Context Navigation

source: trunk/src/sh_audit.c@ 519

Last change on this file since 519 was 516, checked in by katerina, 8 years ago
Fix for ticket #409 and #410 (unprivileged suidcheck and gcc 6.2 compiler warnings).
File size: 15.2 KB

Line
1	/* SAMHAIN file system integrity testing */
2	/* Copyright (C) 2010 Rainer Wichmann */
3	/* */
4	/* This program is free software; you can redistribute it */
5	/* and/or modify */
6	/* it under the terms of the GNU General Public License as */
7	/* published by */
8	/* the Free Software Foundation; either version 2 of the License, or */
9	/* (at your option) any later version. */
10	/* */
11	/* This program is distributed in the hope that it will be useful, */
12	/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13	/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14	/* GNU General Public License for more details. */
15	/* */
16	/* You should have received a copy of the GNU General Public License */
17	/* along with this program; if not, write to the Free Software */
18	/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20	#include "config_xor.h"
21
22	#if defined(SH_WITH_CLIENT) \|\| defined(SH_STANDALONE)
23
24
25	#include <stdio.h>
26	#include <stdlib.h>
27	#include <string.h>
28	#include <errno.h>
29	#include <unistd.h>
30	#include <fcntl.h>
31	#include <sys/stat.h>
32
33	#include "samhain.h"
34	#include "sh_error.h"
35
36	#undef FIL__
37	#define FIL__ _("sh_audit.c")
38
39	#if !defined(SH_COMPILE_STATIC) && defined(__linux__) && defined(HAVE_AUPARSE_H) && defined(HAVE_AUPARSE_LIB)
40	#include <auparse.h>
41
42	#include "sh_extern.h"
43	#include "sh_utils.h"
44
45
46	#define REC_SIZE_SYSCALL 32
47	#define REC_SIZE_EXE 64
48	#define REC_SIZE_SUCCESS 32
49
50	struct recordState {
51	char syscall[REC_SIZE_SYSCALL];
52	char exe[REC_SIZE_EXE];
53	char success[REC_SIZE_SUCCESS];
54	unsigned int auid;
55	unsigned int uid;
56	unsigned int gid;
57	unsigned int euid;
58	unsigned int egid;
59	unsigned int fsuid;
60	unsigned int fsgid;
61	time_t time;
62	unsigned int milli;
63	};
64
65	static int listRecords (auparse_state_t * au, struct recordState * state)
66	{
67	if (auparse_first_record(au) != 1)
68	return -1;
69
70	state->time = auparse_get_time(au);
71	state->milli = auparse_get_milli(au);
72
73	if (auparse_find_field(au, _("syscall")))
74	sl_strlcpy(state->syscall, auparse_interpret_field(au), REC_SIZE_SYSCALL);
75
76	if (auparse_find_field(au, _("success")))
77	strncpy(state->success, auparse_interpret_field(au), REC_SIZE_SUCCESS);
78
79	if (auparse_find_field(au, "uid"))
80	state->uid = auparse_get_field_int(au);
81	if (auparse_find_field(au, "gid"))
82	state->gid = auparse_get_field_int(au);
83
84	if (auparse_find_field(au, _("euid")))
85	state->euid = auparse_get_field_int(au);
86	if (auparse_find_field(au, _("fsuid")))
87	state->fsuid = auparse_get_field_int(au);
88
89	auparse_first_field(au);
90
91	if (auparse_find_field(au, _("auid")))
92	state->auid = auparse_get_field_int(au);
93
94	auparse_first_field(au);
95
96	if (auparse_find_field(au, _("egid")))
97	state->egid = auparse_get_field_int(au);
98	if (auparse_find_field(au, _("fsgid")))
99	state->fsgid = auparse_get_field_int(au);
100
101	auparse_first_field(au);
102
103	if (auparse_find_field(au, "exe"))
104	sl_strlcpy(state->exe, auparse_interpret_field(au), REC_SIZE_EXE);
