1 /* @(#) $Id: ./src/config/active-response.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
14 #include <sys/types.h>
18 #include "os_xml/os_xml.h"
19 #include "os_regex/os_regex.h"
21 #include "active-response.h"
24 /** int ReadActiveResponses(XML_NODE node, void *d1, void *d2)
25 * Generates a list with all active responses.
 *
 * Parses one <active-response> XML block (node) into a freshly
 * calloc'd active_response, validates it, and appends it to the
 * active-response list.
 *   node - array of XML nodes; each node's element/content pair is
 *          matched against the xml_ar_* names below
 *   d1   - list of ar_command entries; walked with
 *          OSList_GetFirstNode()/OSList_GetNextNode() and matched by
 *          name against the <command> value
 *   d2   - list the finished active_response is appended to via
 *          OSList_AddData()
 * Side effects: appends one "<executable> - ... - ..." line to the
 * shared file DEFAULTARPATH (opened in append mode) and fixes up its
 * group/mode. Errors are reported through merror(); the value returned
 * on error is not visible in this listing.
 *
 * NOTE(review): this listing omits lines (gaps in the gutter numbers) -
 * the declarations of i, fp, tmp_location, r_ar, l_ar and ar_flag, and
 * the return/cleanup paths, are not shown here.
 */
27 int ReadActiveResponses(XML_NODE node, void *d1, void *d2)
 /* XML element names recognised inside <active-response> */
37 char *xml_ar_command = "command";
38 char *xml_ar_location = "location";
39 char *xml_ar_agent_id = "agent_id";
40 char *xml_ar_rules_id = "rules_id";
41 char *xml_ar_rules_group = "rules_group";
42 char *xml_ar_level = "level";
43 char *xml_ar_timeout = "timeout";
44 char *xml_ar_disabled = "disabled";
45 char *xml_ar_repeated = "repeated_offenders";
50 /* Currently active response */
51 active_response *tmp_ar;
54 /* Opening shared ar file */
 /* Append mode: every parsed response adds a line (see the fprintf below). */
55 fp = fopen(DEFAULTARPATH, "a");
58 merror(FOPEN_ERROR, ARGV0, DEFAULTARPATH);
 /* Restrict the shared file to the ossec group, read-only (0440).
  * The stream was opened before the mode is tightened, so later
  * fprintf() calls on fp are not affected by the new mode.
  * NOTE(review): getgrnam()/chown()/chmod() act on DEFAULTARPATH by
  * path, not on the descriptor just opened; fchown(fileno(fp)) /
  * fchmod() would tie the ownership and mode change to the file that
  * was actually opened - confirm against the surrounding code. */
63 struct group *os_group;
64 if((os_group = getgrnam(USER)) == NULL)
66 merror("Could not get ossec gid.");
71 if((chown(DEFAULTARPATH, -1, os_group->gr_gid)) == -1)
73 merror("Could not change the group to ossec: %d", errno);
79 if((chmod(DEFAULTARPATH, 0440)) == -1)
81 merror("Could not chmod to 0440: %d", errno);
87 /* Allocating for the active-response */
 /* calloc zero-fills, so level, timeout and location start at 0; the
  * "location == 0" and "timeout &&" checks further down rely on that. */
88 tmp_ar = calloc(1, sizeof(active_response));
91 merror(MEM_ERROR, ARGV0);
96 /* Initializing variables */
 /* Redundant after calloc(), but harmless and explicit. */
98 tmp_ar->command = NULL;
102 tmp_ar->agent_id = NULL;
103 tmp_ar->rules_id = NULL;
104 tmp_ar->rules_group = NULL;
105 tmp_ar->ar_cmd = NULL;
110 /* Searching for the commands */
 /* Reject nodes without an element name or without content before
  * dispatching on the element name. */
113 if(!node[i]->element)
115 merror(XML_ELEMNULL, ARGV0);
118 else if(!node[i]->content)
120 merror(XML_VALUENULL, ARGV0, node[i]->element);
