source: trunk/include/samhain.h@ 151

Last change on this file since 151 was 149, checked in by katerina, 17 years ago

Make sh_hash.c thread-safe, remove plenty of tiny allocations, improve sh_mem_dump, modify port check to run as thread, and fix unsetting of sh_thread_pause_flag (was too early).

File size: 13.2 KB
RevLine 
[1]1/* SAMHAIN file system integrity testing */
2/* Copyright (C) 1999 Rainer Wichmann */
3/* */
4/* This program is free software; you can redistribute it */
5/* and/or modify */
6/* it under the terms of the GNU General Public License as */
7/* published by */
8/* the Free Software Foundation; either version 2 of the License, or */
9/* (at your option) any later version. */
10/* */
11/* This program is distributed in the hope that it will be useful, */
12/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14/* GNU General Public License for more details. */
15/* */
16/* You should have received a copy of the GNU General Public License */
17/* along with this program; if not, write to the Free Software */
18/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20#ifndef SAMHAIN_H
21#define SAMHAIN_H
22
23#include <sys/types.h>
24#include "slib.h"
25
26#ifdef SH_ENCRYPT
27#include "rijndael-api-fst.h"
28#endif
29
30/**************************************************
31 *
32 * STANDARD DEFINES
33 *
34 **************************************************/
35
36#define REPLACE_OLD
37
38/* Standard buffer sizes.
39 */
40#define SH_MINIBUF 64
41#define SH_BUFSIZE 1024
42#define SH_MAXBUF 4096
43#define SH_PATHBUF 256
44
[132]45#define SH_ERRBUF_SIZE 64
[131]46
[1]47/* Sizes for arrays (user, group, timestamp).
48 */
[40]49#define SOCKPASS_MAX 14
[149]50#define USER_MAX 20
51#define GROUP_MAX 20
52#define TIM_MAX 32
[1]53
[149]54#define CMODE_SIZE 11
[40]55
[149]56#define ATTRBUF_SIZE 16
57#define ATTRBUF_USED 12
58
[1]59/* The number of bytes in a key,
60 * the number of chars in its hex repesentation,
61 * and the block size of the hash algorithm.
62 */
63#define KEY_BYT 24
64#define KEY_LEN 48
65#define KEY_BLOCK 24
[133]66#define KEYBUF_SIZE (KEY_LEN+1)
[1]67
68/* The length of the compiled-in password.
69 */
70#define PW_LEN 8
71
72#undef GOOD
73#define GOOD 1
74#undef BAD
75#define BAD 0
76#undef ON
77#define ON 1
78#undef OFF
79#define OFF 0
80#undef S_TRUE
81#define S_TRUE 1
82#undef S_FALSE
83#define S_FALSE 0
84
85/* An unsigned integer guaranteed to be 32 bit.
86 */
87#if defined(HAVE_INT_32)
88#define UINT32 unsigned int
89#define SINT32 int
90#elif defined(HAVE_LONG_32)
91#define UINT32 unsigned long
92#define SINT32 long
93#elif defined(HAVE_SHORT_32)
94#define UINT32 unsigned short
95#define SINT32 short
96#endif
97
98#ifdef HAVE_INTTYPES_H
99#include <inttypes.h>
100#else
101#ifdef HAVE_STDINT_H
102#include <stdint.h>
103#endif
104#endif
105
106#if !defined(HAVE_INTTYPES_H) && !defined(HAVE_STDINT_H)
107
108#ifdef HAVE_LONG_LONG_64
109#define UINT64 unsigned long long
110#else
111#ifdef HAVE_LONG_64
112#define UINT64 unsigned long
113#else
114#define UINT64_IS_32
115#define UINT64 unsigned long
116#endif
117#endif
118
119#else
120#define UINT64 uint64_t
121#endif
122
123
124
125#define UBYTE unsigned char
126
127
128enum {
129 SH_CHECK_NONE = 0,
130 SH_CHECK_INIT = 1,
131 SH_CHECK_CHECK = 2
