source: trunk/src/sh_prelude.c@ 285

Last change on this file since 285 was 283, checked in by katerina, 15 years ago

Patch for ticket #207 (server logs client reports to prelude).

File size: 43.7 KB
RevLine 
[1]1/*
2 *
3 * Copyright (C) 2005 Yoann Vandoorselaere, Prelude IDS Technologies
4 * Rainer Wichmann
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2, or (at your option)
9 * any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; see the file COPYING. If not, write to
18 * the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
19 *
20 */
21
22/*
23 * 28/04/2005 : R.W.:
24 * move libprelude 0.8 code to seperate file
25 *
26 * 23/04/2005 : R.W.:
27 * include libprelude 0.9 code from Yoann Vandoorselaere
28 */
[36]29
30
31/*
32 * for strptime()
33 */
34#define _GNU_SOURCE 1
35
[1]36#include "config_xor.h"
37
38#include <stdio.h>
39#include <string.h>
40#include <sys/types.h>
41
42#if TIME_WITH_SYS_TIME
43
44# include <sys/time.h>
45# include <time.h>
46
47#else
48
49# if HAVE_SYS_TIME_H
50# include <sys/time.h>
51# else
52# include <time.h>
53# endif
54
55#endif
56
57#include <unistd.h>
58#include <syslog.h>
59#include <pwd.h>
60
[20]61int sh_argc_store;
62char ** sh_argv_store;
63
[181]64#if defined(HAVE_LIBPRELUDE)
[1]65
66
67/*
68 * _() macros are samhain specific; they are used to replace string
69 * constants at runtime. This is part of the samhain stealth mode
70 * (fill string constants with encoded strings, decode at runtime).
71 */
72#define FIL__ _("sh_prelude.c")
73
74
75#include <libprelude/idmef.h>
76#include <libprelude/prelude.h>
77
78/*
79 * includes for samhain-specific functions (sl_strstr, sh_error_handle)
80 */
[108]81#include "samhain.h"
[1]82#include "sh_cat.h"
83#include "sh_error_min.h"
84#include "sh_prelude.h"
[131]85#define SH_NEED_PWD_GRP 1
86#include "sh_static.h"
[169]87char * sh_util_strdup (const char * str) SH_GNUC_MALLOC;
[1]88/*
89 * When SH_USE_XML is set, value are formated using name="value".
90 * Otherwise, value is formatted using the format name=<value>.
91 */
92#ifdef SH_USE_XML
93# define VALUE_DELIM_START '"'
94# define VALUE_DELIM_END '"'
95#else
96# define VALUE_DELIM_START '<'
97# define VALUE_DELIM_END '>'
98#endif
99
100#define IDMEF_ANALYZER_MODEL _("Samhain")
101#define IDMEF_ANALYZER_CLASS _("Integrity Checker")
102#define IDMEF_ANALYZER_VERSION VERSION
[106]103#define IDMEF_ANALYZER_MANUFACTURER _("http://www.la-samhna.de/samhain/")
[1]104
105
106
107/*
108 * 0 = not initialized; -1 = failed; 1 = initialized
109 */
110static int initialized = 0;
111static int ready_for_init = 0;
112
113static char *profile = NULL;
114static prelude_client_t *client = NULL;
115
116static int severity_map[1 + (unsigned int) IDMEF_IMPACT_SEVERITY_HIGH] = {
117 /* 0: unused (?) */ 0,
118 /* 1: INFO */ 0,
119 /* 2: LOW */ SH_ERR_ALL|SH_ERR_INFO,
120 /* 3: MEDIUM */ SH_ERR_NOTICE|SH_ERR_WARN|SH_ERR_STAMP|SH_ERR_ERR,
121 /* 4: HIGH */ SH_ERR_SEVERE|SH_ERR_FATAL
122};
123
124/* returns 0/tiger, 1/sha1, or 2/md5
125 */
126extern int sh_tiger_get_hashtype(void);
127
128static void clear_and_set (int setpos, int flag)
129{
