Context Navigation

source: trunk/include/samhain.h@ 269

Last change on this file since 269 was 265, checked in by katerina, 15 years ago
Enhance logfile monitoring (tickets #183, #184, #185).
File size: 13.5 KB

Line
1	/* SAMHAIN file system integrity testing */
2	/* Copyright (C) 1999 Rainer Wichmann */
3	/* */
4	/* This program is free software; you can redistribute it */
5	/* and/or modify */
6	/* it under the terms of the GNU General Public License as */
7	/* published by */
8	/* the Free Software Foundation; either version 2 of the License, or */
9	/* (at your option) any later version. */
10	/* */
11	/* This program is distributed in the hope that it will be useful, */
12	/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13	/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14	/* GNU General Public License for more details. */
15	/* */
16	/* You should have received a copy of the GNU General Public License */
17	/* along with this program; if not, write to the Free Software */
18	/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20	#ifndef SAMHAIN_H
21	#define SAMHAIN_H
22
23	#include <sys/types.h>
24	#include "slib.h"
25
26	#ifdef SH_ENCRYPT
27	#include "rijndael-api-fst.h"
28	#endif
29
30	/**************************************************
31	*
32	* STANDARD DEFINES
33	*
34	**************************************************/
35
36	#define REPLACE_OLD
37
38	/* Standard buffer sizes.
39	*/
40	#define SH_MINIBUF 64
41	#define SH_BUFSIZE 1024
42	#define SH_MAXBUF 4096
43	#define SH_PATHBUF 256
44	#define SH_MSG_BUF 64512
45
46	#define SH_ERRBUF_SIZE 64
47
48	/* MAX_PATH_STORE must be >= KEY_LEN
49	*/
50	#define MAX_PATH_STORE 12287
51
52	/* Sizes for arrays (user, group, timestamp).
53	*/
54	#define SOCKPASS_MAX 14
55	#define USER_MAX 20
56	#define GROUP_MAX 20
57	#define TIM_MAX 32
58
59	#define CMODE_SIZE 11
60
61	#define ATTRBUF_SIZE 16
62	#define ATTRBUF_USED 12
63
64	/* The number of bytes in a key,
65	* the number of chars in its hex repesentation,
66	* and the block size of the hash algorithm.
67	*/
68	#define KEY_BYT 24
69	#define KEY_LEN 48
70	#define KEY_BLOCK 24
71	#define KEYBUF_SIZE (KEY_LEN+1)
72
73	/* The length of the compiled-in password.
74	*/
75	#define PW_LEN 8
76
77	#undef GOOD
78	#define GOOD 1
79	#undef BAD
80	#define BAD 0
81	#undef ON
82	#define ON 1
83	#undef OFF
84	#define OFF 0
85	#undef S_TRUE
86	#define S_TRUE 1
87	#undef S_FALSE
88	#define S_FALSE 0
89
90	/* An unsigned integer guaranteed to be 32 bit.
91	*/
92	#if defined(HAVE_INT_32)
93	#define UINT32 unsigned int
94	#define SINT32 int
95	#elif defined(HAVE_LONG_32)
96	#define UINT32 unsigned long
97	#define SINT32 long
98	#elif defined(HAVE_SHORT_32)
99	#define UINT32 unsigned short
100	#define SINT32 short
101	#endif
102
103	#ifdef HAVE_INTTYPES_H
104	#include <inttypes.h>
105	#endif
106	#ifdef HAVE_STDINT_H
107	#include <stdint.h>
108	#endif
109
110	#if !defined(HAVE_UINT16_T)
111	#define UINT16 unsigned short
112	#else
113	#define UINT16 uint16_t
114	#endif
115
116	#if !defined(HAVE_UINT64_T)
117
118	#ifdef HAVE_LONG_LONG_64
119	#define UINT64 unsigned long long
120	#else
121	#ifdef HAVE_LONG_64
122	#define UINT64 unsigned long
123	#else
124	#error "no 64bit type found"
125	#endif
126	#endif
127
128	#else
129	#define UINT64 uint64_t
130	#endif
131
132
133
134	#define UBYTE unsigned char
