source: trunk/include/samhain.h@ 268

Last change on this file since 268 was 265, checked in by katerina, 15 years ago

Enhance logfile monitoring (tickets #183, #184, #185).

File size: 13.5 KB
Line 
1/* SAMHAIN file system integrity testing */
2/* Copyright (C) 1999 Rainer Wichmann */
3/* */
4/* This program is free software; you can redistribute it */
5/* and/or modify */
6/* it under the terms of the GNU General Public License as */
7/* published by */
8/* the Free Software Foundation; either version 2 of the License, or */
9/* (at your option) any later version. */
10/* */
11/* This program is distributed in the hope that it will be useful, */
12/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14/* GNU General Public License for more details. */
15/* */
16/* You should have received a copy of the GNU General Public License */
17/* along with this program; if not, write to the Free Software */
18/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20#ifndef SAMHAIN_H
21#define SAMHAIN_H
22
23#include <sys/types.h>
24#include "slib.h"
25
26#ifdef SH_ENCRYPT
27#include "rijndael-api-fst.h"
28#endif
29
30/**************************************************
31 *
32 * STANDARD DEFINES
33 *
34 **************************************************/
35
36#define REPLACE_OLD
37
38/* Standard buffer sizes.
39 */
40#define SH_MINIBUF 64
41#define SH_BUFSIZE 1024
42#define SH_MAXBUF 4096
43#define SH_PATHBUF 256
44#define SH_MSG_BUF 64512
45
46#define SH_ERRBUF_SIZE 64
47
48/* MAX_PATH_STORE must be >= KEY_LEN
49 */
50#define MAX_PATH_STORE 12287
51
52/* Sizes for arrays (user, group, timestamp).
53 */
54#define SOCKPASS_MAX 14
55#define USER_MAX 20
56#define GROUP_MAX 20
57#define TIM_MAX 32
58
59#define CMODE_SIZE 11
60
61#define ATTRBUF_SIZE 16
62#define ATTRBUF_USED 12
63
64/* The number of bytes in a key,
65 * the number of chars in its hex repesentation,
66 * and the block size of the hash algorithm.
67 */
68#define KEY_BYT 24
69#define KEY_LEN 48
70#define KEY_BLOCK 24
71#define KEYBUF_SIZE (KEY_LEN+1)
72
73/* The length of the compiled-in password.
74 */
75#define PW_LEN 8
76
77#undef GOOD
78#define GOOD 1
79#undef BAD
80#define BAD 0
81#undef ON
82#define ON 1
83#undef OFF
84#define OFF 0
85#undef S_TRUE
86#define S_TRUE 1
87#undef S_FALSE
88#define S_FALSE 0
89
90/* An unsigned integer guaranteed to be 32 bit.
91 */
92#if defined(HAVE_INT_32)
93#define UINT32 unsigned int
94#define SINT32 int
95#elif defined(HAVE_LONG_32)
96#define UINT32 unsigned long
97#define SINT32 long
98#elif defined(HAVE_SHORT_32)
99#define UINT32 unsigned short
100#define SINT32 short
101#endif
102
103#ifdef HAVE_INTTYPES_H
104#include <inttypes.h>
105#endif
106#ifdef HAVE_STDINT_H
107#include <stdint.h>
108#endif
109
110#if !defined(HAVE_UINT16_T)
111#define UINT16 unsigned short
112#else
113#define UINT16 uint16_t
114#endif
115
116#if !defined(HAVE_UINT64_T)
117
118#ifdef HAVE_LONG_LONG_64
119#define UINT64 unsigned long long
120#else
121#ifdef HAVE_LONG_64
122#define UINT64 unsigned long
123#else
124#error "no 64bit type found"
125#endif
126#endif
127
128#else
129#define UINT64 uint64_t
130#endif
131
132
133
134#define UBYTE unsigned char
135
136
137enum {
138 SH_CHECK_NONE = 0,
139 SH_CHECK_INIT = 1,
140 SH_CHECK_CHECK = 2
