1 /* @(#) $Id: syscheck.c,v 1.53 2009/11/04 18:45:38 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
13 /* Syscheck decoder */
15 #include "eventinfo.h"
16 #include "os_regex/os_regex.h"
18 #include "alerts/alerts.h"
24 char buf[OS_MAXSTR + 1];
25 char comment[OS_MAXSTR +1];
27 char size[OS_FLSIZE +1];
28 char perm[OS_FLSIZE +1];
29 char owner[OS_FLSIZE +1];
30 char gowner[OS_FLSIZE +1];
31 char md5[OS_FLSIZE +1];
32 char sha1[OS_FLSIZE +1];
34 char agent_cp[MAX_AGENTS +1][1];
35 char *agent_ips[MAX_AGENTS +1];
36 FILE *agent_fps[MAX_AGENTS +1];
50 OSDecoderInfo *syscheck_dec;
53 /* File search variables */
56 }_sdb; /* syscheck db information */
65 * Initialize the necessary information to process the syscheck information
73 for(;i <= MAX_AGENTS;i++)
75 sdb.agent_ips[i] = NULL;
76 sdb.agent_fps[i] = NULL;
77 sdb.agent_cp[i][0] = '0';
80 /* Clearing db memory */
81 memset(sdb.buf, '\0', OS_MAXSTR +1);
82 memset(sdb.comment, '\0', OS_MAXSTR +1);
84 memset(sdb.size, '\0', OS_FLSIZE +1);
85 memset(sdb.perm, '\0', OS_FLSIZE +1);
86 memset(sdb.owner, '\0', OS_FLSIZE +1);
87 memset(sdb.gowner, '\0', OS_FLSIZE +1);
88 memset(sdb.md5, '\0', OS_FLSIZE +1);
89 memset(sdb.sha1, '\0', OS_FLSIZE +1);
92 /* Creating decoder */
93 os_calloc(1, sizeof(OSDecoderInfo), sdb.syscheck_dec);
94 sdb.syscheck_dec->id = getDecoderfromlist(SYSCHECK_MOD);
95 sdb.syscheck_dec->name = SYSCHECK_MOD;
96 sdb.syscheck_dec->type = OSSEC_RL;
97 sdb.syscheck_dec->fts = 0;
99 sdb.id1 = getDecoderfromlist(SYSCHECK_MOD);
100 sdb.id2 = getDecoderfromlist(SYSCHECK_MOD2);
101 sdb.id3 = getDecoderfromlist(SYSCHECK_MOD3);
102 sdb.idn = getDecoderfromlist(SYSCHECK_NEW);
103 sdb.idd = getDecoderfromlist(SYSCHECK_DEL);
105 debug1("%s: SyscheckInit completed.", ARGV0);
110 * Checks if the db is completed for that specific agent.
112 #define DB_IsCompleted(x) (sdb.agent_cp[x][0] == '1')?1:0
115 void __setcompleted(char *agent)
119 /* Getting agent file */
120 snprintf(sdb.buf, OS_FLSIZE , "%s/.%s.cpt", SYSCHECK_DIR, agent);
122 fp = fopen(sdb.buf,"w");
131 int __iscompleted(char *agent)
135 /* Getting agent file */
136 snprintf(sdb.buf, OS_FLSIZE , "%s/.%s.cpt", SYSCHECK_DIR, agent);
138 fp = fopen(sdb.buf,"r");
148 /* void DB_SetCompleted(Eventinfo *lf).
149 * Set the database of a specific agent as completed.
151 void DB_SetCompleted(Eventinfo *lf)
155 /* Finding file pointer */
156 while(sdb.agent_ips[i] != NULL)
158 if(strcmp(sdb.agent_ips[i], lf->location) == 0)
160 /* Return if already set as completed. */
161 if(DB_IsCompleted(i))
166 __setcompleted(lf->location);
169 /* Setting as completed in memory */
170 sdb.agent_cp[i][0] = '1';
180 * Return the file pointer to be used to verify the integrity
182 FILE *DB_File(char *agent, int *agent_id)
186 /* Finding file pointer */
187 while(sdb.agent_ips[i] != NULL)
189 if(strcmp(sdb.agent_ips[i], agent) == 0)
191 /* Pointing to the beginning of the file */
192 fseek(sdb.agent_fps[i],0, SEEK_SET);
194 return(sdb.agent_fps[i]);
200 /* If here, our agent wasn't found */
201 os_strdup(agent, sdb.agent_ips[i]);
204 /* Getting agent file */
205 snprintf(sdb.buf, OS_FLSIZE , "%s/%s", SYSCHECK_DIR,agent);
208 /* r+ to read and write. Do not truncate */
209 sdb.agent_fps[i] = fopen(sdb.buf,"r+");
210 if(!sdb.agent_fps[i])
212 /* try opening with a w flag, file probably does not exist */
213 sdb.agent_fps[i] = fopen(sdb.buf, "w");
216 fclose(sdb.agent_fps[i]);
217 sdb.agent_fps[i] = fopen(sdb.buf, "r+");
222 if(!sdb.agent_fps[i])
224 merror("%s: Unable to open '%s'",ARGV0, sdb.buf);
226 free(sdb.agent_ips[i]);
227 sdb.agent_ips[i] = NULL;
232 /* Returning the opened pointer (the beginning of it) */
233 fseek(sdb.agent_fps[i],0, SEEK_SET);