135
136
137	enum {
138	SH_CHECK_NONE = 0,
139	SH_CHECK_INIT = 1,
140	SH_CHECK_CHECK = 2
141	};
142
143	#define SH_MOD_THREAD 1
144	#define SH_MOD_ACTIVE 0
145	#define SH_MOD_FAILED -1
146	#define SH_MOD_OFFSET 10
147
148	/* Flags for file status
149	*/
150	#define SH_FFLAG_ALLIGNORE (1<<0)
151	#define SH_FFLAG_VISITED (1<<1)
152	#define SH_FFLAG_CHECKED (1<<3)
153	#define SH_FFLAG_REPORTED (1<<3)
154	#define SH_FFLAG_SUIDCHK (1<<4)
155
156	#define SH_FFLAG_ALLIGNORE_SET(a) (((a) & SH_FFLAG_ALLIGNORE) != 0)
157	#define SET_SH_FFLAG_ALLIGNORE(a) ((a) \|= SH_FFLAG_ALLIGNORE)
158	#define CLEAR_SH_FFLAG_ALLIGNORE(a) ((a) &= ~SH_FFLAG_ALLIGNORE)
159
160	#define SH_FFLAG_VISITED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
161	#define SET_SH_FFLAG_VISITED(a) ((a) \|= SH_FFLAG_VISITED)
162	#define CLEAR_SH_FFLAG_VISITED(a) ((a) &= ~SH_FFLAG_VISITED)
163
164	#define SH_FFLAG_CHECKED_SET(a) (((a) & SH_FFLAG_VISITED) != 0)
165	#define SET_SH_FFLAG_CHECKED(a) ((a) \|= SH_FFLAG_VISITED)
166	#define CLEAR_SH_FFLAG_CHECKED(a) ((a) &= ~SH_FFLAG_VISITED)
167
168	#define SH_FFLAG_REPORTED_SET(a) (((a) & SH_FFLAG_REPORTED) != 0)
169	#define SET_SH_FFLAG_REPORTED(a) ((a) \|= SH_FFLAG_REPORTED)
170	#define CLEAR_SH_FFLAG_REPORTED(a) ((a) &= ~SH_FFLAG_REPORTED)
171
172	#define SH_FFLAG_SUIDCHK_SET(a) (((a) & SH_FFLAG_SUIDCHK) != 0)
173	#define SET_SH_FFLAG_SUIDCHK(a) ((a) \|= SH_FFLAG_SUIDCHK)
174	#define CLEAR_SH_FFLAG_SUIDCHK(a) ((a) &= ~SH_FFLAG_SUIDCHK)
175
176
177	/**************************************************
178	*
179	* TYPEDEFS
180	*
181	**************************************************/
182
183	enum {
184	SH_LEVEL_READONLY = 1,
185	SH_LEVEL_LOGFILES = 2,
186	SH_LEVEL_LOGGROW = 3,
187	SH_LEVEL_NOIGNORE = 4,
188	SH_LEVEL_ALLIGNORE = 5,
189	SH_LEVEL_ATTRIBUTES = 6,
190	SH_LEVEL_USER0 = 7,
191	SH_LEVEL_USER1 = 8,
192	SH_LEVEL_USER2 = 9,
193	SH_LEVEL_USER3 = 10,
194	SH_LEVEL_USER4 = 11,
195	SH_LEVEL_PRELINK = 12
196	};
197
198	typedef struct {
199	time_t alarm_interval;
200	time_t alarm_last;
201	} sh_timer_t;
202
203	typedef struct {
204	char path[SH_PATHBUF];
205	char hash[KEY_LEN+1];
206	} sh_sh_df;
207
208	typedef struct {
209	char user[USER_MAX];
210	char group[GROUP_MAX];
211	char home[SH_PATHBUF];
212	uid_t uid;
213	gid_t gid;
214	} sh_sh_user;
215
216	typedef struct {
217	char name[SH_PATHBUF]; /* local hostname */
218	char system[SH_MINIBUF]; /* system */
219	char release[SH_MINIBUF]; /* release */
220	char machine[SH_MINIBUF]; /* machine */
221	} sh_sh_local;
222
223	typedef struct {
224	char name[SH_PATHBUF];
225	char alt[SH_PATHBUF];
226	} sh_sh_remote;
227
228	typedef struct {
229	unsigned long bytes_hashed; /* bytes last check */
230	unsigned long bytes_speed; /* bytes/sec last check */
231	unsigned long mail_success; /* mails sent */
232	unsigned long mail_failed; /* mails not sent */
233	time_t time_start; /* start last check */
234	time_t time_check; /* time last check */
235	unsigned long dirs_checked; /* #dirs last check */
236	unsigned long files_checked; /* #files last check */
237	} sh_sh_stat;
238
239	typedef struct {
240	int exit; /* exit value */
241	int checkSum; /* whether to init/check checksums */
242	int update; /* update db */
243	int opts; /* reading cl options */
244	int started; /* finished with startup stuff */
245	int isdaemon; /* daemon or not */
