source: trunk/include/samhain.h@ 288

Last change on this file since 288 was 283, checked in by katerina, 15 years ago

Patch for ticket #207 (server logs client reports to prelude).
File size: 13.5 KB
RevLine 
[1]1/* SAMHAIN file system integrity testing */
2/* Copyright (C) 1999 Rainer Wichmann */
3/* */
4/* This program is free software; you can redistribute it */
5/* and/or modify */
6/* it under the terms of the GNU General Public License as */
7/* published by */
8/* the Free Software Foundation; either version 2 of the License, or */
9/* (at your option) any later version. */
10/* */
11/* This program is distributed in the hope that it will be useful, */
12/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14/* GNU General Public License for more details. */
15/* */
16/* You should have received a copy of the GNU General Public License */
17/* along with this program; if not, write to the Free Software */
18/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20#ifndef SAMHAIN_H
21#define SAMHAIN_H
22
23#include <sys/types.h>
24#include "slib.h"
25
26#ifdef SH_ENCRYPT
27#include "rijndael-api-fst.h"
28#endif
29
30/**************************************************
31 *
32 * STANDARD DEFINES
33 *
34 **************************************************/
35
36#define REPLACE_OLD
37
[283]38/* Standard buffer sizes.
39 * IPv6 is 8 groups of 4 hex digits seperated by colons.
[1]40 */
[283]41#define SH_IP_BUF 40
[1]42#define SH_MINIBUF 64
43#define SH_BUFSIZE 1024
44#define SH_MAXBUF 4096
45#define SH_PATHBUF 256
[170]46#define SH_MSG_BUF 64512
[1]47
[132]48#define SH_ERRBUF_SIZE 64
[131]49
[170]50/* MAX_PATH_STORE must be >= KEY_LEN
51 */
52#define MAX_PATH_STORE 12287
53
[1]54/* Sizes for arrays (user, group, timestamp).
55 */
[40]56#define SOCKPASS_MAX 14
[149]57#define USER_MAX 20
58#define GROUP_MAX 20
59#define TIM_MAX 32
[1]60
[149]61#define CMODE_SIZE 11
[40]62
[149]63#define ATTRBUF_SIZE 16
64#define ATTRBUF_USED 12
65
[1]66/* The number of bytes in a key,
67 * the number of chars in its hex repesentation,
68 * and the block size of the hash algorithm.
69 */
70#define KEY_BYT 24
71#define KEY_LEN 48
72#define KEY_BLOCK 24
[133]73#define KEYBUF_SIZE (KEY_LEN+1)
[1]74
75/* The length of the compiled-in password.
76 */
77#define PW_LEN 8
78
79#undef GOOD
80#define GOOD 1
81#undef BAD
82#define BAD 0
83#undef ON
84#define ON 1
85#undef OFF
86#define OFF 0
87#undef S_TRUE
88#define S_TRUE 1
89#undef S_FALSE
90#define S_FALSE 0
91
92/* An unsigned integer guaranteed to be 32 bit.
93 */
94#if defined(HAVE_INT_32)
95#define UINT32 unsigned int
96#define SINT32 int
97#elif defined(HAVE_LONG_32)
98#define UINT32 unsigned long
99#define SINT32 long
100#elif defined(HAVE_SHORT_32)
101#define UINT32 unsigned short
102#define SINT32 short
103#endif
104
105#ifdef HAVE_INTTYPES_H
106#include <inttypes.h>
[156]107#endif
[1]108#ifdef HAVE_STDINT_H
109#include <stdint.h>
110#endif
111
[265]112#if !defined(HAVE_UINT16_T)
113#define UINT16 unsigned short
114#else
115#define UINT16 uint16_t
116#endif
117
[156]118#if !defined(HAVE_UINT64_T)
[1]119
120#ifdef HAVE_LONG_LONG_64
121#define UINT64 unsigned long long
122#else
123#ifdef HAVE_LONG_64
124#define UINT64 unsigned long
125#else
[156]126#error "no 64bit type found"
[1]127#endif
128#endif
129
130#else
131#define UINT64 uint64_t
132#endif
133
134
135
136#define UBYTE unsigned char
137
138
139enum {
140 SH_CHECK_NONE = 0,
141 SH_CHECK_INIT = 1,
142 SH_CHECK_CHECK = 2
143};
144
[143]145#define SH_MOD_THREAD 1
146#define SH_MOD_ACTIVE 0
147#define SH_MOD_FAILED -1
[207]148#define SH_MOD_OFFSET 10
[156]149
[114]150/* Flags for file status
151 */
152#define SH_FFLAG_ALLIGNORE (1<<0)
153#define SH_FFLAG_VISITED (1<<1)
154#define SH_FFLAG_CHECKED (1<<3)
155#define SH_FFLAG_REPORTED (1<<3)
[115]156#define SH_FFLAG_SUIDCHK (1<<4)
[93]157
[114]158#define SH_FFLAG_ALLIGNORE_SET(a) (((a) & SH_FFLAG_ALLIGNORE) != 0)
159#define SET_SH_FFLAG_ALLIGNORE(a) ((a) |= SH_FFLAG_ALLIGNORE)
160#define CLEAR_SH_FFLAG_ALLIGNORE(a) ((a) &= ~SH_FFLAG_ALLIGNORE)
161
162#define SH_FFLAG_VISITED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
163#define SET_SH_FFLAG_VISITED(a) ((a) |= SH_FFLAG_VISITED)
164#define CLEAR_SH_FFLAG_VISITED(a) ((a) &= ~SH_FFLAG_VISITED)
165
166#define SH_FFLAG_CHECKED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
167#define SET_SH_FFLAG_CHECKED(a) ((a) |= SH_FFLAG_VISITED)
168#define CLEAR_SH_FFLAG_CHECKED(a) ((a) &= ~SH_FFLAG_VISITED)
169
170#define SH_FFLAG_REPORTED_SET(a) (((a) & SH_FFLAG_REPORTED) != 0)
171#define SET_SH_FFLAG_REPORTED(a) ((a) |= SH_FFLAG_REPORTED)
172#define CLEAR_SH_FFLAG_REPORTED(a) ((a) &= ~SH_FFLAG_REPORTED)
173
[115]174#define SH_FFLAG_SUIDCHK_SET(a) (((a) & SH_FFLAG_SUIDCHK) != 0)
175#define SET_SH_FFLAG_SUIDCHK(a) ((a) |= SH_FFLAG_SUIDCHK)
176#define CLEAR_SH_FFLAG_SUIDCHK(a) ((a) &= ~SH_FFLAG_SUIDCHK)
[114]177
178
[1]179/**************************************************
180 *
181 * TYPEDEFS
182 *
183 **************************************************/
184
185enum {
186 SH_LEVEL_READONLY = 1,
187 SH_LEVEL_LOGFILES = 2,
188 SH_LEVEL_LOGGROW = 3,
189 SH_LEVEL_NOIGNORE = 4,
190 SH_LEVEL_ALLIGNORE = 5,
191 SH_LEVEL_ATTRIBUTES = 6,
192 SH_LEVEL_USER0 = 7,
193 SH_LEVEL_USER1 = 8,
[27]194 SH_LEVEL_USER2 = 9,
195 SH_LEVEL_USER3 = 10,
196 SH_LEVEL_USER4 = 11,
197 SH_LEVEL_PRELINK = 12
[1]198};
199
200typedef struct {
201 time_t alarm_interval;
202 time_t alarm_last;
203} sh_timer_t;
204
205typedef struct {
206 char path[SH_PATHBUF];
207 char hash[KEY_LEN+1];
208} sh_sh_df;
209
210typedef struct {
211 char user[USER_MAX];
212 char group[GROUP_MAX];
213 char home[SH_PATHBUF];
214 uid_t uid;
215 gid_t gid;
216} sh_sh_user;
217
218typedef struct {
219 char name[SH_PATHBUF]; /* local hostname */
220 char system[SH_MINIBUF]; /* system */
221 char release[SH_MINIBUF]; /* release */
222 char machine[SH_MINIBUF]; /* machine */
223} sh_sh_local;
224
225typedef struct {
226 char name[SH_PATHBUF];
227 char alt[SH_PATHBUF];
228} sh_sh_remote;
229
230typedef struct {
231 unsigned long bytes_hashed; /* bytes last check */
232 unsigned long bytes_speed; /* bytes/sec last check */
233 unsigned long mail_success; /* mails sent */
234 unsigned long mail_failed; /* mails not sent */
235 time_t time_start; /* start last check */
236 time_t time_check; /* time last check */
237 unsigned long dirs_checked; /* #dirs last check */
238 unsigned long files_checked; /* #files last check */
239} sh_sh_stat;
240
241typedef struct {
242 int exit; /* exit value */
243 int checkSum; /* whether to init/check checksums */
244 int update; /* update db */
245 int opts; /* reading cl options */
[256]246 int started; /* finished with startup stuff */
[1]247 int isdaemon; /* daemon or not */
248 int loop; /* go in loop even if not daemon */
249 int nice; /* desired nicety */
250 int isserver; /* server or not */
251 int islocked; /* BAD if logfile not locked */
252 int smsg; /* GOOD if end message sent */
253 int log_start; /* TRUE if new audit trail */
254 int reportonce; /* TRUE if bad files only once rep.*/
255 int fulldetail; /* TRUE if full details requested */
256 int client_severity; /* TRUE if client severity used */
257 int client_class; /* TRUE if client class used */
258 int audit;
259 unsigned long aud_mask;
260 int hidefile; /* TRUE if file not reveled in log */
261} sh_sh_flag;
262
263typedef struct {
264
265 char prg_name[8];
[162]266
267 UINT64 pid;
[1]268
269 sh_sh_df exec;
270 sh_sh_df conf;
271 sh_sh_df data;
272
273 sh_sh_user real;
274 sh_sh_user effective;
275 sh_sh_user run;
276
277 sh_sh_local host;
278
279 sh_sh_remote srvtime;
280 sh_sh_remote srvmail;
281 sh_sh_remote srvexport;
282 sh_sh_remote srvcons;
283 sh_sh_remote srvlog;
284
285 sh_sh_stat statistics;
286 sh_sh_flag flag;
287
288#ifdef SH_STEALTH
289 unsigned long off_data;
290#endif
291
292 sh_timer_t mailNum;
293 sh_timer_t mailTime;
294 sh_timer_t fileCheck;
295
296 int looptime; /* timing for main loop */
297 /*@null@*//*@out@*/ char * timezone;
298} sh_struct;
299
300
301extern volatile int sig_raised;
302extern volatile int sig_urgent;
303extern volatile int sig_debug_switch; /* SIGUSR1 */
304extern volatile int sig_suspend_switch; /* SIGUSR2 */
[143]305extern volatile int sh_global_suspend_flag;
[1]306extern volatile int sig_fresh_trail; /* SIGIOT */
[143]307extern volatile int sh_thread_pause_flag;
[1]308extern volatile int sig_config_read_again; /* SIGHUP */
309extern volatile int sig_terminate; /* SIGQUIT */
310extern volatile int sig_termfast; /* SIGTERM */
311extern volatile int sig_force_check; /* SIGTTOU */
312
313extern long int eintr__result;
314
[20]315extern int sh_argc_store;
316extern char ** sh_argv_store;
317
[1]318#include "sh_calls.h"
319
320
321typedef struct {
[40]322 char sh_sockpass[2*SOCKPASS_MAX+2];
[1]323 char sigkey_old[KEY_LEN+1];
324 char sigkey_new[KEY_LEN+1];
325 char mailkey_old[KEY_LEN+1];
326 char mailkey_new[KEY_LEN+1];
327 char crypt[KEY_LEN+1];
328 char session[KEY_LEN+1];
329 char vernam[KEY_LEN+1];
330 int mlock_failed;
331
332 char pw[PW_LEN];
333
334 char poolv[KEY_BYT];
335 int poolc;
336
337 int rngI;
338 UINT32 rng0[3];
339 UINT32 rng1[3];
340 UINT32 rng2[3];
341
[156]342 UINT32 res_vec[6];
343
[1]344 UINT32 ErrFlag[2];
345
346#ifdef SH_ENCRYPT
347 /*@out@*/ keyInstance keyInstE;
348 /*@out@*/ keyInstance keyInstD;
349#endif
350} sh_key_t;
351
352extern sh_struct sh;
353/*@null@*/ extern sh_key_t *skey;
354
[22]355/**************************************************
356 *
357 * macros
358 *
359 **************************************************/
[1]360
[76]361#if defined(__GNUC__) && (__GNUC__ >= 4)
[149]362#define SH_GNUC_SENTINEL __attribute__((__sentinel__))
[76]363#else
[149]364#define SH_GNUC_SENTINEL
[76]365#endif
366
[149]367#if defined(__GNUC__) && (__GNUC__ >= 3)
368#undef SH_GNUC_PURE
369#define SH_GNUC_PURE __attribute__((pure))
370#undef SH_GNUC_CONST
371#define SH_GNUC_CONST __attribute__((const))
372#undef SH_GNUC_NORETURN
373#define SH_GNUC_NORETURN __attribute__((noreturn))
374#undef SH_GNUC_MALLOC
375#define SH_GNUC_MALLOC __attribute__((malloc))
376#else
377#undef SH_GNUC_PURE
378#define SH_GNUC_PURE
379#undef SH_GNUC_CONST
380#define SH_GNUC_CONST
381#undef SH_GNUC_NORETURN
382#define SH_GNUC_NORETURN
383#undef SH_GNUC_MALLOC
384#define SH_GNUC_MALLOC
385#endif
386
387
[76]388/* The semantics of the built-in are that it is expected that expr == const
389 * for __builtin_expect ((expr), const)
390 */
391#if defined(__GNUC__) && (__GNUC__ > 2) && defined(__OPTIMIZE__)
392#define SH_LIKELY(expr) (__builtin_expect((expr), 1))
393#define SH_UNLIKELY(expr) (__builtin_expect((expr), 0))
394#else
395#define SH_LIKELY(expr) (expr)
396#define SH_UNLIKELY(expr) (expr)
397#endif
398
[22]399/* signal-safe log function
400 */
[170]401int safe_logger (int thesignal, int method, char * details);
402void safe_fatal (const char * details, const char *f, int l);
[22]403
[25]404#define SH_VALIDATE_EQ(a,b) \
[22]405 do { \
[34]406 if ((a) != (b)) safe_fatal(#a " != " #b, FIL__, __LINE__);\
[22]407 } while (0)
408
[25]409#define SH_VALIDATE_NE(a,b) \
410 do { \
[34]411 if ((a) == (b)) safe_fatal(#a " == " #b, FIL__, __LINE__);\
[25]412 } while (0)
[22]413
[68]414#define SH_VALIDATE_GE(a,b) \
415 do { \
416 if ((a) < (b)) safe_fatal(#a " < " #b, FIL__, __LINE__);\
417 } while (0)
418
[1]419#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
420#define MLOCK(a, b) \
421 if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
422 (void) sl_set_suid(); \
[19]423 if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = SL_TRUE; \
[1]424 (void) sl_unset_suid(); }
425#else
426#define MLOCK(a, b) \
427 ;
428#endif
429
430#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
431#define MUNLOCK(a, b) \
432 if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
433 (void) sl_set_suid(); \
434 (void) sh_unix_munlock( a, b );\
435 (void) sl_unset_suid(); }
436#else
437#define MUNLOCK(a, b) \
438 ;
439#endif
440
441#ifdef SH_STEALTH
442void sh_do_encode (char * str, int len);
443#define sh_do_decode sh_do_encode
444#endif
445
446/* #if defined(SCREW_IT_UP)
447 * extern volatile int sh_not_traced;
448 * inline int sh_sigtrap_prepare();
449 * inline int sh_derr();
450 * #endif
451 */
452
453#if defined(SCREW_IT_UP) && (defined(__FreeBSD__) || defined(__linux__)) && defined(__i386__)
454#define BREAKEXIT(expr) \
455 do { \
456 int ixi; \
457 for (ixi = 0; ixi < 8; ++ixi) { \
458 if ((*(volatile unsigned *)((unsigned) expr + ixi) & 0xff) == 0xcc) \
459 _exit(EXIT_FAILURE); \
460 } \
461 } \
462 while (1 == 0)
463#else
464#define BREAKEXIT(expr)
465#endif
466
467
468
469#include "sh_cat.h"
470#include "sh_trace.h"
471#include "sh_mem.h"
472
473#endif
474
475/* CRIT: */
476/* NEW_CLIENT <client> */
477/* BAD_CLIENT <client> -- <details> */
478/* ERR_CLIENT <client> -- <details> */
479
480/* ALERT: */
481/* LOG_KEY samhain|yule <key> */
482/* STARTUP samhain|yule -- user <username> */
483/* EXIT samhain|yule */
484/* GOODSIG <file> <user> */
485/* FP_KEY <fingerprint> */
486/* GOODSIG_DAT <file> <user> */
487/* FP_KEY_DAT <fingerprint> */
488/* TIGER_CFG <file> <checksum> */
489/* TIGER_DAT <file> <checksum> */
490
491/* PANIC -- <details> */
492/* ERROR -- <details> */
493
494/* Policy */
495/* POLICY <code> <file> */
496/* <code> = MISSING || ADDED || NOT_A_DIRECTORY || <policy> */
497
498
499
Note: See TracBrowser for help on using the repository browser.