* deploy.sh: allow to set a group for hosts upon installation * patch by Yoann: fix an issue when setting the idmef_inode_t object * fix memory leaks in error paths in sh_prelude.c * fix concurrent inserts with postgres in sh_database.c * code cleanup * fix manual version in spec file, noticed by Imre Gergely 2.2.0: * patch by Jim Simmons for samhainadmin.pl.in * fix testsuite portability problems * fix md5 endianess problem detected on HP-UX 11i / PA-RISC 8700 * fix potential NULL dereference in sh_utmp_endutent() * patch by Neil Gorsuch for suidchk.c (do not scan lustre, afs, mmfs) * fix sh_ext_popen (OpenBSD needs non-null argv[0] in execve) * fix make_tests.sh portability (echo '"\n"' does not work on OpenBSD) * fix bug in sh_utils_obscurename (check isascii) * scan h_aliases for FQDN if h_name is not * add copyright/license info to test scripts * add copyright/license info to deployment system scripts * support server-to-server relay * new CL option --server-port * minor improvements in manual * patch by Yoann Vandoorselaere for sh_prelude.c * allow --longopt arg as well as --longopt=arg * verify checksum of growing log files (up to previous size) * rewrite of the test suite * added a bit of unit testing * minor optimizations in various places * optimized implementation of tiger checksum algorithm * read in 64k blocks (faster than 4k) * sh_unix.c, sh_hash.c: support file flags on *BSD, update Linux file attribute code * kern_head: fix compilation of kernel check module on OpenBSD * updated samhainrc.linux, samhainrc.freebsd * sh_unix.c: fix setrlimit (RLIMIT_NOFILE, ..) * sh_files.c: fix missing use of flag_err_info * sh_tiger0.c: remove repetitive use of mlock * slib.c: remove fcntl's from sl_read_timeout (caller sets O_NONBLOCK), add function sl_read_timeout_prep 2.1.3 (13-03-2006): * fix compile problem in slib.c (reported by Lawrence Bowie) * fix bug with combination of one-shot update mode and file check schedule (reportedby Dan Track) * improved the windows howto according to suggestions by Jorge Morgado * fix samhain_hide kernel module for new linux kernel versions * fix minor problem with dead client detection (problem reported by Michal Kustosik) 2.1.2 (10-01-2006): * fix startup error with combination of gpg+prelude 2.1.1a (22-12-2005): * fixed a stupid bug in sh_files.c (break if file = dir) 2.1.1 (21-12-2005): * sh_calls.c: protect sh_calls_set_bind_addr against overriding * comINSTALL, updateDB: use locking * samhainadmin.pl: use locking * fix typos in samhainrc.solaris (noticed by Robby Cauwerts) * improve zAVLSearch (remove redundant strcmp) * use AVL tree in sh_files.c instead of linked list (better scaling) * fix bug with suidcheck (no update/check in one-shot mode with schedule instead of check interval; noticed by R. Rati) * fix for problem with '-t update -i' if daemon mode (problem report by Peter van der Does) * fix for bug in sh_util_ask_update (two returns were required ...) 2.1.0 (31-10-2005): * minor fix for cross-compiling with --with-kcheck * sh_forward.c: handle bad fds in the select() fd sets (reported by hmy) * sh_extern.c: fix debugging code * slib.c, sh_calls.c, sh_calls.h: improve handling of O_NOATIME (reported by Gabor Kiss) * makefile.in: fix for solaris package creation * sh_mail.c, sh_readconf.c: mail filtering options * sh_database.c: Oracle reconnect on connection failure (bug report by Alexander A. Sobyanin) * sh_unix.c: don't purge MYSQL_UNIX_PORT environment variable (problem reported by Peter) * sh_calls.c: fix for a HP-UX accept() problem caused by the gcc4 fix * fixes for gcc 4.0.2 compiler warnings * ability to use daemon mode together with update (wishlist Yoan Vandoorselaere) * fixes for debugging 2.0.10a (22-08-2005): * fix for overlapping directory check specification (reported by Bub) 2.0.10 (21-08-2005): * fix for segfault (free() on a constant string) with libprelude (problem reported by Grae Noble) * upgrade FreeBSD kernel check to 5.4, minor fixes * useful script for users of Linux kernel check (contributed by marc heisterkamp) * documentation improvements (suggested by Brian Seklecki and Robby) 2.0.9 (25-08-2005): * samhain_erase.c: add #define for NULL * sh_suidchk.c: fix incorrect use of escaped filename * sh_prelude.[ch], sh_readconf.c: configurable mapping from samhain severity to prelude severity * sh_unix.h: second arg of gettimeofday should be NULL * sh_files.c: fix checking of directory special file (use specified policy, not that of parent dir, problem found by Brian A. Seklecki) * sh_entropy.c: longer timeout for entropy collector * sh_socket.c, sh_forward.c: allow probing of clients for necessity of configuration reload * yulectl: minor fixes, option -v (verbose), new command PROBE * fix 'File not found' messages for files flagged with IgnoreMissing * sh_database.c: strip newline from oracle error messages * sh_files.c: fix rsrc fork issue with MacOS X Tiger (reported by A. Koren) * never compute checksum if not checked (problem report by D.Hughes) * sh_prelude.c: cleanup and bugfix by Yoann * sh_hash.c: for prelude, make sure mode is supplied with user/group and vice versa * sh_prelude.c: provide proper FileAccess objects (bug report by Mihai Ilinca) 2.0.8 (03-07-2005): * configure.ac: use $LIBPRELUDE_PTHREAD_CFLAGS rather than $LIBPRELUDE_CFLAGS (bugfix by Yoann) * samhain.spec.in: remove support for chkconfig (it's too buggy). Strangely, if invoked as install_initd it behaves sanely ... * src/sh_err_log.c: fix key input (this time for real) * fix --with-altlogserver (bug from 2.0.7b) * remove server socket in start/stop script 2.0.7e (not released): * Makefile.in: introduce a total of 6 sec delay for 'make' utilities that use 1 sec resolution, and consider target out-of-date if timestamp(target) = timestamp(dependency) ... * src/sh_err_log.c: fix key input * another fix for yulectl (use pwent->pw_dir) * dsys/comINSTALL, dsys/comUNINSTALL, dsys/comBUILD: fix PATH 2.0.7d (not released): * one more fix for the spec file (stupid rpm finds tags in comments!!!) 2.0.7c (not released): * test/testrun_1b.sh, test/testrun_2b.sh: use $GPG_PATH * dsys/comINSTALL, dsys/funcDB, dsys/funcINSTALL: some bugfixes * samhain-install.sh.in: fix test -z $verbose * sh_hash.c: speedup database reading * Makefile.in: fix the problem that BSD make would make too much * deploy: yulerc.clients -> yulerc.install.db, provide $defdatabase for backward compatibility * deploy: allow for comma in client_install_date 2.0.7b (not released): * hp_ux.psf.in: fix psf file * dsys/comINSTALL: fix $yule_date -> $yule_data * Makefile.in: fix 'make depot' * sh_tools.c, sh_unix.c: fix detection of open file limit * sh_readconf.c: reset read_mode after reading conf file * yulectl.c: better error messages, use homedir from getpwuid(geteuid) * init/samhain.startLSB.in: fix misleading message in lsb init script * sh_forward.c: better display for nonce u in debug mode * sh_tiger*.c: fix checksum for HP-UX 64bit * samhain.c: don't fetch database twice * configure.ac: accept nodename for --with-logserver=... * samhain_setpwd.c: return proper exit status for samhain_setpwd * respond to SIGTERM on initializing * fix problems with samhainadmin.pl * sh_utils.c: fix bug with AddOKChars (found by Karol) 2.0.7a (not released): * remove 'df' from entropy gatherer (NFS may hang) * modify va_copy check (doesn't work with HP-UX PA64 compiler) * fix compile warnings in sh_database.c * samhain-install.sh.in: check for /usr/bin/false in /etc/shells * fix install-boot on HP-UX * aclocal.m4: fix configure CL parsing to recognize VAR=VALUE 2.0.7 (11-06-2005): * yet another fix for the spec file (use internal dependency generator) * sh_error.c, sh_prelude.c: init libprelude after open fds are closed * error message if queue is full * fix two compiler warnings on HP-UX * fix sh_mail.c for Interix (no resolver routines) * fix sh_unix_initgroups2() if no initgroups() function (bug reported by Geries Handal) * remove references to 'struct timezone' (Interix; problem reported by Geries Handal) * init/stop for prelude on SIGHUP * sh_cat.h: fix a stupid bug with messages classes * manual: new section on nagios (with help from kiarna), more on prelude * sh_prelude.c: cleanup and improvements (Yoann Vandorselaere) * default prelude profile name now is 'samhain' (lowercase) * sh_readconf.c: new option PreludeProfile (by Yoann Vandorselaere) * remove obsolete check for linux/module.h, linux/unistd.h * remove dependency on virtual/glibc in gentoo ebuild (problem reported by Willis Sarka) 2.0.6 (01-03-2005): * sh_prelude.c, configure.ac, aclocal.m4: support for libprelude 0.9 (Yoann Vandoorselaere) * sh_html.c: fix bug with entry.html template (reported by Stephane Sanchez) * Install.sh: fix mandir option (reported by Rodney Smith) * Fixed Linux/64bit bug in definition of EUIDSLOT * New targets 'make depot', 'make depot-light' (HP-UX, untested) * Use sstrip for RPMs and DEBs (automatic stripping disabled) * Fix aclocal.m4 for autoconf 2.59 (missing $ac_cr_alnum et al., problem noticed by Yoann Vandoorselaere) * Modify samhain.spec.in to disable automatic stripping upon install * Fix deploy.sh + '--enable-gpg', and fix 'make rpm' and 'make deb' for '--with-khide' (problems reported by Mark) * Fix compile error in sh_tools.c on HP-UX 10.20 (problem reported by Dennis Boylan) * Runtime configuration of server listening port (wishlist) * Runtime configuration of server listening interface (wishlist) * Ignore SIGTTIN (consistency) * Use SIGTTOU to force file check (wishlist) 2.0.5b (01-04-2005): * Fix build problem b/o timestamp on stamp file 2.0.5a (16-03-2005): * Fix problem with 'make rpm' (reported by Dirk Brümmer) 2.0.5 (02-03-2005): * Fix bug with partial reads from clients in server (bug report by Brian) * Support gpg checksum bootstrap with yule * Support mount option check on HP-UX * For MAIL FROM, use 'example.com' as domain part if hostname is numeric (problem reported by Eric Raymond) * The HOWTO-write-modules has been updated. * Convenience functions to insert data in database have been added. * Use int0x03 only on i386 in sh_derr() (portability problem reported by John Mandeville) 2.0.4 (09-02-2005): * Fixed broken 'make deb' (problem report by olfi) * Fixed minor bug in test scripts (detection of gmake vs. make) * Fixed Tru64/OSF compile warnings (reported by B. Terp) * Normalize list parsing to allow comma, space, and tab as separators * Some more descriptive error messages in kern_head.c * Absolute path to utilities in init/samhain.startLinux.in * Fixed is_root variable in deploy.sh * Fixed 'deploy.sh info' * Fixed 'deploy.sh install' client startup * Fixed 'make tbz': don't remove ebuild scripts in 'make dist' (issue reported by W. Sarky) 2.0.3 (14-12-2004): * Fix CPPFLAGS with mysql/postgresql (repoted by P. Smith) * Fix missing sys/time.h include in slib.c (reported by Jonas) * Workaround for file closing problem with Prelude+GPG * Fixed memory leak with Prelude. * Fixed bug in samhain_stealth (PGP signature not correctly retrieved from hidden configuration; report and patch by V. Tuska) * Added Perl script to concatenate file signature database files * Fix compile error with combination of --enable-nocl and --enable-stealth (reported by Zdenek Polach) * Fix bug in dsys/initscript with --enable-nocl * Fix declaration of sh_kern_timer() * Fix missing Mounts+Userfiles options in appendix of manual * Updated the README (bug report by H. Franzke) * Fix some compiler warnings 2.0.2a (09-11-2004): * Fixed OoM condition when client rc file not found (reported by Eilko) 2.0.2 (08-11-2004): * Fixed buffer overflow in sh_hash_compdata() (only in 'update' code) * Fixed uninitialized variable in sh_mail_msg() (problem reported by Michael Milvich) * Fixed potential NULL pointer dereference in sh_hash_compdata() 2.0.1 (01-11-2004): * Fixed compilation bug reported by jue (--with-kcheck broken). * Fixed start option (bug reported by sanek). Behaviour wrt. environment variables depended on the way the daemon was started. 2.0.0 (31-10-2004): * The deployment system has been rewritten from scratch in a cleaner and more modular and extensible way. Deployment of native packages is supported now. * The build system has been revised. Building outside the source directory is supported now. * Support for checksumming of prelinked executables / libraries has been added. * The configure script now checks for the SSP/ProPolice patch in GCC, and enables it if present. * The install-boot option in samhain-install.sh has been fixed (use absolute paths for sbin utilities). * A nagios plugin (scripts/check_samhain.pl) has been added. * The LSB (Linux Standard Base) init script has been fixed (the output was incorrect). * Fetching of built binary packages has been fixed ($(PACKAGE)->@install_name@). * For files in proc, the timeout has been reduced, and no error messages are issued upon timeout. * A function has been added to print out full details for missing files if encountered while in sh_files(). * The reporting for SuidCheck has been fixed (incorrect policy noticed by JiM). * On Linux, SuidCheck does not report on files marked as candidates for mandatory locking (group-id bit set, group-execute bit cleared). * Fix for oracle init script (by Matt Warner) 1.8.12b (11-10-2004): * fix bug in MSG_MSTAMP (%ld -> %lu) * fix bugs in sh_suidchk.c (%ld -> %lu), check fopen for NULL, mkdir mode for quarantine directory * fix the fix for modlist_lock search in System.map 1.8.12a (01-10-2004): * fix bug in samhain-install.sh.in (only occurs on Solaris), reported by J. Roland 1.8.12 (27-09-2004): * fix compile bug with --enable-static + --with-database=postgresql * fix search for modlist_lock in System.map * password auth for yule command socket (request by D. Kocic) * more info about pending/sent commands to clients 1.8.11 (30-08-2004): * fix static linking on Linux by use of replacement routines from uClib - however, this means, there is no NIS support anymore * new option AddOKChars=... to modify the set of characters for filenames considered 'obscure' * new option HardlinkOffset=... to specify an offset from the canonical hardlink count for a directory * fix some warning with HP 11.23 native compiler * fix minor OpenBSD portability problems (EIDRM, compiler warning) * samhainrc.5, samhain.8: updated the man pages * sh_unix.c, sh_files.c: ignore 'no user/group' and 'obscure name' for AllIgnore * sh_kern.c: fix 'update' to display modifications * sh_kern.c: fix bug with IDT check (spurious alerts b/o uninitialized fields) * stealth kernel modules: fix for linux 2.6, fix redefine of KERNEL_VERSION * warn about stealth kernel module problem with 2.6 in manual * sh_unix.c: remove some cruft * fix a typo in the manual (noticed by J. Rubin) * configure.ac: re-order output from libprelude-config (required for static linking - problem reported by E. Neber) * kern_head.h, kern_head.c: fixes for Linux 2.6 kernel 1.8.10b (13-07-2004): * fix incorrect usage of 'retry_msleep()' in sh_kern.c (reported by Pat Smith) 1.8.10a (13-07-2004): * depend-gen.c: fix for FreeBSD 'make' which does not understand the dependencies ... (problem reported by David Thiel) 1.8.10 (13-07-2004): * sh_unix.c/sh_unix.h: fix defaults for 'GrowingLogFiles' policy (bug report by VZoubkov) * fix some warnings (unreachable statement) with HP-UX native compiler * kern_check.c: silence warning about 'sendfile' for 4.10 (noticed by Ryan Beasley) * modify depend-gen.c to ignore sh_gpg_chksum.h * add a non-plaintext version of GPG_HASH (sh_gpg_chksum.h) * .. and for fingerprint * sh_suidchk.c: fix some compiler warnings on solaris * allow commas to separate multiple entries in a RedefXXX= directive * replace sleep/usleep with nanosleep wrapper function * replace alarm() for read timeout with select() in sl_read_timeout (should fix bug reported by Scott Kelley) * increase lstat/open timeout to 6 sec 1.8.9 (16-06-2004): * made 'no action specified' error message more informative (suggested by Stephen Gill) * fix memory leak in mysql sh_database_query() (bug report by Dejan) * remove some cruft from the code * sh_files.c: check MacOS X resource forks (idea from Osiris) * sh_files.c: no hardlink check for MacOS X * sh_util_ask_update: fix bug with no terminal in non-interactive mode (report and debug data by Kris Dom) * manual refactored * fix redundant messages when updating with suidcheck * allow interactive update for suid files * don't remove the TZ environment variable to guard against misconfigured hosts * also use gethostname if uname returns possibly truncated name * fix improper file descriptor handling in sh_mail.c (bug report by Alex Weiss) * cleanup MBLK cruft * use SH_ALLOC/SH_FREE in sh_prelude.c * update sstrip to Version 2.0 1.8.8 (25-05-2004): * fix compilation problem on AIX 5.2 (nameser_compat.h; report by Tim Evans and Ian McCulloch) * don't check for trusted paths on Cygwin * add Windows HOWTO written by Kris Dom * kern_check.h: extend FreeBSD syscall table for 5.x 1.8.7a (03-05-2004): * sh_mail.c: fix subject length * sh_mail.c: fix the sh.mailNum.alarm_last fix (report by Kris Dom) * sh_utils.c: sh_util_ask_update(): fix ISO C conformance bug (compile problem reported by Kris Dom) 1.8.7 (01-05-2004): * sh_mail.c: fix incorrect count of sh.mailNum.alarm_last, causing empty mails (introduced with segfault fix in 1.8.6, report by Kris Dom) * sh_utils.c: sh_util_ask_update(): check whether stdin is a terminal, try to reopen on controlling terminal if not * sh_utmp.c: fix order of options (problem report by Uri) * sh_files.c: sh_files_chk(): set tmp = NULL at end of loop (may cause segfault on null dereference for missing files) * sh_unix.c: patch by Marc Schütz (order of sh_unix_getinfo_type, sh_unix_getinfo_attr) * don't use dh_installmanpages in 'make deb' (samhain/yule conflict reported by xavier) * on HP-UX, define _XOPEN_SOURCE_EXTENDED in sh_mail.c and sh_tools.c (suggested by Kris) * include nameser_compat.h in sh_mail.c (for MacOS X, suggestion by jna) * sh_utmp.c: fix time for logout events (reported by Erich van der Velde) 1.8.6 (15-04-2004): * add CL option to set threshold for prelude and RDBMS * sh_mail.c: fix bug with MailSubject option (segfault on NULL pointer dereference; reported by Micha Silver) * fix compiling with --disable-encrypt (reported by Pat Smith) * fix minor problem in scheduler (don't return before all schedules are tested, to set last_exec correctly) 1.8.5 (05-04-2004): * fix bugs in sh_utmp.c (unlinking of list head); may fix an OpenBSD problem (endless loop; report and debugging aid by Joe MacDonald) * fix hardlink check (null dereference in error message, segfaults on solaris - noticed by Bob Bloom) * sh_suidcheck: don't truncate quarantined file if nlink > 1 * fix Install.sh (no --seperate-output with --radiolist); patch by Greg Kimberly 1.8.4 (17-03-2004): * add Prelude patch by Patrice Bourgin * add license statement to sh_mounts.c, sh_userfiles.c after receiving a clarifying e-mail from Cian Synnott * support UsePersistent = no for Oracle (problem spotted and fix tested by Michael Somers) * fix bug in samhainadmin.pl * sh_gpg.c: describe type of gpg error (if any) * fix persistent connections with postgresql (reported by Erwin Van de Velde) * prelude: local 'meaning' shadows global in sh_prelude_alert (spotted by David Maciejak) * uname: workaround for cases where nodename would be a possibly truncated FQDN (problem reported by Cian Synnott) * re-write parts of sh_kern.c, store kernel info in baseline database -> no need to recompile after kernel upgrade * modify timeouts in sh_unix_getinfo, add timeout warning * change handling of dangling symlinks (store in db) * fix typo with MSG_FI_OBSC2 (double slash) * remove redundant operation in sh_utils_safe_name * fix occasional random start bytes of long messages in sh_error_string (sl_strlcat -> sl_strlcpy) * provide details for missing files (as for added files) * remove duplicate message for no such group/user * add fixes for samhain.oracle.init (supplied by Michael Somers) * fix date insertion for Oracle (fix by Michael Somers) * manual: fix incorrect statement about RPM (noticed by Lars Kellogg-Stedman) 1.8.3 (02-02-2004): * add a HOWTO-client+server-troubleshooting document * fix another bug with SIGUSR2 (suspend mode) * new option SetBindAddress (--bind-address=...) to force interface for outgoing connections on multi-interface box * don't link against libgmp if not required (i.e. standalone) * test for ext2fs/ext2_fs.h or linux/ext2_fs.h * new make targets 'emerge' and 'tbz2' for gentoo * update rules.deb.in based on the Debian package by Javier Fernandez-Sanguino * updated config.guess, config.sub to version 2002-09-05 * external command: report failure only once * console: reset failure status after success * README.UPGRADE: explain 1.7.x <-> 1.8.x client/server compatibility * use persistent connection to database by default * option UsePersistent=no to switch off persistent connection 1.8.2 (19-01-2004): * sh_userfiles.c: new option UserfilesCheckUids (requested) * sh_error.c: server: don't log to logfile before dropping root * new script scripts/samhainadmin.pl (administrative tasks for signed config/database files) * add changes code to log_msg for reports on modified files * change default log threshold to 'mark', as 'none' tends to confuse new users * faster response time for SIGUSR2 * revised (mostly backward-compatible) message classes * fix missing check of mailTime in server select loop * add support for libprelude (version 0.8.10) * fix format for MSG_E_GRNULL (reported by Stefan Hudson) * fix Bourne shell incompatibility (export) in samhain-install.sh (first reported by David Thiel) * fix typo in spec file (first reported by Christian Vanguers) * remove some cruft (signal handler, memory handling) * return from sigterm handler, rather than exit directly (re-entrancy problem causes more problems than it's worth) 1.8.1 (03-12-2003): * fix gmp detection (problem pointed out by Nix) * fix/improve the error message if test compiling with mysql fails * new CL option --interactive for interactive db update * fix some compiler warnings from IRIX MIPS compiler * kern_head.h, kern_head.c: option to disable IDT check * kern_head.h, kern_head.c: update kernel syscall table (2.4.20,2.6) * sh_utmp.c: count number of logins (request by Erwin Van De Velde) * change username -> userid, remove (long) userid (bug noticed by Erwin Van De Velde) * emit ADDED message for new SUID/SGID files * add trailing slash to excluded directory if there is none 1.8.0a (04-11-2003): * sh_error.c: remove two debug printf's 1.8.0 (31-10-2003): * manual: make ps file fit on both a4 and letter paper * sh_socket.c, sh_socket.h, sh_forward.c: socket interface to send (quit/reload) commands to clients * sh_forward.c, configure.ac: enable build with libwrap (Wietse Venema's TCP Wrappers library) * sh_ignore.c, sh_ignore.h, sh_files.c, sh_hash.c, sh_readconf.c: new option to suppress messages for new and/or deleted files * samhainrc.aix5.2.0: contributed by Christoph Kiefer * samhain.c: fix compile warning on solaris (noticed by Ian Hunt) * sh_database.c: undef debug code for oracle * samhain.oracle.init: contributed by Joern Michael Krueger * configure.ac, sh_utils.ac, Makefile.in, sh_modules.c, sh_cat.c, sh_cat.h, sh_mounts.c/h, sh_userfiles.c/h: check-mounts and userfiles modules contributed by eircom.net * sh_utils.c: fix off-by-one bug in sh_util_compress() * sh_forward.c, sh_tools.c, configure.ac: version 2 client/server protocol * sh_mail.c: add %S to include severity in subject (user request) * sh_suidchk.c, 1093: fix warning about unused var 'flags' on FreeBSD * samhain.h, sh_unix.h, sh_unix.c: extern inline -> static inline for --enable-ptrace * samhain.c: lower priority for 'uninitialized module' message * sh_entropy.c: lower priority for message if /dev/random blocks and /dev/urandom is available * improved error messages in sh_readconf.c * print system error message for getpwuid, getgrgid * fix missing module init after SIGHUP (noticed by Cian Synnott) 1.7.12 (13-10-2003): * sh_mail.c: fix buffer overflow in mail handler (introduced in 1.7.10) thanks to bug reports by Jason Martin and Matthew P. Cox 1.7.11 (01-09-2003): * samhain.c, samhain.h, sh_unix.c, sh_forward.c, sh_html.h: - change SIG_USR1 to switch between dbg on/off - change SIG_USR2 to switch between suspend on/off - fix CLT_ILLEGAL to actually work - introduce new state CLT_SUSPEND - force reauthentication after suspend * slib.c: change MAXFD from FOPEN_MAX (16) -> 1024 * sh_suidchk.c: better AIX fs detection (Christoph) * sh_entropy.c: increase buffer size for unix entropy gatherer (problem reported by D. Danielson) * default config files: add lots of comments, list more options * sh_error.c: set default severities to 'crit' * sh_readconf.c, sh_cat.c, sh_cat.h: stricter check on config file syntax, issue warnings (triggered by C. Kiefer) * Makefile.in: handle depend-gen errors more gracefully * sh_err_console.c: fix bug in enable_msgq (reported by F. Behrens) * configure.ac: workaround for mysql_config weird output (reported by G. Faron) * sh_unix.c, sh_tiger0.c: check IO limit during read of large files * depend-gen.c: close streams before attempting to rename (Cygwin) * Makefile.in: fail gracefully if depend-gen fails * sh_database.c: sh_database_query(postgresql): fixed missing SL_ENTER 1.7.10 (27-07-2003): * FreeBSD init script: define $pidfile (reported by D. Thiel) * sh_unix.c, sh_unix.h: fix compile error on AIX 4.2 * sh_schedule.c: fix bad array size * samhain.c: fix pid_t <> int casts * sh_kern.c: fix repetitive messages * configure.ac: try to bootstrap if TIGER192 not supported by gpg, provide a detailed error message * configure.ac: try harder to locate mysql * docs/Changelog: retroactively add release dates, if known * sh_mail.c: fix potential message truncation in mailer * sh_unix.c, samhain.c, samhain.h: make --enable-ptrace more portable * sh_readconf.c: fix segfault (dereference of uninitialized pointer) if --with-gpg and --enable-stealth are used together (reported by Anthony Caetano) * sh_unix.c, samhain.c, sh_calls.c: fix problems with descriptive error messages (larger GLOB_LEN, stat fills aud_err_message) 1.7.9 (30-06-2003): * sh_err_log.c: fix segfault on SIGABRT (dereference of freed memory), problems with SIGABRT noticed by Brian and Alf B Lervåg * deploy.sh.in: fix some bugs (found by Alf B Lervåg) * scripts/chroot.sh: fix typo (found by Alf B Lervåg) * configure.ac (khide): search also for 'd sys_call_table' (noted by cuek_saja) * strip whitespace before checking gpg checksum (noted by D. Thiel) * manual (faq section): explain how to stop console output * Makefile.in: fix re-naming of yule with --enable-install-name * HOWTO-client+server.html: fix typo (noted by xavier renaut) * configure.ac: escape '-' in awk regex (required by GNU awk 3.1.1) 1.7.8 (28-05-2003): * sh_unix.c: new mlock implementation with reference count and page alignment (fix for solaris problem) * kern_head.c: search also for 'xxxxxxxx d sys_call_table' * sh_html.c: write status comment (for Beltane 2) * add CL option --delimited for comma-delimited signature database dump * sh_mail.c: check exit status of push_list to fix counting bug (bug reported by Alan Moore) * configure.ac: add error message to --with-libs * fix spelling of $DAEMON in init script (noted by C. Grigoriu) * fix missing initgroups() 1.7.7 (06-05-2003): * sh_forward.c: fix bug if compiled with --enable-udp, but disabled in config file (found by Andy OBrien) * sh_database.c: sh_database_entry(): size -> c_size (two places) to fix writing of '\0' to arbitrary places :( (problem pointed out by Stefan Giesen) * profiles/*/configopts: fix --with-base -> --enable-base 1.7.6 (24-04-2003): * sh_forward.c, entry.html, head.html: fix/additions by Stefan Giesen * fix samhain_hide for the O(1) scheduler used by RedHat: configure.ac, acconfig.h: check for next_task in struct task_struct samhain_hide.c: use find_task_by_pid if no next_task in task_struct * samhain_erase.c: add MODULE_LICENSE("GPL") to fix warning 1.7.5 (15-04-2003): * sh_cat.c, sh_forward.c, sh_hash.c: fix double 'msg' tag * manual: point out the bmaxdata problem on AIX in faq section * trustfile.c: don't check symlinks (permissions of directory count) * sh_schedule.c: fix problem with daylight saving switchover * sh_samhain.c: close all open fd's >2 before reading the conf file * sh_unix.c: fix dereferenced NULL pointer when exiting on non-existing user * sh_forward.c: fix dereferenced NULL pointer when exiting on udp error * sh_forward.c: place timestamp code before select() timeout handler * fix incorrect class of timestamp messages (conflict with manual) * sh_readconf.c, sh_forward.c: new config option SetStripDomain * configure.ac: add warning if /lib/modules/`uname -r`/build/include not found * samhain_hide.c: adapt for RedHat 2.4 kernel (fetch sys_call_table address from System.map) * sh_err_syslog.c: fix for Solaris * samhain.spec.in: strip REQ_FROM_SERVER from config file install path 1.7.4 (21-03-2003): * configure.ac: fix bug in defargs (--with-base > --enable-base) * aclocal.ac: detect unsupported options * kern_check: add syscalls, skip unused syscalls * fix Manual (--enable.../--with... inconsistency) * add two HOWTOs (signed files, server/client) * moved manual into new subdirectory docs/ * add admin scripts by S.Bailey/M.Redinger * option to have a version string in db file 1.7.3 (23-02-2003): * samhain-install.sh: use yule user key for signing on install * fix a bug in sh_err_console.c (attempted write to const char) * sh_gpg.c: if server, always use ~unprivileged_user/.gnupg * Makefile.in: make target 'trustfile' depend on config.h * configure.ac: don't use install_name before it is defined ... * sh_tiger0.c: fix bug in checksum computation introduced in 1.7.2 * samhain.c: make sure daemon cannot be forced into 'update' mode * sh_hash.c: remove AIX workaround (AIX has been fixed meanwhile) 1.7.2 (04-02-2003): * sh_kern.c: use sys_call_table address from System.map * fix for reserved SQL keyword 'group' * add AC_SYS_LARGEFILE to configure.ac * allow separate client-specific log files for server * sstrip.c: compile sstrip code only for i386 * sh_unix.c: closeall: don't close trace file * slib.c: don't trace sl_is_suid (leads to recursion in trace handler) * samhain-install.sh.in: fix detection of LSB compliant systems * sh_tools.c: get_client_*_file: lstat -> stat to allow symlinks * sh_forward.c: sh_forward_do_write: set O_NONBLOCK for fd (may block otherwise, for no good reason apparently ...) * samhain.spec.in: replace %configure with ./configure * sh_unix.c: re-write signal handling (use __malloc_hook et al. to check whether we are in the middle of a free/malloc/realloc/memalign) * sh_unix.c: use new safe_logger() function to log from signal handler * sh_err_log.c: fix xml * * fix Makefile.in to exit non-zero on compile failure * database init: create index on log_host, entry_status * sh_suidchk.c: fix path building * sh_tiger0.c: read larger blocks * sh_hash.c: cast inode to UINT32 * sh_tools.c: check that config/database files size fits in uint * sh_error.c: export flag_err_debug to avoid unnecessary calls * sh_unix.c: save the open() call in sh_unix_getinfo_attr() * profiles/redhat_i386/bootscript: add # description field * deploy.sh.in: set owner + permissions for files in yule_filedir * profiles/debianlinux_i386: fix bootscript * Makefile.in: fix deploy file lists and targets (include init+scripts) * MLOCK GOOD/BAD -> SL_FALSE/SL_TRUE * sh_mail.c: GOOD/BAD -> SL_FALSE/SL_TRUE (AIX sys/param.h) * sh_err_syslog.c: split long messages rather than truncating * sh_error.c: allocate msg to fix truncation limit * sh_unix.c: closeall fd's >= 3 in non-daemon mode (inherited filedescriptors may exceed FOPEN_MAX, causing problems in sl_open_file) * sh_err_console.c: avoid stdio * trustfile: dirz: make swp[] static * slib.c: speed up sl_strlcat * clean up some bad heap allocation (PATH_MAX+(1|2) -> PATH_MAX) * remove some unused code * slib.c: support long long int in the snprintf replacement * configure.ac: new configure macro to check whether sa_sigaction works * Makefile.in: make sstrip, encode dependent on config.h 1.7.1a (08-01-2003): * fix a syntax error in samhain-install.sh.in 1.7.1 (07-01-2003): * search runlevel scripts in ./init or ./ * handle all distro-specific Linux runlevel script issues within a single script * support install-boot on Yellow Dog Linux and Slackware * samhain-install.sh: fix a bug for unknown Linux ('"' not closed, DVER not set) * samhain-install.sh: check for /etc/yellowdog-release * sh_database.c: fix missing entry for 'userid' in attr_tab[] * fix debian.rules.in (disable sstrip) * update make targets: 'srpm', 'srpm-dist', 'rpm' * check for zlib if mysql is used * workaround for NetBSD bug with libresolve * fixed problems with spec files 1.7.0 (22-12-2002): * improved spec files (Andre Oliveira da Costa ) * sh_unix.c: fix a dereferenced static pointer in tf_trust_check * runlevel scripts: remove pid file after stop * make the data directory read-only for the daemon * treat 'localhost' specially in MX resolver * sh_err_log.c: set sh.flag.log_start == TRUE after writing * deploy.sh.in: fix quoting (fix by Simon Bailey) * slib.c: make sl_get_euid et al. behave well if uids not stored * trustfile.c: use euid = uid(SH_IDENT) if server * sh_mail.c: include an MX resolver * Makefile.in: install-user routine for user installation * have yule drop root * sh_tools.c: open_temp use logdir if server * unified options for runlevel script * HP-UX, IRIX runlevel scripts * AIX inittab entry 1.6.6 (13-12-2002): * configure.ac: solaris cc -O2 -> -xO2 * sstrip.c: avoid alpha architecture * profiles/solaris/configopts: no --enable-static * sh_forward.c: sh_forward_req_file: copy argument to local array 1.6.5 (04-12-2002): * sh_utmp.c: set userlist = NULL in sh_utmp_end () * sh_unix.c: do not assume that environ is sane * exit handler: write * sh_log_file(NULL): test sh.flag.log_start != S_TRUE * FreeBSD rc script does not blindly accept content of pid file * configure.ac: allow 'localhost' for log server * sh_calls.c: retry_connect: ntohs (port) * testrun_2[abc].sh: --with-logserver=localhost for client 1.6.4 (12-11-2002): * sh_tools.c: fix error when escaping '=<' * fix the 'make srpm' target * deploy.sh.in: avoid that client is named 'yule' * define memset to sl_memset * fix type cast of uid_t, gid_t 1.6.3 (31-10-2002): * fix options for Sun/Solaris native compiler * sh_unix.c: MSG_FI_LIST (line 2333): cast theFile->size to fix error * test sstrip on freebsd * default config file for freebsd * make target to build .deb packages * sh_readconf.c: fix bug in error message * samhain.c, sh_suidchk.c: fix initialization of suidchk * samhain-install.sh.in: don't remove config file by default * samhain-install.sh.in: support complete de-installation * samhain-install.sh.in: add support for Gentoo, FreeBSD, and Solaris * samhain-install.sh.in: check more paths * sh_unix.c: fix sys_siglist declaration [NetBSD portability issue] * sh_calls.c: save error message in retry_lstat() 1.6.2 (04-10-2002): * make target to build rpms * update samhain.spec.in, samhain.startRedHat * support DESTDIR, as in 'make DESTDIR=/what/ever install' * explicitely set -fno-omit-frame-pointer b/o gcc bug * mv configure.in to configure.ac to benefit from autoconf wrapper * sh_modules.c, sh_modules.h: add mod_reconf() to run at SIGHUP * slib.c: fix debug messages (no msgs for dlogActive <= 1) * sh_schedule.c, samhain.c, sh_suidchk.c: scheduler may accept multiple schedules 1.6.1 (04-09-2002): * sh_schedule.c: bugfix (executes only after first day) * rm obsolete WITH_TRACE stuff * new dlog() function for debug logging * some more descriptive error messages 1.6.0 (27-08-2002): * omit the -fomit-frame-pointer option (bugs in some gcc versions ?) * sh_error.c: fix escape mode when logging to database * sh_forward.c: fix error (twice escape) in recv_syslog_socket * sh_tools.c: change escape mode for server-received data * sh_mem.c: change ulong -> size_t in sh_mem_malloc() * configure.in: fix localstatedir if --prefix=USR * sh_hash.c: snprintf() -> sl_snprintf() 1.5.5 (07-08-2002): * sh_err_log.c: fix incorrect xml syntax for client messages logged by server * sh_err_log.c: fix incorrect '' entries on client EXIT * sh_files.c: introduce file_class_next this fixes the problem that a policy for the directory inode erroneously becomes a policy for the directory itself. 1.5.4 (17-07-2002): * sh_hash.c: fix buffer overflow with (micro-)stealth * sh_database.c: set path[] 1024 -> 12288 * sh_database.c: set query[] 2048 -> 16383 * sh_database.c: set values[] 1024 -> 16383 * sh_forward.c: larger limit for message size (16 kB) * trustfile.c: set MAXFILENAME 2048 -> 4096 * fixed a bug in the handling of filenames with embedded newlines * sh_files.c: fix missing sh_util_safe_name() in debug output * --with-sender can specify a full address * fix xml log in a backwards compatible way 1.5.3 (03-07-2002): * fix combination of stealth and sql logging * fix some more places where invalid UIDs/GIDs trigger errors 1.5.2 (01-07-2002): * include solaris config file from (sean [at] boran d.o.t com) * test for files/dirz defined twice in the configuration file * option to disable reverse lookup on outbound connections * option to use socket peer as client name (with name resolving) * sh_html.c: fix an HTML bug (twice ) * sh_suidchk.c: fix warning on AIX b/o dirname() * allow logging server -> syslog if yule is NOT configured to receive syslog messages * define PRIi64 to "lld" if undefined * invalid UIDs: use gid/uid as name, error level SeverityNames * minor fixes for connect_port * sh_hash.c: flush output of db listing before _exit() * configure.in: fix incorrect default ${install_name} for server * configure.in: try harder to find mysql.h / libpq-fe.h * sh_files.c: sh_files_checkdir: closedir() early to not exhaust OPEN_MAX 1.5.1a (30-05-2002): * fix missing LSB init script 1.5.1 (27-05-2002): * fix '-t update' option 1.5.0a (23-05-2002): * fix configure.in 1.5.0 (22-05-2002): * include solaris nosuid patch from (nathoo [at] co d.o.t ru) * similar fix for bsd nosuid * speed up -t update * convert manual to DocBook, distribute html and ps * fix some more problems with configure.in, Makefile.in * fix testsuite, add tests for udp, mysql * MSG_TCP_MSG: host -> remote_host * convert to autoconf 2.53 * make c_bits.sh exit with status 0 * sh_database.c #include "mysql.h" --> , ditto libpq-fe.h to avoid dependency tracking problems * samhain.c remove *YULE* #ifdefs * acconfig.h remove *YULE* #undefs * samhain.c: procdirSamhain: lstat --> stat (allow symlink) * configure.in: add checks for correct user input * Makefile.in: add automatic dependency tracking * depend-gen: tool to figure out dependencies * chkconfig comments in redhat start scripts 1.4.8: * sh_database.c: fix missing attr_old, attr_new, (from)host columns * configure.in, Makefile.in: fix an error in the configfile definition with REQ_FROM_SERVER * sh_err_console, sh_err_log: avoid recurrent failure messages * timeout on read from files (/proc) * fix errrors with setjmp/longjmp/alarm * fix memory leak in server (~20 byte/file download in sh_tools, 930) * check gpg signature for files downloaded from server, add a regression test * fix chown in solaris bootscript * provide second scheduler for file check * provide scheduler for file check * provide scheduler for SUID check 1.4.7 (08-04-2002): * make daemon control LSB-compliant (arguments, exit status) * set log_ref = 0 for server messages * boolean option SetDBServerTstamp to disable entering server timestamps for received client messages into database * sh_suidcheck: check for "nosuid" mount option if getmntent is used * fix logrotate script in manual (reported by Scott Worthington) * don't strip numerical IP addresses * check item->status_now != CLT_TOOLONG in client_time_check() * set log_host to client in db client message 1.4.6a (20-03-2002): * define prefix in deploy.sh 1.4.6 (19-03-2002): * modify samhain_hide.c to hide processes on new Linux kernels * better error diagnostics in kern_head.c * fix compile error in all_items () * check length of install-name in enable-khide (max is 15) * define exec_prefix in deploy.sh.in * make configure a bit more cross-compiler friendly 1.4.5 (07-03-2002): * Make sure missing file is reported even if ptr->reported == S_TRUE because the file has been added. * propagate 'reported' flag from sh_files_checkdir() into file list * close checkfd in sh_gpg_check_file_sign() * sh_derr(): kill(parent, SIGCONT) after ptrace(PT_DETACH,...) * use sh.srvcons.name in dbg() to get debugging info from daemon * option to log file timestamps with localtime instead of GMT * comment out MSG_FI_ADD in sh_dirs_chk () - obsoleted by mandatory sh_files_filecheck(directory) that triggers MSG_FI_ADD in sh_hash.c * set ptr->reported = S_FALSE; for reappeared files in sh_files_chk() to make sure re-disappearing will get reported * new function sh_hash_set_missing() to remove file record without (duplicate) 'missing' message * make sure all items are reported for added files * fix stealth mode with sh_kern (encode sh_ks.h -> sh_ks_xor.h) * clarify in the documentation which gpg options to use for signing 1.4.4 (11-02-2002): * check that parent process has exited before writing PID file * promote MGG_W_CHDIR to SH_ERR_ERR * add error message to sh_unix_testlock * fix missing _() macro in sh_aud_set_functions 1.4.3 (05-02-2002): * don't check attributes for symlinks (may cause device access) * add USE mysql; USE samhain; to samhain.mysql.init * point out the MessageHeader/mysql problem in manual * add -lz to LIBS for mysql * strip after install, avoid double strip 1.4.2 (27-01-2002): * support for EGD * fix some more problems with install-deploy / deploy.sh * fix a bug in profiles/suselinux_i386/bootscript (INSTALL_NAME_) * fixed the 'external logging' test (init rather than none in rc file) 1.4.1: * SuSE: include run level 4+5 * install location of hiding kernel modules changed - some insmod variants do not test for /lib/modules/$(uname -r)/module_name.o * new make targets 'install-deploy', 'uninstall-deploy' * fixed make targets 'deploydir', 'deploydirfast' * bail on unsupported CL option in deploy.sh * fix various bugs in deploy.sh 1.4.0 (16-01-2002): * fixed missing 'dirname' on Mac OS X * fixed && tested for/with postgres * 'user=' -> 'userid=' (reserved word in sql) * fix the endianess + size of file database; this changes db format for any non-Linux OS * --enable-old-format for old (V1.3) database format * getopt, samhain.c, samhain.h: option -f to loop if not daemon * sh_hash: list numeric + char data to allow file db update on server side * sh_database: modify handling of integer (long) data * sh_database: datetime in database * sh_database: hash field in database * sh_database: rewrite database insert string construction [use INSERT INTO log (fields) VALUES (values);] * makefile suse 7.x runlevel entries 1.3.7 (06-01-2002): * fix incorrect escape in sh_tools_safe_name * fix sh_error_handle (4. argument) in sh_extern.c 1.3.6c: * fix segfault in sh_database (mysql logging) on solaris 1.3.6b (03-01-2002): * fix syntax error ('==') in Makefile.in * fix configure.in (path for /lib/modules/$(uname -r)/build/include) * fix sh_kern.c (redeclaration of 'j') 1.3.6 (03-01-2002): * sh_kern.c: check integrity of int 80h vector (SucKIT rootkit - Phrack 58) * make sure childs in sh_kern are wait()'ed for * provide start/stop/restart/reload/status interface * fix a potential segfault (dereferenced NULL pointer) in the server * use sh_util_flagval for sh_unix_setdaemon * documentation for logging to SQL database * configure.in: check for -I/lib/modules/$(uname -r)/build/include * fix trustfile.c to ignore invalid users * separate 'make install-samhain' and 'make install-yule' * separate default log/pid/config files for server/client - less problems running server and client on same host * rewrite deploy.sh(.in): - don't use (make|install) if deploying - use command line options - better integrate into server environment - write install db * always write a pidfile if daemon * don't use server's config file as fallback for downloading client * don't overwrite config file when doing 'make install' 1.3.5 (28-12-2001): * fix --enable-message-queue for newer glibc versions * log to SQL database: implemented, but undocumented yet, needs to be tested further * xml: escape received syslog messages * xml: rename 'time' to 'tstamp' * make targets: make [un]install-[boot-]yule (for server-only installation) * fix samhain_hide.c for 2.4 kernel * fix sh_kern for updated samhain_hide.c * new option -j to just list the logfile * sh_getopt.c: recognize -Dt check for -D -t check * sh_tiger0.c: fix compiler warning (memmove) on Solaris 1.3.4 (12-12-2001): * sh_suidchk.c: option to limit files per second * sh_unix.c: option to limit (kilo)bytes per second * sh_hash.c: fix potential problem with '\n' in filename (not backward compatible if there are filenames with '=') 1.3.3 (03-12-2001): * sh_readconf.c, samhain.h, samhain.c, sh_suidchk.c: option SetNiceLevel to set scheduling priority * sh_hash.c: bugfix for database listing on Solaris * taus_seed: bugfix for emergency backup rng seed * sh_util_safe_name: fix for XML * sh_utmp_set_login_activate: use sh_util_flagval * sh_utils.c: sh_util_obscurename: rm 'space' from list * more backtrace macros * sh_util_flagval: fix bug to recognize 1/0 * fix test scripts testtimesrv.sh, testext.sh (test.sh 6/5) * rm stray debug fprintf in sh_srp.c 1.3.2 (27-11-2001): * sh_hash.c: fix an error introduced in 1.3.1 * set RLIMIT_CORE to RLIM_INFINITY if --enable-debug 1.3.1 (25-11-2001): * slib.c: get backtrace with --enable-debug * sh_unix.c: allow core dumps when --enable-debug * configure.in: fix default message queue permissions * sh_suidchk.c: automatically include suid/sgid files in database * sh_suidchk.c: check all suid/sgid files * sh_hash.c: don't insert duplicates when reading the database * sh_utmp, sh_kern, samhain: fix 1sec offset in timer * sh_unix.c: don't require /dev/random to be non-world-writeable * server: fix segfault in zAVLTree.c if avltree == NULL (no clients) * client: fix segfault on Solaris if path_conf == NULL * testrun_1b.sh: \(^/.*\) -> \(/.*\) for Solaris sed 1.3.0 (31-10-2001): * support compiling with GNU gmp library * set 3 sec timer on client_time_check to avoid excessive (and unnecessary) calls under heavy load * replace sl_strlen with a macro * store client_t structure in AVL tree * database format incompatible with previous format, up the magic# * sh_html.c: cache entry template for speedup * slib.c: reset islong(double) in sl_printf_count * sh_hash.c: report on rdev change * sh_hash.c: print size in 64 bit * sh_hash.c: save in absolute size types * sh_unix.c: get values as appropriate type (time_t, dev_t, ...) 1.2.10: * update MANUAL * sh_unix.c: tiger_hash -> tiger_generic_hash * sh_readcon.c: DigestAlgo option * sh_tiger0.c: add MD5 and SHA1 * sh_unix.c: fix minor problem with win2k/cygwin 1.2.9 (17-10-2001): * fix problem with entry template/empty hostname * fix MASK_USER_ (MTM -> ATM) * typo fixed in configure.in (${install_name} -> {install_name}) * bugfix group_old -> size_old in XML code * skip armor header in signed files 1.2.8 (29-09-2001): * Mac OS X: in sh_getopt.c, rename table[] to op_table[] to avoid obscure compiler warning * Mac OS X: fix test scripts * Mac OS X: import newest config.guess, config.sub from ftp.gnu.org * implement deadtime in syslog recv code to protect against flooding * sh_err_log: sl_close(fd) if lock|forward fails * compliance with Filesystem Hierarchy Standard -- Version 2.2 final * add policies User0, User1 * fix compile problem (FreeBSD) in sh_suidchk.c * macro to check for debugger breakpoints (linux/i386) * check for solaris (does not work) in sh_derr (--enable-ptrace) * option to listen on 514/udp for syslog, drop root irrevocably if compiled thus * use (check_mask & MODI_ATM) to decide whether to reset utime * reset the policy masks on sighup * option to write XML log messages * cleanup of message catalog * modified error messages for BADCONN * error messages for Rijndael * block recursive error messages within sh_error_handler() - would hang the machine ... - 1.2.7: * sh_files, sh_utils: check top level directory * sh_kern, sh_cat, kern_head: check syscall code, fork subprocess for reading from /dev/kmem * include /boot in default samhainrc * change source distribution signing/packaging system * Makefile, README, MANUAL: adhere to file system standard, document new locations * fix a bug in samhain_hide.c 1.2.6: * reset list of trusted users before config file re-read * TrustedUser=... can be a list * fix severity for files missing from IgnoreAll 1.2.5: * include example_pager.pl, example_sms.pl scripts * explain paging/sms setup in docs * allow manual exclusion of a directory in suidcheck * automatically track all file changes * remove missing files from in-memory database * add $(KERN) to DEPLOYFILES 1.2.4: * log IP address for login/logout events, if supported by the OS * release block in globerr (callback) ------------- 1.2.3: * fix problem with reading stealth configuration * fix a few formats in sh_cat.c * always use strncmp for file system type check in sh_suidchk.c (trailing 'fs' may be system specific for some types) * no bare LF in messages (RFC 2822) * no lines longer than 998 chars (RFC 2822) * fix error in testrc_1 1.2.2: * make tmp file directory a compile time option * fix minor bugs in tmp file allocator (potential memory leak, double slash if root directory) * obsolete testpipe script removed 1.2.1: * fix memory alignment in rijndael-api-fst.c: blockEncrypt() * fix byte order in HMAC code (compatibility fix for Linux/HP-UX) * removed a debug fprintf() 1.2.0: * fix a bug in the HMAC implementation (thanks to Cesar Tascon for help in tracking down this one) * module to check the file system for SUID/SGID files 1.1.16 (never released): * fix the recursion depth -1 option as described in the manual * optional database reload on SIGHUP * fix a race condition when checking that /dev/random is a charakter device * redirect stderr to /dev/null for c_random (AIX may segfault in netstat...) * check whether /dev/random is a charakter device in c_random.sh (we know at least one sysadmin who has set up a fake /dev/random ...) * don't give NULL as 2. and 3. arg to execve if not Linux - some Unices (notably Solaris) don't like it * init ptr = NULL in my_malloc (compiler warning) * make the bitmask for tests configureable (suggestion by A. Dunkel) * make the bitmask for tests a static variable * make (database/logfile/lockfile) path configurable (to run multiple instances of samhain from an NFS share - on the wishlist of J. Patton) 1.1.15 (never released): * fix minor error in testcompile.sh (rm test_log only at start) * return from subroutines on sig_terminate == 1 (faster exit on SIGTERM) * fix re-configuration of addresses * use sh_util_flagval() in sh_mail_setFlag and sh_kern_set_activate * SysV message queue as compile option * config file option to set console device * removed the pre 1.1.9 code bloat * don't print the LOGKEY to the console 1.1.14: * fix an error in the setup consistency check * make target to uninstall runtime files * trustfile.c: check return code of readlink(), fix off-by-one error * sh_files.c: fix placement of terminator after readlink() call * sh_files.c: fix a missing set_suid()/unset_suid() - suid should work, but is not recommended - * more debug statements in c/s code * avoid re-entry in sh_unix_sigexit * put a block around free() and malloc() in wrapper functions * ditto for glob()/globfree(), regcomp()/regfree(), fdopen()/fclose() - i.e. avoid corrupting the heap from a signal handler - 1.1.13: * optimized the size of the configure script somewhat * modify the compile and hash test scripts * read '\0's in sh_unix_getline * exponential schedule for connection attempts * make stealth working properly with signed files - config file should be signed now before embedding in picture - * fix a race in using signed files * updated err messages for PWNULL, GRNULL * add missing shell script for test 11 * add mandatory source file/line info with -p debug * add mandatory source line info with BADCONN * fix a latex error in the manual 1.1.12: * debug output to console if compiled with --enable-debug and running as daemon * make reportonlyonce=true the default * make sure state changes of a file are always reported, even with reportonlyonce=true * Linux kernel modules (samhain_hide, samhain_erase) * fixed incorrect return value of sh_util_flagval * fixed an error in sh_files.c: happens with -t init and first file that is checked does not exist * revised install/uninstall targets in the Makefile * module to check for clobbered kernel syscalls (tested on Linux 2.2) * more diagnostic error messages in sh_gpg.c * more diagnostic error messages in sh_mail.c * error in mail.c fixed (address -> address_list[i] for multiple recipients) * docs updated, better(?) explanation of signed files * skip over path in gpg checksum output * check client name against IP address and FQDN * fix for --disable-* in config file * fixed a server crash (MSG_TCP_OKMSG without arg) if the server is run with debug level output threshold * catch EAGAIN in sh_gpg.c pipe reader * fix the 'external logging' test to make it work on BSD * error message if no local path to init DB * check for i86/Solaris in configure (vsnprintf prototype) * make SRP the default 1.1.11: * make log file verification more convenient * fix problem with message classes in stealth mode * linux: do not try to read file attributes for devices * handle the root directory correctly (avoid "//" in listing) * fix problems with blockin on FIFOs/char dev pointed out by I. Rogalsky (rog@iis.fhg.de) - open in nonblocking mode for read, then set to blocking - open file only if regular * fix alignment in memory profiler 1.1.10: * minor code cleanup * fix an error in trustfile.c (handling of empty/incomplete group entries in /etc/group, bug report by A. Capriotti ) 1.1.9: * compatibility option for old behaviour (plain hash instead of HMAC, ECB instead of CBC mode) * use CBC rather than ECB mode for encryption * use HMAC-TIGER for message authentication codes * handle NULL data in sh_tiger_hash * option to set syslog facility (default is LOG_AUTHPRIV) * longer timeout (300 sec) on /dev/random if no /dev/urandom * fix minor output error with stealth option * option not to log names of config/database files on startup 1.1.8: * fix error in syslog routine * fix missing 'test' in configure.in * fix error in replace_tab() in sh_html.c * fix minor memory leak in sh_util_regcmp() 1.1.7: * timeout on read_mbytes (from /dev/random; fallback to /dev/urandom) * fix for FreeBSD: ut_user -> ut_name in sh_utmp.c * fix for Alpha: consider $ac_cv_sizeof_unsigned_int_ in configure.in * fix for Alpha: format string in sh_tiger0.sh * on Linux, now compiles cleanly with -Wall -W -Wstrict-prototypes -Wcast-align * fix problem with recursion depth (pointed out by Vic ) * #include "sh_tools.h" in sh_unix.c and fix the --with-timeserver option (reported by Vic ) * place read_port(), MSG_TCP_NETRP outside ifdefs * close fd/zero skey before execve * verify client name against socket peer * ... with configureable error priority * use strcmp() rather than strncmp() in search_register() * fix race between lstat() and open() for checksum (reported by dynamo , JJohnson ) * enable globbing for filenames * fix Solaris problem: siginfo_t may be NULL * fix missing SL_EBADGID in tf_trust_check * test case for external scripts, fix flushing pipe * fix a typo in sh_ext_type * do an fdexec w/checksum on Linux if calling external program * even safer tmp file creation * allow db update * fix compile options for --enable-debug * fixed a spelling error in the output * test program for full CS support (config/database download) * tell which file is searched for cs download 1.1.6: * fix bug in sh_readconf_line (segfault on erroneous config lines) 1.1.5: * sh_unix.c: sh_unix_getinfo_attr: f -> flags * use gettimeofday as last resort 1.1.4: * fix AIX compiler warning in sh_forward (cast arg1 of sh_tiger_hash to (char *) * configure: add static link flags for some more os (from tar) * don't strip twice (some stupid systems abort) * fix for reading from /dev/random on non-Linux systems (untested) * sh_mail.c: end all message lines with \r\n * stealth: ignore \r, \" * take out tracing from --enable-debug (presently useless anyway) * fix some remaining cleartext with debug && stealth combined * fixed a small memory leak in sh_err_log.c 1.1.3: * fixed circular logic in taus_seed() (fallback method only) * fix for missing _SC_OPEN_MAX (runaway close()) 1.1.2: * implement message classes * let server recognize client message severity and class * secondary log server * keep database in memory (allows to close file if retrieved from server) * encrypt client/server communication 1.1.1: * Compilation problems with native Solaris compiler fixed * fill in euid/ruid variable * manual.pdf --> MANUAL.pdf * debug sh_util_formatted() * http refresh 120sec for server stat page * trace/debug options * fixed problem with utmp.c options * fixed problem with sh_mail_setaddress * option for custom message header * fixed problem in compdata * fixed problem in mail verification * remove eventual trailing '/' in file names * fixed problem with report string for modified files * option to report in full detail 1.1.0: * Move error messages to catalog * Make error message format more uniform * Wrap sytem calls that could be interrupted by signals * Warn on append to database * Option for full details on mod. files * Option to report only once on mod. files * Generally speaking, major modifications with potential new bugs 0.9.5: * sh_hash.c: fixed erroneous checksum for config file * sh_html.c: fixed erroneous timestamp (last) * sh_tools.c: fixed connect_port (set port for cached address) * sh_srp.c: fix for '00' (='\0') in pw (last two fixes by Andreas Piesk) 0.9.4: * samhain.c: fcntl(1, ..) -> fcntl(2, ..) * sh_hash.c: copy 12 instead of 10 byte for c_attributes * 'empty directory' WARN -> INFO 0.9.3: * FreeBSD fixes: - c_random.sh: make sure /dev/random provides something rather than nothing - check for and include it - include early - sh_utmp.c: fixed an occurence of ut_user - sh_utmp.c: #ifdef HAVE_UTTYPE static char terminated_line #endif - sh_forward.c: EBADMSG -> ENOMSG * sh_unix.c: check return value of gethostbyname * sh_entropy.c: fallback on /dev/urandom if /dev/random blocks for more than 30 sec * ... and fix the timestamp format ... 0.9.2: * ISO 8601 timestamps * Bugfix in sh_utmp (timestring overwrite) * don't use siginfo_t on Linux (garbage as of 2.2.14) * check for Linux capabilities bug when dropping root * include README for gcc compiler bug (pointed out by A. Piesk) * explicitely set -fno-strength-reduce with gcc * fixed ignoring missing files with the IgnoreAll policy 0.9.1: * more ext2flags (breaks backward database compatibility on Linux) * IgnoreAll policy modified - missing/added files reported with SeverityIgnoreAll (to handle files that may or may not be present) * Check all files, not only regular ones (bug in sh_files, originally introduced because checksum of regular files only is computed) 0.9: * use O_NOATIME if supported * --with-nocl takes argument (PW to re-enable CL parsing) * no daemon mode if initializing database * fixed segfault in yule with 'unknown file type' request * enlarged MAX_GLOBS 24 -> 32 and made the array linear * server uses last registry entry for any given client now * deploy.sh script to deploy clients to remote hosts * enhanced signal handling: SIGUSR1/SIGUSR2/SIGABRT/SIGQUIT/SIGHUP * allow y/Y/n/N for login monitoring (in addition to 0/1) * external logging scripts/programs * trustfile.c: define STICKY on Linux * reset signal mask when initializing * EINTR_RETRY wrapper * slib: sl_read, sl_write EINTR update * use sstrip when installing * more compact database format (breaks backward database compatibility) * larger download packets * TcpFlags unsigned char * cast to (char *) head in write_port * m(un)lock cast to (char *) * (1 << 31) --> (1UL << 31) * support e2fs attributes on Linux * fixes for AIX and Solaris native compilers * fixed Makefile for non-GNU make (pattern rule --> suffix rule) 0.8.1: * fixed 'is_numeric()' return value 0.8: * added option for static compilation * added option for stealth with non-hidden config file * added option for disabling command line parsing * all options can be set in the configuration file now * stealth: xor strings in database file * fixed bug in mailer code ([] in HELO) * print timestamp when asking for key * 'micro' stealth mode (no hidden configuration file) * simplified slib * int->long for uids/gids in trustfile * moved mailkey from data to code * shell script for entropy (stronger default key) * general code cleanup * better error checking in client/server code * detect out-of-sync messages * check state across protocol passes in server * make sure authentication is mutual * file download to client * reserve six file descriptors in server * mlock queue buffer if LOG_KEY * improved robustness in bignum (don't fail on free()) * per-directory recursion depths * RFC821 compliance: empty line at end of header, To field, Date field * RFC821 compliance: make e-mail transfer relieable * fix detection of hardlink changes * checksum verification for calling gpg/pgp * CL option '-S' not required for server-only binary * eliminate CL options that may leak privileged information if the program is SUID * skip leading white space in configuration file * allow nested conditionals in configuration file * allow whitespace before and after '=' in configuration file * don't leak file descriptors to child processes * make message transfer relieable * always report error on abnormal termination of connection 0.7: * support for alpha machines * stop TCP logging after exit message * limit connections in server (DoS attacks) * move string handling to slib * move file handling to slib * timestring without space * changed report format * SUID bugfix - use euid when checking logfile ownership * SUID bugfix - get root for lstat() * SUID bugfix - get root for opendir() * store number of hardlinks * send no message if polling empty queue * include tiger 64-bit implementation (portability) * codes for error conditions * mail check: handle multiple, overlapping audit trails * security fix: no append to database if SUID * fix sh_entropy.c (BUFSIZ -> BUF_ENT) * read command line before config file * PGP signing of config/database files * checksum of config file reported * checking for attributes only 0.6: * more syslogish priority specification * fixed segfault in sh_mem_check, apparently this was also the reason for the segfault in atexit() * allow for compilation with SRP authentication * fixed tiger checksum computation * fixed broken logfile verification for second and further audit trails * test program added * documentation improved * sh_forward_make_client: bug fixed in[8]->in[i] * sh_error.h: fixed missing #include * configure.in: fixed missing strerror() test * sh_utmp.c: check logins/logouts * check for missing files * only reset access time if necessary * O_EXCL in open() * limit environment to TZ in execve (sh_entropy.c, not used on Linux) * use trustfile() to determine whether logfile dir is trustworthy * strip head instead of tail for numerical address * store messages in fifo during log server outage * re-init session key after server outage 0.5 (21-12-1999): * added option for mail relay server * own popen() implementation in sh_entropy() (portability) * fixed error in sh_util_basename() (returned NULL for base == "/") * fixed segfault in strlcpy/strlcat (check for src == NULL) * FILENAME_MAX -> PATH_MAX (HP-UX 10.20) * use TIGER for 32-byte compilers (portability) * fixed hash function (do not include stdlib.h) * flush buffer before write in mailer code (IBM AIX 4.1) * make mailer code non-forking * cast argument of is...() to int (portability) * return() after _exit() for braindead compilers (portability) * optionally use inet_addr (portability) * check for broken mlock() (HP-UX 10.20) * minor code cleanups * fixed incorrect size of munlock()'ed memory in sh_error_string() * fixed a buffer overflow in the error printing routine * fixed a buffer overflow in sh_util_safe_name () * implement SRP session key exchange * implement client/server facility * implement @host/@end construct in configuration file * preferably use uname(), and do gethostbyname() for FQDN * make vernam cipher base numeric * make OnlyStderr private in sh_error * test -e "/dev/random" --> test -r "/dev/random" (portability) * check for libsocket (portability) * add #defines for IPPORT_SMTP, IPPORT_TIMESERVER (portability) * eliminate superfluous /proc test * some unreachable code removed * cast to (byte*) replaced by cast to (word64*) in sh_tiger_hash() * check for setresuid() if no seteuid() (HP-UX 10.20) 0.4 (09-11-1999): * make sure output from /dev/random has no NULL's * one-time pad encryption for emailed keys (better than nothing ...) 0.3 (04-11-1999): * logfile readable for group * verify signatures for any file * signature block in tarball * use select() in time server routine * better protection for session keys (mlock) 0.2: * fixed incorrect man page * fixed incorrect example rc file * recursive error logging should work now 0.1: * initial release -- on Samhain 1999, of course development start: * probably 29-06-1999