source: trunk/include/samhain.h@ 483

Last change on this file since 483 was 481, checked in by katerina, 9 years ago

Enhancements and fixes for tickets #374, #375, #376, #377, #378, and #379.

File size: 15.3 KB
RevLine 
[1]1/* SAMHAIN file system integrity testing */
2/* Copyright (C) 1999 Rainer Wichmann */
3/* */
4/* This program is free software; you can redistribute it */
5/* and/or modify */
6/* it under the terms of the GNU General Public License as */
7/* published by */
8/* the Free Software Foundation; either version 2 of the License, or */
9/* (at your option) any later version. */
10/* */
11/* This program is distributed in the hope that it will be useful, */
12/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14/* GNU General Public License for more details. */
15/* */
16/* You should have received a copy of the GNU General Public License */
17/* along with this program; if not, write to the Free Software */
18/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20#ifndef SAMHAIN_H
21#define SAMHAIN_H
22
23#include <sys/types.h>
24#include "slib.h"
25
26#ifdef SH_ENCRYPT
27#include "rijndael-api-fst.h"
28#endif
29
[481]30#if defined(__GNUC__) && (__GNUC__ >= 4)
31#define SH_GNUC_SENTINEL __attribute__((__sentinel__))
32#else
33#define SH_GNUC_SENTINEL
34#endif
35
36#if defined(__GNUC__) && (__GNUC__ >= 3)
37#undef SH_GNUC_PURE
38#define SH_GNUC_PURE __attribute__((pure))
39#undef SH_GNUC_CONST
40#define SH_GNUC_CONST __attribute__((const))
41#undef SH_GNUC_NORETURN
42#define SH_GNUC_NORETURN __attribute__((noreturn))
43#undef SH_GNUC_MALLOC
44#define SH_GNUC_MALLOC __attribute__((malloc))
45#else
46#undef SH_GNUC_PURE
47#define SH_GNUC_PURE
48#undef SH_GNUC_CONST
49#define SH_GNUC_CONST
50#undef SH_GNUC_NORETURN
51#define SH_GNUC_NORETURN
52#undef SH_GNUC_MALLOC
53#define SH_GNUC_MALLOC
54#endif
55
[1]56/**************************************************
57 *
58 * STANDARD DEFINES
59 *
60 **************************************************/
61
[295]62/* IPv6 */
63#if defined(HAVE_GETNAMEINFO) && defined(HAVE_GETADDRINFO)
64
65#if defined(SH_COMPILE_STATIC) && defined(__linux__)
66#undef USE_IPVX
67#define SH_SOCKMAX 1
68#else
69
70#if defined(USE_IPV4)
71#undef USE_IPVX
72#else
73#define USE_IPVX 1
74#endif
75
76#define SH_SOCKMAX 8
77#endif
78
79#else
80#undef USE_IPVX
81#define SH_SOCKMAX 1
82#endif
83
84/* end IPv6 */
85
[283]86/* Standard buffer sizes.
87 * IPv6 is 8 groups of 4 hex digits seperated by colons.
[1]88 */
[295]89#define SH_IP_BUF 48
[1]90#define SH_MINIBUF 64
91#define SH_BUFSIZE 1024
92#define SH_MAXBUF 4096
93#define SH_PATHBUF 256
[170]94#define SH_MSG_BUF 64512
[1]95
[132]96#define SH_ERRBUF_SIZE 64
[131]97
[170]98/* MAX_PATH_STORE must be >= KEY_LEN
99 */
100#define MAX_PATH_STORE 12287
101
[1]102/* Sizes for arrays (user, group, timestamp).
103 */
[40]104#define SOCKPASS_MAX 14
[149]105#define USER_MAX 20
106#define GROUP_MAX 20
107#define TIM_MAX 32
[1]108
[149]109#define CMODE_SIZE 11
[40]110
[149]111#define ATTRBUF_SIZE 16
112#define ATTRBUF_USED 12
113
[1]114/* The number of bytes in a key,
115 * the number of chars in its hex repesentation,
116 * and the block size of the hash algorithm.
117 */
118#define KEY_BYT 24
119#define KEY_LEN 48
120#define KEY_BLOCK 24
[133]121#define KEYBUF_SIZE (KEY_LEN+1)
[1]122
123/* The length of the compiled-in password.
124 */
125#define PW_LEN 8
126
127#undef S_TRUE
128#define S_TRUE 1
129#undef S_FALSE
130#define S_FALSE 0
131
[481]132#undef GOOD
133#define GOOD S_TRUE
134#undef BAD
135#define BAD S_FALSE
136
137
138#ifdef HAVE_INTTYPES_H
139#include <inttypes.h>
140#endif
141#ifdef HAVE_STDINT_H
142#include <stdint.h>
143#endif
144
145#if !defined(HAVE_UINT16_T)
146#define UINT16 unsigned short
147#else
148#define UINT16 uint16_t
149#endif
150
151#if !defined(HAVE_UINT32_T)
152
[1]153/* An unsigned integer guaranteed to be 32 bit.
154 */
155#if defined(HAVE_INT_32)
156#define UINT32 unsigned int
157#define SINT32 int
158#elif defined(HAVE_LONG_32)
159#define UINT32 unsigned long
160#define SINT32 long
161#elif defined(HAVE_SHORT_32)
162#define UINT32 unsigned short
163#define SINT32 short
[415]164#else
165#error "No 32 bit integer type found"
[1]166#endif
167
[481]168#else
169#define UINT32 uint32_t
170#define SINT32 int32_t
[1]171
[265]172#endif
173
[156]174#if !defined(HAVE_UINT64_T)
[1]175
176#ifdef HAVE_LONG_LONG_64
177#define UINT64 unsigned long long
178#else
179#ifdef HAVE_LONG_64
180#define UINT64 unsigned long
181#else
[156]182#error "no 64bit type found"
[1]183#endif
184#endif
185
186#else
187#define UINT64 uint64_t
188#endif
189
190
191
192#define UBYTE unsigned char
193
[444]194enum {
195 SH_TIGER192 = 0,
196 SH_SHA1 = 1,
197 SH_MD5 = 2,
198 SH_SHA256 = 3
199};
[1]200
[444]201
[1]202enum {
203 SH_CHECK_NONE = 0,
204 SH_CHECK_INIT = 1,
205 SH_CHECK_CHECK = 2
206};
207
[143]208#define SH_MOD_THREAD 1
209#define SH_MOD_ACTIVE 0
210#define SH_MOD_FAILED -1
[207]211#define SH_MOD_OFFSET 10
[156]212
[114]213/* Flags for file status
214 */
215#define SH_FFLAG_ALLIGNORE (1<<0)
216#define SH_FFLAG_VISITED (1<<1)
217#define SH_FFLAG_CHECKED (1<<3)
218#define SH_FFLAG_REPORTED (1<<3)
[115]219#define SH_FFLAG_SUIDCHK (1<<4)
[458]220#define SH_FFLAG_ENOENT (1<<5)
[93]221
[114]222#define SH_FFLAG_ALLIGNORE_SET(a) (((a) & SH_FFLAG_ALLIGNORE) != 0)
223#define SET_SH_FFLAG_ALLIGNORE(a) ((a) |= SH_FFLAG_ALLIGNORE)
224#define CLEAR_SH_FFLAG_ALLIGNORE(a) ((a) &= ~SH_FFLAG_ALLIGNORE)
225
226#define SH_FFLAG_VISITED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
227#define SET_SH_FFLAG_VISITED(a) ((a) |= SH_FFLAG_VISITED)
228#define CLEAR_SH_FFLAG_VISITED(a) ((a) &= ~SH_FFLAG_VISITED)
229
230#define SH_FFLAG_CHECKED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
231#define SET_SH_FFLAG_CHECKED(a) ((a) |= SH_FFLAG_VISITED)
232#define CLEAR_SH_FFLAG_CHECKED(a) ((a) &= ~SH_FFLAG_VISITED)
233
234#define SH_FFLAG_REPORTED_SET(a) (((a) & SH_FFLAG_REPORTED) != 0)
235#define SET_SH_FFLAG_REPORTED(a) ((a) |= SH_FFLAG_REPORTED)
236#define CLEAR_SH_FFLAG_REPORTED(a) ((a) &= ~SH_FFLAG_REPORTED)
237
[115]238#define SH_FFLAG_SUIDCHK_SET(a) (((a) & SH_FFLAG_SUIDCHK) != 0)
239#define SET_SH_FFLAG_SUIDCHK(a) ((a) |= SH_FFLAG_SUIDCHK)
240#define CLEAR_SH_FFLAG_SUIDCHK(a) ((a) &= ~SH_FFLAG_SUIDCHK)
[114]241
[458]242#define SH_FFLAG_ENOENT_SET(a) (((a) & SH_FFLAG_ENOENT) != 0)
243#define SET_SH_FFLAG_ENOENT(a) ((a) |= SH_FFLAG_ENOENT)
244#define CLEAR_SH_FFLAG_ENOENT(a) ((a) &= ~SH_FFLAG_ENOENT)
245
[367]246/* Flags for inotify
247 */
248#define SH_INOTIFY_USE (1<<0)
249#define SH_INOTIFY_DOSCAN (1<<1)
250#define SH_INOTIFY_NEEDINIT (1<<2)
[373]251#define SH_INOTIFY_INSCAN (1<<3)
[433]252#define SH_INOTIFY_IFUSED(a) if ((sh.flag.inotify & SH_INOTIFY_USE) != 0) { a }
[114]253
[367]254
[1]255/**************************************************
256 *
257 * TYPEDEFS
258 *
259 **************************************************/
260
261enum {
262 SH_LEVEL_READONLY = 1,
263 SH_LEVEL_LOGFILES = 2,
264 SH_LEVEL_LOGGROW = 3,
265 SH_LEVEL_NOIGNORE = 4,
266 SH_LEVEL_ALLIGNORE = 5,
267 SH_LEVEL_ATTRIBUTES = 6,
268 SH_LEVEL_USER0 = 7,
269 SH_LEVEL_USER1 = 8,
[27]270 SH_LEVEL_USER2 = 9,
271 SH_LEVEL_USER3 = 10,
272 SH_LEVEL_USER4 = 11,
273 SH_LEVEL_PRELINK = 12
[1]274};
275
276typedef struct {
277 time_t alarm_interval;
278 time_t alarm_last;
279} sh_timer_t;
280
281typedef struct {
282 char path[SH_PATHBUF];
283 char hash[KEY_LEN+1];
284} sh_sh_df;
285
286typedef struct {
287 char user[USER_MAX];
288 char group[GROUP_MAX];
289 char home[SH_PATHBUF];
290 uid_t uid;
291 gid_t gid;
292} sh_sh_user;
293
294typedef struct {
295 char name[SH_PATHBUF]; /* local hostname */
296 char system[SH_MINIBUF]; /* system */
297 char release[SH_MINIBUF]; /* release */
298 char machine[SH_MINIBUF]; /* machine */
299} sh_sh_local;
300
301typedef struct {
302 char name[SH_PATHBUF];
303 char alt[SH_PATHBUF];
304} sh_sh_remote;
305
306typedef struct {
307 unsigned long bytes_hashed; /* bytes last check */
308 unsigned long bytes_speed; /* bytes/sec last check */
309 unsigned long mail_success; /* mails sent */
310 unsigned long mail_failed; /* mails not sent */
311 time_t time_start; /* start last check */
312 time_t time_check; /* time last check */
313 unsigned long dirs_checked; /* #dirs last check */
314 unsigned long files_checked; /* #files last check */
[405]315 unsigned long files_report; /* #file reports */
316 unsigned long files_error; /* #file access error */
317 unsigned long files_nodir; /* #file not a directory*/
[1]318} sh_sh_stat;
319
320typedef struct {
321 int exit; /* exit value */
322 int checkSum; /* whether to init/check checksums */
323 int update; /* update db */
324 int opts; /* reading cl options */
[256]325 int started; /* finished with startup stuff */
[1]326 int isdaemon; /* daemon or not */
327 int loop; /* go in loop even if not daemon */
328 int nice; /* desired nicety */
329 int isserver; /* server or not */
330 int islocked; /* BAD if logfile not locked */
331 int smsg; /* GOOD if end message sent */
332 int log_start; /* TRUE if new audit trail */
333 int reportonce; /* TRUE if bad files only once rep.*/
334 int fulldetail; /* TRUE if full details requested */
335 int client_severity; /* TRUE if client severity used */
336 int client_class; /* TRUE if client class used */
[481]337 int hidefile; /* TRUE if file not shown in log */
338 int inotify; /* Flags for inotify */
[1]339 int audit;
340 unsigned long aud_mask;
341} sh_sh_flag;
342
343typedef struct {
344
345 char prg_name[8];
[162]346
347 UINT64 pid;
[1]348
349 sh_sh_df exec;
350 sh_sh_df conf;
351 sh_sh_df data;
352
353 sh_sh_user real;
354 sh_sh_user effective;
355 sh_sh_user run;
356
357 sh_sh_local host;
358
359 sh_sh_remote srvtime;
360 sh_sh_remote srvmail;
361 sh_sh_remote srvexport;
362 sh_sh_remote srvcons;
363 sh_sh_remote srvlog;
364
365 sh_sh_stat statistics;
366 sh_sh_flag flag;
367
368#ifdef SH_STEALTH
369 unsigned long off_data;
370#endif
371
372 sh_timer_t mailNum;
373 sh_timer_t mailTime;
374 sh_timer_t fileCheck;
375
376 int looptime; /* timing for main loop */
377 /*@null@*//*@out@*/ char * timezone;
[411]378
[481]379 int delayload;
380
[411]381#ifdef SCREW_IT_UP
382 int sigtrap_max_duration;
383#endif
384
[481]385 char * outpath;
[1]386} sh_struct;
387
388
389extern volatile int sig_raised;
390extern volatile int sig_urgent;
391extern volatile int sig_debug_switch; /* SIGUSR1 */
392extern volatile int sig_suspend_switch; /* SIGUSR2 */
[143]393extern volatile int sh_global_suspend_flag;
[1]394extern volatile int sig_fresh_trail; /* SIGIOT */
[143]395extern volatile int sh_thread_pause_flag;
[1]396extern volatile int sig_config_read_again; /* SIGHUP */
397extern volatile int sig_terminate; /* SIGQUIT */
398extern volatile int sig_termfast; /* SIGTERM */
399extern volatile int sig_force_check; /* SIGTTOU */
[481]400extern volatile int sh_load_delta_flag;
[1]401
402extern long int eintr__result;
403
[20]404extern int sh_argc_store;
405extern char ** sh_argv_store;
406
[1]407#include "sh_calls.h"
408
409
410typedef struct {
[40]411 char sh_sockpass[2*SOCKPASS_MAX+2];
[1]412 char sigkey_old[KEY_LEN+1];
413 char sigkey_new[KEY_LEN+1];
414 char mailkey_old[KEY_LEN+1];
415 char mailkey_new[KEY_LEN+1];
416 char crypt[KEY_LEN+1];
417 char session[KEY_LEN+1];
418 char vernam[KEY_LEN+1];
419 int mlock_failed;
420
421 char pw[PW_LEN];
422
423 char poolv[KEY_BYT];
424 int poolc;
425
426 int rngI;
427 UINT32 rng0[3];
428 UINT32 rng1[3];
429 UINT32 rng2[3];
430
[156]431 UINT32 res_vec[6];
432
[1]433 UINT32 ErrFlag[2];
434
435#ifdef SH_ENCRYPT
436 /*@out@*/ keyInstance keyInstE;
437 /*@out@*/ keyInstance keyInstD;
438#endif
439} sh_key_t;
440
441extern sh_struct sh;
442/*@null@*/ extern sh_key_t *skey;
443
[22]444/**************************************************
445 *
446 * macros
447 *
448 **************************************************/
[1]449
[459]450#if defined(SH_ABORT_ON_ERROR)
451#define SH_ABORT abort()
452#else
453#define SH_ABORT
454#endif
455
[76]456
[149]457
[76]458/* The semantics of the built-in are that it is expected that expr == const
459 * for __builtin_expect ((expr), const)
460 */
461#if defined(__GNUC__) && (__GNUC__ > 2) && defined(__OPTIMIZE__)
462#define SH_LIKELY(expr) (__builtin_expect((expr), 1))
463#define SH_UNLIKELY(expr) (__builtin_expect((expr), 0))
464#else
465#define SH_LIKELY(expr) (expr)
466#define SH_UNLIKELY(expr) (expr)
467#endif
468
[22]469/* signal-safe log function
470 */
[170]471int safe_logger (int thesignal, int method, char * details);
472void safe_fatal (const char * details, const char *f, int l);
[22]473
[25]474#define SH_VALIDATE_EQ(a,b) \
[22]475 do { \
[34]476 if ((a) != (b)) safe_fatal(#a " != " #b, FIL__, __LINE__);\
[22]477 } while (0)
478
[25]479#define SH_VALIDATE_NE(a,b) \
480 do { \
[34]481 if ((a) == (b)) safe_fatal(#a " == " #b, FIL__, __LINE__);\
[25]482 } while (0)
[22]483
[68]484#define SH_VALIDATE_GE(a,b) \
485 do { \
486 if ((a) < (b)) safe_fatal(#a " < " #b, FIL__, __LINE__);\
487 } while (0)
488
[1]489#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
[412]490#ifdef USE_SUID
[1]491#define MLOCK(a, b) \
[481]492 if ((skey != NULL) && skey->mlock_failed == S_FALSE){ \
[1]493 (void) sl_set_suid(); \
[481]494 if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = S_TRUE; \
[412]495 (void) sl_unset_suid(); }
[1]496#else
497#define MLOCK(a, b) \
[481]498 if ((skey != NULL) && skey->mlock_failed == S_FALSE){ \
499 if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = S_TRUE; }
[412]500#endif
501#else
502#define MLOCK(a, b) \
[1]503 ;
504#endif
505
506#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
[412]507#ifdef USE_SUID
[1]508#define MUNLOCK(a, b) \
[481]509 if ((skey != NULL) && skey->mlock_failed == S_FALSE){ \
[1]510 (void) sl_set_suid(); \
511 (void) sh_unix_munlock( a, b );\
[412]512 (void) sl_unset_suid(); }
[1]513#else
514#define MUNLOCK(a, b) \
[481]515 if ((skey != NULL) && skey->mlock_failed == S_FALSE){ \
[412]516 (void) sh_unix_munlock( a, b ); }
517#endif
518#else
519#define MUNLOCK(a, b) \
[1]520 ;
521#endif
522
523#ifdef SH_STEALTH
524void sh_do_encode (char * str, int len);
525#define sh_do_decode sh_do_encode
526#endif
527
528/* #if defined(SCREW_IT_UP)
529 * extern volatile int sh_not_traced;
530 * inline int sh_sigtrap_prepare();
531 * inline int sh_derr();
532 * #endif
533 */
534
535#if defined(SCREW_IT_UP) && (defined(__FreeBSD__) || defined(__linux__)) && defined(__i386__)
536#define BREAKEXIT(expr) \
537 do { \
538 int ixi; \
539 for (ixi = 0; ixi < 8; ++ixi) { \
540 if ((*(volatile unsigned *)((unsigned) expr + ixi) & 0xff) == 0xcc) \
541 _exit(EXIT_FAILURE); \
542 } \
543 } \
544 while (1 == 0)
545#else
546#define BREAKEXIT(expr)
547#endif
548
549
550
551#include "sh_cat.h"
552#include "sh_trace.h"
553#include "sh_mem.h"
554
555#endif
556
557/* CRIT: */
558/* NEW_CLIENT <client> */
559/* BAD_CLIENT <client> -- <details> */
560/* ERR_CLIENT <client> -- <details> */
561
562/* ALERT: */
563/* LOG_KEY samhain|yule <key> */
564/* STARTUP samhain|yule -- user <username> */
565/* EXIT samhain|yule */
566/* GOODSIG <file> <user> */
567/* FP_KEY <fingerprint> */
568/* GOODSIG_DAT <file> <user> */
569/* FP_KEY_DAT <fingerprint> */
570/* TIGER_CFG <file> <checksum> */
571/* TIGER_DAT <file> <checksum> */
572
573/* PANIC -- <details> */
574/* ERROR -- <details> */
575
576/* Policy */
577/* POLICY <code> <file> */
578/* <code> = MISSING || ADDED || NOT_A_DIRECTORY || <policy> */
579
580
581
Note: See TracBrowser for help on using the repository browser.