132};
133
[143]134#define SH_MOD_THREAD 1
135#define SH_MOD_ACTIVE 0
136#define SH_MOD_FAILED -1
137
[114]138/* Flags for file status
139 */
140#define SH_FFLAG_ALLIGNORE (1<<0)
141#define SH_FFLAG_VISITED (1<<1)
142#define SH_FFLAG_CHECKED (1<<3)
143#define SH_FFLAG_REPORTED (1<<3)
[115]144#define SH_FFLAG_SUIDCHK (1<<4)
[93]145
[114]146#define SH_FFLAG_ALLIGNORE_SET(a) (((a) & SH_FFLAG_ALLIGNORE) != 0)
147#define SET_SH_FFLAG_ALLIGNORE(a) ((a) |= SH_FFLAG_ALLIGNORE)
148#define CLEAR_SH_FFLAG_ALLIGNORE(a) ((a) &= ~SH_FFLAG_ALLIGNORE)
149
150#define SH_FFLAG_VISITED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
151#define SET_SH_FFLAG_VISITED(a) ((a) |= SH_FFLAG_VISITED)
152#define CLEAR_SH_FFLAG_VISITED(a) ((a) &= ~SH_FFLAG_VISITED)
153
154#define SH_FFLAG_CHECKED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
155#define SET_SH_FFLAG_CHECKED(a) ((a) |= SH_FFLAG_VISITED)
156#define CLEAR_SH_FFLAG_CHECKED(a) ((a) &= ~SH_FFLAG_VISITED)
157
158#define SH_FFLAG_REPORTED_SET(a) (((a) & SH_FFLAG_REPORTED) != 0)
159#define SET_SH_FFLAG_REPORTED(a) ((a) |= SH_FFLAG_REPORTED)
160#define CLEAR_SH_FFLAG_REPORTED(a) ((a) &= ~SH_FFLAG_REPORTED)
161
[115]162#define SH_FFLAG_SUIDCHK_SET(a) (((a) & SH_FFLAG_SUIDCHK) != 0)
163#define SET_SH_FFLAG_SUIDCHK(a) ((a) |= SH_FFLAG_SUIDCHK)
164#define CLEAR_SH_FFLAG_SUIDCHK(a) ((a) &= ~SH_FFLAG_SUIDCHK)
[114]165
166
[1]167/**************************************************
168 *
169 * TYPEDEFS
170 *
171 **************************************************/
172
173enum {
174 SH_LEVEL_READONLY = 1,
175 SH_LEVEL_LOGFILES = 2,
176 SH_LEVEL_LOGGROW = 3,
177 SH_LEVEL_NOIGNORE = 4,
178 SH_LEVEL_ALLIGNORE = 5,
179 SH_LEVEL_ATTRIBUTES = 6,
180 SH_LEVEL_USER0 = 7,
181 SH_LEVEL_USER1 = 8,
[27]182 SH_LEVEL_USER2 = 9,
183 SH_LEVEL_USER3 = 10,
184 SH_LEVEL_USER4 = 11,
185 SH_LEVEL_PRELINK = 12
[1]186};
187
188typedef struct {
189 time_t alarm_interval;
190 time_t alarm_last;
191} sh_timer_t;
192
193typedef struct {
194 char path[SH_PATHBUF];
195 char hash[KEY_LEN+1];
196} sh_sh_df;
197
198typedef struct {
199 char user[USER_MAX];
200 char group[GROUP_MAX];
201 char home[SH_PATHBUF];
202 uid_t uid;
203 gid_t gid;
204} sh_sh_user;
205
206typedef struct {
207 char name[SH_PATHBUF]; /* local hostname */
208 char system[SH_MINIBUF]; /* system */
209 char release[SH_MINIBUF]; /* release */
210 char machine[SH_MINIBUF]; /* machine */
211} sh_sh_local;
212
213typedef struct {
214 char name[SH_PATHBUF];
215 char alt[SH_PATHBUF];
216} sh_sh_remote;
217
218typedef struct {
219 unsigned long bytes_hashed; /* bytes last check */
220 unsigned long bytes_speed; /* bytes/sec last check */
221 unsigned long mail_success; /* mails sent */
222 unsigned long mail_failed; /* mails not sent */
223 time_t time_start; /* start last check */
224 time_t time_check; /* time last check */
225 unsigned long dirs_checked; /* #dirs last check */
226 unsigned long files_checked; /* #files last check */
227} sh_sh_stat;
228
229typedef struct {
230 int exit; /* exit value */
231 int checkSum; /* whether to init/check checksums */
232 int update; /* update db */
233 int opts; /* reading cl options */
234 int isdaemon; /* daemon or not */
235 int loop; /* go in loop even if not daemon */
236 int nice; /* desired nicety */
237 int isserver; /* server or not */
238 int islocked; /* BAD if logfile not locked */
239 int smsg; /* GOOD if end message sent */
240 int log_start; /* TRUE if new audit trail */
241 int reportonce; /* TRUE if bad files only once rep.*/
242 int fulldetail; /* TRUE if full details requested */
243 int client_severity; /* TRUE if client severity used */
244 int client_class; /* TRUE if client class used */
245 int audit;
246 unsigned long aud_mask;
247 int hidefile; /* TRUE if file not reveled in log */
248} sh_sh_flag;
249
250typedef struct {
251
252 char prg_name[8];
253
254 sh_sh_df exec;
255 sh_sh_df conf;
256 sh_sh_df data;
257
258 sh_sh_user real;
259 sh_sh_user effective;
260 sh_sh_user run;
261
262 sh_sh_local host;
263
264 sh_sh_remote srvtime;
265 sh_sh_remote srvmail;
266 sh_sh_remote srvexport;
267 sh_sh_remote srvcons;
268 sh_sh_remote srvlog;
269
270 sh_sh_stat statistics;
271 sh_sh_flag flag;
272
273#ifdef SH_STEALTH
274 unsigned long off_data;
275#endif
276
277 sh_timer_t mailNum;
278 sh_timer_t mailTime;
279 sh_timer_t fileCheck;
280
281 int looptime; /* timing for main loop */
282 /*@null@*//*@out@*/ char * timezone;
283} sh_struct;
284
285
286extern volatile int sig_raised;
287extern volatile int sig_urgent;
288extern volatile int sig_debug_switch; /* SIGUSR1 */
289extern volatile int sig_suspend_switch; /* SIGUSR2 */
[143]290extern volatile int sh_global_suspend_flag;
[1]291extern volatile int sig_fresh_trail; /* SIGIOT */
[143]292extern volatile int sh_thread_pause_flag;
[1]293extern volatile int sig_config_read_again; /* SIGHUP */
294extern volatile int sig_terminate; /* SIGQUIT */
295extern volatile int sig_termfast; /* SIGTERM */
296extern volatile int sig_force_check; /* SIGTTOU */
297
298extern long int eintr__result;
299
[20]300extern int sh_argc_store;
301extern char ** sh_argv_store;
302
[1]303#include "sh_calls.h"
304
305
306typedef struct {
[40]307 char sh_sockpass[2*SOCKPASS_MAX+2];
[1]308 char sigkey_old[KEY_LEN+1];
309 char sigkey_new[KEY_LEN+1];
310 char mailkey_old[KEY_LEN+1];
311 char mailkey_new[KEY_LEN+1];
312 char crypt[KEY_LEN+1];
313 char session[KEY_LEN+1];
314 char vernam[KEY_LEN+1];
315 int mlock_failed;
316
317 char pw[PW_LEN];
318
319 char poolv[KEY_BYT];
320 int poolc;
321
322 int rngI;
323 UINT32 rng0[3];
324 UINT32 rng1[3];
325 UINT32 rng2[3];
326
327 UINT32 ErrFlag[2];
328
329#ifdef SH_ENCRYPT
330 /*@out@*/ keyInstance keyInstE;
331 /*@out@*/ keyInstance keyInstD;
332#endif
333} sh_key_t;
334
335extern sh_struct sh;
336/*@null@*/ extern sh_key_t *skey;
337
[22]338/**************************************************
339 *
340 * macros
341 *
342 **************************************************/
[1]343
[76]344#if defined(__GNUC__) && (__GNUC__ >= 4)
[149]345#define SH_GNUC_SENTINEL __attribute__((__sentinel__))
[76]346#else
[149]347#define SH_GNUC_SENTINEL
[76]348#endif
349
[149]350#if defined(__GNUC__) && (__GNUC__ >= 3)
351#undef SH_GNUC_PURE
352#define SH_GNUC_PURE __attribute__((pure))
353#undef SH_GNUC_CONST
354#define SH_GNUC_CONST __attribute__((const))
355#undef SH_GNUC_NORETURN
356#define SH_GNUC_NORETURN __attribute__((noreturn))
357#undef SH_GNUC_MALLOC
358#define SH_GNUC_MALLOC __attribute__((malloc))
359#else
360#undef SH_GNUC_PURE
361#define SH_GNUC_PURE
362#undef SH_GNUC_CONST
363#define SH_GNUC_CONST
364#undef SH_GNUC_NORETURN
365#define SH_GNUC_NORETURN
366#undef SH_GNUC_MALLOC
367#define SH_GNUC_MALLOC
368#endif
369
370
[76]371/* The semantics of the built-in are that it is expected that expr == const
372 * for __builtin_expect ((expr), const)
373 */
374#if defined(__GNUC__) && (__GNUC__ > 2) && defined(__OPTIMIZE__)
375#define SH_LIKELY(expr) (__builtin_expect((expr), 1))
376#define SH_UNLIKELY(expr) (__builtin_expect((expr), 0))
377#else
378#define SH_LIKELY(expr) (expr)
379#define SH_UNLIKELY(expr) (expr)
380#endif
381
[22]382/* signal-safe log function
383 */
[30]384int safe_logger (int signal, int method, char * details);
[34]385void safe_fatal (char * details, char *f, int l);
[22]386
[25]387#define SH_VALIDATE_EQ(a,b) \
[22]388 do { \
[34]389 if ((a) != (b)) safe_fatal(#a " != " #b, FIL__, __LINE__);\
[22]390 } while (0)
391
[25]392#define SH_VALIDATE_NE(a,b) \
393 do { \
[34]394 if ((a) == (b)) safe_fatal(#a " == " #b, FIL__, __LINE__);\
[25]395 } while (0)
[22]396
[68]397#define SH_VALIDATE_GE(a,b) \
398 do { \
399 if ((a) < (b)) safe_fatal(#a " < " #b, FIL__, __LINE__);\
400 } while (0)
401
[1]402#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
403#define MLOCK(a, b) \
404 if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
405 (void) sl_set_suid(); \
[19]406 if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = SL_TRUE; \
[1]407 (void) sl_unset_suid(); }
408#else
409#define MLOCK(a, b) \
410 ;
411#endif
412
413#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
414#define MUNLOCK(a, b) \
415 if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
416 (void) sl_set_suid(); \
417 (void) sh_unix_munlock( a, b );\
418 (void) sl_unset_suid(); }
419#else
420#define MUNLOCK(a, b) \
421 ;
422#endif
423
424#ifdef SH_STEALTH
425void sh_do_encode (char * str, int len);
426#define sh_do_decode sh_do_encode
427#endif
428
429/* #if defined(SCREW_IT_UP)
430 * extern volatile int sh_not_traced;
431 * inline int sh_sigtrap_prepare();
432 * inline int sh_derr();
433 * #endif
434 */
435
436#if defined(SCREW_IT_UP) && (defined(__FreeBSD__) || defined(__linux__)) && defined(__i386__)
437#define BREAKEXIT(expr) \
438 do { \
439 int ixi; \
440 for (ixi = 0; ixi < 8; ++ixi) { \
441 if ((*(volatile unsigned *)((unsigned) expr + ixi) & 0xff) == 0xcc) \
442 _exit(EXIT_FAILURE); \
443 } \
444 } \
445 while (1 == 0)
446#else
447#define BREAKEXIT(expr)
448#endif
449
450
451
452#include "sh_cat.h"
453#include "sh_trace.h"
454#include "sh_mem.h"
455
456#endif
457
458/* CRIT: */
459/* NEW_CLIENT <client> */
460/* BAD_CLIENT <client> -- <details> */
461/* ERR_CLIENT <client> -- <details> */
462
463/* ALERT: */
464/* LOG_KEY samhain|yule <key> */
465/* STARTUP samhain|yule -- user <username> */
466/* EXIT samhain|yule */
467/* GOODSIG <file> <user> */
468/* FP_KEY <fingerprint> */
469/* GOODSIG_DAT <file> <user> */
470/* FP_KEY_DAT <fingerprint> */
471/* TIGER_CFG <file> <checksum> */
472/* TIGER_DAT <file> <checksum> */
473
474/* PANIC -- <details> */
475/* ERROR -- <details> */
476
477/* Policy */
478/* POLICY <code> <file> */
479/* <code> = MISSING || ADDED || NOT_A_DIRECTORY || <policy> */
480
481
482
Note: See TracBrowser for help on using the repository browser.