-/* @(#) $Id: syscheck.c,v 1.53 2009/11/04 18:45:38 dcid Exp $ */
+/* @(#) $Id: ./src/analysisd/decoders/syscheck.c, 2012/02/07 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
int id3;
int idn;
int idd;
-
+
/* Syscheck rule */
OSDecoderInfo *syscheck_dec;
/* File search variables */
fpos_t init_pos;
-
+
}_sdb; /* syscheck db information */
int i = 0;
sdb.db_err = 0;
-
+
for(;i <= MAX_AGENTS;i++)
{
sdb.agent_ips[i] = NULL;
/* Clearing db memory */
memset(sdb.buf, '\0', OS_MAXSTR +1);
memset(sdb.comment, '\0', OS_MAXSTR +1);
-
+
memset(sdb.size, '\0', OS_FLSIZE +1);
memset(sdb.perm, '\0', OS_FLSIZE +1);
memset(sdb.owner, '\0', OS_FLSIZE +1);
sdb.syscheck_dec->name = SYSCHECK_MOD;
sdb.syscheck_dec->type = OSSEC_RL;
sdb.syscheck_dec->fts = 0;
-
+
sdb.id1 = getDecoderfromlist(SYSCHECK_MOD);
sdb.id2 = getDecoderfromlist(SYSCHECK_MOD2);
sdb.id3 = getDecoderfromlist(SYSCHECK_MOD3);
sdb.idn = getDecoderfromlist(SYSCHECK_NEW);
sdb.idd = getDecoderfromlist(SYSCHECK_DEL);
-
+
debug1("%s: SyscheckInit completed.", ARGV0);
return;
}
void __setcompleted(char *agent)
{
FILE *fp;
-
+
/* Getting agent file */
snprintf(sdb.buf, OS_FLSIZE , "%s/.%s.cpt", SYSCHECK_DIR, agent);
int i = 0;
/* Finding file pointer */
- while(sdb.agent_ips[i] != NULL)
+ while(sdb.agent_ips[i] != NULL && i < MAX_AGENTS)
{
if(strcmp(sdb.agent_ips[i], lf->location) == 0)
{
{
return;
}
-
+
__setcompleted(lf->location);
int i = 0;
/* Finding file pointer */
- while(sdb.agent_ips[i] != NULL)
+ while(sdb.agent_ips[i] != NULL && i < MAX_AGENTS)
{
if(strcmp(sdb.agent_ips[i], agent) == 0)
{
*agent_id = i;
return(sdb.agent_fps[i]);
}
-
- i++;
+
+ i++;
}
/* If here, our agent wasn't found */
+ if (i == MAX_AGENTS)
+ {
+ merror("%s: Unable to open integrity file. Increase MAX_AGENTS.",ARGV0);
+ return(NULL);
+ }
+
os_strdup(agent, sdb.agent_ips[i]);
/* Getting agent file */
snprintf(sdb.buf, OS_FLSIZE , "%s/%s", SYSCHECK_DIR,agent);
-
-
+
+
/* r+ to read and write. Do not truncate */
sdb.agent_fps[i] = fopen(sdb.buf,"r+");
if(!sdb.agent_fps[i])
sdb.agent_fps[i] = fopen(sdb.buf, "r+");
}
}
-
- /* Checking again */
+
+ /* Checking again */
if(!sdb.agent_fps[i])
{
merror("%s: Unable to open '%s'",ARGV0, sdb.buf);
/* Returning the opened pointer (the beginning of it) */
fseek(sdb.agent_fps[i],0, SEEK_SET);
*agent_id = i;
-
-
+
+
/* Getting if the agent was completed */
if(__iscompleted(agent))
{
- sdb.agent_cp[i][0] = '1';
+ sdb.agent_cp[i][0] = '1';
}
return(sdb.agent_fps[i]);
int p = 0;
int sn_size;
int agent_id;
-
+
char *saved_sum;
char *saved_name;
-
+
FILE *fp;
{
merror("%s: Error handling integrity database.",ARGV0);
sdb.db_err++; /* Increment db error */
+ lf->data = NULL;
return(0);
}
merror("%s: Error handling integrity database (fgetpos).",ARGV0);
return(0);
}
-
-
+
+
/* Looping the file */
while(fgets(sdb.buf, OS_MAXSTR, fp) != NULL)
{
}
- /* Getting name */
+ /* Getting name */
saved_name = strchr(sdb.buf, ' ');
if(saved_name == NULL)
{
}
*saved_name = '\0';
saved_name++;
-
-
+
+
/* New format - with a timestamp */
if(*saved_name == '!')
