- add fortify to lintian
diff --git
a/src/analysisd/decoders/syscheck.c
b/src/analysisd/decoders/syscheck.c
index
840ed9d
..
8618813
100755
(executable)
--- a/
src/analysisd/decoders/syscheck.c
+++ b/
src/analysisd/decoders/syscheck.c
@@
-1,4
+1,5
@@
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/syscheck.c, 2012/02/07 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
@@
-44,7
+45,7
@@
typedef struct __sdb
int id3;
int idn;
int idd;
int id3;
int idn;
int idd;
-
+
/* Syscheck rule */
OSDecoderInfo *syscheck_dec;
/* Syscheck rule */
OSDecoderInfo *syscheck_dec;
@@
-52,7
+53,7
@@
typedef struct __sdb
/* File search variables */
fpos_t init_pos;
/* File search variables */
fpos_t init_pos;
-
+
}_sdb; /* syscheck db information */
}_sdb; /* syscheck db information */
@@
-69,7
+70,7
@@
void SyscheckInit()
int i = 0;
sdb.db_err = 0;
int i = 0;
sdb.db_err = 0;
-
+
for(;i <= MAX_AGENTS;i++)
{
sdb.agent_ips[i] = NULL;
for(;i <= MAX_AGENTS;i++)
{
sdb.agent_ips[i] = NULL;
@@
-80,7
+81,7
@@
void SyscheckInit()
/* Clearing db memory */
memset(sdb.buf, '\0', OS_MAXSTR +1);
memset(sdb.comment, '\0', OS_MAXSTR +1);
/* Clearing db memory */
memset(sdb.buf, '\0', OS_MAXSTR +1);
memset(sdb.comment, '\0', OS_MAXSTR +1);
-
+
memset(sdb.size, '\0', OS_FLSIZE +1);
memset(sdb.perm, '\0', OS_FLSIZE +1);
memset(sdb.owner, '\0', OS_FLSIZE +1);
memset(sdb.size, '\0', OS_FLSIZE +1);
memset(sdb.perm, '\0', OS_FLSIZE +1);
memset(sdb.owner, '\0', OS_FLSIZE +1);
@@
-95,13
+96,13
@@
void SyscheckInit()
sdb.syscheck_dec->name = SYSCHECK_MOD;
sdb.syscheck_dec->type = OSSEC_RL;
sdb.syscheck_dec->fts = 0;
sdb.syscheck_dec->name = SYSCHECK_MOD;
sdb.syscheck_dec->type = OSSEC_RL;
sdb.syscheck_dec->fts = 0;
-
+
sdb.id1 = getDecoderfromlist(SYSCHECK_MOD);
sdb.id2 = getDecoderfromlist(SYSCHECK_MOD2);
sdb.id3 = getDecoderfromlist(SYSCHECK_MOD3);
sdb.idn = getDecoderfromlist(SYSCHECK_NEW);
sdb.idd = getDecoderfromlist(SYSCHECK_DEL);
sdb.id1 = getDecoderfromlist(SYSCHECK_MOD);
sdb.id2 = getDecoderfromlist(SYSCHECK_MOD2);
sdb.id3 = getDecoderfromlist(SYSCHECK_MOD3);
sdb.idn = getDecoderfromlist(SYSCHECK_NEW);
sdb.idd = getDecoderfromlist(SYSCHECK_DEL);
-
+
debug1("%s: SyscheckInit completed.", ARGV0);
return;
}
debug1("%s: SyscheckInit completed.", ARGV0);
return;
}
@@
-115,7
+116,7
@@
void SyscheckInit()
void __setcompleted(char *agent)
{
FILE *fp;
void __setcompleted(char *agent)
{
FILE *fp;
-
+
/* Getting agent file */
snprintf(sdb.buf, OS_FLSIZE , "%s/.%s.cpt", SYSCHECK_DIR, agent);
/* Getting agent file */
snprintf(sdb.buf, OS_FLSIZE , "%s/.%s.cpt", SYSCHECK_DIR, agent);
@@
-153,7
+154,7
@@
void DB_SetCompleted(Eventinfo *lf)
int i = 0;
/* Finding file pointer */
int i = 0;
/* Finding file pointer */
- while(sdb.agent_ips[i] != NULL)
+ while(sdb.agent_ips[i] != NULL && i < MAX_AGENTS)
{
if(strcmp(sdb.agent_ips[i], lf->location) == 0)
{
{
if(strcmp(sdb.agent_ips[i], lf->location) == 0)
{
@@
-162,7
+163,7
@@
void DB_SetCompleted(Eventinfo *lf)
{
return;
}
{
return;
}
-
+
__setcompleted(lf->location);
__setcompleted(lf->location);
@@
-184,7
+185,7
@@
FILE *DB_File(char *agent, int *agent_id)
int i = 0;
/* Finding file pointer */
int i = 0;
/* Finding file pointer */
- while(sdb.agent_ips[i] != NULL)
+ while(sdb.agent_ips[i] != NULL && i < MAX_AGENTS)
{
if(strcmp(sdb.agent_ips[i], agent) == 0)
{
{
if(strcmp(sdb.agent_ips[i], agent) == 0)
{
@@
-193,18
+194,24
@@
FILE *DB_File(char *agent, int *agent_id)
*agent_id = i;
return(sdb.agent_fps[i]);
}
*agent_id = i;
return(sdb.agent_fps[i]);
}
-
- i++;
+
+ i++;
}
/* If here, our agent wasn't found */
}
/* If here, our agent wasn't found */
+ if (i == MAX_AGENTS)
+ {
+ merror("%s: Unable to open integrity file. Increase MAX_AGENTS.",ARGV0);
+ return(NULL);
+ }
+
os_strdup(agent, sdb.agent_ips[i]);
/* Getting agent file */
snprintf(sdb.buf, OS_FLSIZE , "%s/%s", SYSCHECK_DIR,agent);
os_strdup(agent, sdb.agent_ips[i]);
/* Getting agent file */
snprintf(sdb.buf, OS_FLSIZE , "%s/%s", SYSCHECK_DIR,agent);
-
-
+
+
/* r+ to read and write. Do not truncate */
sdb.agent_fps[i] = fopen(sdb.buf,"r+");
if(!sdb.agent_fps[i])
/* r+ to read and write. Do not truncate */
sdb.agent_fps[i] = fopen(sdb.buf,"r+");
if(!sdb.agent_fps[i])
@@
-217,8
+224,8
@@
FILE *DB_File(char *agent, int *agent_id)
sdb.agent_fps[i] = fopen(sdb.buf, "r+");
}
}
sdb.agent_fps[i] = fopen(sdb.buf, "r+");
}
}
-
- /* Checking again */
+
+ /* Checking again */
if(!sdb.agent_fps[i])
{
merror("%s: Unable to open '%s'",ARGV0, sdb.buf);
if(!sdb.agent_fps[i])
{
merror("%s: Unable to open '%s'",ARGV0, sdb.buf);
@@
-232,12
+239,12
@@
FILE *DB_File(char *agent, int *agent_id)
/* Returning the opened pointer (the beginning of it) */
fseek(sdb.agent_fps[i],0, SEEK_SET);
*agent_id = i;
/* Returning the opened pointer (the beginning of it) */
fseek(sdb.agent_fps[i],0, SEEK_SET);
*agent_id = i;
-
-
+
+
/* Getting if the agent was completed */
if(__iscompleted(agent))
{
/* Getting if the agent was completed */
if(__iscompleted(agent))
{
- sdb.agent_cp[i][0] = '1';
+ sdb.agent_cp[i][0] = '1';
}
return(sdb.agent_fps[i]);
}
return(sdb.agent_fps[i]);
@@
-252,10
+259,10
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
int p = 0;
int sn_size;
int agent_id;
int p = 0;
int sn_size;
int agent_id;
-
+
char *saved_sum;
char *saved_name;
char *saved_sum;
char *saved_name;
-
+
FILE *fp;
FILE *fp;
@@
-278,8
+285,8
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
merror("%s: Error handling integrity database (fgetpos).",ARGV0);
return(0);
}
merror("%s: Error handling integrity database (fgetpos).",ARGV0);
return(0);
}
-
-
+
+
/* Looping the file */
while(fgets(sdb.buf, OS_MAXSTR, fp) != NULL)
{
/* Looping the file */
while(fgets(sdb.buf, OS_MAXSTR, fp) != NULL)
{
@@
-291,7
+298,7
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
}
}
- /* Getting name */
+ /* Getting name */
saved_name = strchr(sdb.buf, ' ');
if(saved_name == NULL)
{
saved_name = strchr(sdb.buf, ' ');
if(saved_name == NULL)
{
@@
-301,8
+308,8
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
}
*saved_name = '\0';
saved_name++;
}
*saved_name = '\0';
saved_name++;
-
-
+
+
/* New format - with a timestamp */
if(*saved_name == '!')
{
/* New format - with a timestamp */
if(*saved_name == '!')
{
@@
-331,7
+338,7
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
fgetpos(fp, &sdb.init_pos);
continue;
}
fgetpos(fp, &sdb.init_pos);
continue;
}
-
+
saved_sum = sdb.buf;
saved_sum = sdb.buf;
@@
-355,10
+362,10
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
if(saved_sum[-2] == '!')
{
p++;
if(saved_sum[-2] == '!')
{
p++;
- if(saved_sum[-1] == '!')
+ if(saved_sum[-1] == '!')
p++;
else if(saved_sum[-1] == '?')
p++;
else if(saved_sum[-1] == '?')
- p+=2;
+ p+=2;
}
}
}
}
@@
-418,7
+425,7
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
"File '%.756s' was deleted. Unable to retrieve "
"checksum.", f_name);
}
"File '%.756s' was deleted. Unable to retrieve "
"checksum.", f_name);
}
-
+
/* If file was re-added, do not compare changes */
else if(saved_sum[0] == '-' && saved_sum[1] == '1')
{
/* If file was re-added, do not compare changes */
else if(saved_sum[0] == '-' && saved_sum[1] == '1')
{
@@
-427,10
+434,10
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
"File '%.756s' was re-added.", f_name);
}
"File '%.756s' was re-added.", f_name);
}
- else
+ else
{
int oldperm = 0, newperm = 0;
{
int oldperm = 0, newperm = 0;
-
+
/* Providing more info about the file change */
char *oldsize = NULL, *newsize = NULL;
char *olduid = NULL, *newuid = NULL;
/* Providing more info about the file change */
char *oldsize = NULL, *newsize = NULL;
char *olduid = NULL, *newuid = NULL;
@@
-544,16
+551,16
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
"to '%c%c%c%c%c%c%c%c%c'\n",
(oldperm & S_IRUSR)? 'r' : '-',
(oldperm & S_IWUSR)? 'w' : '-',
"to '%c%c%c%c%c%c%c%c%c'\n",
(oldperm & S_IRUSR)? 'r' : '-',
(oldperm & S_IWUSR)? 'w' : '-',
-
+
(oldperm & S_ISUID)? 's' :
(oldperm & S_IXUSR)? 'x' : '-',
(oldperm & S_ISUID)? 's' :
(oldperm & S_IXUSR)? 'x' : '-',
-
+
(oldperm & S_IRGRP)? 'r' : '-',
(oldperm & S_IWGRP)? 'w' : '-',
(oldperm & S_ISGID)? 's' :
(oldperm & S_IXGRP)? 'x' : '-',
(oldperm & S_IRGRP)? 'r' : '-',
(oldperm & S_IWGRP)? 'w' : '-',
(oldperm & S_ISGID)? 's' :
(oldperm & S_IXGRP)? 'x' : '-',
-
+
(oldperm & S_IROTH)? 'r' : '-',
(oldperm & S_IWOTH)? 'w' : '-',
(oldperm & S_IROTH)? 'r' : '-',
(oldperm & S_IWOTH)? 'w' : '-',
@@
-568,10
+575,10
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
(newperm & S_ISUID)? 's' :
(newperm & S_IXUSR)? 'x' : '-',
(newperm & S_ISUID)? 's' :
(newperm & S_IXUSR)? 'x' : '-',
-
+
(newperm & S_IRGRP)? 'r' : '-',
(newperm & S_IWGRP)? 'w' : '-',
(newperm & S_IRGRP)? 'r' : '-',
(newperm & S_IWGRP)? 'w' : '-',
-
+
(newperm & S_ISGID)? 's' :
(newperm & S_IXGRP)? 'x' : '-',
(newperm & S_ISGID)? 's' :
(newperm & S_IXGRP)? 'x' : '-',
@@
-603,7
+610,7
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
os_strdup(olduid, lf->owner_before);
os_strdup(newuid, lf->owner_after);
#endif
os_strdup(olduid, lf->owner_before);
os_strdup(newuid, lf->owner_after);
#endif
- }
+ }
/* group ownership message */
if(!newgid || !oldgid || strcmp(newgid, oldgid) == 0)
/* group ownership message */
if(!newgid || !oldgid || strcmp(newgid, oldgid) == 0)
@@
-657,7
+664,7
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
#endif
#endif
- /* Provide information about the file */
+ /* Provide information about the file */
snprintf(sdb.comment, OS_MAXSTR, "Integrity checksum changed for: "
"'%.756s'\n"
"%s"
snprintf(sdb.comment, OS_MAXSTR, "Integrity checksum changed for: "
"'%.756s'\n"
"%s"
@@
-667,7
+674,7
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
"%s"
"%s"
"%s%s",
"%s"
"%s"
"%s%s",
- f_name,
+ f_name,
sdb.size,
sdb.perm,
sdb.owner,
sdb.size,
sdb.perm,
sdb.owner,
@@
-686,21
+693,22
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
lf->log = lf->full_log;
lf->data = NULL;
lf->log = lf->full_log;
lf->data = NULL;
-
+
/* Setting decoder */
lf->decoder_info = sdb.syscheck_dec;
/* Setting decoder */
lf->decoder_info = sdb.syscheck_dec;
-
- return(1);
+
+ return(1);
} /* continuiing... */
/* If we reach here, this file is not present on our database */
fseek(fp, 0, SEEK_END);
} /* continuiing... */
/* If we reach here, this file is not present on our database */
fseek(fp, 0, SEEK_END);
-
+
fprintf(fp,"+++%s !%d %s\n", c_sum, lf->time, f_name);
fprintf(fp,"+++%s !%d %s\n", c_sum, lf->time, f_name);
+ fflush(fp);
/* Alert if configured to notify on new files */
if((Config.syscheck_alert_new == 1) && (DB_IsCompleted(agent_id)))
/* Alert if configured to notify on new files */
if((Config.syscheck_alert_new == 1) && (DB_IsCompleted(agent_id)))
@@
-711,7
+719,7
@@
int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
snprintf(sdb.comment, OS_MAXSTR,
"New file '%.756s' "
"added to the file system.", f_name);
snprintf(sdb.comment, OS_MAXSTR,
"New file '%.756s' "
"added to the file system.", f_name);
-
+
/* Creating a new log message */
free(lf->full_log);
/* Creating a new log message */
free(lf->full_log);
@@
-739,10
+747,10
@@
int DecodeSyscheck(Eventinfo *lf)
{
char *c_sum;
char *f_name;
{
char *c_sum;
char *f_name;
-
-
+
+
/* Every syscheck message must be in the following format:
/* Every syscheck message must be in the following format:
- * checksum filename
+ * checksum filename
*/
f_name = strchr(lf->log, ' ');
if(f_name == NULL)
*/
f_name = strchr(lf->log, ' ');
if(f_name == NULL)
@@
-755,7
+763,7
@@
int DecodeSyscheck(Eventinfo *lf)
DB_SetCompleted(lf);
return(0);
}
DB_SetCompleted(lf);
return(0);
}
-
+
merror(SK_INV_MSG, ARGV0);
return(0);
}
merror(SK_INV_MSG, ARGV0);
return(0);
}
@@
-777,14
+785,14
@@
int DecodeSyscheck(Eventinfo *lf)
{
lf->data = NULL;
}
{
lf->data = NULL;
}
-
-
+
+
/* Checking if file is supposed to be ignored */
if(Config.syscheck_ignore)
{
char **ff_ig = Config.syscheck_ignore;
/* Checking if file is supposed to be ignored */
if(Config.syscheck_ignore)
{
char **ff_ig = Config.syscheck_ignore;
-
+
while(*ff_ig)
{
if(strncasecmp(*ff_ig, f_name, strlen(*ff_ig)) == 0)
while(*ff_ig)
{
if(strncasecmp(*ff_ig, f_name, strlen(*ff_ig)) == 0)
@@
-792,16
+800,16
@@
int DecodeSyscheck(Eventinfo *lf)
lf->data = NULL;
return(0);
}
lf->data = NULL;
return(0);
}
-
+
ff_ig++;
}
}
ff_ig++;
}
}
-
-
+
+
/* Checksum is at the beginning of the log */
c_sum = lf->log;
/* Checksum is at the beginning of the log */
c_sum = lf->log;
-
-
+
+
/* Searching for file changes */
return(DB_Search(f_name, c_sum, lf));
}
/* Searching for file changes */
return(DB_Search(f_name, c_sum, lf));
}
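Review bot: The new loop guards in DB_SetCompleted and DB_File (`while(sdb.agent_ips[i] != NULL && i < MAX_AGENTS)`) evaluate `sdb.agent_ips[i]` before `i < MAX_AGENTS`, so when every slot is populated the loop reads `agent_ips[MAX_AGENTS]` before the bound stops it; the operands should be swapped, `while(i < MAX_AGENTS && sdb.agent_ips[i] != NULL)`, in both functions. Whether that extra read is in bounds depends on the array's declared size, which is outside this diff — SyscheckInit's `for(;i <= MAX_AGENTS;i++)` writes the same index, so the array may be MAX_AGENTS+1 wide, but the reordered test is correct either way. DB_File follows its loop with an `if (i == MAX_AGENTS)` bail-out, while the visible part of DB_SetCompleted has no such check before `__setcompleted(lf->location)`; if that loop can exit on the bound, the completion marker would be written for an agent that was never matched, which is worth confirming in the lines between the two DB_SetCompleted hunks. The bodies of both functions extend outside the hunks.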