X-Git-Url: http://ftp.carnet.hr/pub/carnet-debian/scm?a=blobdiff_plain;f=src%2Fanalysisd%2Fdecoders%2Frootcheck.c;h=1c303232896d2f95456aa4d1543d15c32861129a;hb=HEAD;hp=d134ae2723ad087976e1ec3d1b06bf38ca100da9;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git
diff --git a/src/analysisd/decoders/rootcheck.c b/src/analysisd/decoders/rootcheck.c
old mode 100755
new mode 100644
index d134ae2..1c30323
--- a/src/analysisd/decoders/rootcheck.c
+++ b/src/analysisd/decoders/rootcheck.c
@@ -1,55 +1,44 @@
-/* @(#) $Id: rootcheck.c,v 1.26 2009/07/24 18:34:11 dcid Exp $ */
-
 /* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
 * Foundation
 */
-
 /* Rootcheck decoder */
-
 #include "config.h"
 #include "os_regex/os_regex.h"
 #include "eventinfo.h"
 #include "alerts/alerts.h"
 #include "decoder.h"
-
 #define ROOTCHECK_DIR "/queue/rootcheck"
-
-/** Global variables **/
-char *rk_agent_ips[MAX_AGENTS];
-FILE *rk_agent_fps[MAX_AGENTS];
-
-int rk_err;
+/* Local variables */
+static char *rk_agent_ips[MAX_AGENTS];
+static FILE *rk_agent_fps[MAX_AGENTS];
+static int rk_err;
 /* Rootcheck decoder */
-OSDecoderInfo *rootcheck_dec = NULL;
+static OSDecoderInfo *rootcheck_dec = NULL;
-/* SyscheckInit
- * Initialize the necessary information to process the syscheck information
- */
+/* Initialize the necessary information to process the rootcheck information */
 void RootcheckInit()
 {
 int i = 0;
 rk_err = 0;
-
- for(;iid = getDecoderfromlist(ROOTCHECK_MOD);
 rootcheck_dec->type = OSSEC_RL;
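Review bot: `rk_err` becomes file-local here but nothing in the diff reads it — `RootcheckInit` zeroes it and `DecodeRootcheck` increments it on the `RK_File` failure path — so unless a consumer exists outside these hunks it is now dead state that other translation units can no longer reach either. Either drop the counter or document its reader on the declaration, e.g. `static int rk_err; /* rootcheck DB open failures; read by [consumer — TODO confirm] */`. `void RootcheckInit()` also keeps the empty parameter list; `void RootcheckInit(void)` is the proper C prototype and costs nothing. The body of RootcheckInit continues past the end of this hunk.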
@@ -57,77 +46,66 @@ void RootcheckInit()
 rootcheck_dec->fts = 0;
 debug1("%s: RootcheckInit completed.", ARGV0);
-
+ return;
 }
-
-/* RK_File
- * Return the file pointer to be used
- */
-FILE *RK_File(char *agent, int *agent_id)
+/* Return the file pointer to be used */
+static FILE *RK_File(const char *agent, int *agent_id)
 {
 int i = 0;
- char rk_buf[OS_SIZE_1024 +1];
-
- while(rk_agent_ips[i] != NULL)
- {
- if(strcmp(rk_agent_ips[i],agent) == 0)
- {
- /* pointing to the beginning of the file */
- fseek(rk_agent_fps[i],0, SEEK_SET);
+ char rk_buf[OS_SIZE_1024 + 1];
+
+ while (rk_agent_ips[i] != NULL) {
+ if (strcmp(rk_agent_ips[i], agent) == 0) {
+ /* Pointing to the beginning of the file */
+ fseek(rk_agent_fps[i], 0, SEEK_SET);
 *agent_id = i;
- return(rk_agent_fps[i]);
+ return (rk_agent_fps[i]);
 }
-
- i++;
+
+ i++;
 }
 /* If here, our agent wasn't found */
 rk_agent_ips[i] = strdup(agent);
- if(rk_agent_ips[i] != NULL)
- {
- snprintf(rk_buf,OS_SIZE_1024, "%s/%s", ROOTCHECK_DIR,agent);
-
+ if (rk_agent_ips[i] != NULL) {
+ snprintf(rk_buf, OS_SIZE_1024, "%s/%s", ROOTCHECK_DIR, agent);
+ /* r+ to read and write. Do not truncate */
- rk_agent_fps[i] = fopen(rk_buf,"r+");
- if(!rk_agent_fps[i])
- {
- /* try opening with a w flag, file probably does not exist */
+ rk_agent_fps[i] = fopen(rk_buf, "r+");
+ if (!rk_agent_fps[i]) {
+ /* Try opening with a w flag, file probably does not exist */
 rk_agent_fps[i] = fopen(rk_buf, "w");
- if(rk_agent_fps[i])
- {
+ if (rk_agent_fps[i]) {
 fclose(rk_agent_fps[i]);
 rk_agent_fps[i] = fopen(rk_buf, "r+");
 }
 }
- if(!rk_agent_fps[i])
- {
- merror(FOPEN_ERROR, ARGV0, rk_buf);
-
+ if (!rk_agent_fps[i]) {
+ merror(FOPEN_ERROR, ARGV0, rk_buf, errno, strerror(errno));
+ free(rk_agent_ips[i]);
 rk_agent_ips[i] = NULL;
- return(NULL);
+ return (NULL);
 }
- /* Returning the opened pointer (the beginning of it) */
- fseek(rk_agent_fps[i],0, SEEK_SET);
+ /* Return the opened pointer (the beginning of it) */
+ fseek(rk_agent_fps[i], 0, SEEK_SET);
 *agent_id = i;
- return(rk_agent_fps[i]);
+ return (rk_agent_fps[i]);
 }
- else
- {
- merror(MEM_ERROR,ARGV0);
- return(NULL);
+ else {
+ merror(MEM_ERROR, ARGV0, errno, strerror(errno));
+ return (NULL);
 }
- return(NULL);
+ return (NULL);
 }
-
 /* Special decoder for rootcheck
 * Not using the default rendering tools for simplicity
 * and to be less resource intensive
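Review bot: `RK_File` walks `rk_agent_ips` with `while (rk_agent_ips[i] != NULL)` and then stores `rk_agent_ips[i] = strdup(agent)` without ever comparing `i` against `MAX_AGENTS`; once every slot is occupied the scan reads one past the array and a new agent writes past it, corrupting whatever follows the two static tables. Bound the scan and fail cleanly: `while (i < MAX_AGENTS && rk_agent_ips[i] != NULL) {` and, after the loop, `if (i >= MAX_AGENTS) { merror("%s: Too many agents in rootcheck database.", ARGV0); return (NULL); }`. The rebuilt error paths are an improvement, but both `fseek(rk_agent_fps[i], 0, SEEK_SET)` calls still discard their return value, so a failed rewind silently hands the caller a stream at an unknown offset. `agent` is also used verbatim as the file-name component under `ROOTCHECK_DIR`; it is worth confirming that `lf->location` cannot carry a path separator by the time it reaches this function.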
@@ -137,106 +115,93 @@ int DecodeRootcheck(Eventinfo *lf)
 int agent_id;
 char *tmpstr;
- char rk_buf[OS_SIZE_2048 +1];
+ char rk_buf[OS_SIZE_2048 + 1];
 FILE *fp;
 fpos_t fp_pos;
- /* Zeroing rk_buf */
+ /* Zero rk_buf */
 rk_buf[0] = '\0';
 rk_buf[OS_SIZE_2048] = '\0';
 fp = RK_File(lf->location, &agent_id);
- if(!fp)
- {
- merror("%s: Error handling rootcheck database.",ARGV0);
- rk_err++; /* Increment rk error */
+ if (!fp) {
+ merror("%s: Error handling rootcheck database.", ARGV0);
+ rk_err++;
- return(0);
+ return (0);
 }
- /* Getting initial position */
- if(fgetpos(fp, &fp_pos) == -1)
- {
- merror("%s: Error handling rootcheck database (fgetpos).",ARGV0);
- return(0);
+ /* Get initial position */
+ if (fgetpos(fp, &fp_pos) == -1) {
+ merror("%s: Error handling rootcheck database (fgetpos).", ARGV0);
+ return (0);
 }
-
- /* Reads the file and search for a possible
- * entry
- */
- while(fgets(rk_buf, OS_SIZE_2048 -1, fp) != NULL)
- {
+
+ /* Reads the file and search for a possible entry */
+ while (fgets(rk_buf, OS_SIZE_2048 - 1, fp) != NULL) {
 /* Ignore blank lines and lines with a comment */
- if(rk_buf[0] == '\n' || rk_buf[0] == '#')
- {
- if(fgetpos(fp, &fp_pos) == -1)
- {
+ if (rk_buf[0] == '\n' || rk_buf[0] == '#') {
+ if (fgetpos(fp, &fp_pos) == -1) {
 merror("%s: Error handling rootcheck database "
- "(fgetpos2).",ARGV0);
- return(0);
+ "(fgetpos2).", ARGV0);
+ return (0);
 }
 continue;
 }
- /* Removing new line */
+ /* Remove newline */
 tmpstr = strchr(rk_buf, '\n');
- if(tmpstr)
- {
- *tmpstr = '\0';
+ if (tmpstr) {
+ *tmpstr = '\0';
 }
-
- /* Old format without the time stampts */
- if(rk_buf[0] != '!')
- {
- /* Cannot use strncmp to avoid errors with crafted files */
- if(strcmp(lf->log, rk_buf) == 0)
- {
+ /* Old format without the time stamps */
+ if (rk_buf[0] != '!') {
+ /* Cannot use strncmp to avoid errors with crafted files */
+ if (strcmp(lf->log, rk_buf) == 0) {
 rootcheck_dec->fts = 0;
 lf->decoder_info = rootcheck_dec;
- return(1);
+ return (1);
 }
 }
 /* New format */
- else
- {
- /* Going past time: !1183431603!1183431603 (last, first saw) */
+ else {
+ /* Going past time: !1183431603!1183431603 (last, first seen) */
 tmpstr = rk_buf + 23;
-
+ /* Matches, we need to upgrade last time saw */
- if(strcmp(lf->log, tmpstr) == 0)
- {
- fsetpos(fp, &fp_pos);
- fprintf(fp, "!%d", lf->time);
+ if (strcmp(lf->log, tmpstr) == 0) {
+ if(fsetpos(fp, &fp_pos)) {
+ merror("%s: Error handling rootcheck database "
+ "(fsetpos).", ARGV0);
+ return (0);
+ }
+ fprintf(fp, "!%ld", (long int)lf->time);
 rootcheck_dec->fts = 0;
- lf->decoder_info = rootcheck_dec;
- return(1);
+ lf->decoder_info = rootcheck_dec;
+ return (1);
 }
 }
- /* Getting current position */
- if(fgetpos(fp, &fp_pos) == -1)
- {
- merror("%s: Error handling rootcheck database (fgetpos3).",ARGV0);
- return(0);
+ /* Get current position */
+ if (fgetpos(fp, &fp_pos) == -1) {
+ merror("%s: Error handling rootcheck database (fgetpos3).", ARGV0);
+ return (0);
 }
- }
+ }
-
- /* Adding the new entry at the end of the file */
+ /* Add the new entry at the end of the file */
 fseek(fp, 0, SEEK_END);
- fprintf(fp,"!%d!%d %s\n",lf->time, lf->time, lf->log);
+ fprintf(fp, "!%ld!%ld %s\n", (long int)lf->time, (long int)lf->time, lf->log);
 fflush(fp);
 rootcheck_dec->fts = 0;
 rootcheck_dec->fts |= FTS_DONE;
 lf->decoder_info = rootcheck_dec;
- return(1);
+ return (1);
 }
-
-/* EOF */
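Review bot: In the new-format branch `tmpstr = rk_buf + 23;` is still taken without checking that the line is at least that long, so a short line beginning with `!` (the comment a few lines up already allows for crafted DB files) makes the following `strcmp` read past the terminator into the uninitialised tail of `rk_buf`, which is only zeroed at index 0 and 2048. Guard the branch on length so such lines fall through to the `fgetpos` at the bottom of the loop: `else if (strlen(rk_buf) > 23) {`. The new `fsetpos` check is welcome, but `fseek(fp, 0, SEEK_END)` before the append is still unchecked, so a failed seek would write the new entry at the current read offset instead of the end. DecodeRootcheck's signature and the start of its body lie before this hunk.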