source: tags/4.1.0/include/samhain.h

Last change on this file was 488, checked in by katerina, 5 years ago

Fix for tickets #386 (silent check) and #387 (linux audit support).

File size: 15.5 KB
Line 
1/* SAMHAIN file system integrity testing                                   */
2/* Copyright (C) 1999 Rainer Wichmann                                      */
3/*                                                                         */
4/*  This program is free software; you can redistribute it                 */
5/*  and/or modify                                                          */
6/*  it under the terms of the GNU General Public License as                */
7/*  published by                                                           */
8/*  the Free Software Foundation; either version 2 of the License, or      */
9/*  (at your option) any later version.                                    */
10/*                                                                         */
11/*  This program is distributed in the hope that it will be useful,        */
12/*  but WITHOUT ANY WARRANTY; without even the implied warranty of         */
13/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          */
14/*  GNU General Public License for more details.                           */
15/*                                                                         */
16/*  You should have received a copy of the GNU General Public License      */
17/*  along with this program; if not, write to the Free Software            */
18/*  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.              */
19
20#ifndef SAMHAIN_H
21#define SAMHAIN_H
22
23#include <sys/types.h>
24#include "slib.h"
25
26#ifdef SH_ENCRYPT
27#include "rijndael-api-fst.h"
28#endif
29
30#if defined(__GNUC__) && (__GNUC__ >= 4)
31#define SH_GNUC_SENTINEL __attribute__((__sentinel__))
32#else
33#define SH_GNUC_SENTINEL
34#endif
35
36#if defined(__GNUC__) && (__GNUC__ >= 3)
37#undef  SH_GNUC_PURE
38#define SH_GNUC_PURE     __attribute__((pure))
39#undef  SH_GNUC_CONST
40#define SH_GNUC_CONST    __attribute__((const))
41#undef  SH_GNUC_NORETURN
42#define SH_GNUC_NORETURN __attribute__((noreturn))
43#undef  SH_GNUC_MALLOC
44#define SH_GNUC_MALLOC   __attribute__((malloc))
45#else
46#undef  SH_GNUC_PURE
47#define SH_GNUC_PURE
48#undef  SH_GNUC_CONST
49#define SH_GNUC_CONST
50#undef  SH_GNUC_NORETURN
51#define SH_GNUC_NORETURN
52#undef  SH_GNUC_MALLOC
53#define SH_GNUC_MALLOC
54#endif
55
56/**************************************************
57 *
58 * STANDARD DEFINES
59 *
60 **************************************************/
61
62/* IPv6 */
63#if defined(HAVE_GETNAMEINFO) && defined(HAVE_GETADDRINFO)
64
65#if defined(SH_COMPILE_STATIC) && defined(__linux__)
66#undef USE_IPVX
67#define SH_SOCKMAX 1
68#else
69
70#if defined(USE_IPV4)
71#undef USE_IPVX
72#else
73#define USE_IPVX 1
74#endif
75
76#define SH_SOCKMAX 8
77#endif
78
79#else
80#undef USE_IPVX
81#define SH_SOCKMAX 1
82#endif
83
84/* end IPv6 */
85
86/* Standard buffer sizes.
87 * IPv6 is 8 groups of 4 hex digits seperated by colons.
88 */
89#define SH_IP_BUF        48
90#define SH_MINIBUF       64
91#define SH_BUFSIZE     1024
92#define SH_MAXBUF      4096
93#define SH_PATHBUF      256
94#define SH_MSG_BUF    64512
95
96#define SH_ERRBUF_SIZE   64
97
98/* MAX_PATH_STORE must be >= KEY_LEN
99 */
100#define MAX_PATH_STORE 12287
101
102/* Sizes for arrays (user, group, timestamp).
103 */
104#define SOCKPASS_MAX 14
105#define USER_MAX     20
106#define GROUP_MAX    20
107#define TIM_MAX      32
108
109#define CMODE_SIZE   11
110
111#define ATTRBUF_SIZE 16
112#define ATTRBUF_USED 12
113
114/* The number of bytes in a key, 
115 * the number of chars in its hex repesentation,
116 * and the block size of the hash algorithm.
117 */
118#define KEY_BYT   24
119#define KEY_LEN   48
120#define KEY_BLOCK 24
121#define KEYBUF_SIZE (KEY_LEN+1)
122
123/* The length of the compiled-in password.
124 */
125#define PW_LEN     8
126
127#undef  S_TRUE
128#define S_TRUE    1
129#undef  S_FALSE
130#define S_FALSE   0
131
132#undef  GOOD
133#define GOOD  S_TRUE
134#undef  BAD
135#define BAD   S_FALSE
136
137#define SH_SILENT_FULL 2
138#define SH_SILENT_STD  1
139
140
141#ifdef HAVE_INTTYPES_H
142#include <inttypes.h>
143#endif
144#ifdef HAVE_STDINT_H
145#include <stdint.h>
146#endif
147
148#if !defined(HAVE_UINT16_T)
149#define UINT16 unsigned short
150#else
151#define UINT16 uint16_t
152#endif
153
154#if !defined(HAVE_UINT32_T)
155
156/* An unsigned integer guaranteed to be 32 bit.
157 */
158#if defined(HAVE_INT_32)
159#define UINT32 unsigned int
160#define SINT32 int
161#elif defined(HAVE_LONG_32)
162#define UINT32 unsigned long
163#define SINT32 long
164#elif defined(HAVE_SHORT_32)
165#define UINT32 unsigned short
166#define SINT32 short
167#else
168#error "No 32 bit integer type found"
169#endif
170
171#else
172#define UINT32 uint32_t
173#define SINT32 int32_t
174
175#endif
176
177#if !defined(HAVE_UINT64_T)
178
179#ifdef HAVE_LONG_LONG_64
180#define  UINT64 unsigned long long
181#else
182#ifdef HAVE_LONG_64
183#define  UINT64 unsigned long
184#else
185#error "no 64bit type found"
186#endif
187#endif
188
189#else
190#define  UINT64 uint64_t
191#endif
192
193
194
195#define UBYTE unsigned char
196
197enum {
198  SH_TIGER192    = 0, 
199  SH_SHA1        = 1,
200  SH_MD5         = 2,
201  SH_SHA256      = 3
202};
203
204
205enum {
206  SH_CHECK_NONE    = 0, 
207  SH_CHECK_INIT    = 1,
208  SH_CHECK_CHECK   = 2
209};
210
211#define SH_MOD_THREAD  1
212#define SH_MOD_ACTIVE  0
213#define SH_MOD_FAILED -1
214#define SH_MOD_OFFSET 10
215
216/* Flags for file status
217 */
218#define SH_FFLAG_ALLIGNORE (1<<0)
219#define SH_FFLAG_VISITED   (1<<1)
220#define SH_FFLAG_CHECKED   (1<<3)
221#define SH_FFLAG_REPORTED  (1<<3)
222#define SH_FFLAG_SUIDCHK   (1<<4)
223#define SH_FFLAG_ENOENT    (1<<5)
224
225#define SH_FFLAG_ALLIGNORE_SET(a)   (((a) & SH_FFLAG_ALLIGNORE) != 0)
226#define SET_SH_FFLAG_ALLIGNORE(a)   ((a) |= SH_FFLAG_ALLIGNORE)
227#define CLEAR_SH_FFLAG_ALLIGNORE(a) ((a) &= ~SH_FFLAG_ALLIGNORE)
228
229#define SH_FFLAG_VISITED_SET(a)     (((a) & SH_FFLAG_VISITED) != 0)
230#define SET_SH_FFLAG_VISITED(a)     ((a) |= SH_FFLAG_VISITED)
231#define CLEAR_SH_FFLAG_VISITED(a)   ((a) &= ~SH_FFLAG_VISITED)
232
233#define SH_FFLAG_CHECKED_SET(a)     (((a) & SH_FFLAG_VISITED) != 0)
234#define SET_SH_FFLAG_CHECKED(a)     ((a) |= SH_FFLAG_VISITED)
235#define CLEAR_SH_FFLAG_CHECKED(a)   ((a) &= ~SH_FFLAG_VISITED)
236
237#define SH_FFLAG_REPORTED_SET(a)    (((a) & SH_FFLAG_REPORTED) != 0)
238#define SET_SH_FFLAG_REPORTED(a)    ((a) |= SH_FFLAG_REPORTED)
239#define CLEAR_SH_FFLAG_REPORTED(a)  ((a) &= ~SH_FFLAG_REPORTED)
240
241#define SH_FFLAG_SUIDCHK_SET(a)     (((a) & SH_FFLAG_SUIDCHK) != 0)
242#define SET_SH_FFLAG_SUIDCHK(a)     ((a) |= SH_FFLAG_SUIDCHK)
243#define CLEAR_SH_FFLAG_SUIDCHK(a)   ((a) &= ~SH_FFLAG_SUIDCHK)
244
245#define SH_FFLAG_ENOENT_SET(a)      (((a) & SH_FFLAG_ENOENT) != 0)
246#define SET_SH_FFLAG_ENOENT(a)      ((a) |= SH_FFLAG_ENOENT)
247#define CLEAR_SH_FFLAG_ENOENT(a)    ((a) &= ~SH_FFLAG_ENOENT)
248
249/* Flags for inotify
250 */
251#define SH_INOTIFY_USE      (1<<0)
252#define SH_INOTIFY_DOSCAN   (1<<1)
253#define SH_INOTIFY_NEEDINIT (1<<2)
254#define SH_INOTIFY_INSCAN   (1<<3)
255#define SH_INOTIFY_IFUSED(a)   if ((sh.flag.inotify & SH_INOTIFY_USE) != 0) { a }
256
257
258/**************************************************
259 *
260 * TYPEDEFS
261 *
262 **************************************************/
263
264enum {
265  SH_LEVEL_READONLY    = 1, 
266  SH_LEVEL_LOGFILES    = 2,
267  SH_LEVEL_LOGGROW     = 3,
268  SH_LEVEL_NOIGNORE    = 4,
269  SH_LEVEL_ALLIGNORE   = 5,
270  SH_LEVEL_ATTRIBUTES  = 6,
271  SH_LEVEL_USER0       = 7,
272  SH_LEVEL_USER1       = 8,
273  SH_LEVEL_USER2       = 9,
274  SH_LEVEL_USER3       = 10,
275  SH_LEVEL_USER4       = 11,
276  SH_LEVEL_PRELINK     = 12
277};
278
279typedef struct {
280  time_t  alarm_interval;
281  time_t  alarm_last;
282} sh_timer_t;
283
284typedef struct {
285  char   path[SH_PATHBUF];
286  char   hash[KEY_LEN+1];
287} sh_sh_df;
288
289typedef struct {
290  char   user[USER_MAX];
291  char   group[GROUP_MAX];
292  char   home[SH_PATHBUF];
293  uid_t  uid;
294  gid_t  gid;
295} sh_sh_user;
296
297typedef struct {
298  char   name[SH_PATHBUF];      /* local hostname                  */
299  char   system[SH_MINIBUF];    /* system                          */
300  char   release[SH_MINIBUF];   /* release                         */
301  char   machine[SH_MINIBUF];   /* machine                         */
302} sh_sh_local;
303
304typedef struct {
305  char   name[SH_PATHBUF];
306  char   alt[SH_PATHBUF];
307} sh_sh_remote;
308
309typedef struct {
310  unsigned long   bytes_hashed;  /* bytes     last check */
311  unsigned long   bytes_speed;   /* bytes/sec last check */
312  unsigned long   mail_success;  /* mails sent           */ 
313  unsigned long   mail_failed;   /* mails not sent       */
314  time_t          time_start;    /* start     last check */
315  time_t          time_check;    /* time      last check */
316  unsigned long   dirs_checked;  /* #dirs     last check */
317  unsigned long   files_checked; /* #files    last check */
318  unsigned long   files_report;  /* #file reports        */
319  unsigned long   files_error;   /* #file access error   */
320  unsigned long   files_nodir;   /* #file not a directory*/
321} sh_sh_stat;
322
323typedef struct {
324  int    exit;                     /* exit value                      */
325  int    checkSum;                 /* whether to init/check checksums */
326  int    update;                   /* update db                       */
327  int    opts;                     /* reading cl options              */
328  int    started;                  /* finished with startup stuff     */
329  int    isdaemon;                 /* daemon or not                   */
330  int    loop;                     /* go in loop even if not daemon   */
331  int    nice;                     /* desired nicety                  */
332  int    isserver;                 /* server or not                   */
333  int    islocked;                 /* BAD if logfile not locked       */
334  int    smsg;                     /* GOOD if end message sent        */
335  int    log_start;                /* TRUE if new audit trail         */
336  int    reportonce;               /* TRUE if bad files only once rep.*/
337  int    fulldetail;               /* TRUE if full details requested  */
338  int    client_severity;          /* TRUE if client severity used    */
339  int    client_class;             /* TRUE if client class used       */
340  int    hidefile;                 /* TRUE if file not shown in log   */
341  int    inotify;                  /* Flags for inotify               */
342  int    audit;
343  unsigned long aud_mask;
344} sh_sh_flag;
345
346typedef struct {
347
348  char   prg_name[8];
349
350  UINT64 pid; 
351 
352  sh_sh_df     exec;
353  sh_sh_df     conf;
354  sh_sh_df     data;
355
356  sh_sh_user   real;
357  sh_sh_user   effective;
358  sh_sh_user   run;
359
360  sh_sh_local  host;
361
362  sh_sh_remote srvtime;
363  sh_sh_remote srvmail;
364  sh_sh_remote srvexport;
365  sh_sh_remote srvcons;
366  sh_sh_remote srvlog;
367
368  sh_sh_stat   statistics;
369  sh_sh_flag   flag;
370
371#ifdef SH_STEALTH
372  unsigned long off_data;
373#endif
374
375  sh_timer_t mailNum;
376  sh_timer_t mailTime;
377  sh_timer_t fileCheck;
378
379  int    looptime;                 /* timing for main loop            */
380  /*@null@*//*@out@*/ char   * timezone;
381
382  int delayload;
383
384#ifdef SCREW_IT_UP
385  int sigtrap_max_duration;
386#endif
387
388  char * outpath;
389} sh_struct;
390
391
392extern volatile  int      sig_raised;
393extern volatile  int      sig_urgent;
394extern volatile  int      sig_debug_switch;       /* SIGUSR1 */
395extern volatile  int      sig_suspend_switch;     /* SIGUSR2 */
396extern volatile  int      sh_global_suspend_flag;
397extern volatile  int      sig_fresh_trail;        /* SIGIOT  */
398extern volatile  int      sh_thread_pause_flag;
399extern volatile  int      sig_config_read_again;  /* SIGHUP  */
400extern volatile  int      sig_terminate;          /* SIGQUIT */
401extern volatile  int      sig_termfast;           /* SIGTERM */
402extern volatile  int      sig_force_check;        /* SIGTTOU */
403extern volatile  int      sig_force_silent;       /* SIGTSTP */
404extern volatile  int      sh_global_check_silent;
405extern volatile  int      sh_load_delta_flag;
406
407extern long int eintr__result;
408
409extern int     sh_argc_store;
410extern char ** sh_argv_store;
411
412#include "sh_calls.h"
413
414
415typedef struct {
416  char   sh_sockpass[2*SOCKPASS_MAX+2];
417  char   sigkey_old[KEY_LEN+1];
418  char   sigkey_new[KEY_LEN+1];
419  char   mailkey_old[KEY_LEN+1];
420  char   mailkey_new[KEY_LEN+1];
421  char   crypt[KEY_LEN+1]; 
422  char   session[KEY_LEN+1]; 
423  char   vernam[KEY_LEN+1];
424  int    mlock_failed;
425
426  char   pw[PW_LEN];
427
428  char   poolv[KEY_BYT];
429  int    poolc;
430
431  int    rngI;
432  UINT32 rng0[3];
433  UINT32 rng1[3];
434  UINT32 rng2[3];
435
436  UINT32 res_vec[6];
437
438  UINT32 ErrFlag[2];
439
440#ifdef SH_ENCRYPT
441  /*@out@*/ keyInstance             keyInstE;
442  /*@out@*/ keyInstance             keyInstD;
443#endif
444} sh_key_t;
445
446extern sh_struct sh; 
447/*@null@*/ extern sh_key_t  *skey; 
448
449/**************************************************
450 *
451 * macros
452 *
453 **************************************************/
454
455#if defined(SH_ABORT_ON_ERROR)
456#define SH_ABORT abort()
457#else
458#define SH_ABORT
459#endif
460
461
462
463/* The semantics of the built-in are that it is expected that expr == const
464 * for __builtin_expect ((expr), const)
465 */
466#if defined(__GNUC__) && (__GNUC__ > 2) && defined(__OPTIMIZE__)
467#define SH_LIKELY(expr)   (__builtin_expect((expr), 1))
468#define SH_UNLIKELY(expr) (__builtin_expect((expr), 0))
469#else
470#define SH_LIKELY(expr) (expr)
471#define SH_UNLIKELY(expr) (expr)
472#endif
473
474/* signal-safe log function
475 */
476int  safe_logger (int thesignal, int method, char * details);
477void safe_fatal  (const char * details, const char *f, int l);
478
479#define SH_VALIDATE_EQ(a,b) \
480     do { \
481         if ((a) != (b)) safe_fatal(#a " != " #b, FIL__, __LINE__);\
482     } while (0)
483
484#define SH_VALIDATE_NE(a,b) \
485     do { \
486         if ((a) == (b)) safe_fatal(#a " == " #b, FIL__, __LINE__);\
487     } while (0)
488
489#define SH_VALIDATE_GE(a,b) \
490     do { \
491         if ((a) < (b)) safe_fatal(#a " < " #b, FIL__, __LINE__);\
492     } while (0)
493
494#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
495#ifdef USE_SUID
496#define MLOCK(a, b) \
497      if ((skey != NULL) && skey->mlock_failed == S_FALSE){ \
498        (void) sl_set_suid(); \
499        if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = S_TRUE; \
500        (void) sl_unset_suid(); }
501#else
502#define MLOCK(a, b) \
503      if ((skey != NULL) && skey->mlock_failed == S_FALSE){ \
504        if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = S_TRUE; }
505#endif
506#else
507#define MLOCK(a, b) \
508  ;
509#endif
510
511#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
512#ifdef USE_SUID
513#define MUNLOCK(a, b) \
514      if ((skey != NULL) && skey->mlock_failed == S_FALSE){ \
515        (void) sl_set_suid(); \
516        (void) sh_unix_munlock( a, b );\
517        (void) sl_unset_suid(); }
518#else
519#define MUNLOCK(a, b) \
520      if ((skey != NULL) && skey->mlock_failed == S_FALSE){ \
521        (void) sh_unix_munlock( a, b ); }
522#endif
523#else
524#define MUNLOCK(a, b) \
525  ;
526#endif
527
528#ifdef SH_STEALTH
529void sh_do_encode (char * str, int len);
530#define sh_do_decode sh_do_encode
531#endif
532
533/* #if defined(SCREW_IT_UP)
534 * extern volatile int sh_not_traced;
535 * inline int  sh_sigtrap_prepare();
536 * inline int  sh_derr();
537 * #endif
538 */
539
540#if defined(SCREW_IT_UP) && (defined(__FreeBSD__) || defined(__linux__)) && defined(__i386__)
541#define BREAKEXIT(expr) \
542  do { \
543    int ixi; \
544    for (ixi = 0; ixi < 8; ++ixi) { \
545      if ((*(volatile unsigned *)((unsigned) expr + ixi) & 0xff) == 0xcc) \
546        _exit(EXIT_FAILURE); \
547      } \
548    } \
549  while (1 == 0)
550#else
551#define BREAKEXIT(expr)
552#endif
553 
554
555
556#include "sh_cat.h"
557#include "sh_trace.h"
558#include "sh_mem.h"
559
560#endif
561
562/* CRIT:                                       */
563/* NEW_CLIENT  <client>                        */
564/* BAD_CLIENT  <client> -- <details>           */
565/* ERR_CLIENT  <client> -- <details>           */
566
567/* ALERT:                                      */
568/* LOG_KEY     samhain|yule <key>              */
569/* STARTUP     samhain|yule -- user <username> */
570/* EXIT        samhain|yule                    */
571/* GOODSIG     <file> <user>                   */
572/* FP_KEY      <fingerprint>                   */
573/* GOODSIG_DAT <file> <user>                   */
574/* FP_KEY_DAT  <fingerprint>                   */
575/* TIGER_CFG   <file> <checksum>               */
576/* TIGER_DAT   <file> <checksum>               */
577
578/* PANIC       -- <details>                    */
579/* ERROR       -- <details>                    */
580
581/* Policy                                      */
582/* POLICY      <code> <file>                   */
583/* <code> = MISSING || ADDED || NOT_A_DIRECTORY || <policy> */
584
585
586
Note: See TracBrowser for help on using the repository browser.