-/* @(#) $Id: run_realtime.c,v 1.12 2009/12/01 15:40:08 dcid Exp $ */
+/* @(#) $Id: ./src/syscheckd/run_realtime.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
#ifdef USEINOTIFY
#include <sys/inotify.h>
+#define OS_SIZE_6144 6144
+#define OS_MAXSTR OS_SIZE_6144 /* Size for logs, sockets, etc */
+#else
+#include "shared.h"
#endif
/* Checking sum of the realtime file being monitored. */
int realtime_checksumfile(char *file_name)
{
- char buf[MAX_LINE +2];
- buf[MAX_LINE +1] = '\0';
+ char *buf;
-
- fseek(syscheck.fp, 0, SEEK_SET);
- while(fgets(buf, MAX_LINE, syscheck.fp) != NULL)
+ buf = OSHash_Get(syscheck.fp, file_name);
+ if(buf != NULL)
{
- if((buf[0] != '#') && (buf[0] != ' ') && (buf[0] != '\n'))
- {
- char *n_buf;
-
- /* Removing the new line */
- n_buf = strchr(buf,'\n');
- if(n_buf == NULL)
- continue;
-
- *n_buf = '\0';
-
-
- /* First 6 characters are for internal use */
- n_buf = buf;
- n_buf+=6;
-
- n_buf = strchr(n_buf, ' ');
- if(n_buf)
- {
- n_buf++;
-
- /* Checking if name matches */
- if(strcmp(n_buf, file_name) == 0)
- {
- char c_sum[256 +2];
- c_sum[0] = '\0';
- c_sum[255] = '\0';
-
+ char c_sum[256 +2];
+
+ c_sum[0] = '\0';
+ c_sum[255] = '\0';
+
+
+ /* If it returns < 0, we will already have alerted. */
+ if(c_read_file(file_name, buf, c_sum) < 0)
+ {
+ return(0);
+ }
+
+
+ if(strcmp(c_sum, buf+6) != 0)
+ {
+ char *fullalert = NULL;
+ char alert_msg[OS_MAXSTR +1];
+ alert_msg[OS_MAXSTR] = '\0';
+ if(buf[5] == 's' || buf[5] == 'n')
+ {
+ fullalert = seechanges_addfile(file_name);
+ if(fullalert)
+ {
+ snprintf(alert_msg, OS_MAXSTR, "%s %s\n%s", c_sum, file_name, fullalert);
+ free(fullalert);
+ fullalert = NULL;
+ }
+ else
+ {
+ snprintf(alert_msg, 912, "%s %s", c_sum, file_name);
+ }
+ }
+ else
+ {
+ snprintf(alert_msg, 912, "%s %s", c_sum, file_name);
+ }
+ send_syscheck_msg(alert_msg);
+
+ return(1);
+ }
+
+ return(0);
- /* If it returns < 0, we will already have alerted. */
- if(c_read_file(file_name, buf, c_sum) < 0)
- continue;
-
-
- if(strcmp(c_sum, buf+6) != 0)
- {
- char alert_msg[912 +2];
-
- /* Sending the new checksum to the analysis server */
- alert_msg[912 +1] = '\0';
- snprintf(alert_msg, 912, "%s %s", c_sum, file_name);
- send_syscheck_msg(alert_msg);
-
- return(1);
- }
-
- return(0);
-
- }
- }
- }
}
-
- /* Adding entry if not in there. */
- fseek(syscheck.fp, 0, SEEK_END);
return(0);
}
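Review bot: The three snprintf calls that fill alert_msg use two different bounds — `OS_MAXSTR` on the seechanges branch and the bare constant `912` on both fallback branches — while the buffer is declared `alert_msg[OS_MAXSTR +1]`; all three should be written as `snprintf(alert_msg, sizeof alert_msg, "%s %s", c_sum, file_name);` so the bound cannot drift from the declaration and the magic 912 disappears. The rewrite also indexes `buf+6` and `buf[5]` on the string returned by OSHash_Get, but it dropped the old comment that explained the first six characters of an entry are reserved, so the layout requirement is now invisible; a comment such as `/* Entries in syscheck.fp carry a 6-byte internal prefix before the checksum; buf[5] selects whether seechanges_addfile is run */` should go above the strcmp, and if the table can ever hold an entry shorter than six bytes the length needs checking before indexing (presumably it cannot, since the same daemon writes the entries — verify against the writer). Separately, defining `OS_MAXSTR` locally as 6144 under USEINOTIFY instead of taking it from shared.h leaves the same limit declared in two places if that header already defines it.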
#include <sys/inotify.h>
-#define REALTIME_MONITOR_FLAGS IN_MODIFY|IN_ATTRIB|IN_MOVED_TO|IN_DELETE|IN_MOVED_FROM
+#define REALTIME_MONITOR_FLAGS IN_MODIFY|IN_ATTRIB|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE|IN_DELETE_SELF
#define REALTIME_EVENT_SIZE (sizeof (struct inotify_event))
#define REALTIME_EVENT_BUFFER (2048 * (REALTIME_EVENT_SIZE + 16))
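Review bot: Adding `IN_CREATE` and `IN_DELETE_SELF` to REALTIME_MONITOR_FLAGS widens what the read loop receives, but that loop (visible further down) still builds `final_name` from `event->name` and passes it to realtime_checksumfile for every event; an IN_DELETE_SELF event carries no name, so the watched directory itself, with a trailing slash, would be handed to the checksum routine, and its wd entry presumably remains in `dirtb` after the directory is gone. The loop should test `event->mask` before the hash lookup — drop the `dirtb` entry and skip the checksum when `IN_DELETE_SELF` is set, and skip any event with `event->len == 0` — rather than treating every mask the same. The loop's increment and the end of that function are outside this hunk, so the exact placement is inferred.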
merror("%s: ERROR: Unable to initialize inotify.", ARGV0);
return(-1);
}
- #endif
+ #endif
return(1);
}
wd = inotify_add_watch(syscheck.realtime->fd,
dir,
- REALTIME_MONITOR_FLAGS);
+ REALTIME_MONITOR_FLAGS);
if(wd < 0)
{
- merror("%s: ERROR: Unable to add directory to real time "
+ merror("%s: ERROR: Unable to add directory to real time "
"monitoring: '%s'. %d %d", ARGV0, dir, wd, errno);
}
else
len = read(syscheck.realtime->fd, buf, REALTIME_EVENT_BUFFER);
- if (len < 0)
+ if (len < 0)
{
merror("%s: ERROR: Unable to read from real time buffer.", ARGV0);
- }
+ }
else if (len > 0)
{
- while (i < len)
+ while (i < len)
{
event = (struct inotify_event *) &buf[i];
snprintf(wdchar, 32, "%d", event->wd);
- snprintf(final_name, MAX_LINE, "%s/%s",
+ snprintf(final_name, MAX_LINE, "%s/%s",
(char *)OSHash_Get(syscheck.realtime->dirtb, wdchar),
event->name);
realtime_checksumfile(final_name);
if(dwerror != ERROR_SUCCESS)
{
- merror("%s: ERROR: real time call back called, but error is set.",
+ merror("%s: ERROR: real time call back called, but error is set.",
ARGV0);
return;
}
rtlocald = OSHash_Get(syscheck.realtime->dirtb, wdchar);
if(rtlocald == NULL)
{
- merror("%s: ERROR: real time call back called, but hash is empty.",
+ merror("%s: ERROR: real time call back called, but hash is empty.",
ARGV0);
return;
}
-
+
do
{
TRUE,
FILE_NOTIFY_CHANGE_FILE_NAME|FILE_NOTIFY_CHANGE_DIR_NAME|FILE_NOTIFY_CHANGE_SIZE|FILE_NOTIFY_CHANGE_LAST_WRITE,
0,
- &rtlocald->overlap,
+ &rtlocald->overlap,
RTCallBack);
if(rc == 0)
{
- merror("%s: ERROR: Unable to set directory for monitoring: %s",
+ merror("%s: ERROR: Unable to set directory for monitoring: %s",
ARGV0, rtlocald->dir);
sleep(2);
}
os_calloc(1, sizeof(win32rtfim), rtlocald);
-
+
rtlocald->h = CreateFile(dir,
FILE_LIST_DIRECTORY,
NULL);
- if(rtlocald->h == INVALID_HANDLE_VALUE ||
- rtlocald->h == NULL)
+ if(rtlocald->h == INVALID_HANDLE_VALUE ||
+ rtlocald->h == NULL)
{
free(rtlocald);
rtlocald = NULL;
if(OSHash_Get(syscheck.realtime->dirtb, wdchar))
{
- merror("%s: ERROR: Entry already in the real time hash: %s",
+ merror("%s: ERROR: Entry already in the real time hash: %s",
ARGV0, wdchar);
CloseHandle(rtlocald->overlap.hEvent);
free(rtlocald);