 /* Dispatch on element name; string values are strdup'd (owned by
  * tmp_ar, except tmp_location which is a local copy). */
125 if(strcmp(node[i]->element, xml_ar_command) == 0)
127 tmp_ar->command = strdup(node[i]->content);
130 else if(strcmp(node[i]->element, xml_ar_location) == 0)
132 tmp_location = strdup(node[i]->content);
134 else if(strcmp(node[i]->element, xml_ar_agent_id) == 0)
136 tmp_ar->agent_id = strdup(node[i]->content);
138 else if(strcmp(node[i]->element, xml_ar_rules_id) == 0)
140 tmp_ar->rules_id = strdup(node[i]->content);
142 else if(strcmp(node[i]->element, xml_ar_rules_group) == 0)
144 tmp_ar->rules_group = strdup(node[i]->content);
146 else if(strcmp(node[i]->element, xml_ar_level) == 0)
148 /* Level must be numeric */
149 if(!OS_StrIsNum(node[i]->content))
151 merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
155 tmp_ar->level = atoi(node[i]->content);
157 /* Making sure the level is valid */
 /* Accepted range is 0..20 inclusive. */
158 if((tmp_ar->level < 0) || (tmp_ar->level > 20))
160 merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
164 else if(strcmp(node[i]->element, xml_ar_timeout) == 0)
 /* NOTE(review): unlike <level>, <timeout> is not checked with
  * OS_StrIsNum(); a non-numeric value silently becomes 0 via atoi()
  * and is then treated as "no timeout" by the check below. */
166 tmp_ar->timeout = atoi(node[i]->content);
168 else if(strcmp(node[i]->element, xml_ar_disabled) == 0)
 /* Only "yes" / "no" are accepted; the body of the "yes" branch is not
  * shown in this listing. */
170 if(strcmp(node[i]->content, "yes") == 0)
174 else if(strcmp(node[i]->content, "no") == 0)
176 /* Don't do anything if disabled is set to "no" */
180 merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
184 else if(strcmp(node[i]->element, xml_ar_repeated) == 0)
186 /* Nothing - we deal with it on execd. */
 /* Any other element name is a configuration error. */
191 merror(XML_INVELEM, ARGV0, node[i]->element);
197 /* Checking if ar is disabled */
 /* (the check itself is not shown in this listing) */
205 /* Command and location must be there */
206 if(!tmp_ar->command || !tmp_location)
214 merror(AR_MISS, ARGV0);
 /* Translate the location string into location flags. Each test is a
  * regex match on tmp_location, not an exact compare, and the flags are
  * OR'd together, so one string can set more than one flag. */
221 if(OS_Regex("AS|analysisd|analysis-server|server", tmp_location))
223 tmp_ar->location|= AS_ONLY;
 /* "local" maps to REMOTE_AGENT here - presumably "local to the agent
  * that raised the alert", i.e. remote from the server's point of view. */
226 if(OS_Regex("local", tmp_location))
228 tmp_ar->location|= REMOTE_AGENT;
 /* "defined-agent" additionally requires an <agent_id>. */
231 if(OS_Regex("defined-agent", tmp_location))
233 if(!tmp_ar->agent_id)
235 merror(AR_DEF_AGENT, ARGV0);
242 tmp_ar->location|= SPECIFIC_AGENT;
245 if(OS_Regex("all|any", tmp_location))
247 tmp_ar->location|=ALL_AGENTS;
250 /* If we didn't set any value for the location */
251 if(tmp_ar->location == 0)
253 merror(AR_INV_LOC, ARGV0, tmp_location);
261 /* cleaning tmp_location */
266 /* Checking if command name is valid */
 /* Linear search of the command list (d1) for an entry whose name
  * equals <command>; the first match wins. */
268 OSListNode *my_commands_node;
270 my_commands_node = OSList_GetFirstNode(d1);
271 while(my_commands_node)
273 ar_command *my_command;
274 my_command = (ar_command *)my_commands_node->data;
276 if(strcmp(my_command->name, tmp_ar->command) == 0)
278 tmp_ar->ar_cmd = my_command;
282 my_commands_node = OSList_GetNextNode(d1);
