1 /* @(#) $Id: ./src/analysisd/decoders/rootcheck.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
14 /* Rootcheck decoder */
18 #include "os_regex/os_regex.h"
19 #include "eventinfo.h"
20 #include "alerts/alerts.h"
24 #define ROOTCHECK_DIR "/queue/rootcheck"
27 /** Global variables **/
28 char *rk_agent_ips[MAX_AGENTS];
29 FILE *rk_agent_fps[MAX_AGENTS];
33 /* Rootcheck decoder */
34 OSDecoderInfo *rootcheck_dec = NULL;
38 * Initialize the necessary information to process the syscheck information
46 for(;i<MAX_AGENTS;i++)
48 rk_agent_ips[i] = NULL;
49 rk_agent_fps[i] = NULL;
54 os_calloc(1, sizeof(OSDecoderInfo), rootcheck_dec);
55 rootcheck_dec->id = getDecoderfromlist(ROOTCHECK_MOD);
56 rootcheck_dec->type = OSSEC_RL;
57 rootcheck_dec->name = ROOTCHECK_MOD;
58 rootcheck_dec->fts = 0;
60 debug1("%s: RootcheckInit completed.", ARGV0);
67 * Return the file pointer to be used
69 FILE *RK_File(char *agent, int *agent_id)
72 char rk_buf[OS_SIZE_1024 +1];
74 while(rk_agent_ips[i] != NULL)
76 if(strcmp(rk_agent_ips[i],agent) == 0)
78 /* pointing to the beginning of the file */
79 fseek(rk_agent_fps[i],0, SEEK_SET);
81 return(rk_agent_fps[i]);
87 /* If here, our agent wasn't found */
88 rk_agent_ips[i] = strdup(agent);
90 if(rk_agent_ips[i] != NULL)
92 snprintf(rk_buf,OS_SIZE_1024, "%s/%s", ROOTCHECK_DIR,agent);
94 /* r+ to read and write. Do not truncate */
95 rk_agent_fps[i] = fopen(rk_buf,"r+");
98 /* try opening with a w flag, file probably does not exist */
99 rk_agent_fps[i] = fopen(rk_buf, "w");
102 fclose(rk_agent_fps[i]);
103 rk_agent_fps[i] = fopen(rk_buf, "r+");
108 merror(FOPEN_ERROR, ARGV0, rk_buf);
110 free(rk_agent_ips[i]);
111 rk_agent_ips[i] = NULL;
116 /* Returning the opened pointer (the beginning of it) */
117 fseek(rk_agent_fps[i],0, SEEK_SET);
119 return(rk_agent_fps[i]);
124 merror(MEM_ERROR,ARGV0);
132 /* Special decoder for rootcheck
133 * Not using the default rendering tools for simplicity
134 * and to be less resource intensive
136 int DecodeRootcheck(Eventinfo *lf)
141 char rk_buf[OS_SIZE_2048 +1];
149 rk_buf[OS_SIZE_2048] = '\0';
151 fp = RK_File(lf->location, &agent_id);
155 merror("%s: Error handling rootcheck database.",ARGV0);
156 rk_err++; /* Increment rk error */
161 /* Getting initial position */
162 if(fgetpos(fp, &fp_pos) == -1)
164 merror("%s: Error handling rootcheck database (fgetpos).",ARGV0);
169 /* Reads the file and search for a possible
172 while(fgets(rk_buf, OS_SIZE_2048 -1, fp) != NULL)
174 /* Ignore blank lines and lines with a comment */
175 if(rk_buf[0] == '\n' || rk_buf[0] == '#')
177 if(fgetpos(fp, &fp_pos) == -1)
179 merror("%s: Error handling rootcheck database "
180 "(fgetpos2).",ARGV0);
186 /* Removing new line */
187 tmpstr = strchr(rk_buf, '\n');
194 /* Old format without the time stampts */
197 /* Cannot use strncmp to avoid errors with crafted files */
198 if(strcmp(lf->log, rk_buf) == 0)
200 rootcheck_dec->fts = 0;
201 lf->decoder_info = rootcheck_dec;
208 /* Going past time: !1183431603!1183431603 (last, first saw) */
209 tmpstr = rk_buf + 23;
211 /* Matches, we need to upgrade last time saw */
212 if(strcmp(lf->log, tmpstr) == 0)
214 fsetpos(fp, &fp_pos);
215 fprintf(fp, "!%d", lf->time);
216 rootcheck_dec->fts = 0;
217 lf->decoder_info = rootcheck_dec;
222 /* Getting current position */
223 if(fgetpos(fp, &fp_pos) == -1)
225 merror("%s: Error handling rootcheck database (fgetpos3).",ARGV0);
231 /* Adding the new entry at the end of the file */
232 fseek(fp, 0, SEEK_END);
233 fprintf(fp,"!%d!%d %s\n",lf->time, lf->time, lf->log);
236 rootcheck_dec->fts = 0;
237 rootcheck_dec->fts |= FTS_DONE;
238 lf->decoder_info = rootcheck_dec;
projects / ossec-hids.git / blob