source: trunk/include/samhain.h@ 115

Last change on this file since 115 was 115, checked in by rainer, 17 years ago

Fix the problem that new suid/sgid file found by the file system check already will not be quarantined in the suid check (ticket #71).

File size: 12.4 KB
RevLine 
[1]1/* SAMHAIN file system integrity testing */
2/* Copyright (C) 1999 Rainer Wichmann */
3/* */
4/* This program is free software; you can redistribute it */
5/* and/or modify */
6/* it under the terms of the GNU General Public License as */
7/* published by */
8/* the Free Software Foundation; either version 2 of the License, or */
9/* (at your option) any later version. */
10/* */
11/* This program is distributed in the hope that it will be useful, */
12/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14/* GNU General Public License for more details. */
15/* */
16/* You should have received a copy of the GNU General Public License */
17/* along with this program; if not, write to the Free Software */
18/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20#ifndef SAMHAIN_H
21#define SAMHAIN_H
22
23#include <sys/types.h>
24#include "slib.h"
25
26#ifdef SH_ENCRYPT
27#include "rijndael-api-fst.h"
28#endif
29
30/**************************************************
31 *
32 * STANDARD DEFINES
33 *
34 **************************************************/
35
36#define REPLACE_OLD
37
38/* Standard buffer sizes.
39 */
40#define SH_MINIBUF 64
41#define SH_BUFSIZE 1024
42#define SH_MAXBUF 4096
43#define SH_PATHBUF 256
44
45/* Sizes for arrays (user, group, timestamp).
46 */
[40]47#define SOCKPASS_MAX 14
[1]48#define USER_MAX 20
49#define GROUP_MAX 20
50#define TIM_MAX 32
51
[40]52
[1]53/* The number of bytes in a key,
54 * the number of chars in its hex repesentation,
55 * and the block size of the hash algorithm.
56 */
57#define KEY_BYT 24
58#define KEY_LEN 48
59#define KEY_BLOCK 24
60
61/* The length of the compiled-in password.
62 */
63#define PW_LEN 8
64
65#undef GOOD
66#define GOOD 1
67#undef BAD
68#define BAD 0
69#undef ON
70#define ON 1
71#undef OFF
72#define OFF 0
73#undef S_TRUE
74#define S_TRUE 1
75#undef S_FALSE
76#define S_FALSE 0
77
78/* An unsigned integer guaranteed to be 32 bit.
79 */
80#if defined(HAVE_INT_32)
81#define UINT32 unsigned int
82#define SINT32 int
83#elif defined(HAVE_LONG_32)
84#define UINT32 unsigned long
85#define SINT32 long
86#elif defined(HAVE_SHORT_32)
87#define UINT32 unsigned short
88#define SINT32 short
89#endif
90
91#ifdef HAVE_INTTYPES_H
92#include <inttypes.h>
93#else
94#ifdef HAVE_STDINT_H
95#include <stdint.h>
96#endif
97#endif
98
99#if !defined(HAVE_INTTYPES_H) && !defined(HAVE_STDINT_H)
100
101#ifdef HAVE_LONG_LONG_64
102#define UINT64 unsigned long long
103#else
104#ifdef HAVE_LONG_64
105#define UINT64 unsigned long
106#else
107#define UINT64_IS_32
108#define UINT64 unsigned long
109#endif
110#endif
111
112#else
113#define UINT64 uint64_t
114#endif
115
116
117
118#define UBYTE unsigned char
119
120
121enum {
122 SH_CHECK_NONE = 0,
123 SH_CHECK_INIT = 1,
124 SH_CHECK_CHECK = 2
