source: trunk/include/samhain.h@ 371

Last change on this file since 371 was 367, checked in by katerina, 13 years ago

Modifications for ticket #265 (inotify support). Needs testing.

File size: 14.1 KB
RevLine 
[1]1/* SAMHAIN file system integrity testing */
2/* Copyright (C) 1999 Rainer Wichmann */
3/* */
4/* This program is free software; you can redistribute it */
5/* and/or modify */
6/* it under the terms of the GNU General Public License as */
7/* published by */
8/* the Free Software Foundation; either version 2 of the License, or */
9/* (at your option) any later version. */
10/* */
11/* This program is distributed in the hope that it will be useful, */
12/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14/* GNU General Public License for more details. */
15/* */
16/* You should have received a copy of the GNU General Public License */
17/* along with this program; if not, write to the Free Software */
18/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20#ifndef SAMHAIN_H
21#define SAMHAIN_H
22
23#include <sys/types.h>
24#include "slib.h"
25
26#ifdef SH_ENCRYPT
27#include "rijndael-api-fst.h"
28#endif
29
30/**************************************************
31 *
32 * STANDARD DEFINES
33 *
34 **************************************************/
35
[295]36/* IPv6 */
37#if defined(HAVE_GETNAMEINFO) && defined(HAVE_GETADDRINFO)
38
39#if defined(SH_COMPILE_STATIC) && defined(__linux__)
40#undef USE_IPVX
41#define SH_SOCKMAX 1
42#else
43
44#if defined(USE_IPV4)
45#undef USE_IPVX
46#else
47#define USE_IPVX 1
48#endif
49
50#define SH_SOCKMAX 8
51#endif
52
53#else
54#undef USE_IPVX
55#define SH_SOCKMAX 1
56#endif
57
58/* end IPv6 */
59
[1]60#define REPLACE_OLD
61
[283]62/* Standard buffer sizes.
63 * IPv6 is 8 groups of 4 hex digits seperated by colons.
[1]64 */
[295]65#define SH_IP_BUF 48
[1]66#define SH_MINIBUF 64
67#define SH_BUFSIZE 1024
68#define SH_MAXBUF 4096
69#define SH_PATHBUF 256
[170]70#define SH_MSG_BUF 64512
[1]71
[132]72#define SH_ERRBUF_SIZE 64
[131]73
[170]74/* MAX_PATH_STORE must be >= KEY_LEN
75 */
76#define MAX_PATH_STORE 12287
77
[1]78/* Sizes for arrays (user, group, timestamp).
79 */
[40]80#define SOCKPASS_MAX 14
[149]81#define USER_MAX 20
82#define GROUP_MAX 20
83#define TIM_MAX 32
[1]84
[149]85#define CMODE_SIZE 11
[40]86
[149]87#define ATTRBUF_SIZE 16
88#define ATTRBUF_USED 12
89
[1]90/* The number of bytes in a key,
91 * the number of chars in its hex repesentation,
92 * and the block size of the hash algorithm.
93 */
94#define KEY_BYT 24
95#define KEY_LEN 48
96#define KEY_BLOCK 24
[133]97#define KEYBUF_SIZE (KEY_LEN+1)
[1]98
99/* The length of the compiled-in password.
100 */
101#define PW_LEN 8
102
103#undef GOOD
104#define GOOD 1
105#undef BAD
106#define BAD 0
107#undef ON
108#define ON 1
109#undef OFF
110#define OFF 0
111#undef S_TRUE
112#define S_TRUE 1
113#undef S_FALSE
114#define S_FALSE 0
115
116/* An unsigned integer guaranteed to be 32 bit.