285 /* Didn't find a valid command */
286 if(tmp_ar->ar_cmd == NULL)
288 merror(AR_INV_CMD, ARGV0, tmp_ar->command);
295 /* Checking if timeout is allowed */
 /* A non-zero <timeout> is only valid if the command declared
  * timeout_allowed. */
296 if(tmp_ar->timeout && !tmp_ar->ar_cmd->timeout_allowed)
298 merror(AR_NO_TIMEOUT, ARGV0, tmp_ar->ar_cmd->name);
304 /* d2 is the active response list (d1 holds the commands, searched above) */
305 if(!OSList_AddData(d2, (void *)tmp_ar))
307 merror(LIST_ADD_ERROR, ARGV0);
314 /* Setting a unique active response name */
 /* Buffer is OS_FLSIZE+1 bytes and snprintf is bounded by OS_FLSIZE,
  * so the name is always NUL-terminated. The second "%d" argument is
  * not shown in this listing. */
315 tmp_ar->name = calloc(OS_FLSIZE +1, sizeof(char));
318 ErrorExit(MEM_ERROR, ARGV0);
320 snprintf(tmp_ar->name, OS_FLSIZE, "%s%d",
321 tmp_ar->ar_cmd->name,
325 /* Adding to shared file */
 /* One line per response: executable first; the remaining two fields
  * are not shown in this listing. */
326 fprintf(fp, "%s - %s - %d\n",
328 tmp_ar->ar_cmd->executable,
332 /* Setting the configs to start the right queues */
 /* Bodies of these four branches are not shown in this listing. */
333 if(tmp_ar->location & AS_ONLY)
337 if(tmp_ar->location & ALL_AGENTS)
341 if(tmp_ar->location & REMOTE_AGENT)
346 if(tmp_ar->location & SPECIFIC_AGENT)
351 /* Setting the configuration for the active response */
 /* r_ar, l_ar and ar_flag are declared outside this listing. */
352 if(r_ar && (!(ar_flag & REMOTE_AR)))
356 if(l_ar && (!(ar_flag & LOCAL_AR)))
361 /* Closing shared file for active response */
367 /* in case of an error clean up first*/
376 /** int ReadActiveCommands(XML_NODE node, void *d1, void *d2)
378 int ReadActiveCommands(XML_NODE node, void *d1, void *d2)
382 char *tmp_str = NULL;
385 char *command_name = "name";
386 char *command_expect = "expect";
387 char *command_executable = "executable";
388 char *timeout_allowed = "timeout_allowed";
390 ar_command *tmp_command;
393 /* Allocating the active-response command */
394 tmp_command = calloc(1, sizeof(ar_command));
397 merror(MEM_ERROR, ARGV0);
401 tmp_command->name = NULL;
402 tmp_command->expect= 0;
403 tmp_command->executable = NULL;
404 tmp_command->timeout_allowed = 0;
407 /* Searching for the commands */
410 if(!node[i]->element)
412 merror(XML_ELEMNULL, ARGV0);
416 else if(!node[i]->content)
418 merror(XML_VALUENULL, ARGV0, node[i]->element);
422 if(strcmp(node[i]->element, command_name) == 0)
424 tmp_command->name = strdup(node[i]->content);
426 else if(strcmp(node[i]->element, command_expect) == 0)
428 tmp_str = strdup(node[i]->content);
430 else if(strcmp(node[i]->element, command_executable) == 0)
432 tmp_command->executable = strdup(node[i]->content);
434 else if(strcmp(node[i]->element, timeout_allowed) == 0)
436 if(strcmp(node[i]->content, "yes") == 0)
437 tmp_command->timeout_allowed = 1;
438 else if(strcmp(node[i]->content, "no") == 0)
439 tmp_command->timeout_allowed = 0;
442 merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
449 merror(XML_INVELEM, ARGV0, node[i]->element);
456 if(!tmp_command->name || !tmp_str || !tmp_command->executable)
458 merror(AR_CMD_MISS, ARGV0);
464 /* Getting the expect */
465 if(strlen(tmp_str) >= 4)
467 if(OS_Regex("user", tmp_str))
468 tmp_command->expect |= USERNAME;
469 if(OS_Regex("srcip", tmp_str))
470 tmp_command->expect |= SRCIP;
471 if(OS_Regex("filename", tmp_str))
472 tmp_command->expect |= FILENAME;
479 /* Adding command to the list */
480 if(!OSList_AddData(d1, (void *)tmp_command))
482 merror(LIST_ADD_ERROR, ARGV0);