141};
142
143#define SH_MOD_THREAD 1
144#define SH_MOD_ACTIVE 0
145#define SH_MOD_FAILED -1
146#define SH_MOD_OFFSET 10
147
148/* Flags for file status
149 */
150#define SH_FFLAG_ALLIGNORE (1<<0)
151#define SH_FFLAG_VISITED (1<<1)
152#define SH_FFLAG_CHECKED (1<<3)
153#define SH_FFLAG_REPORTED (1<<3)
154#define SH_FFLAG_SUIDCHK (1<<4)
155
156#define SH_FFLAG_ALLIGNORE_SET(a) (((a) & SH_FFLAG_ALLIGNORE) != 0)
157#define SET_SH_FFLAG_ALLIGNORE(a) ((a) |= SH_FFLAG_ALLIGNORE)
158#define CLEAR_SH_FFLAG_ALLIGNORE(a) ((a) &= ~SH_FFLAG_ALLIGNORE)
159
160#define SH_FFLAG_VISITED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
161#define SET_SH_FFLAG_VISITED(a) ((a) |= SH_FFLAG_VISITED)
162#define CLEAR_SH_FFLAG_VISITED(a) ((a) &= ~SH_FFLAG_VISITED)
163
164#define SH_FFLAG_CHECKED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
165#define SET_SH_FFLAG_CHECKED(a) ((a) |= SH_FFLAG_VISITED)
166#define CLEAR_SH_FFLAG_CHECKED(a) ((a) &= ~SH_FFLAG_VISITED)
167
168#define SH_FFLAG_REPORTED_SET(a) (((a) & SH_FFLAG_REPORTED) != 0)
169#define SET_SH_FFLAG_REPORTED(a) ((a) |= SH_FFLAG_REPORTED)
170#define CLEAR_SH_FFLAG_REPORTED(a) ((a) &= ~SH_FFLAG_REPORTED)
171
172#define SH_FFLAG_SUIDCHK_SET(a) (((a) & SH_FFLAG_SUIDCHK) != 0)
173#define SET_SH_FFLAG_SUIDCHK(a) ((a) |= SH_FFLAG_SUIDCHK)
174#define CLEAR_SH_FFLAG_SUIDCHK(a) ((a) &= ~SH_FFLAG_SUIDCHK)
175
176
177/**************************************************
178 *
179 * TYPEDEFS
180 *
181 **************************************************/
182
183enum {
184 SH_LEVEL_READONLY = 1,
185 SH_LEVEL_LOGFILES = 2,
186 SH_LEVEL_LOGGROW = 3,
187 SH_LEVEL_NOIGNORE = 4,
188 SH_LEVEL_ALLIGNORE = 5,
189 SH_LEVEL_ATTRIBUTES = 6,
190 SH_LEVEL_USER0 = 7,
191 SH_LEVEL_USER1 = 8,
192 SH_LEVEL_USER2 = 9,
193 SH_LEVEL_USER3 = 10,
194 SH_LEVEL_USER4 = 11,
195 SH_LEVEL_PRELINK = 12
196};
197
198typedef struct {
199 time_t alarm_interval;
200 time_t alarm_last;
201} sh_timer_t;
202
203typedef struct {
204 char path[SH_PATHBUF];
205 char hash[KEY_LEN+1];
206} sh_sh_df;
207
208typedef struct {
209 char user[USER_MAX];
210 char group[GROUP_MAX];
211 char home[SH_PATHBUF];
212 uid_t uid;
213 gid_t gid;
214} sh_sh_user;
215
216typedef struct {
217 char name[SH_PATHBUF]; /* local hostname */
218 char system[SH_MINIBUF]; /* system */
219 char release[SH_MINIBUF]; /* release */
220 char machine[SH_MINIBUF]; /* machine */
221} sh_sh_local;
222
223typedef struct {
224 char name[SH_PATHBUF];
225 char alt[SH_PATHBUF];
226} sh_sh_remote;
227
228typedef struct {
229 unsigned long bytes_hashed; /* bytes last check */
230 unsigned long bytes_speed; /* bytes/sec last check */
231 unsigned long mail_success; /* mails sent */
232 unsigned long mail_failed; /* mails not sent */
233 time_t time_start; /* start last check */
234 time_t time_check; /* time last check */
235 unsigned long dirs_checked; /* #dirs last check */
236 unsigned long files_checked; /* #files last check */
237} sh_sh_stat;
238
239typedef struct {
240 int exit; /* exit value */
241 int checkSum; /* whether to init/check checksums */
242 int update; /* update db */
243 int opts; /* reading cl options */
244 int started; /* finished with startup stuff */
245 int isdaemon; /* daemon or not */
246 int loop; /* go in loop even if not daemon */
247 int nice; /* desired nicety */
248 int isserver; /* server or not */
249 int islocked; /* BAD if logfile not locked */
250 int smsg; /* GOOD if end message sent */
251 int log_start; /* TRUE if new audit trail */
252 int reportonce; /* TRUE if bad files only once rep.*/
253 int fulldetail; /* TRUE if full details requested */
254 int client_severity; /* TRUE if client severity used */
255 int client_class; /* TRUE if client class used */
256 int audit;
257 unsigned long aud_mask;
258 int hidefile; /* TRUE if file not reveled in log */
259} sh_sh_flag;
260
261typedef struct {
262
263 char prg_name[8];
264
265 UINT64 pid;
266
267 sh_sh_df exec;
268 sh_sh_df conf;
269 sh_sh_df data;
270
271 sh_sh_user real;
272 sh_sh_user effective;
273 sh_sh_user run;
274
275 sh_sh_local host;
276
277 sh_sh_remote srvtime;
278 sh_sh_remote srvmail;
279 sh_sh_remote srvexport;
280 sh_sh_remote srvcons;
281 sh_sh_remote srvlog;
282
283 sh_sh_stat statistics;
284 sh_sh_flag flag;
285
286#ifdef SH_STEALTH
287 unsigned long off_data;
288#endif
289
290 sh_timer_t mailNum;
291 sh_timer_t mailTime;
292 sh_timer_t fileCheck;
293
294 int looptime; /* timing for main loop */
295 /*@null@*//*@out@*/ char * timezone;
296} sh_struct;
297
298
299extern volatile int sig_raised;
300extern volatile int sig_urgent;
301extern volatile int sig_debug_switch; /* SIGUSR1 */
302extern volatile int sig_suspend_switch; /* SIGUSR2 */
303extern volatile int sh_global_suspend_flag;
304extern volatile int sig_fresh_trail; /* SIGIOT */
305extern volatile int sh_thread_pause_flag;
306extern volatile int sig_config_read_again; /* SIGHUP */
307extern volatile int sig_terminate; /* SIGQUIT */
308extern volatile int sig_termfast; /* SIGTERM */
309extern volatile int sig_force_check; /* SIGTTOU */
310
311extern long int eintr__result;
312
313extern int sh_argc_store;
314extern char ** sh_argv_store;
315
316#include "sh_calls.h"
317
318
319typedef struct {
320 char sh_sockpass[2*SOCKPASS_MAX+2];
321 char sigkey_old[KEY_LEN+1];
322 char sigkey_new[KEY_LEN+1];
323 char mailkey_old[KEY_LEN+1];
324 char mailkey_new[KEY_LEN+1];
325 char crypt[KEY_LEN+1];
326 char session[KEY_LEN+1];
327 char vernam[KEY_LEN+1];
328 int mlock_failed;
329
330 char pw[PW_LEN];
331
332 char poolv[KEY_BYT];
333 int poolc;
334
335 int rngI;
336 UINT32 rng0[3];
337 UINT32 rng1[3];
338 UINT32 rng2[3];
339
340 UINT32 res_vec[6];
341
342 UINT32 ErrFlag[2];
343
344#ifdef SH_ENCRYPT
345 /*@out@*/ keyInstance keyInstE;
346 /*@out@*/ keyInstance keyInstD;
347#endif
348} sh_key_t;
349
350extern sh_struct sh;
351/*@null@*/ extern sh_key_t *skey;
352
353/**************************************************
354 *
355 * macros
356 *
357 **************************************************/
358
359#if defined(__GNUC__) && (__GNUC__ >= 4)
360#define SH_GNUC_SENTINEL __attribute__((__sentinel__))
361#else
362#define SH_GNUC_SENTINEL
363#endif
364
365#if defined(__GNUC__) && (__GNUC__ >= 3)
366#undef SH_GNUC_PURE
367#define SH_GNUC_PURE __attribute__((pure))
368#undef SH_GNUC_CONST
369#define SH_GNUC_CONST __attribute__((const))
370#undef SH_GNUC_NORETURN
371#define SH_GNUC_NORETURN __attribute__((noreturn))
372#undef SH_GNUC_MALLOC
373#define SH_GNUC_MALLOC __attribute__((malloc))
374#else
375#undef SH_GNUC_PURE
376#define SH_GNUC_PURE
377#undef SH_GNUC_CONST
378#define SH_GNUC_CONST
379#undef SH_GNUC_NORETURN
380#define SH_GNUC_NORETURN
381#undef SH_GNUC_MALLOC
382#define SH_GNUC_MALLOC
383#endif
384
385
386/* The semantics of the built-in are that it is expected that expr == const
387 * for __builtin_expect ((expr), const)
388 */
389#if defined(__GNUC__) && (__GNUC__ > 2) && defined(__OPTIMIZE__)
390#define SH_LIKELY(expr) (__builtin_expect((expr), 1))
391#define SH_UNLIKELY(expr) (__builtin_expect((expr), 0))
392#else
393#define SH_LIKELY(expr) (expr)
394#define SH_UNLIKELY(expr) (expr)
395#endif
396
397/* signal-safe log function
398 */
399int safe_logger (int thesignal, int method, char * details);
400void safe_fatal (const char * details, const char *f, int l);
401
402#define SH_VALIDATE_EQ(a,b) \
403 do { \
404 if ((a) != (b)) safe_fatal(#a " != " #b, FIL__, __LINE__);\
405 } while (0)
406
407#define SH_VALIDATE_NE(a,b) \
408 do { \
409 if ((a) == (b)) safe_fatal(#a " == " #b, FIL__, __LINE__);\
410 } while (0)
411
412#define SH_VALIDATE_GE(a,b) \
413 do { \
414 if ((a) < (b)) safe_fatal(#a " < " #b, FIL__, __LINE__);\
415 } while (0)
416
417#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
418#define MLOCK(a, b) \
419 if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
420 (void) sl_set_suid(); \
421 if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = SL_TRUE; \
422 (void) sl_unset_suid(); }
423#else
424#define MLOCK(a, b) \
425 ;
426#endif
427
428#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
429#define MUNLOCK(a, b) \
430 if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
431 (void) sl_set_suid(); \
432 (void) sh_unix_munlock( a, b );\
433 (void) sl_unset_suid(); }
434#else
435#define MUNLOCK(a, b) \
436 ;
437#endif
438
439#ifdef SH_STEALTH
440void sh_do_encode (char * str, int len);
441#define sh_do_decode sh_do_encode
442#endif
443
444/* #if defined(SCREW_IT_UP)
445 * extern volatile int sh_not_traced;
446 * inline int sh_sigtrap_prepare();
447 * inline int sh_derr();
448 * #endif
449 */
450
451#if defined(SCREW_IT_UP) && (defined(__FreeBSD__) || defined(__linux__)) && defined(__i386__)
452#define BREAKEXIT(expr) \
453 do { \
454 int ixi; \
455 for (ixi = 0; ixi < 8; ++ixi) { \
456 if ((*(volatile unsigned *)((unsigned) expr + ixi) & 0xff) == 0xcc) \
457 _exit(EXIT_FAILURE); \
458 } \
459 } \
460 while (1 == 0)
461#else
462#define BREAKEXIT(expr)
463#endif
464
465
466
467#include "sh_cat.h"
468#include "sh_trace.h"
469#include "sh_mem.h"
470
471#endif
472
473/* CRIT: */
474/* NEW_CLIENT <client> */
475/* BAD_CLIENT <client> -- <details> */
476/* ERR_CLIENT <client> -- <details> */
477
478/* ALERT: */
479/* LOG_KEY samhain|yule <key> */
480/* STARTUP samhain|yule -- user <username> */
481/* EXIT samhain|yule */
482/* GOODSIG <file> <user> */
483/* FP_KEY <fingerprint> */
484/* GOODSIG_DAT <file> <user> */
485/* FP_KEY_DAT <fingerprint> */
486/* TIGER_CFG <file> <checksum> */
487/* TIGER_DAT <file> <checksum> */
488
489/* PANIC -- <details> */
490/* ERROR -- <details> */
491
492/* Policy */
493/* POLICY <code> <file> */
494/* <code> = MISSING || ADDED || NOT_A_DIRECTORY || <policy> */
495
496
497
Note: See TracBrowser for help on using the repository browser.