[294] | 1 | /* SAMHAIN file system integrity testing */
|
---|
| 2 | /* Copyright (C) 2010 Rainer Wichmann */
|
---|
| 3 | /* */
|
---|
| 4 | /* This program is free software; you can redistribute it */
|
---|
| 5 | /* and/or modify */
|
---|
| 6 | /* it under the terms of the GNU General Public License as */
|
---|
| 7 | /* published by */
|
---|
| 8 | /* the Free Software Foundation; either version 2 of the License, or */
|
---|
| 9 | /* (at your option) any later version. */
|
---|
| 10 | /* */
|
---|
| 11 | /* This program is distributed in the hope that it will be useful, */
|
---|
| 12 | /* but WITHOUT ANY WARRANTY; without even the implied warranty of */
|
---|
| 13 | /* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
|
---|
| 14 | /* GNU General Public License for more details. */
|
---|
| 15 | /* */
|
---|
| 16 | /* You should have received a copy of the GNU General Public License */
|
---|
| 17 | /* along with this program; if not, write to the Free Software */
|
---|
| 18 | /* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
|
---|
| 19 |
|
---|
| 20 | #include "config_xor.h"
|
---|
| 21 |
|
---|
| 22 | #if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
|
---|
| 23 |
|
---|
| 24 |
|
---|
| 25 | #include <stdio.h>
|
---|
| 26 | #include <stdlib.h>
|
---|
| 27 | #include <string.h>
|
---|
| 28 | #include <errno.h>
|
---|
| 29 | #include <unistd.h>
|
---|
| 30 |
|
---|
| 31 | #if !defined(SH_COMPILE_STATIC) && defined(__linux__) && defined(HAVE_AUPARSE_H) && defined(HAVE_AUPARSE_LIB)
|
---|
| 32 | #include <auparse.h>
|
---|
| 33 |
|
---|
| 34 | #include "samhain.h"
|
---|
| 35 | #include "sh_error.h"
|
---|
| 36 | #include "sh_extern.h"
|
---|
| 37 | #include "sh_utils.h"
|
---|
| 38 |
|
---|
| 39 | #undef FIL__
|
---|
| 40 | #define FIL__ _("sh_audit.c")
|
---|
| 41 |
|
---|
| 42 | #define REC_SIZE_SYSCALL 32
|
---|
| 43 | #define REC_SIZE_EXE 64
|
---|
| 44 | #define REC_SIZE_SUCCESS 32
|
---|
| 45 |
|
---|
| 46 | struct recordState {
|
---|
| 47 | char syscall[REC_SIZE_SYSCALL];
|
---|
| 48 | char exe[REC_SIZE_EXE];
|
---|
| 49 | char success[REC_SIZE_SUCCESS];
|
---|
| 50 | unsigned int auid;
|
---|
| 51 | unsigned int uid;
|
---|
| 52 | unsigned int gid;
|
---|
| 53 | unsigned int euid;
|
---|
| 54 | unsigned int egid;
|
---|
| 55 | unsigned int fsuid;
|
---|
| 56 | unsigned int fsgid;
|
---|
| 57 | time_t time;
|
---|
| 58 | unsigned int milli;
|
---|
| 59 | };
|
---|
| 60 |
|
---|
| 61 | static int listRecords (auparse_state_t * au, struct recordState * state)
|
---|
| 62 | {
|
---|
| 63 | if (auparse_first_record(au) != 1)
|
---|
| 64 | return -1;
|
---|
| 65 |
|
---|
| 66 | state->time = auparse_get_time(au);
|
---|
| 67 | state->milli = auparse_get_milli(au);
|
---|
| 68 |
|
---|
| 69 | if (auparse_find_field(au, _("syscall")))
|
---|
| 70 | sl_strlcpy(state->syscall, auparse_interpret_field(au), REC_SIZE_SYSCALL);
|
---|
| 71 |
|
---|
| 72 | if (auparse_find_field(au, _("success")))
|
---|
| 73 | strncpy(state->success, auparse_interpret_field(au), REC_SIZE_SUCCESS);
|
---|
| 74 |
|
---|
| 75 | if (auparse_find_field(au, "uid"))
|
---|
| 76 | state->uid = auparse_get_field_int(au);
|
---|
| 77 | if (auparse_find_field(au, "gid"))
|
---|
| 78 | state->gid = auparse_get_field_int(au);
|
---|
| 79 |
|
---|
| 80 | if (auparse_find_field(au, _("euid")))
|
---|
| 81 | state->euid = auparse_get_field_int(au);
|
---|
| 82 | if (auparse_find_field(au, _("fsuid")))
|
---|
| 83 | state->fsuid = auparse_get_field_int(au);
|
---|
| 84 |
|
---|
| 85 | auparse_first_field(au);
|
---|
| 86 |
|
---|
| 87 | if (auparse_find_field(au, _("auid")))
|
---|
| 88 | state->auid = auparse_get_field_int(au);
|
---|
| 89 |
|
---|
| 90 | auparse_first_field(au);
|
---|
| 91 |
|
---|
| 92 | if (auparse_find_field(au, _("egid")))
|
---|
| 93 | state->egid = auparse_get_field_int(au);
|
---|
| 94 | if (auparse_find_field(au, _("fsgid")))
|
---|
| 95 | state->fsgid = auparse_get_field_int(au);
|
---|
| 96 |
|
---|
| 97 | auparse_first_field(au);
|
---|
| 98 |
|
---|
| 99 | if (auparse_find_field(au, "exe"))
|
---|
| 100 | sl_strlcpy(state->exe, auparse_interpret_field(au), REC_SIZE_EXE);
|
---|
| 101 |
|
---|
| 102 | return 0;
|
---|
| 103 | }
|
---|
| 104 |
|
---|
| 105 | static char * doAuparse (char * file, time_t time, char * result, size_t rsize)
|
---|
| 106 | {
|
---|
| 107 | struct recordState state;
|
---|
| 108 | struct recordState stateFetched;
|
---|
| 109 |
|
---|
| 110 | auparse_state_t * au = auparse_init(AUSOURCE_LOGS, NULL);
|
---|
| 111 |
|
---|
| 112 | if (!au)
|
---|
| 113 | {
|
---|
| 114 | char ebuf[SH_ERRBUF_SIZE];
|
---|
| 115 | int errnum = errno;
|
---|
| 116 |
|
---|
| 117 | sl_snprintf(ebuf, sizeof(ebuf), _("Error in auparse_init() - %s\n"),
|
---|
| 118 | strerror(errnum));
|
---|
| 119 | sh_error_handle (SH_ERR_ERR, FIL__, __LINE__, errnum, MSG_E_SUBGEN,
|
---|
| 120 | ebuf,
|
---|
| 121 | _("doAuparse") );
|
---|
| 122 | return NULL;
|
---|
| 123 | }
|
---|
| 124 |
|
---|
| 125 | if (ausearch_add_interpreted_item(au, _("name"), "=", file,
|
---|
| 126 | AUSEARCH_RULE_CLEAR) != 0)
|
---|
| 127 | {
|
---|
| 128 | goto err;
|
---|
| 129 | }
|
---|
| 130 |
|
---|
| 131 | if (time != 0)
|
---|
| 132 | {
|
---|
| 133 | ausearch_add_timestamp_item(au, ">=", time-1, 0, AUSEARCH_RULE_AND);
|
---|
| 134 | ausearch_add_timestamp_item(au, "<=", time+1, 0, AUSEARCH_RULE_AND);
|
---|
| 135 | }
|
---|
| 136 |
|
---|
| 137 | if (ausearch_set_stop(au, AUSEARCH_STOP_RECORD) != 0)
|
---|
| 138 | {
|
---|
| 139 | sh_error_handle (SH_ERR_ERR, FIL__, __LINE__, 0, MSG_E_SUBGEN,
|
---|
| 140 | _("Error in ausearch_set_stop\n"),
|
---|
| 141 | _("doAuparse") );
|
---|
| 142 | goto err;
|
---|
| 143 | }
|
---|
| 144 |
|
---|
| 145 | memset(&state, '\0', sizeof(state));
|
---|
| 146 |
|
---|
| 147 | while (ausearch_next_event(au) == 1)
|
---|
| 148 | {
|
---|
| 149 | memset(&stateFetched, '\0', sizeof(state));
|
---|
| 150 | listRecords(au, &stateFetched);
|
---|
| 151 | if (0 == strcmp(stateFetched.success, "yes"))
|
---|
| 152 | {
|
---|
| 153 | memcpy(&state, &stateFetched, sizeof(state));
|
---|
| 154 | }
|
---|
| 155 | auparse_next_event(au);
|
---|
| 156 | }
|
---|
| 157 |
|
---|
| 158 | if (0 == strcmp(state.success, "yes"))
|
---|
| 159 | {
|
---|
| 160 | char * tmp_exe = sh_util_safe_name(state.exe);
|
---|
| 161 | sl_snprintf(result, rsize,
|
---|
| 162 | _("time=%lu.%u, syscall=%s, auid=%u, uid=%u, gid=%u, euid=%u, egid=%u, fsuid=%u, fsgid=%u, exe=%s"),
|
---|
| 163 | (unsigned long) state.time, state.milli,
|
---|
| 164 | state.syscall,
|
---|
| 165 | state.auid, state.uid, state.gid, state.euid, state.egid,
|
---|
| 166 | state.fsuid, state.fsgid, tmp_exe);
|
---|
| 167 | SH_FREE(tmp_exe);
|
---|
| 168 | auparse_destroy(au);
|
---|
| 169 | return result;
|
---|
| 170 | }
|
---|
| 171 |
|
---|
| 172 | err:
|
---|
| 173 | auparse_destroy(au);
|
---|
| 174 | return NULL;
|
---|
| 175 | }
|
---|
| 176 |
|
---|
| 177 | static int sh_audit_checkdaemon();
|
---|
| 178 | static int actl_pnum = -1;
|
---|
| 179 | static char * actl_paths[4] =
|
---|
| 180 | {
|
---|
| 181 | N_("/sbin/auditctl"),
|
---|
| 182 | N_("/usr/sbin/auditctl"),
|
---|
| 183 | N_("/bin/auditctl"),
|
---|
| 184 | N_("/usr/bin/auditctl")
|
---|
| 185 | };
|
---|
| 186 |
|
---|
| 187 |
|
---|
| 188 | /* Public function to fetch an audit record for path 'file', time 'time'
|
---|
| 189 | * The 'result' array should be sized ~256 char.
|
---|
| 190 | */
|
---|
| 191 | char * sh_audit_fetch (char * file, time_t time, char * result, size_t rsize)
|
---|
| 192 | {
|
---|
| 193 | char * res = NULL;
|
---|
| 194 |
|
---|
| 195 | if (sh_audit_checkdaemon() >= 0)
|
---|
| 196 | {
|
---|
| 197 | res = doAuparse (file, time, result, rsize);
|
---|
| 198 |
|
---|
| 199 | if (!res)
|
---|
| 200 | {
|
---|
| 201 | res = doAuparse (file, 0, result, rsize);
|
---|
| 202 | }
|
---|
| 203 | }
|
---|
| 204 | return res;
|
---|
| 205 | }
|
---|
| 206 |
|
---|
| 207 | void sh_audit_delete_all ()
|
---|
| 208 | {
|
---|
| 209 | int p = sh_audit_checkdaemon();
|
---|
| 210 |
|
---|
| 211 | if (p >= 0)
|
---|
| 212 | {
|
---|
| 213 | char command[64];
|
---|
| 214 |
|
---|
| 215 | sl_snprintf(command, sizeof(command), _("%s -D -k samhain"),
|
---|
| 216 | _(actl_paths[p]));
|
---|
| 217 | sh_error_handle (SH_ERR_ALL, FIL__, __LINE__,
|
---|
| 218 | 0, MSG_E_SUBGEN,
|
---|
| 219 | _("Deleting audit daemon rules with key samhain"),
|
---|
| 220 | _("sh_audit_delete_all") );
|
---|
| 221 | sh_ext_system(command);
|
---|
| 222 | }
|
---|
| 223 | return;
|
---|
| 224 | }
|
---|
| 225 |
|
---|
[373] | 226 | void sh_audit_mark (const char * file)
|
---|
[294] | 227 | {
|
---|
| 228 | static int flushRules = 0;
|
---|
| 229 |
|
---|
| 230 | int p = sh_audit_checkdaemon();
|
---|
| 231 |
|
---|
| 232 | /* Flush all rules at startup.
|
---|
| 233 | */
|
---|
| 234 | if (flushRules == 0)
|
---|
| 235 | {
|
---|
| 236 | sh_audit_delete_all ();
|
---|
| 237 | flushRules = 1;
|
---|
| 238 | }
|
---|
| 239 |
|
---|
| 240 | if (p >= 0)
|
---|
| 241 | {
|
---|
| 242 | size_t len = strlen(file) + 64;
|
---|
| 243 | char * command = SH_ALLOC(len);
|
---|
| 244 | char * safe;
|
---|
| 245 |
|
---|
| 246 | sl_snprintf(command, len, _("%s -w %s -p wa -k samhain"),
|
---|
| 247 | _(actl_paths[p]),
|
---|
| 248 | file);
|
---|
| 249 |
|
---|
| 250 | safe = sh_util_safe_name_keepspace(command);
|
---|
| 251 | sh_error_handle (SH_ERR_ALL, FIL__, __LINE__,
|
---|
| 252 | 0, MSG_E_SUBGEN,
|
---|
| 253 | safe,
|
---|
| 254 | _("sh_audit_mark") );
|
---|
| 255 | SH_FREE(safe);
|
---|
| 256 |
|
---|
| 257 | sh_ext_system(command);
|
---|
| 258 | }
|
---|
| 259 | return;
|
---|
| 260 | }
|
---|
| 261 |
|
---|
| 262 |
|
---|
| 263 | static int sh_audit_checkdaemon()
|
---|
| 264 | {
|
---|
| 265 | int i;
|
---|
| 266 | static int flag = 0;
|
---|
| 267 | char command[64];
|
---|
| 268 | char * p;
|
---|
| 269 |
|
---|
| 270 | if (flag != 0)
|
---|
| 271 | return -1;
|
---|
| 272 |
|
---|
| 273 | if (actl_pnum >= 0)
|
---|
| 274 | return actl_pnum;
|
---|
| 275 |
|
---|
| 276 | for (i = 0; i < 4; ++i)
|
---|
| 277 | {
|
---|
[295] | 278 | if (0 == access(_(actl_paths[i]), F_OK))/* flawfinder: ignore */
|
---|
[294] | 279 | {
|
---|
[295] | 280 | if (0 == access(_(actl_paths[i]), X_OK))/* flawfinder: ignore */
|
---|
[294] | 281 | {
|
---|
| 282 | actl_pnum = i;
|
---|
| 283 | break;
|
---|
| 284 | }
|
---|
| 285 | else
|
---|
| 286 | {
|
---|
| 287 | char ebuf[SH_ERRBUF_SIZE];
|
---|
| 288 | int errnum = errno;
|
---|
| 289 |
|
---|
| 290 | sl_snprintf(ebuf, sizeof(ebuf),
|
---|
| 291 | _("Cannot execute auditctl - %s\n"),
|
---|
| 292 | strerror(errnum));
|
---|
| 293 | sh_error_handle (SH_ERR_ERR, FIL__, __LINE__,
|
---|
| 294 | errnum, MSG_E_SUBGEN,
|
---|
| 295 | ebuf,
|
---|
| 296 | _("sh_audit_checkdaemon") );
|
---|
| 297 | flag = 1;
|
---|
| 298 | actl_pnum = -1;
|
---|
| 299 | return -1;
|
---|
| 300 | }
|
---|
| 301 | }
|
---|
| 302 | }
|
---|
| 303 |
|
---|
| 304 | if (actl_pnum == -1 && flag == 0)
|
---|
| 305 | {
|
---|
| 306 | char ebuf[SH_ERRBUF_SIZE];
|
---|
| 307 | int errnum = errno;
|
---|
| 308 |
|
---|
| 309 | sl_snprintf(ebuf, sizeof(ebuf),
|
---|
| 310 | _("Cannot find auditctl - %s\n"),
|
---|
| 311 | strerror(errnum));
|
---|
| 312 | sh_error_handle (SH_ERR_ERR, FIL__, __LINE__,
|
---|
| 313 | errnum, MSG_E_SUBGEN,
|
---|
| 314 | ebuf,
|
---|
| 315 | _("sh_audit_checkdaemon") );
|
---|
| 316 | flag = 1;
|
---|
| 317 | actl_pnum = -1;
|
---|
| 318 | return -1;
|
---|
| 319 | }
|
---|
| 320 |
|
---|
| 321 | /* We found an executable auditctl */
|
---|
| 322 |
|
---|
| 323 | sl_snprintf(command, sizeof(command), _("%s -s"), _(actl_paths[actl_pnum]));
|
---|
| 324 | sh_error_handle (SH_ERR_ALL, FIL__, __LINE__,
|
---|
| 325 | 0, MSG_E_SUBGEN,
|
---|
| 326 | command,
|
---|
| 327 | _("sh_audit_checkdaemon") );
|
---|
| 328 | p = sh_ext_popen_str (command);
|
---|
| 329 |
|
---|
| 330 | if (p)
|
---|
| 331 | {
|
---|
| 332 | int retval = -1;
|
---|
| 333 | if (strstr(p, _(" pid=0 ")))
|
---|
| 334 | {
|
---|
| 335 | sh_error_handle (SH_ERR_ERR, FIL__, __LINE__,
|
---|
| 336 | 0, MSG_E_SUBGEN,
|
---|
| 337 | _("Audit daemon for Linux kernel audit system is not running"),
|
---|
| 338 | _("sh_audit_checkdaemon") );
|
---|
| 339 | flag = 1;
|
---|
| 340 | actl_pnum = -1;
|
---|
| 341 | }
|
---|
| 342 | else
|
---|
| 343 | {
|
---|
| 344 | retval = actl_pnum;
|
---|
| 345 | sh_error_handle (SH_ERR_ALL, FIL__, __LINE__,
|
---|
| 346 | retval, MSG_E_SUBGEN,
|
---|
| 347 | _("Audit daemon is running"),
|
---|
| 348 | _("sh_audit_checkdaemon") );
|
---|
| 349 | }
|
---|
| 350 | SH_FREE(p);
|
---|
| 351 | return retval;
|
---|
| 352 | }
|
---|
| 353 |
|
---|
| 354 | sh_error_handle (SH_ERR_ERR, FIL__, __LINE__,
|
---|
| 355 | errno, MSG_E_SUBGEN,
|
---|
| 356 | _("No output from auditctl -s"),
|
---|
| 357 | _("sh_audit_checkdaemon") );
|
---|
| 358 | flag = 1;
|
---|
| 359 | actl_pnum = -1;
|
---|
| 360 | return -1;
|
---|
| 361 | }
|
---|
| 362 |
|
---|
| 363 | /* HAVE_AUPARSE_H */
|
---|
| 364 | #else
|
---|
| 365 | char * sh_audit_fetch (char * file, time_t time, char * result, size_t rsize)
|
---|
| 366 | {
|
---|
| 367 | (void) file;
|
---|
| 368 | (void) time;
|
---|
| 369 | (void) result;
|
---|
| 370 | (void) rsize;
|
---|
| 371 |
|
---|
| 372 | return 0;
|
---|
| 373 | }
|
---|
[373] | 374 | void sh_audit_mark (const char * file)
|
---|
[294] | 375 | {
|
---|
| 376 | (void) file;
|
---|
| 377 | return;
|
---|
| 378 | }
|
---|
| 379 | void sh_audit_delete_all ()
|
---|
| 380 | {
|
---|
| 381 | return;
|
---|
| 382 | }
|
---|
| 383 | #endif
|
---|
| 384 |
|
---|
| 385 | /* client || standalone */
|
---|
| 386 | #endif
|
---|
| 387 |
|
---|