X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=src%2Fanalysisd%2Fdecoders%2Frootcheck.c;h=1c303232896d2f95456aa4d1543d15c32861129a;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=b72a6774718e02fe6a7c85f9b7f5f6400ec75f3c;hpb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;p=ossec-hids.git
diff --git a/src/analysisd/decoders/rootcheck.c b/src/analysisd/decoders/rootcheck.c
old mode 100755
new mode 100644
index b72a677..1c30323
--- a/src/analysisd/decoders/rootcheck.c
+++ b/src/analysisd/decoders/rootcheck.c
@@ -1,6 +1,3 @@
-/* @(#) $Id: ./src/analysisd/decoders/rootcheck.c, 2011/09/08 dcid Exp $
- */
-
 /* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
 *
@@ -10,47 +7,38 @@
 * Foundation
 */
-
 /* Rootcheck decoder */
-
 #include "config.h"
 #include "os_regex/os_regex.h"
 #include "eventinfo.h"
 #include "alerts/alerts.h"
 #include "decoder.h"
-
 #define ROOTCHECK_DIR "/queue/rootcheck"
-
-/** Global variables **/
-char *rk_agent_ips[MAX_AGENTS];
-FILE *rk_agent_fps[MAX_AGENTS];
-
-int rk_err;
+/* Local variables */
+static char *rk_agent_ips[MAX_AGENTS];
+static FILE *rk_agent_fps[MAX_AGENTS];
+static int rk_err;
 /* Rootcheck decoder */
-OSDecoderInfo *rootcheck_dec = NULL;
+static OSDecoderInfo *rootcheck_dec = NULL;
-/* SyscheckInit
- * Initialize the necessary information to process the syscheck information
- */
+/* Initialize the necessary information to process the rootcheck information */
 void RootcheckInit()
 {
 int i = 0;
 rk_err = 0;
- for(;iid = getDecoderfromlist(ROOTCHECK_MOD);
 rootcheck_dec->type = OSSEC_RL;
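Review bot: `static int rk_err;` is now file-local, but within the visible hunks it is only written — `rk_err = 0;` here and `rk_err++` in DecodeRootcheck's fp-NULL branch — and never read, so unless code outside these hunks consults it the counter is dead state that could be dropped together with its increment. The remainder of RootcheckInit's body is garbled in this rendering (the for-loop text is cut), so I cannot confirm whether the loop that follows uses it; treat this as a question rather than a finding. If it is kept on purpose as a statistic, a one-line comment such as `/* Number of events for which the rootcheck database could not be opened */` at the declaration would say so.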
@@ -62,23 +50,18 @@ void RootcheckInit()
 return;
 }
-
-/* RK_File
- * Return the file pointer to be used
- */
-FILE *RK_File(char *agent, int *agent_id)
+/* Return the file pointer to be used */
+static FILE *RK_File(const char *agent, int *agent_id)
 {
 int i = 0;
- char rk_buf[OS_SIZE_1024 +1];
-
- while(rk_agent_ips[i] != NULL)
- {
- if(strcmp(rk_agent_ips[i],agent) == 0)
- {
- /* pointing to the beginning of the file */
- fseek(rk_agent_fps[i],0, SEEK_SET);
+ char rk_buf[OS_SIZE_1024 + 1];
+
+ while (rk_agent_ips[i] != NULL) {
+ if (strcmp(rk_agent_ips[i], agent) == 0) {
+ /* Pointing to the beginning of the file */
+ fseek(rk_agent_fps[i], 0, SEEK_SET);
 *agent_id = i;
- return(rk_agent_fps[i]);
+ return (rk_agent_fps[i]);
 }
 i++;
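Review bot: The lookup loop `while (rk_agent_ips[i] != NULL) {` has no upper bound even though rk_agent_ips and rk_agent_fps are declared with MAX_AGENTS entries; once every slot is occupied the loop reads rk_agent_ips[MAX_AGENTS], and the fall-through in the next hunk (`rk_agent_ips[i] = strdup(agent);`) then writes one past both arrays. Making the function static and its agent parameter const does not change this. Bound the scan with `while (i < MAX_AGENTS && rk_agent_ips[i] != NULL) {` and, right after the loop, report via merror and `return (NULL);` when `i == MAX_AGENTS`, before the strdup. RK_File's body continues past this hunk.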
@@ -87,48 +70,42 @@ FILE *RK_File(char *agent, int *agent_id)
 /* If here, our agent wasn't found */
 rk_agent_ips[i] = strdup(agent);
- if(rk_agent_ips[i] != NULL)
- {
- snprintf(rk_buf,OS_SIZE_1024, "%s/%s", ROOTCHECK_DIR,agent);
+ if (rk_agent_ips[i] != NULL) {
+ snprintf(rk_buf, OS_SIZE_1024, "%s/%s", ROOTCHECK_DIR, agent);
 /* r+ to read and write. Do not truncate */
- rk_agent_fps[i] = fopen(rk_buf,"r+");
- if(!rk_agent_fps[i])
- {
- /* try opening with a w flag, file probably does not exist */
+ rk_agent_fps[i] = fopen(rk_buf, "r+");
+ if (!rk_agent_fps[i]) {
+ /* Try opening with a w flag, file probably does not exist */
 rk_agent_fps[i] = fopen(rk_buf, "w");
- if(rk_agent_fps[i])
- {
+ if (rk_agent_fps[i]) {
 fclose(rk_agent_fps[i]);
 rk_agent_fps[i] = fopen(rk_buf, "r+");
 }
 }
- if(!rk_agent_fps[i])
- {
- merror(FOPEN_ERROR, ARGV0, rk_buf);
+ if (!rk_agent_fps[i]) {
+ merror(FOPEN_ERROR, ARGV0, rk_buf, errno, strerror(errno));
 free(rk_agent_ips[i]);
 rk_agent_ips[i] = NULL;
- return(NULL);
+ return (NULL);
 }
- /* Returning the opened pointer (the beginning of it) */
- fseek(rk_agent_fps[i],0, SEEK_SET);
+ /* Return the opened pointer (the beginning of it) */
+ fseek(rk_agent_fps[i], 0, SEEK_SET);
 *agent_id = i;
- return(rk_agent_fps[i]);
+ return (rk_agent_fps[i]);
 }
- else
- {
- merror(MEM_ERROR,ARGV0);
- return(NULL);
+ else {
+ merror(MEM_ERROR, ARGV0, errno, strerror(errno));
+ return (NULL);
 }
- return(NULL);
+ return (NULL);
 }
-
 /* Special decoder for rootcheck
 * Not using the default rendering tools for simplicity
 * and to be less resource intensive
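Review bot: The path built by `snprintf(rk_buf, OS_SIZE_1024, "%s/%s", ROOTCHECK_DIR, agent);` is never checked for truncation, so an agent location longer than the buffer is silently cut and the code goes on to open — and, through the "w" fallback, create — a database file under a name other than the one intended. Capture the return value and bail out when it is negative or not less than OS_SIZE_1024, freeing rk_agent_ips[i] and resetting it to NULL exactly as the fopen-failure branch below already does. The newly added errno/strerror arguments are read immediately after the failing call with nothing in between, which is correct; the two unchecked fseek calls are pre-existing. RK_File begins in the previous hunk.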
@@ -138,106 +115,93 @@ int DecodeRootcheck(Eventinfo *lf)
 int agent_id;
 char *tmpstr;
- char rk_buf[OS_SIZE_2048 +1];
+ char rk_buf[OS_SIZE_2048 + 1];
 FILE *fp;
 fpos_t fp_pos;
- /* Zeroing rk_buf */
+ /* Zero rk_buf */
 rk_buf[0] = '\0';
 rk_buf[OS_SIZE_2048] = '\0';
 fp = RK_File(lf->location, &agent_id);
- if(!fp)
- {
- merror("%s: Error handling rootcheck database.",ARGV0);
- rk_err++; /* Increment rk error */
+ if (!fp) {
+ merror("%s: Error handling rootcheck database.", ARGV0);
+ rk_err++;
- return(0);
+ return (0);
 }
- /* Getting initial position */
- if(fgetpos(fp, &fp_pos) == -1)
- {
- merror("%s: Error handling rootcheck database (fgetpos).",ARGV0);
- return(0);
+ /* Get initial position */
+ if (fgetpos(fp, &fp_pos) == -1) {
+ merror("%s: Error handling rootcheck database (fgetpos).", ARGV0);
+ return (0);
 }
- /* Reads the file and search for a possible
- * entry
- */
- while(fgets(rk_buf, OS_SIZE_2048 -1, fp) != NULL)
- {
+ /* Reads the file and search for a possible entry */
+ while (fgets(rk_buf, OS_SIZE_2048 - 1, fp) != NULL) {
 /* Ignore blank lines and lines with a comment */
- if(rk_buf[0] == '\n' || rk_buf[0] == '#')
- {
- if(fgetpos(fp, &fp_pos) == -1)
- {
+ if (rk_buf[0] == '\n' || rk_buf[0] == '#') {
+ if (fgetpos(fp, &fp_pos) == -1) {
 merror("%s: Error handling rootcheck database "
- "(fgetpos2).",ARGV0);
- return(0);
+ "(fgetpos2).", ARGV0);
+ return (0);
 }
 continue;
 }
- /* Removing new line */
+ /* Remove newline */
 tmpstr = strchr(rk_buf, '\n');
- if(tmpstr)
- {
+ if (tmpstr) {
 *tmpstr = '\0';
 }
-
- /* Old format without the time stampts */
- if(rk_buf[0] != '!')
- {
+ /* Old format without the time stamps */
+ if (rk_buf[0] != '!') {
 /* Cannot use strncmp to avoid errors with crafted files */
- if(strcmp(lf->log, rk_buf) == 0)
- {
+ if (strcmp(lf->log, rk_buf) == 0) {
 rootcheck_dec->fts = 0;
 lf->decoder_info = rootcheck_dec;
- return(1);
+ return (1);
 }
 }
 /* New format */
- else
- {
- /* Going past time: !1183431603!1183431603 (last, first saw) */
+ else {
+ /* Going past time: !1183431603!1183431603 (last, first seen) */
 tmpstr = rk_buf + 23;
 /* Matches, we need to upgrade last time saw */
- if(strcmp(lf->log, tmpstr) == 0)
- {
- fsetpos(fp, &fp_pos);
- fprintf(fp, "!%d", lf->time);
+ if (strcmp(lf->log, tmpstr) == 0) {
+ if(fsetpos(fp, &fp_pos)) {
+ merror("%s: Error handling rootcheck database "
+ "(fsetpos).", ARGV0);
+ return (0);
+ }
+ fprintf(fp, "!%ld", (long int)lf->time);
 rootcheck_dec->fts = 0;
 lf->decoder_info = rootcheck_dec;
- return(1);
+ return (1);
 }
 }
- /* Getting current position */
- if(fgetpos(fp, &fp_pos) == -1)
- {
- merror("%s: Error handling rootcheck database (fgetpos3).",ARGV0);
- return(0);
+ /* Get current position */
+ if (fgetpos(fp, &fp_pos) == -1) {
+ merror("%s: Error handling rootcheck database (fgetpos3).", ARGV0);
+ return (0);
 }
 }
-
- /* Adding the new entry at the end of the file */
+ /* Add the new entry at the end of the file */
 fseek(fp, 0, SEEK_END);
- fprintf(fp,"!%d!%d %s\n",lf->time, lf->time, lf->log);
+ fprintf(fp, "!%ld!%ld %s\n", (long int)lf->time, (long int)lf->time, lf->log);
 fflush(fp);
 rootcheck_dec->fts = 0;
 rootcheck_dec->fts |= FTS_DONE;
 lf->decoder_info = rootcheck_dec;
- return(1);
+ return (1);
 }
-
-/* EOF */
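Review bot: In the new-format branch, `tmpstr = rk_buf + 23;` is taken for every line that begins with `!` without checking that the line is at least that long, so a short or malformed entry — the comment on the old-format branch already anticipates crafted database files — makes strcmp compare lf->log against stale or uninitialized bytes past the terminator (still inside the buffer, since rk_buf[OS_SIZE_2048] is kept at '\0', but not the entry's text). Changing `else {` to `else if (strlen(rk_buf) > 23) {` skips such lines while still reaching the fgetpos update at the end of the loop body, which a `continue` would bypass. Separately, the added `if(fsetpos(fp, &fp_pos)) {` is the only condition in this commit without a space after `if`. DecodeRootcheck's signature and opening brace lie before this hunk.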