125};
126
[114]127/* Flags for file status
128 */
129#define SH_FFLAG_ALLIGNORE (1<<0)
130#define SH_FFLAG_VISITED (1<<1)
131#define SH_FFLAG_CHECKED (1<<3)
132#define SH_FFLAG_REPORTED (1<<3)
[115]133#define SH_FFLAG_SUIDCHK (1<<4)
[93]134
[114]135#define SH_FFLAG_ALLIGNORE_SET(a) (((a) & SH_FFLAG_ALLIGNORE) != 0)
136#define SET_SH_FFLAG_ALLIGNORE(a) ((a) |= SH_FFLAG_ALLIGNORE)
137#define CLEAR_SH_FFLAG_ALLIGNORE(a) ((a) &= ~SH_FFLAG_ALLIGNORE)
138
139#define SH_FFLAG_VISITED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
140#define SET_SH_FFLAG_VISITED(a) ((a) |= SH_FFLAG_VISITED)
141#define CLEAR_SH_FFLAG_VISITED(a) ((a) &= ~SH_FFLAG_VISITED)
142
143#define SH_FFLAG_CHECKED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
144#define SET_SH_FFLAG_CHECKED(a) ((a) |= SH_FFLAG_VISITED)
145#define CLEAR_SH_FFLAG_CHECKED(a) ((a) &= ~SH_FFLAG_VISITED)
146
147#define SH_FFLAG_REPORTED_SET(a) (((a) & SH_FFLAG_REPORTED) != 0)
148#define SET_SH_FFLAG_REPORTED(a) ((a) |= SH_FFLAG_REPORTED)
149#define CLEAR_SH_FFLAG_REPORTED(a) ((a) &= ~SH_FFLAG_REPORTED)
150
[115]151#define SH_FFLAG_SUIDCHK_SET(a) (((a) & SH_FFLAG_SUIDCHK) != 0)
152#define SET_SH_FFLAG_SUIDCHK(a) ((a) |= SH_FFLAG_SUIDCHK)
153#define CLEAR_SH_FFLAG_SUIDCHK(a) ((a) &= ~SH_FFLAG_SUIDCHK)
[114]154
155
[115]156
[1]157/**************************************************
158 *
159 * TYPEDEFS
160 *
161 **************************************************/
162
163enum {
164 SH_LEVEL_READONLY = 1,
165 SH_LEVEL_LOGFILES = 2,
166 SH_LEVEL_LOGGROW = 3,
167 SH_LEVEL_NOIGNORE = 4,
168 SH_LEVEL_ALLIGNORE = 5,
169 SH_LEVEL_ATTRIBUTES = 6,
170 SH_LEVEL_USER0 = 7,
171 SH_LEVEL_USER1 = 8,
[27]172 SH_LEVEL_USER2 = 9,
173 SH_LEVEL_USER3 = 10,
174 SH_LEVEL_USER4 = 11,
175 SH_LEVEL_PRELINK = 12
[1]176};
177
178typedef struct {
179 time_t alarm_interval;
180 time_t alarm_last;
181} sh_timer_t;
182
183typedef struct {
184 char path[SH_PATHBUF];
185 char hash[KEY_LEN+1];
186} sh_sh_df;
187
188typedef struct {
189 char user[USER_MAX];
190 char group[GROUP_MAX];
191 char home[SH_PATHBUF];
192 uid_t uid;
193 gid_t gid;
194} sh_sh_user;
195
196typedef struct {
197 char name[SH_PATHBUF]; /* local hostname */
198 char system[SH_MINIBUF]; /* system */
199 char release[SH_MINIBUF]; /* release */
200 char machine[SH_MINIBUF]; /* machine */
201} sh_sh_local;
202
203typedef struct {
204 char name[SH_PATHBUF];
205 char alt[SH_PATHBUF];
206} sh_sh_remote;
207
208typedef struct {
209 unsigned long bytes_hashed; /* bytes last check */
210 unsigned long bytes_speed; /* bytes/sec last check */
211 unsigned long mail_success; /* mails sent */
212 unsigned long mail_failed; /* mails not sent */
213 time_t time_start; /* start last check */
214 time_t time_check; /* time last check */
215 unsigned long dirs_checked; /* #dirs last check */
216 unsigned long files_checked; /* #files last check */
217} sh_sh_stat;
218
219typedef struct {
220 int exit; /* exit value */
221 int checkSum; /* whether to init/check checksums */
222 int update; /* update db */
223 int opts; /* reading cl options */
224 int isdaemon; /* daemon or not */
225 int loop; /* go in loop even if not daemon */
226 int nice; /* desired nicety */
227 int isserver; /* server or not */
228 int islocked; /* BAD if logfile not locked */
229 int smsg; /* GOOD if end message sent */
230 int log_start; /* TRUE if new audit trail */
231 int reportonce; /* TRUE if bad files only once rep.*/
232 int fulldetail; /* TRUE if full details requested */
233 int client_severity; /* TRUE if client severity used */
234 int client_class; /* TRUE if client class used */
235 int audit;
236 unsigned long aud_mask;
237 int hidefile; /* TRUE if file not reveled in log */
238} sh_sh_flag;
239
240typedef struct {
241
242 char prg_name[8];
243
244 sh_sh_df exec;
245 sh_sh_df conf;
246 sh_sh_df data;
247
248 sh_sh_user real;
249 sh_sh_user effective;
250 sh_sh_user run;
251
252 sh_sh_local host;
253
254 sh_sh_remote srvtime;
255 sh_sh_remote srvmail;
256 sh_sh_remote srvexport;
257 sh_sh_remote srvcons;
258 sh_sh_remote srvlog;
259
260 sh_sh_stat statistics;
261 sh_sh_flag flag;
262
263#ifdef SH_STEALTH
264 unsigned long off_data;
265#endif
266
267 sh_timer_t mailNum;
268 sh_timer_t mailTime;
269 sh_timer_t fileCheck;
270
271 int looptime; /* timing for main loop */
272 /*@null@*//*@out@*/ char * timezone;
273} sh_struct;
274
275
276extern volatile int sig_raised;
277extern volatile int sig_urgent;
278extern volatile int sig_debug_switch; /* SIGUSR1 */
279extern volatile int sig_suspend_switch; /* SIGUSR2 */
280extern volatile int sh_global_suspend_flag; /* SIGUSR2 */
281extern volatile int sig_fresh_trail; /* SIGIOT */
282extern volatile int sig_config_read_again; /* SIGHUP */
283extern volatile int sig_terminate; /* SIGQUIT */
284extern volatile int sig_termfast; /* SIGTERM */
285extern volatile int sig_force_check; /* SIGTTOU */
286
287extern long int eintr__result;
288
[20]289extern int sh_argc_store;
290extern char ** sh_argv_store;
291
[1]292#include "sh_calls.h"
293
294
295typedef struct {
[40]296 char sh_sockpass[2*SOCKPASS_MAX+2];
[1]297 char sigkey_old[KEY_LEN+1];
298 char sigkey_new[KEY_LEN+1];
299 char mailkey_old[KEY_LEN+1];
300 char mailkey_new[KEY_LEN+1];
301 char crypt[KEY_LEN+1];
302 char session[KEY_LEN+1];
303 char vernam[KEY_LEN+1];
304 int mlock_failed;
305
306 char pw[PW_LEN];
307
308 char poolv[KEY_BYT];
309 int poolc;
310
311 int rngI;
312 UINT32 rng0[3];
313 UINT32 rng1[3];
314 UINT32 rng2[3];
315
316 UINT32 ErrFlag[2];
317
318#ifdef SH_ENCRYPT
319 /*@out@*/ keyInstance keyInstE;
320 /*@out@*/ keyInstance keyInstD;
321#endif
322} sh_key_t;
323
324extern sh_struct sh;
325/*@null@*/ extern sh_key_t *skey;
326
[22]327/**************************************************
328 *
329 * macros
330 *
331 **************************************************/
[1]332
[76]333#if defined(__GNUC__) && (__GNUC__ >= 4)
334#define SH_GNUC_NULL_TERMINATED __attribute__((__sentinel__))
335#else
336#define SH_GNUC_NULL_TERMINATED
337#endif
338
339/* The semantics of the built-in are that it is expected that expr == const