{
fgetpos(fp, &sdb.init_pos);
continue;
}
-
+
saved_sum = sdb.buf;
/* checksum match, we can just return and keep going */
if(strcmp(saved_sum, c_sum) == 0)
+ {
+ lf->data = NULL;
return(0);
+ }
/* If we reached here, the checksum of the file has changed */
if(saved_sum[-2] == '!')
{
p++;
- if(saved_sum[-1] == '!')
+ if(saved_sum[-1] == '!')
p++;
else if(saved_sum[-1] == '?')
- p+=2;
+ p+=2;
}
}
break;
default:
+ lf->data = NULL;
return(0);
break;
}
"File '%.756s' was deleted. Unable to retrieve "
"checksum.", f_name);
}
-
+
/* If file was re-added, do not compare changes */
else if(saved_sum[0] == '-' && saved_sum[1] == '1')
{
"File '%.756s' was re-added.", f_name);
}
- else
+ else
{
int oldperm = 0, newperm = 0;
-
+
/* Providing more info about the file change */
char *oldsize = NULL, *newsize = NULL;
char *olduid = NULL, *newuid = NULL;
snprintf(sdb.size, OS_FLSIZE,
"Size changed from '%s' to '%s'\n",
oldsize, newsize);
+
+ #ifdef PRELUDE
+ os_strdup(oldsize, lf->size_before);
+ os_strdup(newsize, lf->size_after);
+ #endif
}
/* Permission message */
}
else if(oldperm > 0 && newperm > 0)
{
+
snprintf(sdb.perm, OS_FLSIZE, "Permissions changed from "
"'%c%c%c%c%c%c%c%c%c' "
"to '%c%c%c%c%c%c%c%c%c'\n",
(oldperm & S_IRUSR)? 'r' : '-',
(oldperm & S_IWUSR)? 'w' : '-',
-
+
(oldperm & S_ISUID)? 's' :
(oldperm & S_IXUSR)? 'x' : '-',
-
+
(oldperm & S_IRGRP)? 'r' : '-',
(oldperm & S_IWGRP)? 'w' : '-',
(oldperm & S_ISGID)? 's' :
(oldperm & S_IXGRP)? 'x' : '-',
-
+
(oldperm & S_IROTH)? 'r' : '-',
(oldperm & S_IWOTH)? 'w' : '-',
(newperm & S_ISUID)? 's' :
(newperm & S_IXUSR)? 'x' : '-',
-
+
(newperm & S_IRGRP)? 'r' : '-',
(newperm & S_IWGRP)? 'w' : '-',
-
+
(newperm & S_ISGID)? 's' :
(newperm & S_IXGRP)? 'x' : '-',
(newperm & S_ISVTX)? 't' :
(newperm & S_IXOTH)? 'x' : '-');
+
+ #ifdef PRELUDE
+ lf->perm_before = oldperm;
+ lf->perm_after = newperm;
+ #endif
}
/* Ownership message */
snprintf(sdb.owner, OS_FLSIZE, "Ownership was '%s', "
"now it is '%s'\n",
olduid, newuid);
- }
+
+
+ #ifdef PRELUDE
+ os_strdup(olduid, lf->owner_before);
+ os_strdup(newuid, lf->owner_after);
+ #endif
+ }
/* group ownership message */
if(!newgid || !oldgid || strcmp(newgid, oldgid) == 0)
snprintf(sdb.gowner, OS_FLSIZE,"Group ownership was '%s', "
"now it is '%s'\n",
oldgid, newgid);
+ #ifdef PRELUDE
+ os_strdup(oldgid, lf->gowner_before);
+ os_strdup(newgid, lf->gowner_after);
+ #endif
}
/* md5 message */
snprintf(sdb.md5, OS_FLSIZE, "Old md5sum was: '%s'\n"
"New md5sum is : '%s'\n",
oldmd5, newmd5);
+ #ifdef PRELUDE
+ os_strdup(oldmd5, lf->md5_before);
+ os_strdup(newmd5, lf->md5_after);
+ #endif
}
/* sha1 */
snprintf(sdb.sha1, OS_FLSIZE, "Old sha1sum was: '%s'\n"
"New sha1sum is : '%s'\n",
oldsha1, newsha1);
+ #ifdef PRELUDE
+ os_strdup(oldsha1, lf->sha1_before);
+ os_strdup(newsha1, lf->sha1_after);
+ #endif
}
+ #ifdef PRELUDE
+ os_strdup(f_name, lf->filename);
+ #endif
- /* Provide information about the file */
- snprintf(sdb.comment, 512, "Integrity checksum changed for: "
+ /* Provide information about the file */
+ snprintf(sdb.comment, OS_MAXSTR, "Integrity checksum changed for: "
"'%.756s'\n"
"%s"
"%s"
"%s"
"%s"
"%s"
- "%s",
- f_name,
+ "%s"
+ "%s%s",
+ f_name,
sdb.size,
sdb.perm,
sdb.owner,
sdb.gowner,
sdb.md5,
- sdb.sha1);
+ sdb.sha1,
+ lf->data == NULL?"":"What changed:\n",
+ lf->data == NULL?"":lf->data
+ );
}
free(lf->full_log);
os_strdup(sdb.comment, lf->full_log);
lf->log = lf->full_log;
+ lf->data = NULL;
+
-
/* Setting decoder */
lf->decoder_info = sdb.syscheck_dec;
-
- return(1);
+
+ return(1);
} /* continuiing... */
/* If we reach here, this file is not present on our database */
fseek(fp, 0, SEEK_END);
-
+
fprintf(fp,"+++%s !%d %s\n", c_sum, lf->time, f_name);
+ fflush(fp);
/* Alert if configured to notify on new files */
if((Config.syscheck_alert_new == 1) && (DB_IsCompleted(agent_id)))
snprintf(sdb.comment, OS_MAXSTR,
"New file '%.756s' "
"added to the file system.", f_name);
-
+
/* Creating a new log message */
free(lf->full_log);
/* Setting decoder */
lf->decoder_info = sdb.syscheck_dec;
+ lf->data = NULL;
return(1);
}
+ lf->data = NULL;
return(0);
}
{
char *c_sum;
char *f_name;
-
-
+
+
/* Every syscheck message must be in the following format:
- * checksum filename
+ * checksum filename
*/
f_name = strchr(lf->log, ' ');
if(f_name == NULL)
DB_SetCompleted(lf);
return(0);
}
-
+
merror(SK_INV_MSG, ARGV0);
return(0);
}
-
-
+
+
/* Zeroing to get the check sum */
*f_name = '\0';
f_name++;
+ /* Getting diff. */
+ lf->data = strchr(f_name, '\n');
+ if(lf->data)
+ {
+ *lf->data = '\0';
+ lf->data++;
+ }
+ else
+ {
+ lf->data = NULL;
+ }
+
+
+
/* Checking if file is supposed to be ignored */
if(Config.syscheck_ignore)
{
char **ff_ig = Config.syscheck_ignore;
-
+
while(*ff_ig)
{
if(strncasecmp(*ff_ig, f_name, strlen(*ff_ig)) == 0)
{
+ lf->data = NULL;
return(0);
}
-
+
ff_ig++;
}
}
-
-
+
+
/* Checksum is at the beginning of the log */
c_sum = lf->log;
-
-
+
+
/* Searching for file changes */
return(DB_Search(f_name, c_sum, lf));
}
projects / ossec-hids.git / blobdiff