X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fanalysisd%2Fdecoders%2Fsyscheck.c;fp=src%2Fanalysisd%2Fdecoders%2Fsyscheck.c;h=840ed9df96716b085ff5b9988c72225b352c6d22;hp=b8c4a89c45fa461e93dc316f94a204352c2fe126;hb=a62b46c229549212d536867b7e5e24d7576ebe8b;hpb=d623b82886b9b5fbba3fa27c3bfac51f3f8af108
diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c
index b8c4a89..840ed9d 100755
--- a/src/analysisd/decoders/syscheck.c
+++ b/src/analysisd/decoders/syscheck.c
@@ -1,11 +1,11 @@
-/* @(#) $Id: syscheck.c,v 1.53 2009/11/04 18:45:38 dcid Exp $ */
+/* @(#) $Id$ */
 /* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
 * Foundation
 */
@@ -265,6 +265,7 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
 {
 merror("%s: Error handling integrity database.",ARGV0);
 sdb.db_err++; /* Increment db error */
+ lf->data = NULL;
 return(0);
 }
@@ -341,7 +342,10 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
 /* checksum match, we can just return and keep going */
 if(strcmp(saved_sum, c_sum) == 0)
+ {
+ lf->data = NULL;
 return(0);
+ }
 /* If we reached here, the checksum of the file has changed */
@@ -381,6 +385,7 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
 break;
 default:
+ lf->data = NULL;
 return(0);
 break;
 }
@@ -519,6 +524,11 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
 snprintf(sdb.size, OS_FLSIZE, "Size changed from '%s' to '%s'\n", oldsize, newsize);
+
+ #ifdef PRELUDE
+ os_strdup(oldsize, lf->size_before);
+ os_strdup(newsize, lf->size_after);
+ #endif
 }
 /* Permission message */
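Review bot: The new `lf->data = NULL;` before `return(0);` is repeated by hand at every exit of DB_Search (this hunk and the hunks at -341, -381, -643 and -679), so any return path the commit did not touch leaves lf->data pointing into the middle of the event buffer it was carved from in DecodeSyscheck. Presumably the reset exists because the Eventinfo cleanup frees lf->data; if so, a missed path turns into a free of a non-heap pointer rather than a leak, and the invariant is hard to keep complete as the function grows. A single `out:` label that performs the reset before the one `return`, or clearing the field once in the caller after DB_Search returns, would make it hold by construction. The body of DB_Search starts and ends outside this hunk.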
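Review bot: `os_strdup(oldsize, lf->size_before)` allocates into a new Eventinfo field, but nothing in this hunk, or in the matching PRELUDE hunks at -581, -593, -605 and -617 (the latter also duplicating `f_name` into `lf->filename`), releases a previous value or says who frees it; unless the Eventinfo free routine, which is outside this diff, was extended for every `*_before`/`*_after` field and `filename` in the same commit, each changed file leaks these strings. A one-line ownership comment on the first of them would record the contract, e.g. `/* PRELUDE: heap copies, released together with the Eventinfo */`, adjusted to whatever the free routine actually does. The `lf->perm_before`/`lf->perm_after` assignments at -569 are plain integers and need no release. DB_Search continues outside this hunk.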
@@ -528,6 +538,7 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
 }
 else if(oldperm > 0 && newperm > 0)
 {
+
 snprintf(sdb.perm, OS_FLSIZE, "Permissions changed from " "'%c%c%c%c%c%c%c%c%c' " "to '%c%c%c%c%c%c%c%c%c'\n",
@@ -569,6 +580,11 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
 (newperm & S_ISVTX)? 't' : (newperm & S_IXOTH)? 'x' : '-');
+
+ #ifdef PRELUDE
+ lf->perm_before = oldperm;
+ lf->perm_after = newperm;
+ #endif
 }
 /* Ownership message */
@@ -581,6 +597,12 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
 snprintf(sdb.owner, OS_FLSIZE, "Ownership was '%s', " "now it is '%s'\n", olduid, newuid);
+
+
+ #ifdef PRELUDE
+ os_strdup(olduid, lf->owner_before);
+ os_strdup(newuid, lf->owner_after);
+ #endif
 }
 /* group ownership message */
@@ -593,6 +615,10 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
 snprintf(sdb.gowner, OS_FLSIZE,"Group ownership was '%s', " "now it is '%s'\n", oldgid, newgid);
+ #ifdef PRELUDE
+ os_strdup(oldgid, lf->gowner_before);
+ os_strdup(newgid, lf->gowner_after);
+ #endif
 }
 /* md5 message */
@@ -605,6 +631,10 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
 snprintf(sdb.md5, OS_FLSIZE, "Old md5sum was: '%s'\n" "New md5sum is : '%s'\n", oldmd5, newmd5);
+ #ifdef PRELUDE
+ os_strdup(oldmd5, lf->md5_before);
+ os_strdup(newmd5, lf->md5_after);
+ #endif
 }
 /* sha1 */
@@ -617,25 +647,36 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
 snprintf(sdb.sha1, OS_FLSIZE, "Old sha1sum was: '%s'\n" "New sha1sum is : '%s'\n", oldsha1, newsha1);
+ #ifdef PRELUDE
+ os_strdup(oldsha1, lf->sha1_before);
+ os_strdup(newsha1, lf->sha1_after);
+ #endif
 }
+ #ifdef PRELUDE
+ os_strdup(f_name, lf->filename);
+ #endif
 /* Provide information about the file */
- snprintf(sdb.comment, 512, "Integrity checksum changed for: "
+ snprintf(sdb.comment, OS_MAXSTR, "Integrity checksum changed for: "
 "'%.756s'\n" "%s" "%s" "%s" "%s" "%s"
- "%s",
+ "%s"
+ "%s%s",
 f_name, sdb.size, sdb.perm, sdb.owner, sdb.gowner, sdb.md5,
- sdb.sha1);
+ sdb.sha1,
+ lf->data == NULL?"":"What changed:\n",
+ lf->data == NULL?"":lf->data
+ );
 }
@@ -643,6 +684,7 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
 free(lf->full_log);
 os_strdup(sdb.comment, lf->full_log);
 lf->log = lf->full_log;
+ lf->data = NULL;
 /* Setting decoder */
@@ -679,10 +721,12 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
 /* Setting decoder */
 lf->decoder_info = sdb.syscheck_dec;
+ lf->data = NULL;
 return(1);
 }
+ lf->data = NULL;
 return(0);
 }
@@ -715,13 +759,27 @@ int DecodeSyscheck(Eventinfo *lf)
 merror(SK_INV_MSG, ARGV0);
 return(0);
 }
-
-
+
+
 /* Zeroing to get the check sum */
 *f_name = '\0';
 f_name++;
+ /* Getting diff. */
+ lf->data = strchr(f_name, '\n');
+ if(lf->data)
+ {
+ *lf->data = '\0';
+ lf->data++;
+ }
+ else
+ {
+ lf->data = NULL;
+ }
+
+
+
 /* Checking if file is supposed to be ignored */
 if(Config.syscheck_ignore)
 {
@@ -731,6 +789,7 @@ int DecodeSyscheck(Eventinfo *lf)
 {
 if(strncasecmp(*ff_ig, f_name, strlen(*ff_ig)) == 0)
 {
+ lf->data = NULL;
 return(0);
 }
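Review bot: The bound passed to `snprintf(sdb.comment, OS_MAXSTR, …)` was raised from 512 to OS_MAXSTR while the declaration of `sdb.comment` is outside this diff; if that array was not enlarged to at least OS_MAXSTR bytes in the same change, the new bound exceeds the buffer and the appended `lf->data` tail, which comes straight from the agent message, can overrun it instead of being truncated. The message is assembled from six OS_FLSIZE pieces plus `%.756s` and the diff text, so truncation at OS_MAXSTR is possible and currently silent; checking the snprintf return value, or a comment stating that truncation of the diff is acceptable, would record that decision. As a point of style, `lf->data == NULL` is tested twice in the argument list; a local such as `const char *diff = lf->data;` used as `diff ? "What changed:\n" : ""` and `diff ? diff : ""` reads more clearly. DB_Search continues outside this hunk.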
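Review bot: `lf->data = strchr(f_name, '\n');` makes lf->data a borrowed pointer into the event buffer, and the hunk says nothing about that even though every later exit has to reset it to NULL (the DB_Search hunks above and the -731 hunk below); a comment at the assignment, e.g. `/* lf->data aliases the tail of the message: never free it, clear it before returning */`, would record the invariant the rest of the commit is enforcing. The `else { lf->data = NULL; }` branch is dead, since strchr has already stored NULL into lf->data, and the if body can collapse to `*lf->data++ = '\0';`. Everything after the first newline of the agent-supplied message is now accepted as the diff with no length or content check in this hunk beyond the later snprintf truncation; if that is intended, a one-line comment on where the data originates would help the next reader. DecodeSyscheck starts and ends outside this hunk.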