout) == 0)
/* NOTE(review): unlike <level>, <timeout> goes straight to atoi() with
 * no OS_StrIsNum() check: non-numeric text silently becomes 0 and a
 * value outside the int range is undefined behaviour. The same
 * numeric/range check as for <level> would close this. */
139 tmp_ar->timeout = atoi(node[i]->content);
141 else if(strcmp(node[i]->element, xml_ar_disabled) == 0)
/* Only "yes" / "no" are accepted; the "yes" branch (elided) presumably
 * marks the response disabled for the check below -- confirm. */
143 if(strcmp(node[i]->content, "yes") == 0)
147 else if(strcmp(node[i]->content, "no") == 0)
149 /* Don't do anything if disabled is set to "no" */
153 merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
157 else if(strcmp(node[i]->element, xml_ar_repeated) == 0)
159 /* Nothing - we deal with it on execd. */
/* Any other element name is a configuration error. */
164 merror(XML_INVELEM, ARGV0, node[i]->element);
170 /* Checking if ar is disabled */
177 /* Command and location must be there */
178 if(!tmp_ar->command || !tmp_location)
185 merror(AR_MISS, ARGV0);
/* Map the <location> text onto the location bit flags. Several flags
 * may be set at once since each test is independent.
 * NOTE(review): OS_Regex()'s anchoring is not visible here -- if it is a
 * substring match, "local" or "all" occurring inside another word would
 * also set the flag; verify before relying on exact tokens. */
190 if(OS_Regex("AS|analysisd|analysis-server|server", tmp_location))
192 tmp_ar->location|= AS_ONLY;
/* "local" maps to REMOTE_AGENT (presumably: run on the agent that
 * raised the alert -- confirm against execd). */
195 if(OS_Regex("local", tmp_location))
197 tmp_ar->location|= REMOTE_AGENT;
/* "defined-agent" is only valid together with <agent_id>. */
200 if(OS_Regex("defined-agent", tmp_location))
202 if(!tmp_ar->agent_id)
204 merror(AR_DEF_AGENT, ARGV0);
208 tmp_ar->location|= SPECIFIC_AGENT;
211 if(OS_Regex("all|any", tmp_location))
213 tmp_ar->location|=ALL_AGENTS;
216 /* If we didn't set any value for the location */
217 if(tmp_ar->location == 0)
219 merror(AR_INV_LOC, ARGV0, tmp_location);
224 /* cleaning tmp_location */
229 /* Checking if command name is valid */
/* Linear scan of the command list (d1) for an exact name match; the first
 * match wins. */
231 OSListNode *my_commands_node;
233 my_commands_node = OSList_GetFirstNode(d1);
234 while(my_commands_node)
236 ar_command *my_command;
237 my_command = (ar_command *)my_commands_node->data;
239 if(strcmp(my_command->name, tmp_ar->command) == 0)
241 tmp_ar->ar_cmd = my_command;
245 my_commands_node = OSList_GetNextNode(d1);
248 /* Didn't find a valid command */
249 if(tmp_ar->ar_cmd == NULL)
251 merror(AR_INV_CMD, ARGV0, tmp_ar->command);
256 /* Checking if timeout is allowed */
/* A <timeout> is rejected unless the matched command declares
 * timeout_allowed. Relies on the AR_INV_CMD branch above returning;
 * otherwise ar_cmd would be NULL here (return elided in this excerpt). */
257 if(tmp_ar->timeout && !tmp_ar->ar_cmd->timeout_allowed)
259 merror(AR_NO_TIMEOUT, ARGV0, tmp_ar->ar_cmd->name);
263 /* d2 is the active response list; d1 holds the commands matched above */
264 if(!OSList_AddData(d2, (void *)tmp_ar))
266 merror(LIST_ADD_ERROR, ARGV0);
271 /* Setting a unique active response name */
/* NOTE(review): allocation failure here is fatal (ErrorExit) while the
 * calloc of the struct above only reports via merror(); inconsistent but
 * visible as such. */
272 tmp_ar->name = calloc(OS_FLSIZE +1, sizeof(char));
275 ErrorExit(MEM_ERROR, ARGV0);
/* Bounded write: the buffer holds OS_FLSIZE+1 bytes and snprintf is
 * limited to OS_FLSIZE, so the result is always NUL-terminated; an
 * overlong command name is silently truncated. The trailing %d argument
 * is elided in this excerpt. */
277 snprintf(tmp_ar->name, OS_FLSIZE, "%s%d",
278 tmp_ar->ar_cmd->name,
282 /* Adding to shared file */
/* One record per response; the command's executable path is written as
 * configured. The remaining format arguments are elided here. */
283 fprintf(fp, "%s - %s - %d\n",
285 tmp_ar->ar_cmd->executable,
289 /* Setting the configs to start the right queues */
/* Each location flag enables its queue; the bodies are elided here. */
290 if(tmp_ar->location & AS_ONLY)
294 if(tmp_ar->location & ALL_AGENTS)
298 if(tmp_ar->location & REMOTE_AGENT)
303 if(tmp_ar->location & SPECIFIC_AGENT)
308 /* Setting the configuration for the active response */
/* r_ar, l_ar and ar_flag are declared outside this excerpt; presumably
 * they record whether any remote / local response was configured. */
309 if(r_ar && (!(ar_flag & REMOTE_AR)))
313 if(l_ar && (!(ar_flag & LOCAL_AR)))
318 /* Closing shared file for active response */
327 /** int ReadActiveCommands(XML_NODE node, void *d1, void *d2)
 * Parses one <command> configuration block into a freshly calloc'd
 * ar_command (name, expect flags, executable, timeout_allowed) and
 * appends it to the list in d1.
 *
 * node: children of the <command> element; each must have a non-empty tag
 *       and content (XML_ELEMNULL / XML_VALUENULL otherwise).
 * d1:   ar_command list the new entry is added to (LIST_ADD_ERROR on
 *       failure). This is the list ReadActiveResponses() matches against.
 * d2:   not referenced in the visible code.
 *
 * The return values, the early returns after each merror() and the
 * release of tmp_str are elided in this excerpt.
329 int ReadActiveCommands(XML_NODE node, void *d1, void *d2)
/* Raw <expect> text, parsed into bit flags once all children are read. */
333 char *tmp_str = NULL;
/* Element names accepted inside <command>. */
336 char *command_name = "name";
337 char *command_expect = "expect";
338 char *command_executable = "executable";
339 char *timeout_allowed = "timeout_allowed";
341 ar_command *tmp_command;
344 /* Allocating the active-response command */
345 tmp_command = calloc(1, sizeof(ar_command));
348 merror(MEM_ERROR, ARGV0);
/* calloc() already zeroed the struct; these assignments restate it. */
352 tmp_command->name = NULL;
353 tmp_command->expect= 0;
354 tmp_command->executable = NULL;
355 tmp_command->timeout_allowed = 0;
358 /* Searching for the commands */
/* Per-child validation; loop header and the returns that follow each
 * merror() are elided here. */
361 if(!node[i]->element)
363 merror(XML_ELEMNULL, ARGV0);
366 else if(!node[i]->content)
368 merror(XML_VALUENULL, ARGV0, node[i]->element);
/* NOTE(review): strdup() results are not NULL-checked; a failure on any
 * of the three surfaces as AR_CMD_MISS below rather than MEM_ERROR. The
 * executable path is stored verbatim from the configuration -- no
 * validation of it is visible in this excerpt. */
371 if(strcmp(node[i]->element, command_name) == 0)
373 tmp_command->name = strdup(node[i]->content);
375 else if(strcmp(node[i]->element, command_expect) == 0)
377 tmp_str = strdup(node[i]->content);
379 else if(strcmp(node[i]->element, command_executable) == 0)
381 tmp_command->executable = strdup(node[i]->content);
383 else if(strcmp(node[i]->element, timeout_allowed) == 0)
/* Only "yes" / "no" are accepted. */
385 if(strcmp(node[i]->content, "yes") == 0)
386 tmp_command->timeout_allowed = 1;
387 else if(strcmp(node[i]->content, "no") == 0)
388 tmp_command->timeout_allowed = 0;
391 merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
/* Any other element name is a configuration error. */
397 merror(XML_INVELEM, ARGV0, node[i]->element);
/* <name>, <expect> and <executable> are all mandatory. */
403 if(!tmp_command->name || !tmp_str || !tmp_command->executable)
405 merror(AR_CMD_MISS, ARGV0);
410 /* Getting the expect */
/* Flags are only derived when the text is at least 4 characters ("user"
 * is the shortest token); otherwise expect stays 0 from the calloc above.
 * NOTE(review): OS_Regex()'s anchoring is not visible here -- if it is a
 * substring match, "username" would also set USERNAME; verify. */
411 if(strlen(tmp_str) >= 4)
413 if(OS_Regex("user", tmp_str))
414 tmp_command->expect |= USERNAME;
415 if(OS_Regex("srcip", tmp_str))
416 tmp_command->expect |= SRCIP;
423 /* Adding command to the list */
424 if(!OSList_AddData(d1, (void *)tmp_command))
426 merror(LIST_ADD_ERROR, ARGV0);