105
106	return 0;
107	}
108
109	static char * doAuparse (const char * file, time_t time, int tol, char * result, size_t rsize, int redo_flag)
110	{
111	struct recordState state;
112	struct recordState stateFetched;
113	unsigned int found_flag = 0;
114
115	auparse_state_t * au = auparse_init(AUSOURCE_LOGS, NULL);
116
117	if (!au)
118	{
119	char ebuf[SH_ERRBUF_SIZE];
120	int errnum = errno;
121
122	sl_snprintf(ebuf, sizeof(ebuf), _("Error in auparse_init() - %s\n"),
123	strerror(errnum));
124	sh_error_handle (SH_ERR_ERR, FIL__, __LINE__, errnum, MSG_E_SUBGEN,
125	ebuf,
126	_("doAuparse") );
127	return NULL;
128	}
129
130	if (ausearch_add_interpreted_item(au, _("name"), "=", file,
131	AUSEARCH_RULE_CLEAR) != 0)
132	{
133	goto err;
134	}
135
136	if (time != 0)
137	{
138	ausearch_add_timestamp_item(au, ">=", time-tol, 0, AUSEARCH_RULE_AND);
139	ausearch_add_timestamp_item(au, "<=", time+tol, 0, AUSEARCH_RULE_AND);
140	}
141
142	if (ausearch_set_stop(au, AUSEARCH_STOP_RECORD) != 0)
143	{
144	sh_error_handle (SH_ERR_ERR, FIL__, __LINE__, 0, MSG_E_SUBGEN,
145	_("Error in ausearch_set_stop\n"),
146	_("doAuparse") );
147	goto err;
148	}
149
150	memset(&state, '\0', sizeof(state));
151
152	while (ausearch_next_event(au) == 1)
153	{
154	memset(&stateFetched, '\0', sizeof(state));
155	listRecords(au, &stateFetched);
156	if (0 == strcmp(stateFetched.success, "yes"))
157	{
158	memcpy(&state, &stateFetched, sizeof(state));
159	++found_flag;
160	}
161	auparse_next_event(au);
162	}
163
164	if (found_flag == 0 && redo_flag == S_FALSE)
165	{
166	size_t len = strlen(file);
167	char * path = SH_ALLOC(len + 2);
168	char * altres;
169
170	sl_strlcpy(path, file, len+2);
171	path[len] = '/'; path[len+1] = '\0';
172	auparse_destroy(au);
173
174	altres = doAuparse(path, time, tol, result, rsize, S_TRUE);
175
176	SH_FREE(path);
177	return altres;
178	}
179
180	if (0 == strcmp(state.success, "yes"))
181	{
182	char time_str[81];
183	char * tmp_exe = sh_util_safe_name(state.exe);
184
185	(void) sh_unix_gmttime (state.time, time_str, sizeof(time_str));
186	sl_snprintf(result, rsize,
187	_("time=%lu.%u, timestamp=%s, syscall=%s, auid=%u, uid=%u, gid=%u, euid=%u, egid=%u, fsuid=%u, fsgid=%u, exe=%s"),
188	(unsigned long) state.time, state.milli, time_str,
189	state.syscall,
190	state.auid, state.uid, state.gid, state.euid, state.egid,
191	state.fsuid, state.fsgid, tmp_exe);
192	SH_FREE(tmp_exe);
193	auparse_destroy(au);
194	return result;
195	}
196
197	err:
198	auparse_destroy(au);
199	return NULL;
200	}
201
202	#define SH_AUDIT_DEF "wa"
203	static char sh_audit_flags[32] = SH_AUDIT_DEF;
204
205	int sh_audit_set_flags(const char * str)
206	{
207	if (!str \|\| strlen(str) >= sizeof(sh_audit_flags))
208	return -1;
209	sl_strlcpy(sh_audit_flags, str, sizeof(sh_audit_flags));
210	return 0;
211	}
212	static void reset_audit_flags()
213	{
214	sl_strlcpy(sh_audit_flags, SH_AUDIT_DEF, sizeof(sh_audit_flags));
215	return;
216	}
217
218
219	static int sh_audit_checkdaemon();
220	static int actl_pnum = -1;
221	static char * actl_paths[4] =
222	{
223	N_("/sbin/auditctl"),
224	N_("/usr/sbin/auditctl"),
225	N_("/bin/auditctl"),
226	N_("/usr/bin/auditctl")
227	};
228
229	static char * getflags (char * file);
230
231	/* Public function to fetch an audit record for path 'file', time 'time'
232	* The 'result' array should be sized ~256 char.
233	*/
234	char * sh_audit_fetch (char * file, time_t mtime, time_t ctime, time_t atime, char * result, size_t rsize)
235	{
236	char * res = NULL;
237	char * flags = getflags(file);
238
239	if (sh_audit_checkdaemon() >= 0)
240	{
241	time_t new;
242
243	if (flags && (strchr(flags, 'r') \|\| strchr(flags, 'x')) && atime >= ctime && atime >= mtime) { new = atime; }
244	else if (mtime >= ctime) { new = mtime; }
245	else { new = ctime; }
246
247	res = doAuparse (file, new, 1, result, rsize, S_FALSE);
248
249	if (!res)
250	{
251	res = doAuparse (file, new, 3, result, rsize, S_FALSE);
252	}
253
254	}
255	return res;
256	}
257
258	void sh_audit_delete_all ()
259	{
260	int p = sh_audit_checkdaemon();
261
262	if (p >= 0)
263	{
264	char ctl[64];
265
266	sl_snprintf(ctl, sizeof(ctl), _("%s -D -k samhain"),
267	_(actl_paths[p]));
268	sh_error_handle (SH_ERR_ALL, FIL__, __LINE__,
269	0, MSG_E_SUBGEN,
270	_("Deleting audit daemon rules with key samhain"),
271	_("sh_audit_delete_all") );
272
273	sl_strlcpy(ctl, _(actl_paths[p]), sizeof(ctl));
274	sh_ext_system(ctl, ctl, "-D", "-k", _("samhain"), NULL);
275	}
276	reset_audit_flags();
277	return;
278	}
279
280	static int sh_audit_isdir(const char * file)
281	{
282	struct stat buf;
283
284	if ( (0 == lstat (file, &buf)) && S_ISDIR(buf.st_mode))
285	return S_TRUE;
286	return S_FALSE;
287	}
288
289	static void sh_audit_mark_int (const char * file, const char * flags)
290	{
291	static int flushRules = 0;
292
293	int p = sh_audit_checkdaemon();
294
295	/* Flush all rules at startup.
296	*/
297	if (flushRules == 0)
298	{
299	sh_audit_delete_all ();
300	flushRules = 1;
301	}
302
303	if (p >= 0)
304	{
305	size_t len = strlen(file) + 64;
306	char * command = SH_ALLOC(len);
307	char * safe;
308	char ctl[64];
309	char a1[32];
310	char a2[32];
311	char a3[32];
312	char a4[32];
313
314	sl_snprintf(command, len, _("%s -w %s -p %s -k samhain"),
315	_(actl_paths[p]), file, flags);
316
317	safe = sh_util_safe_name_keepspace(command);
318	sh_error_handle (SH_ERR_ALL, FIL__, __LINE__,
319	0, MSG_E_SUBGEN,
320	safe,
321	_("sh_audit_mark") );
322
323	SH_FREE(safe);
324
325	sl_strlcpy(ctl, _(actl_paths[p]), sizeof(ctl));
326	sl_strlcpy(command, file, len);
327
328	sl_strlcpy(a3, _("samhain"), sizeof(a3));
329	sl_strlcpy(a4, flags, sizeof(a4));
330	sh_ext_system(ctl, ctl, "-w", command, "-p", a4, "-k", a3, NULL);
331
332	/* Placing a watch on a directory will not place a watch on the
333	* directory inode, so we do this explicitely.
334	*/
335	if (S_TRUE == sh_audit_isdir(file))
336	{
337	safe = sh_util_safe_name(file);
338	sh_error_handle (SH_ERR_ALL, FIL__, __LINE__,
339	0, MSG_E_SUBGPATH,
340	_("Add path watch for directory"),
341	_("sh_audit_mark_int"), safe );
342	SH_FREE(safe);
343	sl_strlcpy(command, _("path="), len);
344	sl_strlcat(command, file, len);
345	sl_strlcpy(a1, _("always,exit"), sizeof(a1));
346	sl_strlcpy(a2, _("perm="), sizeof(a2));
347	sl_strlcat(a2, flags, sizeof(a2));
348	sh_ext_system(ctl, ctl, "-a", a1, "-F", command, "-F", a2, "-k", a3, NULL);
349	}
350	SH_FREE(command);
351	}
352	return;
353	}
354
355	#define SH_AU_FLAGS_SIZ 32
356	struct aud_list {
357	char * file;
358	char flags[SH_AU_FLAGS_SIZ];
359	struct aud_list * next;
360	};
361
362	struct aud_list * mark_these = NULL;
363	static int marked_committed = 0;
364
365	static void delete_listofmarked()
366	{
367	struct aud_list * tmp;
368	struct aud_list * this = mark_these;
369
370	mark_these = NULL;
371
372	while (this)
373	{
374	tmp = this;
375	this = this->next;
376
377	SH_FREE(tmp->file);
378	SH_FREE(tmp);
379	}
380	marked_committed = 0;
381	}
382
383	static char * getflags (char * file)
384	{
385	struct aud_list * this = mark_these;
386
387	while (this)
388	{
389	if (0 == strcmp(file, this->file))
390	return this->flags;
391	this = this->next;
392	}
393	/* no explicit rule for this file */
394	return NULL;
395	}
396
397	static void add_this (char * file)
398	{
399	struct aud_list * this = SH_ALLOC(sizeof(struct aud_list));
400	size_t len = strlen(file);
401
402	this->file = sh_util_strdup(file);
403
404	/* strip trailing '/' */
405	if ((len > 1) && (file[len-1] == '/'))
406	this->file[len-1] = '\0';
407
408	sl_strlcpy(this->flags, sh_audit_flags, SH_AU_FLAGS_SIZ);
409
410	this->next = mark_these;
411	mark_these = this;
412	return;
413	}
414
415	/* Check whether it is already covered by a higher directory
416	*/
417	static int test_exchange (struct aud_list * this, const char * file)
418	{
419	size_t len0 = sl_strlen(this->file);
420	size_t len1 = sl_strlen(file);
421	int ret = -1;
422
423	if (!file \|\| !this \|\| !this->file)
424	return 0;
425
426	if (len0 == len1)
427	{
428	return strcmp(this->file, file);
429	}
430	else
431	{
432	if (0 == strcmp(this->flags, sh_audit_flags))
433	{
434	char * s0 = SH_ALLOC(len0 + 2);
435	char * s1 = SH_ALLOC(len1 + 2);
436
437	sl_strlcpy(s0, this->file, len0 + 2);
438	sl_strlcpy(s1, file, len1 + 2);
439
440	if (s0 < s1)
441	{
442	sl_strlcat(s0, "/", len0 + 2);
443	ret = strncmp(s0, s1, len0 + 1);
444	}
445	else
446	{
447	sl_strlcat(s1, "/", len1 + 2);
448	if (0 == strncmp(s0, s1, len1 + 1))
449	{
450	size_t len = strlen(file);
451	SH_FREE(this->file);
452	this->file = sh_util_strdup(file);
453	if ((len > 1) && (file[len-1] == '/'))
454	this->file[len-1] = '\0';
455	ret = 0;
456	}
457	}
458	SH_FREE(s0);
459	SH_FREE(s1);
460	}
461	}
462
463	return ret;
464	}
465
466	/* Place a path on the list of of paths to be watched
467	*/
468	void sh_audit_mark (char * file)
469	{
470	struct aud_list * this;
471
472	if (marked_committed != 0)
473	delete_listofmarked();
474
475	if (!mark_these) {
476	add_this (file);
477	return;
478	}
479
480	this = mark_these;
481
482	while (this)
483	{
484	/* Check whether it is already covered by a higher
485	* directory
486	*/
487	if (0 == test_exchange(this, file))
488	return;
489
490	this = this->next;
491	}
492
493	add_this (file);
494	return;
495	}
496
497	void sh_audit_commit ()
498	{
499	struct aud_list * this = mark_these;
500
501	while (this)
502	{
503	sh_audit_mark_int (this->file, this->flags);
504	this = this->next;
505	}
506	marked_committed = 1;
507	}
508
509	static int sh_audit_checkdaemon()
510	{
511	int i;
512	static int flag = 0;
513	char command[64];
514	char * p;
515
516	if (flag != 0)
517	return -1;
518
519	if (actl_pnum >= 0)
520	return actl_pnum;
521
522	for (i = 0; i < 4; ++i)
523	{
524	if (0 == access(_(actl_paths[i]), F_OK))/* flawfinder: ignore */
525	{
526	if (0 == access(_(actl_paths[i]), X_OK))/* flawfinder: ignore */
527	{
528	actl_pnum = i;
529	break;
530	}
531	else
532	{
533	char ebuf[SH_ERRBUF_SIZE];
534	int errnum = errno;
535
536	sl_snprintf(ebuf, sizeof(ebuf),
537	_("Cannot execute auditctl - %s\n"),
538	strerror(errnum));
539	sh_error_handle (SH_ERR_ERR, FIL__, __LINE__,
540	errnum, MSG_E_SUBGEN,
541	ebuf,
542	_("sh_audit_checkdaemon") );
543	flag = 1;
544	actl_pnum = -1;
545	return -1;
546	}
547	}
548	}
549
550	if (actl_pnum == -1 && flag == 0)
551	{
552	char ebuf[SH_ERRBUF_SIZE];
553	int errnum = errno;
554
555	sl_snprintf(ebuf, sizeof(ebuf),
556	_("Cannot find auditctl - %s\n"),
557	strerror(errnum));
558	sh_error_handle (SH_ERR_ERR, FIL__, __LINE__,
559	errnum, MSG_E_SUBGEN,
560	ebuf,
561	_("sh_audit_checkdaemon") );
562	flag = 1;
563	actl_pnum = -1;
564	return -1;
565	}
566
567	/* We found an executable auditctl */
568
569	sl_snprintf(command, sizeof(command), _("%s -s"), _(actl_paths[actl_pnum]));
570	sh_error_handle (SH_ERR_ALL, FIL__, __LINE__,
571	0, MSG_E_SUBGEN,
572	command,
573	_("sh_audit_checkdaemon") );
574	p = sh_ext_popen_str (command);
575
576	if (p)
577	{
578	int retval = -1;
579	if (strstr(p, _(" pid=0 ")))
580	{
581	sh_error_handle (SH_ERR_ERR, FIL__, __LINE__,
582	0, MSG_E_SUBGEN,
583	_("Audit daemon for Linux kernel audit system is not running"),
584	_("sh_audit_checkdaemon") );
585	flag = 1;
586	actl_pnum = -1;
587	}
588	else
589	{
590	retval = actl_pnum;
591	sh_error_handle (SH_ERR_ALL, FIL__, __LINE__,
592	retval, MSG_E_SUBGEN,
593	_("Audit daemon is running"),
594	_("sh_audit_checkdaemon") );
595	}
596	SH_FREE(p);
597	return retval;
598	}
599
600	sh_error_handle (SH_ERR_ERR, FIL__, __LINE__,
601	errno, MSG_E_SUBGEN,
602	_("No output from auditctl -s"),
603	_("sh_audit_checkdaemon") );
604	flag = 1;
605	actl_pnum = -1;
606	return -1;
607	}
608
609	/* HAVE_AUPARSE_H */
610	#else
611	char * sh_audit_fetch (char * file, time_t mtime, time_t ctime, time_t atime, char * result, size_t rsize)
612	{
613	(void) file;
614	(void) mtime;
615	(void) ctime;
616	(void) atime;
617	(void) result;
618	(void) rsize;
619
620	return 0;
621	}
622	void sh_audit_mark (const char * file)
623	{
624	(void) file;
625	sh_error_handle(SH_ERR_WARN, FIL__, __LINE__, 0, MSG_E_SUBGEN,
626	_("Setting audit watch not supported"),
627	_("sh_audit_mark"));
628	return;
629	}
630	void sh_audit_delete_all ()
631	{
632	return;
633	}
634	void sh_audit_commit ()
635	{
636	return;
637	}
638	int sh_audit_set_flags(const char * str)
639	{
640	(void) str;
641	return -1;
642	}
643	#endif
644
645	/* client \|\| standalone */
646	#endif
647

Note: See TracBrowser for help on using the repository browser.

Download in other formats: