3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 2) as published by the FSF - Free Software
13 /* Rootcheck decoder */
17 #include "os_regex/os_regex.h"
18 #include "eventinfo.h"
19 #include "alerts/alerts.h"
/* Directory holding one rootcheck database file per agent; RK_File
 * appends the agent string to it to build the file name. */
#define ROOTCHECK_DIR "/queue/rootcheck"

/** Global variables **/
/* Parallel tables indexed by agent slot: rk_agent_ips[i] holds the
 * strdup'd agent string, rk_agent_fps[i] the open database stream for
 * the same slot. A NULL entry in rk_agent_ips marks the first free slot,
 * so any scan of the table must also stop at MAX_AGENTS entries. */
char *rk_agent_ips[MAX_AGENTS];
FILE *rk_agent_fps[MAX_AGENTS];

/* Rootcheck decoder */
/* Single decoder descriptor shared by every rootcheck event; allocated
 * in RootcheckInit and attached to events through lf->decoder_info. */
OSDecoderInfo *rootcheck_dec = NULL;
37 * Initialize the necessary information to process the rootcheck information
45 for(;i<MAX_AGENTS;i++)
47 rk_agent_ips[i] = NULL;
48 rk_agent_fps[i] = NULL;
53 os_calloc(1, sizeof(OSDecoderInfo), rootcheck_dec);
54 rootcheck_dec->id = getDecoderfromlist(ROOTCHECK_MOD);
55 rootcheck_dec->type = OSSEC_RL;
56 rootcheck_dec->name = ROOTCHECK_MOD;
57 rootcheck_dec->fts = 0;
59 debug1("%s: RootcheckInit completed.", ARGV0);
66 * Return the file pointer to be used
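/**
 * Return the rootcheck database stream for an agent, positioned at the
 * beginning of the file.
 *
 * The agent is looked up in rk_agent_ips[]; if it is not registered yet,
 * the file ROOTCHECK_DIR/agent is opened (created first if it does not
 * exist) and the agent is stored in the first free slot.
 *
 * @param agent     Agent string as passed by the caller (lf->location);
 *                  used verbatim as the file name component.
 * @param agent_id  Receives the table slot of the agent on success.
 * @return          The open FILE* (owned by the table, do not fclose),
 *                  or NULL on error: table full, out of memory, path too
 *                  long, or the database could not be opened.
 */
FILE *RK_File(char *agent, int *agent_id)
{
    int i = 0;
    int n;
    char rk_buf[OS_SIZE_1024 +1];

    /* Look for an already registered agent. The scan must stay below
     * MAX_AGENTS: rk_agent_ips[] has exactly that many slots, and an
     * unbounded `while(rk_agent_ips[i] != NULL)` reads one past the end
     * once every slot is in use. */
    while(i < MAX_AGENTS && rk_agent_ips[i] != NULL)
    {
        if(strcmp(rk_agent_ips[i],agent) == 0)
        {
            /* pointing to the beginning of the file */
            fseek(rk_agent_fps[i],0, SEEK_SET);
            *agent_id = i;
            return(rk_agent_fps[i]);
        }
        i++;
    }

    /* Table full: there is no free slot for a new agent, and writing
     * rk_agent_ips[MAX_AGENTS] would be out of bounds. */
    if(i >= MAX_AGENTS)
    {
        merror("%s: Too many agents for the rootcheck database "
               "(MAX_AGENTS reached).", ARGV0);
        return(NULL);
    }

    /* If here, our agent wasn't found */
    rk_agent_ips[i] = strdup(agent);
    if(rk_agent_ips[i] == NULL)
    {
        merror(MEM_ERROR,ARGV0);
        return(NULL);
    }

    /* NOTE(review): the agent string becomes a file name component
     * under ROOTCHECK_DIR without any filtering here; this relies on
     * callers never handing in path separators. Confirm where that is
     * enforced. A truncated path is rejected rather than opening a
     * file other than the one intended. */
    n = snprintf(rk_buf,OS_SIZE_1024, "%s/%s", ROOTCHECK_DIR,agent);
    if(n < 0 || n >= OS_SIZE_1024)
    {
        merror("%s: Rootcheck database path too long for agent.", ARGV0);
        free(rk_agent_ips[i]);
        rk_agent_ips[i] = NULL;
        return(NULL);
    }

    /* r+ to read and write. Do not truncate */
    rk_agent_fps[i] = fopen(rk_buf,"r+");
    if(rk_agent_fps[i] == NULL)
    {
        /* try opening with a w flag, file probably does not exist */
        rk_agent_fps[i] = fopen(rk_buf, "w");
        if(rk_agent_fps[i] != NULL)
        {
            /* Created; reopen read/write so later updates do not truncate */
            fclose(rk_agent_fps[i]);
            rk_agent_fps[i] = fopen(rk_buf, "r+");
        }
    }

    if(rk_agent_fps[i] == NULL)
    {
        merror(FOPEN_ERROR, ARGV0, rk_buf);
        /* Release the slot so the table stays NULL-terminated */
        free(rk_agent_ips[i]);
        rk_agent_ips[i] = NULL;
        return(NULL);
    }

    /* Returning the opened pointer (the beginning of it) */
    fseek(rk_agent_fps[i],0, SEEK_SET);
    *agent_id = i;
    return(rk_agent_fps[i]);
}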
131 /* Special decoder for rootcheck
132 * Not using the default rendering tools for simplicity
133 * and to be less resource intensive
135 int DecodeRootcheck(Eventinfo *lf)
140 char rk_buf[OS_SIZE_2048 +1];
148 rk_buf[OS_SIZE_2048] = '\0';
150 fp = RK_File(lf->location, &agent_id);
154 merror("%s: Error handling rootcheck database.",ARGV0);
155 rk_err++; /* Increment rk error */
160 /* Getting initial position */
161 if(fgetpos(fp, &fp_pos) == -1)
163 merror("%s: Error handling rootcheck database (fgetpos).",ARGV0);
168 /* Reads the file and search for a possible
171 while(fgets(rk_buf, OS_SIZE_2048 -1, fp) != NULL)
173 /* Ignore blank lines and lines with a comment */
174 if(rk_buf[0] == '\n' || rk_buf[0] == '#')
176 if(fgetpos(fp, &fp_pos) == -1)
178 merror("%s: Error handling rootcheck database "
179 "(fgetpos2).",ARGV0);
185 /* Removing new line */
186 tmpstr = strchr(rk_buf, '\n');
193 /* Old format without the time stampts */
196 /* Cannot use strncmp to avoid errors with crafted files */
197 if(strcmp(lf->log, rk_buf) == 0)
199 rootcheck_dec->fts = 0;
200 lf->decoder_info = rootcheck_dec;
207 /* Going past time: !1183431603!1183431603 (last, first saw) */
208 tmpstr = rk_buf + 23;
210 /* Matches, we need to upgrade last time saw */
211 if(strcmp(lf->log, tmpstr) == 0)
213 fsetpos(fp, &fp_pos);
214 fprintf(fp, "!%d", lf->time);
215 rootcheck_dec->fts = 0;
216 lf->decoder_info = rootcheck_dec;
221 /* Getting current position */
222 if(fgetpos(fp, &fp_pos) == -1)
224 merror("%s: Error handling rootcheck database (fgetpos3).",ARGV0);
230 /* Adding the new entry at the end of the file */
231 fseek(fp, 0, SEEK_END);
232 fprintf(fp,"!%d!%d %s\n",lf->time, lf->time, lf->log);
235 rootcheck_dec->fts = 0;
236 rootcheck_dec->fts |= FTS_DONE;
237 lf->decoder_info = rootcheck_dec;