117 */
118#if defined(HAVE_INT_32)
119#define UINT32 unsigned int
120#define SINT32 int
121#elif defined(HAVE_LONG_32)
122#define UINT32 unsigned long
123#define SINT32 long
124#elif defined(HAVE_SHORT_32)
125#define UINT32 unsigned short
126#define SINT32 short
127#endif
128
129#ifdef HAVE_INTTYPES_H
130#include <inttypes.h>
[156]131#endif
[1]132#ifdef HAVE_STDINT_H
133#include <stdint.h>
134#endif
135
[265]136#if !defined(HAVE_UINT16_T)
137#define UINT16 unsigned short
138#else
139#define UINT16 uint16_t
140#endif
141
[156]142#if !defined(HAVE_UINT64_T)
[1]143
144#ifdef HAVE_LONG_LONG_64
145#define UINT64 unsigned long long
146#else
147#ifdef HAVE_LONG_64
148#define UINT64 unsigned long
149#else
[156]150#error "no 64bit type found"
[1]151#endif
152#endif
153
154#else
155#define UINT64 uint64_t
156#endif
157
158
159
160#define UBYTE unsigned char
161
162
163enum {
164 SH_CHECK_NONE = 0,
165 SH_CHECK_INIT = 1,
166 SH_CHECK_CHECK = 2
167};
168
[143]169#define SH_MOD_THREAD 1
170#define SH_MOD_ACTIVE 0
171#define SH_MOD_FAILED -1
[207]172#define SH_MOD_OFFSET 10
[156]173
[114]174/* Flags for file status
175 */
176#define SH_FFLAG_ALLIGNORE (1<<0)
177#define SH_FFLAG_VISITED (1<<1)
178#define SH_FFLAG_CHECKED (1<<3)
179#define SH_FFLAG_REPORTED (1<<3)
[115]180#define SH_FFLAG_SUIDCHK (1<<4)
[93]181
[114]182#define SH_FFLAG_ALLIGNORE_SET(a) (((a) & SH_FFLAG_ALLIGNORE) != 0)
183#define SET_SH_FFLAG_ALLIGNORE(a) ((a) |= SH_FFLAG_ALLIGNORE)
184#define CLEAR_SH_FFLAG_ALLIGNORE(a) ((a) &= ~SH_FFLAG_ALLIGNORE)
185
186#define SH_FFLAG_VISITED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
187#define SET_SH_FFLAG_VISITED(a) ((a) |= SH_FFLAG_VISITED)
188#define CLEAR_SH_FFLAG_VISITED(a) ((a) &= ~SH_FFLAG_VISITED)
189
190#define SH_FFLAG_CHECKED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
191#define SET_SH_FFLAG_CHECKED(a) ((a) |= SH_FFLAG_VISITED)
192#define CLEAR_SH_FFLAG_CHECKED(a) ((a) &= ~SH_FFLAG_VISITED)
193
194#define SH_FFLAG_REPORTED_SET(a) (((a) & SH_FFLAG_REPORTED) != 0)
195#define SET_SH_FFLAG_REPORTED(a) ((a) |= SH_FFLAG_REPORTED)
196#define CLEAR_SH_FFLAG_REPORTED(a) ((a) &= ~SH_FFLAG_REPORTED)
197
[115]198#define SH_FFLAG_SUIDCHK_SET(a) (((a) & SH_FFLAG_SUIDCHK) != 0)
199#define SET_SH_FFLAG_SUIDCHK(a) ((a) |= SH_FFLAG_SUIDCHK)
200#define CLEAR_SH_FFLAG_SUIDCHK(a) ((a) &= ~SH_FFLAG_SUIDCHK)
[114]201
[367]202/* Flags for inotify
203 */
204#define SH_INOTIFY_USE (1<<0)
205#define SH_INOTIFY_DOSCAN (1<<1)
206#define SH_INOTIFY_NEEDINIT (1<<2)
[114]207
[367]208
[1]209/**************************************************
210 *
211 * TYPEDEFS
212 *
213 **************************************************/
214
215enum {
216 SH_LEVEL_READONLY = 1,
217 SH_LEVEL_LOGFILES = 2,
218 SH_LEVEL_LOGGROW = 3,
219 SH_LEVEL_NOIGNORE = 4,
220 SH_LEVEL_ALLIGNORE = 5,
221 SH_LEVEL_ATTRIBUTES = 6,
222 SH_LEVEL_USER0 = 7,
223 SH_LEVEL_USER1 = 8,
[27]224 SH_LEVEL_USER2 = 9,
225 SH_LEVEL_USER3 = 10,
226 SH_LEVEL_USER4 = 11,
227 SH_LEVEL_PRELINK = 12
[1]228};
229
230typedef struct {
231 time_t alarm_interval;
232 time_t alarm_last;
233} sh_timer_t;
234
235typedef struct {
236 char path[SH_PATHBUF];
237 char hash[KEY_LEN+1];
238} sh_sh_df;
239
240typedef struct {
241 char user[USER_MAX];
242 char group[GROUP_MAX];
243 char home[SH_PATHBUF];
244 uid_t uid;
245 gid_t gid;
246} sh_sh_user;
247
248typedef struct {
249 char name[SH_PATHBUF]; /* local hostname */
250 char system[SH_MINIBUF]; /* system */
251 char release[SH_MINIBUF]; /* release */
252 char machine[SH_MINIBUF]; /* machine */
253} sh_sh_local;
254
255typedef struct {
256 char name[SH_PATHBUF];
257 char alt[SH_PATHBUF];
258} sh_sh_remote;
259
260typedef struct {
261 unsigned long bytes_hashed; /* bytes last check */
262 unsigned long bytes_speed; /* bytes/sec last check */
263 unsigned long mail_success; /* mails sent */
264 unsigned long mail_failed; /* mails not sent */
265 time_t time_start; /* start last check */
266 time_t time_check; /* time last check */
267 unsigned long dirs_checked; /* #dirs last check */
268 unsigned long files_checked; /* #files last check */
269} sh_sh_stat;
270
271typedef struct {
272 int exit; /* exit value */
273 int checkSum; /* whether to init/check checksums */
274 int update; /* update db */
275 int opts; /* reading cl options */
[256]276 int started; /* finished with startup stuff */
[1]277 int isdaemon; /* daemon or not */
278 int loop; /* go in loop even if not daemon */
279 int nice; /* desired nicety */
280 int isserver; /* server or not */
281 int islocked; /* BAD if logfile not locked */
282 int smsg; /* GOOD if end message sent */
283 int log_start; /* TRUE if new audit trail */
284 int reportonce; /* TRUE if bad files only once rep.*/
285 int fulldetail; /* TRUE if full details requested */
286 int client_severity; /* TRUE if client severity used */
287 int client_class; /* TRUE if client class used */
288 int audit;
289 unsigned long aud_mask;
[367]290 int hidefile; /* TRUE if file not shown in log */
291 int inotify; /* Flags for inotify */
[1]292} sh_sh_flag;
293
294typedef struct {
295
296 char prg_name[8];
[162]297
298 UINT64 pid;
[1]299
300 sh_sh_df exec;
301 sh_sh_df conf;
302 sh_sh_df data;
303
304 sh_sh_user real;
305 sh_sh_user effective;
306 sh_sh_user run;
307
308 sh_sh_local host;
309
310 sh_sh_remote srvtime;
311 sh_sh_remote srvmail;
312 sh_sh_remote srvexport;
313 sh_sh_remote srvcons;
314 sh_sh_remote srvlog;
315
316 sh_sh_stat statistics;
317 sh_sh_flag flag;
318
319#ifdef SH_STEALTH
320 unsigned long off_data;
321#endif
322
323 sh_timer_t mailNum;
324 sh_timer_t mailTime;
325 sh_timer_t fileCheck;
326
327 int looptime; /* timing for main loop */
328 /*@null@*//*@out@*/ char * timezone;
329} sh_struct;
330
331
332extern volatile int sig_raised;
333extern volatile int sig_urgent;
334extern volatile int sig_debug_switch; /* SIGUSR1 */
335extern volatile int sig_suspend_switch; /* SIGUSR2 */
[143]336extern volatile int sh_global_suspend_flag;
[1]337extern volatile int sig_fresh_trail; /* SIGIOT */
[143]338extern volatile int sh_thread_pause_flag;
[1]339extern volatile int sig_config_read_again; /* SIGHUP */
340extern volatile int sig_terminate; /* SIGQUIT */
341extern volatile int sig_termfast; /* SIGTERM */
342extern volatile int sig_force_check; /* SIGTTOU */
343
344extern long int eintr__result;
345
[20]346extern int sh_argc_store;
347extern char ** sh_argv_store;
348
[1]349#include "sh_calls.h"
350
351
352typedef struct {
[40]353 char sh_sockpass[2*SOCKPASS_MAX+2];
[1]354 char sigkey_old[KEY_LEN+1];
355 char sigkey_new[KEY_LEN+1];
356 char mailkey_old[KEY_LEN+1];
357 char mailkey_new[KEY_LEN+1];
358 char crypt[KEY_LEN+1];
359 char session[KEY_LEN+1];
360 char vernam[KEY_LEN+1];
361 int mlock_failed;
362
363 char pw[PW_LEN];
364
365 char poolv[KEY_BYT];
366 int poolc;
367
368 int rngI;
369 UINT32 rng0[3];
370 UINT32 rng1[3];
371 UINT32 rng2[3];
372
[156]373 UINT32 res_vec[6];
374
[1]375 UINT32 ErrFlag[2];
376
377#ifdef SH_ENCRYPT
378 /*@out@*/ keyInstance keyInstE;
379 /*@out@*/ keyInstance keyInstD;
380#endif
381} sh_key_t;
382
383extern sh_struct sh;
384/*@null@*/ extern sh_key_t *skey;
385
[22]386/**************************************************
387 *
388 * macros
389 *
390 **************************************************/
[1]391
[76]392#if defined(__GNUC__) && (__GNUC__ >= 4)
[149]393#define SH_GNUC_SENTINEL __attribute__((__sentinel__))
[76]394#else
[149]395#define SH_GNUC_SENTINEL
[76]396#endif
397
[149]398#if defined(__GNUC__) && (__GNUC__ >= 3)
399#undef SH_GNUC_PURE
400#define SH_GNUC_PURE __attribute__((pure))
401#undef SH_GNUC_CONST
402#define SH_GNUC_CONST __attribute__((const))
403#undef SH_GNUC_NORETURN
404#define SH_GNUC_NORETURN __attribute__((noreturn))
405#undef SH_GNUC_MALLOC
406#define SH_GNUC_MALLOC __attribute__((malloc))
407#else
408#undef SH_GNUC_PURE
409#define SH_GNUC_PURE
410#undef SH_GNUC_CONST
411#define SH_GNUC_CONST
412#undef SH_GNUC_NORETURN
413#define SH_GNUC_NORETURN
414#undef SH_GNUC_MALLOC
415#define SH_GNUC_MALLOC
416#endif
417
418
[76]419/* The semantics of the built-in are that it is expected that expr == const
420 * for __builtin_expect ((expr), const)
421 */
422#if defined(__GNUC__) && (__GNUC__ > 2) && defined(__OPTIMIZE__)
423#define SH_LIKELY(expr) (__builtin_expect((expr), 1))
424#define SH_UNLIKELY(expr) (__builtin_expect((expr), 0))
425#else
426#define SH_LIKELY(expr) (expr)
427#define SH_UNLIKELY(expr) (expr)
428#endif
429
[22]430/* signal-safe log function
431 */
[170]432int safe_logger (int thesignal, int method, char * details);
433void safe_fatal (const char * details, const char *f, int l);
[22]434
[25]435#define SH_VALIDATE_EQ(a,b) \
[22]436 do { \
[34]437 if ((a) != (b)) safe_fatal(#a " != " #b, FIL__, __LINE__);\
[22]438 } while (0)
439
[25]440#define SH_VALIDATE_NE(a,b) \
441 do { \
[34]442 if ((a) == (b)) safe_fatal(#a " == " #b, FIL__, __LINE__);\
[25]443 } while (0)
[22]444
[68]445#define SH_VALIDATE_GE(a,b) \
446 do { \
447 if ((a) < (b)) safe_fatal(#a " < " #b, FIL__, __LINE__);\
448 } while (0)
449
[1]450#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
451#define MLOCK(a, b) \
452 if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
453 (void) sl_set_suid(); \
[19]454 if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = SL_TRUE; \
[1]455 (void) sl_unset_suid(); }
456#else
457#define MLOCK(a, b) \
458 ;
459#endif
460
461#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
462#define MUNLOCK(a, b) \
463 if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
464 (void) sl_set_suid(); \
465 (void) sh_unix_munlock( a, b );\
466 (void) sl_unset_suid(); }
467#else
468#define MUNLOCK(a, b) \
469 ;
470#endif
471
472#ifdef SH_STEALTH
473void sh_do_encode (char * str, int len);
474#define sh_do_decode sh_do_encode
475#endif
476
477/* #if defined(SCREW_IT_UP)
478 * extern volatile int sh_not_traced;
479 * inline int sh_sigtrap_prepare();
480 * inline int sh_derr();
481 * #endif
482 */
483
484#if defined(SCREW_IT_UP) && (defined(__FreeBSD__) || defined(__linux__)) && defined(__i386__)
485#define BREAKEXIT(expr) \
486 do { \
487 int ixi; \
488 for (ixi = 0; ixi < 8; ++ixi) { \
489 if ((*(volatile unsigned *)((unsigned) expr + ixi) & 0xff) == 0xcc) \
490 _exit(EXIT_FAILURE); \
491 } \
492 } \
493 while (1 == 0)
494#else
495#define BREAKEXIT(expr)
496#endif
497
498
499
500#include "sh_cat.h"
501#include "sh_trace.h"
502#include "sh_mem.h"
503
504#endif
505
506/* CRIT: */
507/* NEW_CLIENT <client> */
508/* BAD_CLIENT <client> -- <details> */
509/* ERR_CLIENT <client> -- <details> */
510
511/* ALERT: */
512/* LOG_KEY samhain|yule <key> */
513/* STARTUP samhain|yule -- user <username> */
514/* EXIT samhain|yule */
515/* GOODSIG <file> <user> */
516/* FP_KEY <fingerprint> */
517/* GOODSIG_DAT <file> <user> */
518/* FP_KEY_DAT <fingerprint> */
519/* TIGER_CFG <file> <checksum> */
520/* TIGER_DAT <file> <checksum> */
521
522/* PANIC -- <details> */
523/* ERROR -- <details> */
524
525/* Policy */
526/* POLICY <code> <file> */
527/* <code> = MISSING || ADDED || NOT_A_DIRECTORY || <policy> */
528
529
530
Note: See TracBrowser for help on using the repository browser.