130 unsigned int i;
131 /* clear everywhere, and set at correct position */
132 for (i = 1; i < (1 + (unsigned int) IDMEF_IMPACT_SEVERITY_HIGH); ++i)
133 severity_map[i] &= ~flag;
134 severity_map[setpos] |= flag;
135 return;
136}
137
[22]138static int set_prelude_severity_int (const char * str, int prelude_sev)
[1]139{
[22]140 char * p;
141 char * dup = strdup (str);
[131]142#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
143 char * saveptr;
144#endif
[1]145
[26]146 if (!dup)
147 return -1;
148
[131]149#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
150 p = strtok_r (dup, ", \t", &saveptr);
151#else
[22]152 p = strtok (dup, ", \t");
[131]153#endif
[1]154 if (p) {
155 do {
156 if (0 == strcmp (p, _("alert")))
157 clear_and_set (prelude_sev, SH_ERR_FATAL);
158 else if (0 == strcmp (p, _("crit")))
159 clear_and_set (prelude_sev, SH_ERR_SEVERE);
160 else if (0 == strcmp (p, _("err")))
161 clear_and_set (prelude_sev, SH_ERR_ERR);
162 else if (0 == strcmp (p, _("mark")))
163 clear_and_set (prelude_sev, SH_ERR_STAMP);
164 else if (0 == strcmp (p, _("warn")))
165 clear_and_set (prelude_sev, SH_ERR_WARN);
166 else if (0 == strcmp (p, _("notice")))
167 clear_and_set (prelude_sev, SH_ERR_NOTICE);
168 else if (0 == strcmp (p, _("debug")))
169 clear_and_set (prelude_sev, SH_ERR_ALL);
170 else if (0 == strcmp (p, _("info")))
171 clear_and_set (prelude_sev, SH_ERR_INFO);
[26]172 else {
173 free (dup);
[1]174 return -1;
[26]175 }
[131]176#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
177 p = strtok_r (NULL, ", \t", &saveptr);
178#else
[1]179 p = strtok (NULL, ", \t");
[131]180#endif
[1]181 } while (p);
182 }
[22]183 free(dup);
[1]184 return 0;
185}
186
[22]187int sh_prelude_map_info (const char * str)
[1]188{
189 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_INFO));
190}
[22]191int sh_prelude_map_low (const char * str)
[1]192{
193 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_LOW));
194}
[22]195int sh_prelude_map_medium (const char * str)
[1]196{
197 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_MEDIUM));
198}
[22]199int sh_prelude_map_high (const char * str)
[1]200{
201 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_HIGH));
202}
203
204static idmef_impact_severity_t map_severity (int sam_sev)
205{
206 int i;
207 int max = 1 + (unsigned int) IDMEF_IMPACT_SEVERITY_HIGH;
208 idmef_impact_severity_t retval = IDMEF_IMPACT_SEVERITY_MEDIUM;
209
210 for (i = 0; i < max; ++i) {
211 if (severity_map[i] & sam_sev) {
212 retval = (idmef_impact_severity_t) i;
213 }
214 }
215 return retval;
216}
217
218static char *do_get_value(char *ptr, char delim_start, char delim_end)
219{
220 char *ret = NULL;
[283]221#if defined(SH_WITH_SERVER)
222 int delim_start_count = 0;
223 int found = 0;
224#endif
225
[1]226 ptr = strchr(ptr, delim_start);
227 if ( ! ptr )
228 return NULL;
229
230 ret = ++ptr;
[283]231#if defined(SH_WITH_SERVER)
232 while ((*ptr != '\0') && (!found)){
233 if (*ptr == delim_end) {
234 if (delim_start_count == 0)
235 found = 1;
236 delim_start_count--;
237 }
238 else if (*ptr == delim_start)
239 delim_start_count++;
240 ptr++;
241 }
242 ptr = (found) ? ptr-1 : NULL ;
243#else
[1]244 ptr = strchr(ptr, delim_end);
[283]245#endif
[1]246 if ( ! ptr )
247 return NULL;
248
249 *ptr = '\0';
250 ret = strdup(ret);
251 *ptr = delim_end;
252
253 return ret;
254}
255
256
257
258static char *get_value(char *msg, const char *toktmp, const char *toksuffix)
259{
260 char *ptr, tok[128];
261
262 snprintf(tok, sizeof(tok), "%s%s=", toktmp, (toksuffix) ? toksuffix : "");
263
264 ptr = strstr(msg, tok);
265 if ( ! ptr )
266 return NULL;
267
268 return do_get_value(ptr, VALUE_DELIM_START, VALUE_DELIM_END);
269}
270
271
272
273static char *get_time_value(char *msg, const char *toktmp, const char *toksuffix)
274{
275
276 char *ret, *ptr, tok[128];
277
278 snprintf(tok, sizeof(tok), "%s%s=", toktmp, (toksuffix) ? toksuffix : "");
279
280 ptr = strstr(msg, tok);
281 if ( ! ptr )
282 return NULL;
283
284#ifndef SH_USE_XML
285 ret = do_get_value(ptr, '[', ']');
286#else
287 ret = do_get_value(ptr, VALUE_DELIM_START, VALUE_DELIM_END);
288#endif
289
290 return ret;
291}
292
293
294
295
296#if 0
297void debug_print_message(idmef_message_t *msg)
298{
299 int ret;
300 prelude_io_t *fd;
301
302 ret = prelude_io_new(&fd);
303 if ( ret < 0 )
304 return;
305
306 prelude_io_set_file_io(fd, stderr);
307 idmef_message_print(idmef, fd);
308
309 prelude_io_destroy(fd);
310}
311#endif
312
313
314
315static int idmef_time_from_samhain(idmef_time_t **time, const char *str)
316{
317 int ret;
318 char *ptr;
319 time_t utc;
320 struct tm lt;
321
322 /*
323 * Samhain stamp are encoded in UTC.
324 */
325 ptr = strptime(str, _("%Y-%m-%dT%H:%M:%S"), &lt);
326 if ( ! ptr ) {
327 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
328 _("could not format Samhain time"), _("idmef_time_from_samhain"));
329 return -1;
330 }
331
332 utc = prelude_timegm(&lt);
333
334 ret = idmef_time_new_from_time(time, &utc);
335 if ( ret < 0 )
336 return ret;
337
338 return 0;
339}
340
[22]341/* flawfinder: ignore *//* is part of name, not access() */
[1]342static void get_access_info(idmef_file_access_t *access, char * mode, int pos, int mpos)
343{
344 int got = 0;
345 int ret;
346 prelude_string_t *str;
347
348 do {
349 if ( mode[pos] == 'r' ) {
[22]350 /* flawfinder: ignore *//* is part of name, not access() */
[26]351 ret = idmef_file_access_new_permission(access, &str, IDMEF_LIST_APPEND);
[1]352 if ( ret < 0 )
353 return;
354 prelude_string_set_dup(str, _("read"));
355 ++got;
356 }
357 else if ( mode[pos] == 'w' ) {
[22]358 /* flawfinder: ignore *//* is part of name, not access() */
[26]359 ret = idmef_file_access_new_permission(access, &str, IDMEF_LIST_APPEND);
[1]360 if ( ret < 0 )
361 return;
362 prelude_string_set_dup(str, _("write"));
363 ++got;
364 }
365 else if ( mode[pos] == 'x' || mode[pos] == 's' || mode[pos] == 't') {
[22]366 /* flawfinder: ignore *//* is part of name, not access() */
[26]367 ret = idmef_file_access_new_permission(access, &str, IDMEF_LIST_APPEND);
[1]368 if ( ret < 0 )
369 return;
370
371 if ( mode[pos] == 'x' && mode[0] == 'd' )
372 prelude_string_set_dup(str, _("search"));
373
374 else if ( mode[pos] == 'x' || mode[pos] == 't' )
375 prelude_string_set_dup(str, _("execute"));
376
377 else /* 's' */
378 prelude_string_set_dup(str, _("executeAs"));
379 ++got;
380 }
381 ++pos;
382 } while (pos <= mpos);
383
384 if ( got == 0 ) {
[22]385 /* flawfinder: ignore *//* is part of name, not access() */
[26]386 ret = idmef_file_access_new_permission(access, &str, IDMEF_LIST_APPEND);
[1]387 if ( ret < 0 )
388 return;
389 prelude_string_set_dup(str, _("noAccess"));
390 }
391 return;
392}
393
394
395static void get_file_infos(idmef_target_t *target, char *msg,
396 idmef_file_category_t category)
397{
398 int ret;
399 int hashtype = 0;
400 char *ptr;
401 idmef_time_t *time;
402 idmef_file_t *file;
403 idmef_inode_t *inode;
404 prelude_string_t *str;
405 idmef_checksum_t *checksum;
[22]406 idmef_file_access_t *access; /* flawfinder: ignore */
[1]407 idmef_user_id_t *userid;
408 const char *suffix = (category == IDMEF_FILE_CATEGORY_CURRENT) ? "_new" : "_old";
409 char *mode = NULL;
410
[26]411 ret = idmef_target_new_file(target, &file, IDMEF_LIST_APPEND);
[1]412 if ( ret < 0 )
413 return;
414 idmef_file_set_category(file, category);
415
416 ptr = get_value(msg, _("path"), NULL);
417 if ( ptr ) {
418 /*
419 * In term of IDMEF, this is the full path,
420 * including the name.
421 */
422 ret = idmef_file_new_path(file, &str);
[36]423 if ( ret < 0 ) {
424 free(ptr);
[1]425 return;
[36]426 }
[1]427 prelude_string_set_nodup(str, ptr);
428
429 ptr = strrchr(ptr, '/');
430 if ( ptr ) {
431 ret = idmef_file_new_name(file, &str);
[40]432 if ( ret == 0 ) {
433 prelude_string_set_dup(str, ptr + 1);
434 }
[1]435 }
436 }
437
438 ptr = get_value(msg, _("size"), suffix);
439 if ( ptr ) {
440 idmef_file_set_data_size(file, strtoul(ptr, NULL, 10));
441 free(ptr);
442 }
443
444 ptr = get_time_value(msg, _("mtime"), suffix);
445 if ( ptr ) {
446 ret = idmef_time_from_samhain(&time, ptr);
[40]447 if ( ret == 0 ) {
448 idmef_file_set_modify_time(file, time);
[36]449 }
[1]450 free(ptr);
451 }
452
453 ptr = get_time_value(msg, _("ctime"), suffix);
454 if ( ptr ) {
455 ret = idmef_time_from_samhain(&time, ptr);
[40]456 if ( ret == 0 ) {
457 idmef_file_set_create_time(file, time);
[36]458 }
[1]459 free(ptr);
460 }
461
462 ptr = get_value(msg, _("inode"), suffix);
463 if ( ptr ) {
464 ret = idmef_file_new_inode(file, &inode);
[40]465 if ( ret == 0 ) {
466 char * dev = get_value(msg, _("dev"), suffix);
467 if (dev) {
468 char * q = strchr(dev, ',');
469 if (*q) {
470 *q = '\0'; ++q;
471 idmef_inode_set_major_device(inode, strtoul(dev, NULL, 0));
472 idmef_inode_set_minor_device(inode, strtoul( q, NULL, 0));
473 }
474 free(dev);
475 }
476 idmef_inode_set_number(inode, strtoul(ptr, NULL, 10));
[36]477 }
[1]478 free(ptr);
479 }
480
481 ptr = get_value(msg, _("chksum"), suffix);
482 if ( ptr ) {
[26]483 ret = idmef_file_new_checksum(file, &checksum, IDMEF_LIST_APPEND);
[36]484 if ( ret < 0 ) {
[40]485 free(ptr);
486 goto get_mode;
[36]487 }
[1]488
489 hashtype = sh_tiger_get_hashtype();
490
491 if (hashtype == 0)
[40]492 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_TIGER);
[1]493
[40]494 else if (hashtype == 1)
495 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_SHA1);
496
497 else if (hashtype == 2)
498 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_MD5);
499
500 else
501 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_TIGER);
[1]502
503
[40]504 ret = idmef_checksum_new_value(checksum, &str);
505 if ( ret < 0 ) {
506 free(ptr);
507 goto get_mode;
[36]508 }
[1]509
510 /* will be freed on destroy()
511 */
[40]512 prelude_string_set_nodup(str, ptr);
513 }
[1]514
[40]515 get_mode:
516
[1]517 mode = get_value(msg, _("mode"), suffix);
518 if ( mode ) {
[22]519 /* flawfinder: ignore *//* is part of name, not access() */
[26]520 ret = idmef_file_new_file_access(file, &access, IDMEF_LIST_APPEND);
[1]521 if ( ret < 0 )
[40]522 goto get_owner;
[1]523
[22]524 /* flawfinder: ignore *//* is part of name, not access() */
[1]525 ret = idmef_file_access_new_user_id(access, &userid);
526 if ( ret < 0 )
[40]527 goto get_owner;
[1]528 idmef_user_id_set_type(userid, IDMEF_USER_ID_TYPE_OTHER_PRIVS);
529
[22]530 /* flawfinder: ignore *//* is part of name, not access() */
[1]531 get_access_info ( access, mode, 7, 9 );
532 }
[40]533
534 get_owner:
[1]535
536 ptr = get_value(msg, _("owner"), suffix);
537 if ( ptr ) {
[40]538 char * uid;
[1]539
[22]540 /* flawfinder: ignore *//* is part of name, not access() */
[26]541 ret = idmef_file_new_file_access(file, &access, IDMEF_LIST_APPEND);
[36]542 if ( ret < 0 ) {
543 free(ptr);
[40]544 goto get_group;
[36]545 }
[1]546
[22]547 /* flawfinder: ignore *//* is part of name, not access() */
[1]548 ret = idmef_file_access_new_user_id(access, &userid);
[36]549 if ( ret < 0 ) {
550 free(ptr);
[40]551 goto get_group;
[36]552 }
[1]553 idmef_user_id_set_type(userid, IDMEF_USER_ID_TYPE_USER_PRIVS);
554
555 ret = idmef_user_id_new_name(userid, &str);
[36]556 if ( ret < 0 ) {
557 free(ptr);
[40]558 goto get_group;
[36]559 }
[1]560 prelude_string_set_nodup(str, ptr);
561
[40]562 uid = get_value(msg, _("iowner"), suffix);
563 if ( ! uid )
564 goto get_group;
[1]565
[40]566 idmef_user_id_set_number(userid, strtoul(uid, NULL, 0));
[1]567
568 if ( mode ) {
[22]569 /* flawfinder: ignore *//* is part of name, not access() */
[1]570 get_access_info ( access, mode, 1, 3 );
571 }
[40]572
573 free(uid);
[283]574 /* Don't free(ptr) because of prelude_string_set_nodup(str, ptr) */
[1]575 }
576
[40]577 get_group:
578
[1]579 ptr = get_value(msg, _("group"), suffix);
580 if ( ptr ) {
[40]581 char *gid;
[1]582
[22]583 /* flawfinder: ignore *//* is part of name, not access() */
[26]584 ret = idmef_file_new_file_access(file, &access, IDMEF_LIST_APPEND);
[36]585 if ( ret < 0 ) {
586 free(ptr);
587 goto mode_free;
588 }
[1]589
[36]590 ret = idmef_file_access_new_user_id(access, &userid);/* flawfinder: ignore *//* is part of name, not access() */
591 if ( ret < 0 ) {
592 free(ptr);
593 goto mode_free;
594 }
595
[1]596 idmef_user_id_set_type(userid, IDMEF_USER_ID_TYPE_GROUP_PRIVS);
597
598 ret = idmef_user_id_new_name(userid, &str);
[36]599 if ( ret < 0 ) {
600 free(ptr);
601 goto mode_free;
602 }
[1]603
604 prelude_string_set_nodup(str, ptr);
605
[40]606 gid = get_value(msg, _("igroup"), suffix);
607 if ( ! gid )