340 * for __builtin_expect ((expr), const)
341 */
342#if defined(__GNUC__) && (__GNUC__ > 2) && defined(__OPTIMIZE__)
343#define SH_LIKELY(expr) (__builtin_expect((expr), 1))
344#define SH_UNLIKELY(expr) (__builtin_expect((expr), 0))
345#else
346#define SH_LIKELY(expr) (expr)
347#define SH_UNLIKELY(expr) (expr)
348#endif
349
[22]350/* signal-safe log function
351 */
[30]352int safe_logger (int signal, int method, char * details);
[34]353void safe_fatal (char * details, char *f, int l);
[22]354
[25]355#define SH_VALIDATE_EQ(a,b) \
[22]356 do { \
[34]357 if ((a) != (b)) safe_fatal(#a " != " #b, FIL__, __LINE__);\
[22]358 } while (0)
359
[25]360#define SH_VALIDATE_NE(a,b) \
361 do { \
[34]362 if ((a) == (b)) safe_fatal(#a " == " #b, FIL__, __LINE__);\
[25]363 } while (0)
[22]364
[68]365#define SH_VALIDATE_GE(a,b) \
366 do { \
367 if ((a) < (b)) safe_fatal(#a " < " #b, FIL__, __LINE__);\
368 } while (0)
369
[1]370#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
371#define MLOCK(a, b) \
372 if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
373 (void) sl_set_suid(); \
[19]374 if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = SL_TRUE; \
[1]375 (void) sl_unset_suid(); }
376#else
377#define MLOCK(a, b) \
378 ;
379#endif
380
381#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
382#define MUNLOCK(a, b) \
383 if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
384 (void) sl_set_suid(); \
385 (void) sh_unix_munlock( a, b );\
386 (void) sl_unset_suid(); }
387#else
388#define MUNLOCK(a, b) \
389 ;
390#endif
391
392#ifdef SH_STEALTH
393void sh_do_encode (char * str, int len);
394#define sh_do_decode sh_do_encode
395#endif
396
397/* #if defined(SCREW_IT_UP)
398 * extern volatile int sh_not_traced;
399 * inline int sh_sigtrap_prepare();
400 * inline int sh_derr();
401 * #endif
402 */
403
404#if defined(SCREW_IT_UP) && (defined(__FreeBSD__) || defined(__linux__)) && defined(__i386__)
405#define BREAKEXIT(expr) \
406 do { \
407 int ixi; \
408 for (ixi = 0; ixi < 8; ++ixi) { \
409 if ((*(volatile unsigned *)((unsigned) expr + ixi) & 0xff) == 0xcc) \
410 _exit(EXIT_FAILURE); \
411 } \
412 } \
413 while (1 == 0)
414#else
415#define BREAKEXIT(expr)
416#endif
417
418
419
420#include "sh_cat.h"
421#include "sh_trace.h"
422#include "sh_mem.h"
423
424#endif
425
426/* CRIT: */
427/* NEW_CLIENT <client> */
428/* BAD_CLIENT <client> -- <details> */
429/* ERR_CLIENT <client> -- <details> */
430
431/* ALERT: */
432/* LOG_KEY samhain|yule <key> */
433/* STARTUP samhain|yule -- user <username> */
434/* EXIT samhain|yule */
435/* GOODSIG <file> <user> */
436/* FP_KEY <fingerprint> */
437/* GOODSIG_DAT <file> <user> */
438/* FP_KEY_DAT <fingerprint> */
439/* TIGER_CFG <file> <checksum> */
440/* TIGER_DAT <file> <checksum> */
441
442/* PANIC -- <details> */
443/* ERROR -- <details> */
444
445/* Policy */
446/* POLICY <code> <file> */
447/* <code> = MISSING || ADDED || NOT_A_DIRECTORY || <policy> */
448
449
450
Note: See TracBrowser for help on using the repository browser.