246	int loop; /* go in loop even if not daemon */
247	int nice; /* desired nicety */
248	int isserver; /* server or not */
249	int islocked; /* BAD if logfile not locked */
250	int smsg; /* GOOD if end message sent */
251	int log_start; /* TRUE if new audit trail */
252	int reportonce; /* TRUE if bad files only once rep.*/
253	int fulldetail; /* TRUE if full details requested */
254	int client_severity; /* TRUE if client severity used */
255	int client_class; /* TRUE if client class used */
256	int audit;
257	unsigned long aud_mask;
258	int hidefile; /* TRUE if file not reveled in log */
259	} sh_sh_flag;
260
261	typedef struct {
262
263	char prg_name[8];
264
265	UINT64 pid;
266
267	sh_sh_df exec;
268	sh_sh_df conf;
269	sh_sh_df data;
270
271	sh_sh_user real;
272	sh_sh_user effective;
273	sh_sh_user run;
274
275	sh_sh_local host;
276
277	sh_sh_remote srvtime;
278	sh_sh_remote srvmail;
279	sh_sh_remote srvexport;
280	sh_sh_remote srvcons;
281	sh_sh_remote srvlog;
282
283	sh_sh_stat statistics;
284	sh_sh_flag flag;
285
286	#ifdef SH_STEALTH
287	unsigned long off_data;
288	#endif
289
290	sh_timer_t mailNum;
291	sh_timer_t mailTime;
292	sh_timer_t fileCheck;
293
294	int looptime; /* timing for main loop */
295	/@null@//@out@/ char * timezone;
296	} sh_struct;
297
298
299	extern volatile int sig_raised;
300	extern volatile int sig_urgent;
301	extern volatile int sig_debug_switch; /* SIGUSR1 */
302	extern volatile int sig_suspend_switch; /* SIGUSR2 */
303	extern volatile int sh_global_suspend_flag;
304	extern volatile int sig_fresh_trail; /* SIGIOT */
305	extern volatile int sh_thread_pause_flag;
306	extern volatile int sig_config_read_again; /* SIGHUP */
307	extern volatile int sig_terminate; /* SIGQUIT */
308	extern volatile int sig_termfast; /* SIGTERM */
309	extern volatile int sig_force_check; /* SIGTTOU */
310
311	extern long int eintr__result;
312
313	extern int sh_argc_store;
314	extern char ** sh_argv_store;
315
316	#include "sh_calls.h"
317
318
319	typedef struct {
320	char sh_sockpass[2*SOCKPASS_MAX+2];
321	char sigkey_old[KEY_LEN+1];
322	char sigkey_new[KEY_LEN+1];
323	char mailkey_old[KEY_LEN+1];
324	char mailkey_new[KEY_LEN+1];
325	char crypt[KEY_LEN+1];
326	char session[KEY_LEN+1];
327	char vernam[KEY_LEN+1];
328	int mlock_failed;
329
330	char pw[PW_LEN];
331
332	char poolv[KEY_BYT];
333	int poolc;
334
335	int rngI;
336	UINT32 rng0[3];
337	UINT32 rng1[3];
338	UINT32 rng2[3];
339
340	UINT32 res_vec[6];
341
342	UINT32 ErrFlag[2];
343
344	#ifdef SH_ENCRYPT
345	/@out@/ keyInstance keyInstE;
346	/@out@/ keyInstance keyInstD;
347	#endif
348	} sh_key_t;
349
350	extern sh_struct sh;
351	/@null@/ extern sh_key_t *skey;
352
353	/**************************************************
354	*
355	* macros
356	*
357	**************************************************/
358
359	#if defined(__GNUC__) && (__GNUC__ >= 4)
360	#define SH_GNUC_SENTINEL __attribute__((__sentinel__))
361	#else
362	#define SH_GNUC_SENTINEL
363	#endif
364
365	#if defined(__GNUC__) && (__GNUC__ >= 3)
366	#undef SH_GNUC_PURE
367	#define SH_GNUC_PURE __attribute__((pure))
368	#undef SH_GNUC_CONST
369	#define SH_GNUC_CONST __attribute__((const))
370	#undef SH_GNUC_NORETURN
371	#define SH_GNUC_NORETURN __attribute__((noreturn))
372	#undef SH_GNUC_MALLOC
373	#define SH_GNUC_MALLOC __attribute__((malloc))
374	#else
375	#undef SH_GNUC_PURE
376	#define SH_GNUC_PURE
377	#undef SH_GNUC_CONST
378	#define SH_GNUC_CONST
379	#undef SH_GNUC_NORETURN
380	#define SH_GNUC_NORETURN
381	#undef SH_GNUC_MALLOC
382	#define SH_GNUC_MALLOC
383	#endif
384
385
386	/* The semantics of the built-in are that it is expected that expr == const
387	* for __builtin_expect ((expr), const)
388	*/
389	#if defined(__GNUC__) && (__GNUC__ > 2) && defined(__OPTIMIZE__)
390	#define SH_LIKELY(expr) (__builtin_expect((expr), 1))
391	#define SH_UNLIKELY(expr) (__builtin_expect((expr), 0))
392	#else
393	#define SH_LIKELY(expr) (expr)
394	#define SH_UNLIKELY(expr) (expr)
395	#endif
396
397	/* signal-safe log function
398	*/
399	int safe_logger (int thesignal, int method, char * details);
400	void safe_fatal (const char * details, const char *f, int l);
401
402	#define SH_VALIDATE_EQ(a,b) \
403	do { \
404	if ((a) != (b)) safe_fatal(#a " != " #b, FIL__, __LINE__);\
405	} while (0)
406
407	#define SH_VALIDATE_NE(a,b) \
408	do { \
409	if ((a) == (b)) safe_fatal(#a " == " #b, FIL__, __LINE__);\
410	} while (0)
411
412	#define SH_VALIDATE_GE(a,b) \
413	do { \
414	if ((a) < (b)) safe_fatal(#a " < " #b, FIL__, __LINE__);\
415	} while (0)
416
417	#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
418	#define MLOCK(a, b) \
419	if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
420	(void) sl_set_suid(); \
421	if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = SL_TRUE; \
422	(void) sl_unset_suid(); }
423	#else
424	#define MLOCK(a, b) \
425	;
426	#endif
427
428	#if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
429	#define MUNLOCK(a, b) \
430	if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
431	(void) sl_set_suid(); \
432	(void) sh_unix_munlock( a, b );\
433	(void) sl_unset_suid(); }
434	#else
435	#define MUNLOCK(a, b) \
436	;
437	#endif
438
439	#ifdef SH_STEALTH
440	void sh_do_encode (char * str, int len);
441	#define sh_do_decode sh_do_encode
442	#endif
443
444	/* #if defined(SCREW_IT_UP)
445	* extern volatile int sh_not_traced;
446	* inline int sh_sigtrap_prepare();
447	* inline int sh_derr();
448	* #endif
449	*/
450
451	#if defined(SCREW_IT_UP) && (defined(__FreeBSD__) \|\| defined(__linux__)) && defined(__i386__)
452	#define BREAKEXIT(expr) \
453	do { \
454	int ixi; \
455	for (ixi = 0; ixi < 8; ++ixi) { \
456	if (((volatile unsigned )((unsigned) expr + ixi) & 0xff) == 0xcc) \
457	_exit(EXIT_FAILURE); \
458	} \
459	} \
460	while (1 == 0)
461	#else
462	#define BREAKEXIT(expr)
463	#endif
464
465
466
467	#include "sh_cat.h"
468	#include "sh_trace.h"
469	#include "sh_mem.h"
470
471	#endif
472
473	/* CRIT: */
474	/* NEW_CLIENT <client> */
475	/* BAD_CLIENT <client> -- <details> */
476	/* ERR_CLIENT <client> -- <details> */
477
478	/* ALERT: */
479	/* LOG_KEY samhain\|yule <key> */
480	/* STARTUP samhain\|yule -- user <username> */
481	/* EXIT samhain\|yule */
482	/* GOODSIG <file> <user> */
483	/* FP_KEY <fingerprint> */
484	/* GOODSIG_DAT <file> <user> */
485	/* FP_KEY_DAT <fingerprint> */
486	/* TIGER_CFG <file> <checksum> */
487	/* TIGER_DAT <file> <checksum> */
488
489	/* PANIC -- <details> */
490	/* ERROR -- <details> */
491
492	/* Policy */
493	/* POLICY <code> <file> */
494	/* <code> = MISSING \|\| ADDED \|\| NOT_A_DIRECTORY \|\| <policy> */
495
496
497

Note: See TracBrowser for help on using the repository browser.

Download in other formats: