source: trunk/src/sh_prelude.c@ 209

Last change on this file since 209 was 206, checked in by katerina, 16 years ago

Fix for ticket #133 (improve port checking and its reporting to prelude).

File size: 40.8 KB
RevLine 
[1]1/*
2 *
3 * Copyright (C) 2005 Yoann Vandoorselaere, Prelude IDS Technologies
4 * Rainer Wichmann
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2, or (at your option)
9 * any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; see the file COPYING. If not, write to
18 * the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
19 *
20 */
21
22/*
23 * 28/04/2005 : R.W.:
24 * move libprelude 0.8 code to seperate file
25 *
26 * 23/04/2005 : R.W.:
27 * include libprelude 0.9 code from Yoann Vandoorselaere
28 */
[36]29
30
31/*
32 * for strptime()
33 */
34#define _GNU_SOURCE 1
35
[1]36#include "config_xor.h"
37
38#include <stdio.h>
39#include <string.h>
40#include <sys/types.h>
41
42#if TIME_WITH_SYS_TIME
43
44# include <sys/time.h>
45# include <time.h>
46
47#else
48
49# if HAVE_SYS_TIME_H
50# include <sys/time.h>
51# else
52# include <time.h>
53# endif
54
55#endif
56
57#include <unistd.h>
58#include <syslog.h>
59#include <pwd.h>
60
[20]61int sh_argc_store;
62char ** sh_argv_store;
63
[181]64#if defined(HAVE_LIBPRELUDE)
[1]65
66
67/*
68 * _() macros are samhain specific; they are used to replace string
69 * constants at runtime. This is part of the samhain stealth mode
70 * (fill string constants with encoded strings, decode at runtime).
71 */
72#define FIL__ _("sh_prelude.c")
73
74
75#include <libprelude/idmef.h>
76#include <libprelude/prelude.h>
77
78/*
79 * includes for samhain-specific functions (sl_strstr, sh_error_handle)
80 */
[108]81#include "samhain.h"
[1]82#include "sh_cat.h"
83#include "sh_error_min.h"
84#include "sh_prelude.h"
[131]85#define SH_NEED_PWD_GRP 1
86#include "sh_static.h"
[169]87char * sh_util_strdup (const char * str) SH_GNUC_MALLOC;
[1]88/*
89 * When SH_USE_XML is set, value are formated using name="value".
90 * Otherwise, value is formatted using the format name=<value>.
91 */
92#ifdef SH_USE_XML
93# define VALUE_DELIM_START '"'
94# define VALUE_DELIM_END '"'
95#else
96# define VALUE_DELIM_START '<'
97# define VALUE_DELIM_END '>'
98#endif
99
100#define IDMEF_ANALYZER_MODEL _("Samhain")
101#define IDMEF_ANALYZER_CLASS _("Integrity Checker")
102#define IDMEF_ANALYZER_VERSION VERSION
[106]103#define IDMEF_ANALYZER_MANUFACTURER _("http://www.la-samhna.de/samhain/")
[1]104
105
106
107/*
108 * 0 = not initialized; -1 = failed; 1 = initialized
109 */
110static int initialized = 0;
111static int ready_for_init = 0;
112
113static char *profile = NULL;
114static prelude_client_t *client = NULL;
115
116static int severity_map[1 + (unsigned int) IDMEF_IMPACT_SEVERITY_HIGH] = {
117 /* 0: unused (?) */ 0,
118 /* 1: INFO */ 0,
119 /* 2: LOW */ SH_ERR_ALL|SH_ERR_INFO,
120 /* 3: MEDIUM */ SH_ERR_NOTICE|SH_ERR_WARN|SH_ERR_STAMP|SH_ERR_ERR,
121 /* 4: HIGH */ SH_ERR_SEVERE|SH_ERR_FATAL
122};
123
124/* returns 0/tiger, 1/sha1, or 2/md5
125 */
126extern int sh_tiger_get_hashtype(void);
127
128static void clear_and_set (int setpos, int flag)
129{
130 unsigned int i;
131 /* clear everywhere, and set at correct position */
132 for (i = 1; i < (1 + (unsigned int) IDMEF_IMPACT_SEVERITY_HIGH); ++i)
133 severity_map[i] &= ~flag;
134 severity_map[setpos] |= flag;
135 return;
136}
137
[22]138static int set_prelude_severity_int (const char * str, int prelude_sev)
[1]139{
[22]140 char * p;
141 char * dup = strdup (str);
[131]142#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
143 char * saveptr;
144#endif
[1]145
[26]146 if (!dup)
147 return -1;
148
[131]149#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
150 p = strtok_r (dup, ", \t", &saveptr);
151#else
[22]152 p = strtok (dup, ", \t");
[131]153#endif
[1]154 if (p) {
155 do {
156 if (0 == strcmp (p, _("alert")))
157 clear_and_set (prelude_sev, SH_ERR_FATAL);
158 else if (0 == strcmp (p, _("crit")))
159 clear_and_set (prelude_sev, SH_ERR_SEVERE);
160 else if (0 == strcmp (p, _("err")))
161 clear_and_set (prelude_sev, SH_ERR_ERR);
162 else if (0 == strcmp (p, _("mark")))
163 clear_and_set (prelude_sev, SH_ERR_STAMP);
164 else if (0 == strcmp (p, _("warn")))
165 clear_and_set (prelude_sev, SH_ERR_WARN);
166 else if (0 == strcmp (p, _("notice")))
167 clear_and_set (prelude_sev, SH_ERR_NOTICE);
168 else if (0 == strcmp (p, _("debug")))
169 clear_and_set (prelude_sev, SH_ERR_ALL);
170 else if (0 == strcmp (p, _("info")))
171 clear_and_set (prelude_sev, SH_ERR_INFO);
[26]172 else {
173 free (dup);
[1]174 return -1;
[26]175 }
[131]176#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
177 p = strtok_r (NULL, ", \t", &saveptr);
178#else
[1]179 p = strtok (NULL, ", \t");
[131]180#endif
[1]181 } while (p);
182 }
[22]183 free(dup);
[1]184 return 0;
185}
186
[22]187int sh_prelude_map_info (const char * str)
[1]188{
189 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_INFO));
190}
[22]191int sh_prelude_map_low (const char * str)
[1]192{
193 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_LOW));
194}
[22]195int sh_prelude_map_medium (const char * str)
[1]196{
197 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_MEDIUM));
198}
[22]199int sh_prelude_map_high (const char * str)
[1]200{
201 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_HIGH));
202}
203
204static idmef_impact_severity_t map_severity (int sam_sev)
205{
206 int i;
207 int max = 1 + (unsigned int) IDMEF_IMPACT_SEVERITY_HIGH;
208 idmef_impact_severity_t retval = IDMEF_IMPACT_SEVERITY_MEDIUM;
209
210 for (i = 0; i < max; ++i) {
211 if (severity_map[i] & sam_sev) {
212 retval = (idmef_impact_severity_t) i;
213 }
214 }
215 return retval;
216}
217
218static char *do_get_value(char *ptr, char delim_start, char delim_end)
219{
220 char *ret = NULL;
221
222 ptr = strchr(ptr, delim_start);
223 if ( ! ptr )
224 return NULL;
225
226 ret = ++ptr;
227
228 ptr = strchr(ptr, delim_end);
229 if ( ! ptr )
230 return NULL;
231
232 *ptr = '\0';
233 ret = strdup(ret);
234 *ptr = delim_end;
235
236 return ret;
237}
238
239
240
241static char *get_value(char *msg, const char *toktmp, const char *toksuffix)
242{
243 char *ptr, tok[128];
244
245 snprintf(tok, sizeof(tok), "%s%s=", toktmp, (toksuffix) ? toksuffix : "");
246
247 ptr = strstr(msg, tok);
248 if ( ! ptr )
249 return NULL;
250
251 return do_get_value(ptr, VALUE_DELIM_START, VALUE_DELIM_END);
252}
253
254
255
256static char *get_time_value(char *msg, const char *toktmp, const char *toksuffix)
257{
258
259 char *ret, *ptr, tok[128];
260
261 snprintf(tok, sizeof(tok), "%s%s=", toktmp, (toksuffix) ? toksuffix : "");
262
263 ptr = strstr(msg, tok);
264 if ( ! ptr )
265 return NULL;
266
267#ifndef SH_USE_XML
268 ret = do_get_value(ptr, '[', ']');
269#else
270 ret = do_get_value(ptr, VALUE_DELIM_START, VALUE_DELIM_END);
271#endif
272
273 return ret;
274}
275
276
277
278
279#if 0
280void debug_print_message(idmef_message_t *msg)
281{
282 int ret;
283 prelude_io_t *fd;
284
285 ret = prelude_io_new(&fd);
286 if ( ret < 0 )
287 return;
288
289 prelude_io_set_file_io(fd, stderr);
290 idmef_message_print(idmef, fd);
291
292 prelude_io_destroy(fd);
293}
294#endif
295
296
297
298static int idmef_time_from_samhain(idmef_time_t **time, const char *str)
299{
300 int ret;
301 char *ptr;
302 time_t utc;
303 struct tm lt;
304
305 /*
306 * Samhain stamp are encoded in UTC.
307 */
308 ptr = strptime(str, _("%Y-%m-%dT%H:%M:%S"), &lt);
309 if ( ! ptr ) {
310 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
311 _("could not format Samhain time"), _("idmef_time_from_samhain"));
312 return -1;
313 }
314
315 utc = prelude_timegm(&lt);
316
317 ret = idmef_time_new_from_time(time, &utc);
318 if ( ret < 0 )
319 return ret;
320
321 return 0;
322}
323
[22]324/* flawfinder: ignore *//* is part of name, not access() */
[1]325static void get_access_info(idmef_file_access_t *access, char * mode, int pos, int mpos)
326{
327 int got = 0;
328 int ret;
329 prelude_string_t *str;
330
331 do {
332 if ( mode[pos] == 'r' ) {
[22]333 /* flawfinder: ignore *//* is part of name, not access() */
[26]334 ret = idmef_file_access_new_permission(access, &str, IDMEF_LIST_APPEND);
[1]335 if ( ret < 0 )
336 return;
337 prelude_string_set_dup(str, _("read"));
338 ++got;
339 }
340 else if ( mode[pos] == 'w' ) {
[22]341 /* flawfinder: ignore *//* is part of name, not access() */
[26]342 ret = idmef_file_access_new_permission(access, &str, IDMEF_LIST_APPEND);
[1]343 if ( ret < 0 )
344 return;
345 prelude_string_set_dup(str, _("write"));
346 ++got;
347 }
348 else if ( mode[pos] == 'x' || mode[pos] == 's' || mode[pos] == 't') {
[22]349 /* flawfinder: ignore *//* is part of name, not access() */
[26]350 ret = idmef_file_access_new_permission(access, &str, IDMEF_LIST_APPEND);
[1]351 if ( ret < 0 )
352 return;
353
354 if ( mode[pos] == 'x' && mode[0] == 'd' )
355 prelude_string_set_dup(str, _("search"));
356
357 else if ( mode[pos] == 'x' || mode[pos] == 't' )
358 prelude_string_set_dup(str, _("execute"));
359
360 else /* 's' */
361 prelude_string_set_dup(str, _("executeAs"));
362 ++got;
363 }
364 ++pos;
365 } while (pos <= mpos);
366
367 if ( got == 0 ) {
[22]368 /* flawfinder: ignore *//* is part of name, not access() */
[26]369 ret = idmef_file_access_new_permission(access, &str, IDMEF_LIST_APPEND);
[1]370 if ( ret < 0 )
371 return;
372 prelude_string_set_dup(str, _("noAccess"));
373 }
374 return;
375}
376
377
378static void get_file_infos(idmef_target_t *target, char *msg,
379 idmef_file_category_t category)
380{
381 int ret;
382 int hashtype = 0;
383 char *ptr;
384 idmef_time_t *time;
385 idmef_file_t *file;
386 idmef_inode_t *inode;
387 prelude_string_t *str;
388 idmef_checksum_t *checksum;
[22]389 idmef_file_access_t *access; /* flawfinder: ignore */
[1]390 idmef_user_id_t *userid;
391 const char *suffix = (category == IDMEF_FILE_CATEGORY_CURRENT) ? "_new" : "_old";
392 char *mode = NULL;
393
[26]394 ret = idmef_target_new_file(target, &file, IDMEF_LIST_APPEND);
[1]395 if ( ret < 0 )
396 return;
397 idmef_file_set_category(file, category);
398
399 ptr = get_value(msg, _("path"), NULL);
400 if ( ptr ) {
401 /*
402 * In term of IDMEF, this is the full path,
403 * including the name.
404 */
405 ret = idmef_file_new_path(file, &str);
[36]406 if ( ret < 0 ) {
407 free(ptr);
[1]408 return;
[36]409 }
[1]410 prelude_string_set_nodup(str, ptr);
411
412 ptr = strrchr(ptr, '/');
413 if ( ptr ) {
414 ret = idmef_file_new_name(file, &str);
[40]415 if ( ret == 0 ) {
416 prelude_string_set_dup(str, ptr + 1);
417 }
[1]418 }
419 }
420
421 ptr = get_value(msg, _("size"), suffix);
422 if ( ptr ) {
423 idmef_file_set_data_size(file, strtoul(ptr, NULL, 10));
424 free(ptr);
425 }
426
427 ptr = get_time_value(msg, _("mtime"), suffix);
428 if ( ptr ) {
429 ret = idmef_time_from_samhain(&time, ptr);
[40]430 if ( ret == 0 ) {
431 idmef_file_set_modify_time(file, time);
[36]432 }
[1]433 free(ptr);
434 }
435
436 ptr = get_time_value(msg, _("ctime"), suffix);
437 if ( ptr ) {
438 ret = idmef_time_from_samhain(&time, ptr);
[40]439 if ( ret == 0 ) {
440 idmef_file_set_create_time(file, time);
[36]441 }
[1]442 free(ptr);
443 }
444
445 ptr = get_value(msg, _("inode"), suffix);
446 if ( ptr ) {
447 ret = idmef_file_new_inode(file, &inode);
[40]448 if ( ret == 0 ) {
449 char * dev = get_value(msg, _("dev"), suffix);
450 if (dev) {
451 char * q = strchr(dev, ',');
452 if (*q) {
453 *q = '\0'; ++q;
454 idmef_inode_set_major_device(inode, strtoul(dev, NULL, 0));
455 idmef_inode_set_minor_device(inode, strtoul( q, NULL, 0));
456 }
457 free(dev);
458 }
459 idmef_inode_set_number(inode, strtoul(ptr, NULL, 10));
[36]460 }
[1]461 free(ptr);
462 }
463
464 ptr = get_value(msg, _("chksum"), suffix);
465 if ( ptr ) {
[26]466 ret = idmef_file_new_checksum(file, &checksum, IDMEF_LIST_APPEND);
[36]467 if ( ret < 0 ) {
[40]468 free(ptr);
469 goto get_mode;
[36]470 }
[1]471
472 hashtype = sh_tiger_get_hashtype();
473
474 if (hashtype == 0)
[40]475 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_TIGER);
[1]476
[40]477 else if (hashtype == 1)
478 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_SHA1);
479
480 else if (hashtype == 2)
481 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_MD5);
482
483 else
484 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_TIGER);
[1]485
486
[40]487 ret = idmef_checksum_new_value(checksum, &str);
488 if ( ret < 0 ) {
489 free(ptr);
490 goto get_mode;
[36]491 }
[1]492
493 /* will be freed on destroy()
494 */
[40]495 prelude_string_set_nodup(str, ptr);
496 }
[1]497
[40]498 get_mode:
499
[1]500 mode = get_value(msg, _("mode"), suffix);
501 if ( mode ) {
[22]502 /* flawfinder: ignore *//* is part of name, not access() */
[26]503 ret = idmef_file_new_file_access(file, &access, IDMEF_LIST_APPEND);
[1]504 if ( ret < 0 )
[40]505 goto get_owner;
[1]506
[22]507 /* flawfinder: ignore *//* is part of name, not access() */
[1]508 ret = idmef_file_access_new_user_id(access, &userid);
509 if ( ret < 0 )
[40]510 goto get_owner;
[1]511 idmef_user_id_set_type(userid, IDMEF_USER_ID_TYPE_OTHER_PRIVS);
512
[22]513 /* flawfinder: ignore *//* is part of name, not access() */
[1]514 get_access_info ( access, mode, 7, 9 );
515 }
[40]516
517 get_owner:
[1]518
519 ptr = get_value(msg, _("owner"), suffix);
520 if ( ptr ) {
[40]521 char * uid;
[1]522
[22]523 /* flawfinder: ignore *//* is part of name, not access() */
[26]524 ret = idmef_file_new_file_access(file, &access, IDMEF_LIST_APPEND);
[36]525 if ( ret < 0 ) {
526 free(ptr);
[40]527 goto get_group;
[36]528 }
[1]529
[22]530 /* flawfinder: ignore *//* is part of name, not access() */
[1]531 ret = idmef_file_access_new_user_id(access, &userid);
[36]532 if ( ret < 0 ) {
533 free(ptr);
[40]534 goto get_group;
[36]535 }
[1]536 idmef_user_id_set_type(userid, IDMEF_USER_ID_TYPE_USER_PRIVS);
537
538 ret = idmef_user_id_new_name(userid, &str);
[36]539 if ( ret < 0 ) {
540 free(ptr);
[40]541 goto get_group;
[36]542 }
[1]543 prelude_string_set_nodup(str, ptr);
544
[40]545 uid = get_value(msg, _("iowner"), suffix);
546 if ( ! uid )
547 goto get_group;
[1]548
[40]549 idmef_user_id_set_number(userid, strtoul(uid, NULL, 0));
[1]550
551 if ( mode ) {
[22]552 /* flawfinder: ignore *//* is part of name, not access() */
[1]553 get_access_info ( access, mode, 1, 3 );
554 }
[40]555
556 free(uid);
[1]557 }
558
[40]559 get_group:
560
[1]561 ptr = get_value(msg, _("group"), suffix);
562 if ( ptr ) {
[40]563 char *gid;
[1]564
[22]565 /* flawfinder: ignore *//* is part of name, not access() */
[26]566 ret = idmef_file_new_file_access(file, &access, IDMEF_LIST_APPEND);
[36]567 if ( ret < 0 ) {
568 free(ptr);
569 goto mode_free;
570 }
[1]571
[36]572 ret = idmef_file_access_new_user_id(access, &userid);/* flawfinder: ignore *//* is part of name, not access() */
573 if ( ret < 0 ) {
574 free(ptr);
575 goto mode_free;
576 }
577
[1]578 idmef_user_id_set_type(userid, IDMEF_USER_ID_TYPE_GROUP_PRIVS);
579
580 ret = idmef_user_id_new_name(userid, &str);
[36]581 if ( ret < 0 ) {
582 free(ptr);
583 goto mode_free;
584 }
[1]585
586 prelude_string_set_nodup(str, ptr);
587
[40]588 gid = get_value(msg, _("igroup"), suffix);
589 if ( ! gid )
[36]590 goto mode_free;
[1]591
[40]592 idmef_user_id_set_number(userid, strtoul(gid, NULL, 0));
[1]593
594 if ( mode ) {
[22]595 get_access_info ( access, mode, 4, 6 ); /* flawfinder: ignore */
[1]596 }
[40]597
598 free(gid);
[1]599 }
600
[36]601 mode_free:
602
[1]603 if ( mode ) {
604 free ( mode );
605 }
[36]606
607 return;
[1]608}
609
610
611
612static int map_policy_to_class(char *msg, unsigned long msgid, idmef_impact_t *impact, prelude_string_t *out)
613{
614 char *ptr;
615 int ret, i;
616 struct tbl {
617 unsigned int msgid;
618 const char *name;
619 idmef_impact_type_t type;
620 } tbl[] = {
621
622#ifdef SH_USE_UTMP
623 { MSG_UT_LG1X, N_("User Login"), IDMEF_IMPACT_TYPE_USER },
624 { MSG_UT_LG1A, N_("User Login"), IDMEF_IMPACT_TYPE_USER },
625 { MSG_UT_LG1B, N_("User Login"), IDMEF_IMPACT_TYPE_USER },
626 { MSG_UT_LG2X, N_("Multiple User Login"), IDMEF_IMPACT_TYPE_USER },
627 { MSG_UT_LG2A, N_("Multiple User Login"), IDMEF_IMPACT_TYPE_USER },
628 { MSG_UT_LG2B, N_("Multiple User Login"), IDMEF_IMPACT_TYPE_USER },
629 { MSG_UT_LG3X, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
630 { MSG_UT_LG3A, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
631 { MSG_UT_LG3B, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
632 { MSG_UT_LG3C, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
633#endif
634
635#if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
636 { MSG_FI_MISS, N_("File Missing"), IDMEF_IMPACT_TYPE_FILE },
637 { MSG_FI_MISS2, N_("File Missing"), IDMEF_IMPACT_TYPE_FILE },
638 { MSG_FI_ADD, N_("File Added"), IDMEF_IMPACT_TYPE_FILE },
639 { MSG_FI_ADD2, N_("File Added"), IDMEF_IMPACT_TYPE_FILE },
640 { MSG_FI_CHAN, N_("File Modified"), IDMEF_IMPACT_TYPE_FILE },
641 { MSG_FI_NODIR, N_("File found where directory was expected"), IDMEF_IMPACT_TYPE_FILE },
642#endif
643
644#ifdef SH_USE_KERN
645 { MSG_KERN_POLICY, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
646 { MSG_KERN_POL_CO, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
647 { MSG_KERN_PROC, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
648 { MSG_KERN_GATE, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
649 { MSG_KERN_IDT, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
650 { MSG_KERN_SYSCALL, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
651#endif
652
[169]653#ifdef SH_USE_PORTCHECK
654 { MSG_PORT_MISS, N_("Service closed"), IDMEF_IMPACT_TYPE_OTHER },
655 { MSG_PORT_NEW, N_("Service opened"), IDMEF_IMPACT_TYPE_OTHER },
656 { MSG_PORT_RESTART, N_("Service restarted"), IDMEF_IMPACT_TYPE_OTHER },
657 { MSG_PORT_NEWPORT, N_("Service restarted"), IDMEF_IMPACT_TYPE_OTHER },
658#endif
659
[1]660#ifdef SH_USE_SUIDCHK
661 { MSG_SUID_POLICY, N_("SUID/SGID File Detected"), IDMEF_IMPACT_TYPE_FILE },
662#endif
663 /*
664 * This must be the last table entry
665 */
666 { 0, NULL, IDMEF_IMPACT_TYPE_OTHER },
667 };
668
669 for ( i = 0; tbl[i].name != NULL; i++ ) {
670 if ( tbl[i].msgid != msgid )
671 continue;
672
673 idmef_impact_set_type(impact, tbl[i].type);
674 return prelude_string_cat(out, _(tbl[i].name));
675 }
676
677 /* some other message
678 */
679 ptr = get_value(msg, _("msg"), NULL);
680 if ( ! ptr ) {
681 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
682 _("could not format Samhain message"), _("map_policy_to_class"));
683 return -1;
684 }
685
686 ret = prelude_string_cat(out, ptr);
687 free(ptr);
688
689 return ret;
690}
691
692
[169]693#ifdef SH_USE_PORTCHECK
694static int get_service_info(char *msg, idmef_alert_t *alert)
695{
696 int ret;
697 long port;
[206]698 char *ptr, *new, *tmp, *ip, *srv, *protocol, *end;
[169]699 prelude_string_t *str;
700 idmef_address_t *address;
701 idmef_node_t *node;
[180]702 idmef_user_t *user;
703 idmef_process_t *process;
[169]704 idmef_service_t *service;
705 idmef_source_t *source = idmef_alert_get_next_source(alert, NULL);
[206]706 struct passwd *pw;
707#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
708 struct passwd pwd;
709 char buffer[SH_PWBUF_SIZE];
710#endif
[1]711
[169]712 new = sh_util_strdup(msg);
713
714 ptr = strstr(new, _("port: "));
715 if ( ! ptr ) {
716 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
717 _("malformed Samhain port check message"), _("get_service_info"));
718 SH_FREE( new );
719 return -1;
720 }
721
722 ptr += 6; /* skip 'port: ', position on first byte of interface */
723 tmp = strchr(ptr, ':');
724 if ( ! tmp ) {
725 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
726 _("malformed Samhain port check message (no port)"), _("get_service_info"));
727 SH_FREE( new );
728 return -1;
729 }
730 *tmp = '\0';
731
[170]732 /* Get interface
733 */
[169]734 ip = strdup(ptr);
735 if ( ip ) {
736 if ( ! source ) {
737 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
738 if ( ret < 0 ) {
739 free(ip);
740 SH_FREE( new );
741 return ret;
742 }
743 }
744
745 ret = idmef_source_new_node(source, &node);
746 if ( ret < 0 ) {
747 free(ip);
748 SH_FREE( new );
749 return ret;
750 }
751
752 ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
753 if ( ret < 0 ) {
754 free(ip);
755 SH_FREE( new );
756 return ret;
757 }
758
759 ret = idmef_address_new_address(address, &str);
760 if ( ret < 0 ) {
761 free(ip);
762 SH_FREE( new );
763 return ret;
764 }
765
766 prelude_string_set_nodup(str, ip);
767 }
768
769 ptr = tmp;
770 ++ptr;
771 tmp = strchr(ptr, '/');
772 if ( ! tmp ) {
773 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
774 _("malformed Samhain port check message (no protocol)"), _("get_service_info"));
775 SH_FREE( new );
776 return -1;
777 }
778 *tmp = '\0';
779
[170]780 /* Get port number
781 */
[169]782 port = strtol(ptr, &end, 0);
783 if ( *ptr && *end == '\0' && port >= 0 && port < 65536) {
784
[206]785 char * tmpw;
786
[169]787 if ( ! source ) {
788 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
789 if ( ret < 0 ) {
790 SH_FREE( new );
791 return ret;
792 }
793 }
794
795 ret = idmef_source_new_service(source, &service);
796 if ( ret < 0 ) {
797 SH_FREE( new );
798 return ret;
799 }
800
801 idmef_service_set_port(service, port);
[206]802
803 ret = idmef_service_new_protocol(service, &str);
804 if ( ret < 0 ) {
805 SH_FREE( new );
806 return ret;
807 }
808
809 ++tmp;
810 if (*tmp) {
811 char * tmpw = tmp;
812 char tmpw_store;
813 while (*tmpw && !isblank((int) *tmpw)) ++tmpw;
814 tmpw_store = *tmpw; *tmpw = '\0';
815 protocol = strdup(tmp);
816 *tmpw = tmpw_store;
817 prelude_string_set_nodup(str, protocol);
818 }
819
[169]820 }
821
822 ptr = tmp;
823 ++ptr;
824 ptr = strchr(ptr, '(');
825 if ( ! ptr ) {
826 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
827 _("malformed Samhain port check message (no service)"), _("get_service_info"));
828 SH_FREE( new );
829 return -1;
830 }
831 ++ptr;
832 tmp = strchr(ptr, ')');
833 if ( ! tmp ) {
834 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
835 _("malformed Samhain port check message (service not closed)"), _("get_service_info"));
836 SH_FREE( new );
837 return -1;
838 }
839 *tmp = '\0';
840
[170]841 /* Get service
842 */
[169]843 srv = strdup(ptr);
844 if ( srv ) {
845 if ( ! source ) {
846 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
847 if ( ret < 0 ) {
848 free(srv);
849 SH_FREE( new );
850 return ret;
851 }
852 }
853
854 if ( ! service ) {
855 ret = idmef_source_new_service(source, &service);
856 if ( ret < 0 ) {
857 free(srv);
858 SH_FREE( new );
859 return ret;
860 }
861 }
862
[170]863 ret = idmef_service_new_name(service, &str);
[169]864 if ( ret < 0 ) {
865 free(srv);
866 SH_FREE( new );
867 return ret;
868 }
869
870 prelude_string_set_nodup(str, srv);
871 }
872
873 SH_FREE( new );
874
[206]875 ptr = get_value(msg, _("userid"), NULL);
[180]876
877 if ( ptr ) {
878
[206]879 idmef_user_id_t * user_id;
880
[180]881 ret = idmef_source_new_user(source, &user);
882 if ( ret < 0 ) {
883 free(ptr);
884 return ret;
885 }
886
[206]887 idmef_user_set_category(user, IDMEF_USER_CATEGORY_APPLICATION);
888
889 ret = idmef_user_new_user_id(user, &user_id, IDMEF_LIST_APPEND);
[180]890 if ( ret < 0 ) {
[206]891 free(ptr);
[180]892 return ret;
[206]893 }
894
895 idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_CURRENT_USER);
896
897#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
898 sh_getpwnam_r(ptr, &pwd, buffer, sizeof(buffer), &pw);
899#else
900 pw = sh_getpwnam(ptr);
901#endif
902 if ( pw )
903 idmef_user_id_set_number(user_id, pw->pw_uid);
904
905 ret = idmef_user_id_new_name(user_id, &str);
906 if ( ret < 0 ) {
907 free(ptr);
908 return ret;
909 }
[180]910 prelude_string_set_nodup(str, ptr);
[206]911
[180]912 }
913
914 ptr = get_value(msg, _("path"), NULL);
[206]915 tmp = get_value(msg, _("pid"), NULL);
[180]916
917 if ( ptr ) {
918
919 /*
920 * In term of IDMEF, this is the full path,
921 * including the name.
922 */
923 ret = idmef_source_new_process(source, &process);
924 if ( ret < 0 ) {
925 free(ptr);
926 return ret;
927 }
928
929 ret = idmef_process_new_path(process, &str);
930 if ( ret < 0 ) {
931 free(ptr);
932 return ret;
933 }
934 prelude_string_set_nodup(str, ptr);
935
[206]936
937 if ( NULL != strrchr(ptr, '/') ) {
[180]938 ret = idmef_process_new_name(process, &str);
939 if ( ret == 0 ) {
[206]940 ptr = strrchr(ptr, '/');
[180]941 prelude_string_set_dup(str, ptr + 1);
942 }
[206]943 } else {
944 ret = idmef_process_new_name(process, &str);
945 if ( ret == 0 ) {
946 prelude_string_set_dup(str, ptr);
947 }
948 }
949
950 idmef_process_set_pid(process, strtoul(tmp, NULL, 0));
[180]951 }
952
[206]953 if (tmp)
954 free(tmp);
955
[169]956 return 0;
957}
958#endif
959
[1]960static int get_login_info(char *msg, idmef_alert_t *alert)
961{
962 int ret;
963 char *ptr, *ip;
964 idmef_user_t *user;
965 idmef_node_t *node;
966 struct passwd *pw;
[131]967#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
968 struct passwd pwd;
969 char buffer[SH_PWBUF_SIZE];
970#endif
[1]971 prelude_string_t *str;
972 idmef_user_id_t *user_id;
973 idmef_address_t *address;
974 idmef_target_t *target = idmef_alert_get_next_target(alert, NULL);
975 idmef_source_t *source = idmef_alert_get_next_source(alert, NULL);
976
977 ip = ptr = get_value(msg, _("ip"), NULL);
978 if ( ptr ) {
979 if ( ! source ) {
[26]980 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
[1]981 if ( ret < 0 ) {
982 free(ptr);
983 return ret;
984 }
985 }
986
987 ret = idmef_source_new_node(source, &node);
988 if ( ret < 0 ) {
989 free(ptr);
990 return ret;
991 }
992
[26]993 ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
[1]994 if ( ret < 0 ) {
995 free(ptr);
996 return ret;
997 }
998
999 ret = idmef_address_new_address(address, &str);
1000 if ( ret < 0 ) {
1001 free(ptr);
1002 return ret;
1003 }
1004
1005 prelude_string_set_nodup(str, ptr);
1006 }
1007
1008 ptr = get_value(msg, _("host"), NULL);
1009 if ( ptr ) {
1010 if ( ip && strcmp(ptr, ip) == 0 )
1011 free(ptr);
1012 else {
1013 if ( ! source ) {
[26]1014 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
[1]1015 if ( ret < 0 ) {
1016 free(ptr);
1017 return ret;
1018 }
1019 }
1020
1021 ret = idmef_source_new_node(source, &node);
1022 if ( ret < 0 ) {
1023 free(ptr);
1024 return ret;
1025 }
1026
1027 ret = idmef_node_new_name(node, &str);
1028 if ( ret < 0 ) {
1029 free(ptr);
1030 return ret;
1031 }
1032
1033 prelude_string_set_nodup(str, ptr);
1034 }
1035 }
1036
1037 ptr = get_value(msg, _("name"), NULL);
1038 if ( ptr ) {
1039 ret = idmef_target_new_user(target, &user);
1040 if ( ret < 0 ) {
1041 free(ptr);
1042 return ret;
1043 }
1044
1045 idmef_user_set_category(user, IDMEF_USER_CATEGORY_OS_DEVICE);
1046
[26]1047 ret = idmef_user_new_user_id(user, &user_id, IDMEF_LIST_APPEND);
[1]1048 if ( ret < 0 ) {
1049 free(ptr);
1050 return ret;
1051 }
1052
1053 idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_TARGET_USER);
1054
[131]1055#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
1056 sh_getpwnam_r(ptr, &pwd, buffer, sizeof(buffer), &pw);
1057#else
1058 pw = sh_getpwnam(ptr);
1059#endif
[1]1060 if ( pw )
1061 idmef_user_id_set_number(user_id, pw->pw_uid);
1062
1063 ret = idmef_user_id_new_name(user_id, &str);
1064 if ( ret < 0 ) {
1065 free(ptr);
1066 return ret;
1067 }
1068 prelude_string_set_nodup(str, ptr);
1069
1070 ptr = get_value(msg, _("tty"), NULL);
1071 if ( ptr ) {
1072 ret = idmef_user_id_new_tty(user_id, &str);
1073 if ( ret < 0 ) {
1074 free(ptr);
1075 return ret;
1076 }
1077
1078 prelude_string_set_nodup(str, ptr);
1079 }
1080 }
1081
1082 ptr = get_time_value(msg, _("time"), NULL);
1083 if ( ptr ) {
1084 idmef_time_t *time;
1085
1086 ret = idmef_time_from_samhain(&time, ptr);
1087 free(ptr);
1088
1089 if ( ret < 0 )
1090 return ret;
1091
1092 idmef_alert_set_detect_time(alert, time);
1093 }
1094
1095 return 0;
1096}
1097
1098
1099static int samhain_alert_prelude(int priority, int sh_class,
1100 char *message, unsigned long msgid)
1101{
1102 int ret;
1103 idmef_time_t *time;
1104 idmef_alert_t *alert;
1105 idmef_message_t *idmef;
1106 idmef_classification_t *classification;
1107 idmef_assessment_t *assessment;
1108 idmef_additional_data_t *data;
1109 idmef_impact_t *impact;
1110 idmef_target_t *target;
1111 idmef_confidence_t *confidence;
1112 prelude_string_t *str;
1113
[15]1114 if ( !client || sh_class == STAMP)
[1]1115 return 0;
1116
1117 ret = idmef_message_new(&idmef);
1118 if ( ret < 0 )
1119 goto err;
1120
1121 ret = idmef_message_new_alert(idmef, &alert);
1122 if ( ret < 0 )
1123 goto err;
1124
[26]1125 idmef_alert_set_analyzer(alert, idmef_analyzer_ref(prelude_client_get_analyzer(client)), IDMEF_LIST_PREPEND);
[1]1126
1127 ret = idmef_time_new_from_gettimeofday(&time);
1128 if ( ret < 0 )
1129 goto err;
1130 idmef_alert_set_detect_time(alert, time);
1131
1132 ret = idmef_time_new_from_gettimeofday(&time);
1133 if ( ret < 0 )
1134 goto err;
1135 idmef_alert_set_create_time(alert, time);
1136
1137 ret = idmef_alert_new_classification(alert, &classification);
1138 if ( ret < 0 )
1139 goto err;
1140
[26]1141 ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
[1]1142 if ( ret < 0 )
1143 goto err;
1144
1145 idmef_target_set_decoy(target, IDMEF_TARGET_DECOY_NO);
1146
1147 if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
1148 idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
1149 idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
1150 }
1151
1152 if ( strstr(message, _("path=")) ) {
[2]1153#if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
[1]1154 if ( msgid != MSG_FI_ADD && msgid != MSG_FI_ADD2 )
1155 get_file_infos(target, message, IDMEF_FILE_CATEGORY_ORIGINAL);
[2]1156#endif
[1]1157
1158 get_file_infos(target, message, IDMEF_FILE_CATEGORY_CURRENT);
1159 }
1160
1161 ret = idmef_alert_new_assessment(alert, &assessment);
1162 if ( ret < 0 )
1163 goto err;
1164
1165 ret = idmef_assessment_new_impact(assessment, &impact);
1166 if ( ret < 0 )
1167 goto err;
1168
1169 ret = idmef_classification_new_text(classification, &str);
1170 if ( ret < 0 )
1171 goto err;
1172
1173 ret = get_login_info(message, alert);
1174 if ( ret < 0 )
1175 goto err;
1176
[169]1177#ifdef SH_USE_PORTCHECK
1178 if (msgid == MSG_PORT_MISS || msgid == MSG_PORT_NEW || msgid == MSG_PORT_RESTART || msgid == MSG_PORT_NEWPORT) {
1179 ret = get_service_info(message, alert);
1180 if ( ret < 0 )
1181 goto err;
1182 }
1183#endif
1184
[1]1185 map_policy_to_class(message, msgid, impact, str);
1186
1187#if 0
1188 if ( priority == SH_ERR_SEVERE || priority == SH_ERR_FATAL )
1189 idmef_impact_set_severity(impact, IDMEF_IMPACT_SEVERITY_HIGH);
1190
1191 else if ( priority == SH_ERR_ALL || priority == SH_ERR_INFO || priority == SH_ERR_NOTICE )
1192 idmef_impact_set_severity(impact, IDMEF_IMPACT_SEVERITY_LOW);
1193
1194 else
1195 idmef_impact_set_severity(impact, IDMEF_IMPACT_SEVERITY_MEDIUM);
1196#endif
1197 idmef_impact_set_severity(impact, map_severity(priority));
1198
1199 idmef_impact_set_completion(impact, IDMEF_IMPACT_COMPLETION_SUCCEEDED);
1200
1201 ret = idmef_assessment_new_confidence(assessment, &confidence);
1202 if ( ret < 0 )
1203 goto err;
1204
1205 idmef_confidence_set_rating(confidence, IDMEF_CONFIDENCE_RATING_HIGH);
1206
[26]1207 ret = idmef_alert_new_additional_data(alert, &data, IDMEF_LIST_APPEND);
[1]1208 if ( ret < 0 )
1209 goto err;
1210
1211 ret = idmef_additional_data_new_meaning(data, &str);
1212 if ( ret < 0 )
1213 goto err;
1214
1215 prelude_string_set_dup(str, _("Message generated by Samhain"));
1216 idmef_additional_data_set_type(data, IDMEF_ADDITIONAL_DATA_TYPE_STRING);
1217 idmef_additional_data_set_string_ref(data, message);
1218
1219 /* debug_print_message(idmef); */
1220
1221 prelude_client_send_idmef(client, idmef);
1222 idmef_message_destroy(idmef);
1223
1224 return 0;
1225
1226 err:
1227 idmef_message_destroy(idmef);
1228 return -1;
1229}
1230
1231
1232int sh_prelude_alert(int priority, int sh_class, char *message, long msgflags, unsigned long msgid)
1233{
1234 int ret;
1235
1236 (void) msgflags; /* fix compiler warning */
1237
[15]1238 if ( initialized < 1 )
[1]1239 return -1;
1240
1241 ret = samhain_alert_prelude(priority, sh_class, message, msgid);
1242 if ( ret < 0 ) {
1243 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
1244 _("Problem with IDMEF for prelude-ids support: alert lost"),
1245 _("sh_prelude_alert"));
1246 }
1247
1248 return ret;
1249}
1250
1251
1252
[22]1253int sh_prelude_set_profile(const char *arg)
[1]1254{
1255 if ( profile ) {
1256 free(profile);
1257 profile = NULL;
1258 }
1259
1260 if ( arg ) {
1261 profile = strdup(arg);
1262 if ( ! profile )
1263 return -1;
1264 }
1265
1266 return 0;
1267}
1268
[86]1269/* Allow initialization of prelude; to be called
1270 * after forking the daemon. Delays heartbeat
1271 * start after config read until it is safe.
1272 */
[1]1273void sh_prelude_reset(void)
1274{
1275 extern void sh_error_init_prelude();
1276
1277 ready_for_init = 1;
1278 sh_error_init_prelude();
1279 return;
1280}
1281
1282
1283
1284void sh_prelude_stop(void)
1285{
1286 if (initialized < 1)
1287 return;
[108]1288
1289 if (sh.flag.isdaemon == S_TRUE)
1290 prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
1291 else
1292 prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1293
[15]1294 client = NULL;
[108]1295
1296 prelude_deinit();
1297
[1]1298 initialized = 0;
1299 return;
1300}
1301
1302
1303
1304int sh_prelude_init(void)
1305{
1306 int ret;
1307 prelude_string_t *str;
1308 idmef_analyzer_t *analyzer;
1309 prelude_client_flags_t flags;
[20]1310#ifdef SH_NOFAILOVER
1311 prelude_connection_pool_t *pool;
1312 prelude_connection_pool_flags_t conn_flags;
1313#endif
[1]1314
1315 if (ready_for_init == 0)
1316 return initialized;
1317
1318 if (initialized > 0)
1319 return initialized;
1320
1321 prelude_thread_init(NULL);
[20]1322 prelude_init(&sh_argc_store, sh_argv_store);
[1]1323
1324 ret = prelude_client_new(&client, profile ? profile : _("samhain"));
1325 if ( ret < 0 ) {
1326 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
1327 _("Failed to initialize Prelude"), _("sh_prelude_init"));
1328 initialized = -1;
1329 return -1;
1330 }
1331
1332 /*
1333 * Enable automatic heartbeat sending.
1334 */
1335 flags = prelude_client_get_flags(client);
1336 ret = prelude_client_set_flags(client, flags | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER);
1337
1338 analyzer = prelude_client_get_analyzer(client);
1339
1340 ret = idmef_analyzer_new_model(analyzer, &str);
1341 prelude_string_set_dup(str, IDMEF_ANALYZER_MODEL);
1342
1343 ret = idmef_analyzer_new_class(analyzer, &str);
1344 prelude_string_set_dup(str, IDMEF_ANALYZER_CLASS);
1345
1346 ret = idmef_analyzer_new_version(analyzer, &str);
1347 prelude_string_set_dup(str, IDMEF_ANALYZER_VERSION);
1348
[20]1349#ifdef SH_NOFAILOVER
1350 pool = prelude_client_get_connection_pool(client);
1351 conn_flags = prelude_connection_pool_get_flags(pool);
1352
1353 conn_flags &= ~PRELUDE_CONNECTION_POOL_FLAGS_FAILOVER;
1354 prelude_connection_pool_set_flags(pool, conn_flags);
1355#endif
1356
[1]1357 ret = prelude_client_start(client);
1358 if ( ret < 0 ) {
1359 prelude_perror(ret, _("error starting prelude client"));
1360
1361 if ( prelude_client_is_setup_needed(ret) )
1362 prelude_client_print_setup_error(client);
1363
1364 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
1365 _("Failed to start Prelude"), _("sh_prelude_init"));
1366 initialized = -1;
1367 return -1;
1368 }
1369
1370 initialized = 1;
1371 return 1;
1372}
1373
1374/* HAVE_LIBPRELUDE_9 */
1375#endif
1376
Note: See TracBrowser for help on using the repository browser.