source: trunk/include/samhain.h@ 135

Last change on this file since 135 was 133, checked in by rainer, 17 years ago

Reentrant checksum/hash functions.

File size: 12.5 KB
Line 
1/* SAMHAIN file system integrity testing */
2/* Copyright (C) 1999 Rainer Wichmann */
3/* */
4/* This program is free software; you can redistribute it */
5/* and/or modify */
6/* it under the terms of the GNU General Public License as */
7/* published by */
8/* the Free Software Foundation; either version 2 of the License, or */
9/* (at your option) any later version. */
10/* */
11/* This program is distributed in the hope that it will be useful, */
12/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14/* GNU General Public License for more details. */
15/* */
16/* You should have received a copy of the GNU General Public License */
17/* along with this program; if not, write to the Free Software */
18/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20#ifndef SAMHAIN_H
21#define SAMHAIN_H
22
23#include <sys/types.h>
24#include "slib.h"
25
26#ifdef SH_ENCRYPT
27#include "rijndael-api-fst.h"
28#endif
29
30/**************************************************
31 *
32 * STANDARD DEFINES
33 *
34 **************************************************/
35
36#define REPLACE_OLD
37
38/* Standard buffer sizes.
39 */
40#define SH_MINIBUF 64
41#define SH_BUFSIZE 1024
42#define SH_MAXBUF 4096
43#define SH_PATHBUF 256
44
45#define SH_GRBUF_SIZE 4096
46#define SH_PWBUF_SIZE 4096
47#define SH_ERRBUF_SIZE 64
48
49/* Sizes for arrays (user, group, timestamp).
50 */
51#define SOCKPASS_MAX 14
52#define USER_MAX 20
53#define GROUP_MAX 20
54#define TIM_MAX 32
55
56
57/* The number of bytes in a key,
58 * the number of chars in its hex repesentation,
59 * and the block size of the hash algorithm.
60 */
61#define KEY_BYT 24
62#define KEY_LEN 48
63#define KEY_BLOCK 24
64#define KEYBUF_SIZE (KEY_LEN+1)
65
66/* The length of the compiled-in password.
67 */
68#define PW_LEN 8
69
70#undef GOOD
71#define GOOD 1
72#undef BAD
73#define BAD 0
74#undef ON
75#define ON 1
76#undef OFF
77#define OFF 0
78#undef S_TRUE
79#define S_TRUE 1
80#undef S_FALSE
81#define S_FALSE 0
82
83/* An unsigned integer guaranteed to be 32 bit.
84 */
85#if defined(HAVE_INT_32)
86#define UINT32 unsigned int
87#define SINT32 int
88#elif defined(HAVE_LONG_32)
89#define UINT32 unsigned long
90#define SINT32 long
91#elif defined(HAVE_SHORT_32)
92#define UINT32 unsigned short
93#define SINT32 short
94#endif
95
96#ifdef HAVE_INTTYPES_H
97#include <inttypes.h>
98#else
99#ifdef HAVE_STDINT_H
100#include <stdint.h>
101#endif
102#endif
103
104#if !defined(HAVE_INTTYPES_H) && !defined(HAVE_STDINT_H)
105
106#ifdef HAVE_LONG_LONG_64
107#define UINT64 unsigned long long
108#else
109#ifdef HAVE_LONG_64
110#define UINT64 unsigned long
111#else
112#define UINT64_IS_32
113#define UINT64 unsigned long
114#endif
115#endif
116
117#else
118#define UINT64 uint64_t
119#endif
120
121
122
123#define UBYTE unsigned char
124
125
126enum {
127 SH_CHECK_NONE = 0,
128 SH_CHECK_INIT = 1,
129 SH_CHECK_CHECK = 2
130};
131
132/* Flags for file status
133 */
134#define SH_FFLAG_ALLIGNORE (1<<0)
135#define SH_FFLAG_VISITED (1<<1)
136#define SH_FFLAG_CHECKED (1<<3)
137#define SH_FFLAG_REPORTED (1<<3)
138#define SH_FFLAG_SUIDCHK (1<<4)
139
140#define SH_FFLAG_ALLIGNORE_SET(a) (((a) & SH_FFLAG_ALLIGNORE) != 0)
141#define SET_SH_FFLAG_ALLIGNORE(a) ((a) |= SH_FFLAG_ALLIGNORE)
142#define CLEAR_SH_FFLAG_ALLIGNORE(a) ((a) &= ~SH_FFLAG_ALLIGNORE)
143
144#define SH_FFLAG_VISITED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
145#define SET_SH_FFLAG_VISITED(a) ((a) |= SH_FFLAG_VISITED)
146#define CLEAR_SH_FFLAG_VISITED(a) ((a) &= ~SH_FFLAG_VISITED)
147
148#define SH_FFLAG_CHECKED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
149#define SET_SH_FFLAG_CHECKED(a) ((a) |= SH_FFLAG_VISITED)
150#define CLEAR_SH_FFLAG_CHECKED(a) ((a) &= ~SH_FFLAG_VISITED)
151
152#define SH_FFLAG_REPORTED_SET(a) (((a) & SH_FFLAG_REPORTED) != 0)
153#define SET_SH_FFLAG_REPORTED(a) ((a) |= SH_FFLAG_REPORTED)
154#define CLEAR_SH_FFLAG_REPORTED(a) ((a) &= ~SH_FFLAG_REPORTED)
155
156#define SH_FFLAG_SUIDCHK_SET(a) (((a) & SH_FFLAG_SUIDCHK) != 0)
157#define SET_SH_FFLAG_SUIDCHK(a) ((a) |= SH_FFLAG_SUIDCHK)
158#define CLEAR_SH_FFLAG_SUIDCHK(a) ((a) &= ~SH_FFLAG_SUIDCHK)
159
160
161
162/**************************************************
163 *
164 * TYPEDEFS
165 *
166 **************************************************/
167
168enum {
169 SH_LEVEL_READONLY = 1,
170 SH_LEVEL_LOGFILES = 2,
171 SH_LEVEL_LOGGROW = 3,
172 SH_LEVEL_NOIGNORE = 4,
173 SH_LEVEL_ALLIGNORE = 5,
174 SH_LEVEL_ATTRIBUTES = 6,
175 SH_LEVEL_USER0 = 7,
176 SH_LEVEL_USER1 = 8,
177 SH_LEVEL_USER2 = 9,
178 SH_LEVEL_USER3 = 10,
179 SH_LEVEL_USER4 = 11,
180 SH_LEVEL_PRELINK = 12
181};
182
183typedef struct {
184 time_t alarm_interval;
185 time_t alarm_last;
186} sh_timer_t;
187
188typedef struct {
189 char path[SH_PATHBUF];
190 char hash[KEY_LEN+1];
191} sh_sh_df;
192
193typedef struct {
194 char user[USER_MAX];
195 char group[GROUP_MAX];
196 char home[SH_PATHBUF];
197 uid_t uid;
198 gid_t gid;
199} sh_sh_user;
200
201typedef struct {
202 char name[SH_PATHBUF]; /* local hostname */
203 char system[SH_MINIBUF]; /* system */
204 char release[SH_MINIBUF]; /* release */
205 char machine[SH_MINIBUF]; /* machine */
206} sh_sh_local;
207
208typedef struct {
209 char name[SH_PATHBUF];
210 char alt[SH_PATHBUF];
211} sh_sh_remote;
212
213typedef struct {
214 unsigned long bytes_hashed; /* bytes last check */
215 unsigned long bytes_speed; /* bytes/sec last check */
216 unsigned long mail_success; /* mails sent */
217 unsigned long mail_failed; /* mails not sent */
218 time_t time_start; /* start last check */
219 time_t time_check; /* time last check */
220 unsigned long dirs_checked; /* #dirs last check */
221 unsigned long files_checked; /* #files last check */
222} sh_sh_stat;
223
224typedef struct {
225 int exit; /* exit value */
226 int checkSum; /* whether to init/check checksums */
227 int update; /* update db */
228 int opts; /* reading cl options */
229 int isdaemon; /* daemon or not */
230 int loop; /* go in loop even if not daemon */
231 int nice; /* desired nicety */
232 int isserver; /* server or not */
233 int islocked; /* BAD if logfile not locked */
234 int smsg; /* GOOD if end message sent */
235 int log_start; /* TRUE if new audit trail */
236 int reportonce; /* TRUE if bad files only once rep.*/
237 int fulldetail; /* TRUE if full details requested */
238 int client_severity; /* TRUE if client severity used */
239 int client_class; /* TRUE if client class used */
240 int audit;
241 unsigned long aud_mask;
242 int hidefile; /* TRUE if file not reveled in log */
243} sh_sh_flag;
244
245typedef struct {
246
247 char prg_name[8];
248
249 sh_sh_df exec;
250 sh_sh_df conf;
251 sh_sh_df data;
252
253 sh_sh_user real;
254 sh_sh_user effective;
255 sh_sh_user run;
256
257 sh_sh_local host;
258
259 sh_sh_remote srvtime;
260 sh_sh_remote srvmail;
261 sh_sh_remote srvexport;
262 sh_sh_remote srvcons;
263 sh_sh_remote srvlog;
264
265 sh_sh_stat statistics;
266 sh_sh_flag flag;
267
268#ifdef SH_STEALTH
269 unsigned long off_data;
270#endif
271
272 sh_timer_t mailNum;
273 sh_timer_t mailTime;
274 sh_timer_t fileCheck;
275
276 int looptime; /* timing for main loop */
277 /*@null@*//*@out@*/ char * timezone;
278} sh_struct;
279
280
281extern volatile int sig_raised;
282extern volatile int sig_urgent;
283extern volatile int sig_debug_switch; /* SIGUSR1 */
284extern volatile int sig_suspend_switch; /* SIGUSR2 */
285extern volatile int sh_global_suspend_flag; /* SIGUSR2 */
286extern volatile int sig_fresh_trail; /* SIGIOT */
287extern volatile int sig_config_read_again; /* SIGHUP */
288extern volatile int sig_terminate; /* SIGQUIT */
289extern volatile int sig_termfast; /* SIGTERM */
290extern volatile int sig_force_check; /* SIGTTOU */
291
292extern long int eintr__result;
293
294extern int sh_argc_store;
295extern char ** sh_argv_store;
296
297#include "sh_calls.h"
298
299
300typedef struct {
301 char sh_sockpass[2*SOCKPASS_MAX+2];
302 char sigkey_old[KEY_LEN+1];
303 char sigkey_new[KEY_LEN+1];
304 char mailkey_old[KEY_LEN+1];
305 char mailkey_new[KEY_LEN+1];
306 char crypt[KEY_LEN+1];
307 char session[KEY_LEN+1];
308 char vernam[KEY_LEN+1];
309 int mlock_failed;
310
311 char pw[PW_LEN];
312
313 char poolv[KEY_BYT];
314 int poolc;
315
316 int rngI;
317 UINT32 rng0[3];
318 UINT32 rng1[3];
319 UINT32 rng2[3];
320
321 UINT32 ErrFlag[2];
322
323#ifdef SH_ENCRYPT
324 /*@out@*/ keyInstance keyInstE;
325 /*@out@*/ keyInstance keyInstD;
326#endif
327} sh_key_t;
328
329extern sh_struct sh;
330/*@null@*/ extern sh_key_t *skey;
331
332/**************************************************
333 *
334 * macros
335 *
336 **************************************************/
337
338#if defined(__GNUC__) && (__GNUC__ >= 4)
339#define SH_GNUC_NULL_TERMINATED __attribute__((__sentinel__))
340#else
341#define SH_GNUC_NULL_TERMINATED
342#endif
343
344/* The semantics of the built-in are that it is expected that expr == const
345 * for __builtin_expect ((expr), const)
346 */
347#if defined(__GNUC__) && (__GNUC__ > 2) && defined(__OPTIMIZE__)
348#define SH_LIKELY(expr) (__builtin_expect((expr), 1))
349#define SH_UNLIKELY(expr) (__builtin_expect((expr), 0))
350#else
351#define SH_LIKELY(expr) (expr)
352#define SH_UNLIKELY(expr) (expr)
353#endif
354
355/* signal-safe log function
356 */
357int safe_logger (int signal, int method, char * details);
358void safe_fatal (char * details, char *f, int l);
359
360#define SH_VALIDATE_EQ(a,b) \
361 do { \
362 if ((a) != (b)) safe_fatal(#a " != " #b, FIL__, __LINE__);\
363 } while (0)
364
365#define SH_VALIDATE_NE(a,b) \
366 do { \
367 if ((a) == (b)) safe_fatal(#a " == " #b, FIL__, __LINE__);\
368 } while (0)
369
370#define SH_VALIDATE_GE(a,b) \
371 do { \
372 if ((a) < (b)) safe_fatal(#a " < " #b, FIL__, __LINE__);\
373 } while (0)
374
375#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
376#define MLOCK(a, b) \
377 if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
378 (void) sl_set_suid(); \
379 if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = SL_TRUE; \
380 (void) sl_unset_suid(); }
381#else
382#define MLOCK(a, b) \
383 ;
384#endif
385
386#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
387#define MUNLOCK(a, b) \
388 if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
389 (void) sl_set_suid(); \
390 (void) sh_unix_munlock( a, b );\
391 (void) sl_unset_suid(); }
392#else
393#define MUNLOCK(a, b) \
394 ;
395#endif
396
397#ifdef SH_STEALTH
398void sh_do_encode (char * str, int len);
399#define sh_do_decode sh_do_encode
400#endif
401
402/* #if defined(SCREW_IT_UP)
403 * extern volatile int sh_not_traced;
404 * inline int sh_sigtrap_prepare();
405 * inline int sh_derr();
406 * #endif
407 */
408
409#if defined(SCREW_IT_UP) && (defined(__FreeBSD__) || defined(__linux__)) && defined(__i386__)
410#define BREAKEXIT(expr) \
411 do { \
412 int ixi; \
413 for (ixi = 0; ixi < 8; ++ixi) { \
414 if ((*(volatile unsigned *)((unsigned) expr + ixi) & 0xff) == 0xcc) \
415 _exit(EXIT_FAILURE); \
416 } \
417 } \
418 while (1 == 0)
419#else
420#define BREAKEXIT(expr)
421#endif
422
423
424
425#include "sh_cat.h"
426#include "sh_trace.h"
427#include "sh_mem.h"
428
429#endif
430
431/* CRIT: */
432/* NEW_CLIENT <client> */
433/* BAD_CLIENT <client> -- <details> */
434/* ERR_CLIENT <client> -- <details> */
435
436/* ALERT: */
437/* LOG_KEY samhain|yule <key> */
438/* STARTUP samhain|yule -- user <username> */
439/* EXIT samhain|yule */
440/* GOODSIG <file> <user> */
441/* FP_KEY <fingerprint> */
442/* GOODSIG_DAT <file> <user> */
443/* FP_KEY_DAT <fingerprint> */
444/* TIGER_CFG <file> <checksum> */
445/* TIGER_DAT <file> <checksum> */
446
447/* PANIC -- <details> */
448/* ERROR -- <details> */
449
450/* Policy */
451/* POLICY <code> <file> */
452/* <code> = MISSING || ADDED || NOT_A_DIRECTORY || <policy> */
453
454
455
Note: See TracBrowser for help on using the repository browser.