237 /* Getting if the agent was completed */
238 if(__iscompleted(agent))
240 sdb.agent_cp[i][0] = '1';
243 return(sdb.agent_fps[i]);
248 * Search the DB for any entry related to the file being received
250 int DB_Search(char *f_name, char *c_sum, Eventinfo *lf)
262 /* Getting db pointer */
263 fp = DB_File(lf->location, &agent_id);
266 merror("%s: Error handling integrity database.",ARGV0);
267 sdb.db_err++; /* Increment db error */
272 /* Reads the integrity file and search for a possible
275 if(fgetpos(fp, &sdb.init_pos) == -1)
277 merror("%s: Error handling integrity database (fgetpos).",ARGV0);
282 /* Looping the file */
283 while(fgets(sdb.buf, OS_MAXSTR, fp) != NULL)
285 /* Ignore blank lines and lines with a comment */
286 if(sdb.buf[0] == '\n' || sdb.buf[0] == '#')
288 fgetpos(fp, &sdb.init_pos); /* getting next location */
294 saved_name = strchr(sdb.buf, ' ');
295 if(saved_name == NULL)
297 merror("%s: Invalid integrity message in the database.",ARGV0);
298 fgetpos(fp, &sdb.init_pos); /* getting next location */
305 /* New format - with a timestamp */
306 if(*saved_name == '!')
308 saved_name = strchr(saved_name, ' ');
309 if(saved_name == NULL)
311 merror("%s: Invalid integrity message in the database",ARGV0);
312 fgetpos(fp, &sdb.init_pos); /* getting next location */
319 /* Removing new line from saved_name */
320 sn_size = strlen(saved_name);
322 if(saved_name[sn_size] == '\n')
323 saved_name[sn_size] = '\0';
326 /* If name is different, go to next one. */
327 if(strcmp(f_name,saved_name) != 0)
329 /* Saving currently location */
330 fgetpos(fp, &sdb.init_pos);
338 /* First three bytes are for frequency check */
342 /* checksum match, we can just return and keep going */
343 if(strcmp(saved_sum, c_sum) == 0)
347 /* If we reached here, the checksum of the file has changed */
348 if(saved_sum[-3] == '!')
351 if(saved_sum[-2] == '!')
354 if(saved_sum[-1] == '!')
356 else if(saved_sum[-1] == '?')
362 /* Checking the number of changes */
363 if(!Config.syscheck_auto_ignore)
365 sdb.syscheck_dec->id = sdb.id1;
372 sdb.syscheck_dec->id = sdb.id1;
376 sdb.syscheck_dec->id = sdb.id2;
380 sdb.syscheck_dec->id = sdb.id3;
390 /* Adding new checksum to the database */
391 /* Commenting the file entry and adding a new one latter */
392 fsetpos(fp, &sdb.init_pos);
396 /* Adding the new entry at the end of the file */
397 fseek(fp, 0, SEEK_END);
398 fprintf(fp,"%c%c%c%s !%d %s\n",
401 p == 2? '!' : (p > 2)?'?':'+',
409 if(c_sum[0] == '-' && c_sum[1] == '1')
411 sdb.syscheck_dec->id = sdb.idd;
412 snprintf(sdb.comment, OS_MAXSTR,
413 "File '%.756s' was deleted. Unable to retrieve "
414 "checksum.", f_name);
417 /* If file was re-added, do not compare changes */
418 else if(saved_sum[0] == '-' && saved_sum[1] == '1')
420 sdb.syscheck_dec->id = sdb.idn;
421 snprintf(sdb.comment, OS_MAXSTR,
422 "File '%.756s' was re-added.", f_name);
427 int oldperm = 0, newperm = 0;
429 /* Providing more info about the file change */
430 char *oldsize = NULL, *newsize = NULL;
431 char *olduid = NULL, *newuid = NULL;
432 char *c_oldperm = NULL, *c_newperm = NULL;
433 char *oldgid = NULL, *newgid = NULL;
434 char *oldmd5 = NULL, *newmd5 = NULL;
435 char *oldsha1 = NULL, *newsha1 = NULL;
440 c_oldperm = strchr(saved_sum, ':');
441 c_newperm = strchr(c_sum, ':');
443 /* Get old/new permissions */
444 if(c_oldperm && c_newperm)
452 /* Get old/new uid/gid */
453 olduid = strchr(c_oldperm, ':');
454 newuid = strchr(c_newperm, ':');
464 oldgid = strchr(olduid, ':');
465 newgid = strchr(newuid, ':');
477 oldmd5 = strchr(oldgid, ':');
478 newmd5 = strchr(newgid, ':');
489 oldsha1 = strchr(oldmd5, ':');
490 newsha1 = strchr(newmd5, ':');
492 if(oldsha1 && newsha1)
505 /* Getting integer values */
506 if(c_newperm && c_oldperm)
508 newperm = atoi(c_newperm);
509 oldperm = atoi(c_oldperm);
512 /* Generating size message */
513 if(!oldsize || !newsize || strcmp(oldsize, newsize) == 0)
519 snprintf(sdb.size, OS_FLSIZE,
520 "Size changed from '%s' to '%s'\n",
524 /* Permission message */
525 if(oldperm == newperm)
529 else if(oldperm > 0 && newperm > 0)
531 snprintf(sdb.perm, OS_FLSIZE, "Permissions changed from "
532 "'%c%c%c%c%c%c%c%c%c' "
533 "to '%c%c%c%c%c%c%c%c%c'\n",
534 (oldperm & S_IRUSR)? 'r' : '-',
535 (oldperm & S_IWUSR)? 'w' : '-',
537 (oldperm & S_ISUID)? 's' :
538 (oldperm & S_IXUSR)? 'x' : '-',
540 (oldperm & S_IRGRP)? 'r' : '-',
541 (oldperm & S_IWGRP)? 'w' : '-',
543 (oldperm & S_ISGID)? 's' :
544 (oldperm & S_IXGRP)? 'x' : '-',
546 (oldperm & S_IROTH)? 'r' : '-',
547 (oldperm & S_IWOTH)? 'w' : '-',
549 (oldperm & S_ISVTX)? 't' :
550 (oldperm & S_IXOTH)? 'x' : '-',
554 (newperm & S_IRUSR)? 'r' : '-',
555 (newperm & S_IWUSR)? 'w' : '-',
557 (newperm & S_ISUID)? 's' :
558 (newperm & S_IXUSR)? 'x' : '-',
561 (newperm & S_IRGRP)? 'r' : '-',
562 (newperm & S_IWGRP)? 'w' : '-',
564 (newperm & S_ISGID)? 's' :
565 (newperm & S_IXGRP)? 'x' : '-',
567 (newperm & S_IROTH)? 'r' : '-',
568 (newperm & S_IWOTH)? 'w' : '-',
570 (newperm & S_ISVTX)? 't' :
571 (newperm & S_IXOTH)? 'x' : '-');
574 /* Ownership message */
575 if(!newuid || !olduid || strcmp(newuid, olduid) == 0)
581 snprintf(sdb.owner, OS_FLSIZE, "Ownership was '%s', "
586 /* group ownership message */
587 if(!newgid || !oldgid || strcmp(newgid, oldgid) == 0)
589 sdb.gowner[0] = '\0';
593 snprintf(sdb.gowner, OS_FLSIZE,"Group ownership was '%s', "
599 if(!newmd5 || !oldmd5 || strcmp(newmd5, oldmd5) == 0)
605 snprintf(sdb.md5, OS_FLSIZE, "Old md5sum was: '%s'\n"
606 "New md5sum is : '%s'\n",
611 if(!newsha1 || !oldsha1 || strcmp(newsha1, oldsha1) == 0)
617 snprintf(sdb.sha1, OS_FLSIZE, "Old sha1sum was: '%s'\n"
618 "New sha1sum is : '%s'\n",
623 /* Provide information about the file */
624 snprintf(sdb.comment, 512, "Integrity checksum changed for: "
642 /* Creating a new log message */
644 os_strdup(sdb.comment, lf->full_log);
645 lf->log = lf->full_log;
648 /* Setting decoder */
649 lf->decoder_info = sdb.syscheck_dec;
654 } /* continuiing... */
657 /* If we reach here, this file is not present on our database */
658 fseek(fp, 0, SEEK_END);
660 fprintf(fp,"+++%s !%d %s\n", c_sum, lf->time, f_name);
663 /* Alert if configured to notify on new files */
664 if((Config.syscheck_alert_new == 1) && (DB_IsCompleted(agent_id)))
666 sdb.syscheck_dec->id = sdb.idn;
668 /* New file message */
669 snprintf(sdb.comment, OS_MAXSTR,
671 "added to the file system.", f_name);
674 /* Creating a new log message */
676 os_strdup(sdb.comment, lf->full_log);
677 lf->log = lf->full_log;
680 /* Setting decoder */
681 lf->decoder_info = sdb.syscheck_dec;
690 /* Special decoder for syscheck
691 * Not using the default decoding lib for simplicity
692 * and to be less resource intensive
694 int DecodeSyscheck(Eventinfo *lf)
700 /* Every syscheck message must be in the following format:
703 f_name = strchr(lf->log, ' ');
706 /* If we don't have a valid syscheck message, it may be
707 * a database completed message.
709 if(strcmp(lf->log, HC_SK_DB_COMPLETED) == 0)
715 merror(SK_INV_MSG, ARGV0);
720 /* Zeroing to get the check sum */
725 /* Checking if file is supposed to be ignored */
726 if(Config.syscheck_ignore)
728 char **ff_ig = Config.syscheck_ignore;
732 if(strncasecmp(*ff_ig, f_name, strlen(*ff_ig)) == 0)
742 /* Checksum is at the beginning of the log */
746 /* Searching for file changes */
747 return(DB_Search(f_name, c_sum, lf));