[36]608 goto mode_free;
[1]609
[40]610 idmef_user_id_set_number(userid, strtoul(gid, NULL, 0));
[1]611
612 if ( mode ) {
[22]613 get_access_info ( access, mode, 4, 6 ); /* flawfinder: ignore */
[1]614 }
[40]615
616 free(gid);
[283]617 /* Don't free(ptr) because of prelude_string_set_nodup(str, ptr) */
[1]618 }
619
[36]620 mode_free:
621
[1]622 if ( mode ) {
623 free ( mode );
624 }
[36]625
626 return;
[1]627}
628
629
630
631static int map_policy_to_class(char *msg, unsigned long msgid, idmef_impact_t *impact, prelude_string_t *out)
632{
633 char *ptr;
634 int ret, i;
635 struct tbl {
636 unsigned int msgid;
637 const char *name;
638 idmef_impact_type_t type;
639 } tbl[] = {
640
641#ifdef SH_USE_UTMP
642 { MSG_UT_LG1X, N_("User Login"), IDMEF_IMPACT_TYPE_USER },
643 { MSG_UT_LG1A, N_("User Login"), IDMEF_IMPACT_TYPE_USER },
644 { MSG_UT_LG1B, N_("User Login"), IDMEF_IMPACT_TYPE_USER },
645 { MSG_UT_LG2X, N_("Multiple User Login"), IDMEF_IMPACT_TYPE_USER },
646 { MSG_UT_LG2A, N_("Multiple User Login"), IDMEF_IMPACT_TYPE_USER },
647 { MSG_UT_LG2B, N_("Multiple User Login"), IDMEF_IMPACT_TYPE_USER },
648 { MSG_UT_LG3X, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
649 { MSG_UT_LG3A, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
650 { MSG_UT_LG3B, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
651 { MSG_UT_LG3C, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
652#endif
653
654#if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
655 { MSG_FI_MISS, N_("File Missing"), IDMEF_IMPACT_TYPE_FILE },
656 { MSG_FI_MISS2, N_("File Missing"), IDMEF_IMPACT_TYPE_FILE },
657 { MSG_FI_ADD, N_("File Added"), IDMEF_IMPACT_TYPE_FILE },
658 { MSG_FI_ADD2, N_("File Added"), IDMEF_IMPACT_TYPE_FILE },
659 { MSG_FI_CHAN, N_("File Modified"), IDMEF_IMPACT_TYPE_FILE },
660 { MSG_FI_NODIR, N_("File found where directory was expected"), IDMEF_IMPACT_TYPE_FILE },
661#endif
662
663#ifdef SH_USE_KERN
664 { MSG_KERN_POLICY, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
665 { MSG_KERN_POL_CO, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
666 { MSG_KERN_PROC, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
667 { MSG_KERN_GATE, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
668 { MSG_KERN_IDT, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
669 { MSG_KERN_SYSCALL, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
670#endif
671
[169]672#ifdef SH_USE_PORTCHECK
673 { MSG_PORT_MISS, N_("Service closed"), IDMEF_IMPACT_TYPE_OTHER },
674 { MSG_PORT_NEW, N_("Service opened"), IDMEF_IMPACT_TYPE_OTHER },
675 { MSG_PORT_RESTART, N_("Service restarted"), IDMEF_IMPACT_TYPE_OTHER },
676 { MSG_PORT_NEWPORT, N_("Service restarted"), IDMEF_IMPACT_TYPE_OTHER },
677#endif
678
[1]679#ifdef SH_USE_SUIDCHK
680 { MSG_SUID_POLICY, N_("SUID/SGID File Detected"), IDMEF_IMPACT_TYPE_FILE },
681#endif
682 /*
683 * This must be the last table entry
684 */
685 { 0, NULL, IDMEF_IMPACT_TYPE_OTHER },
686 };
687
688 for ( i = 0; tbl[i].name != NULL; i++ ) {
689 if ( tbl[i].msgid != msgid )
690 continue;
691
692 idmef_impact_set_type(impact, tbl[i].type);
693 return prelude_string_cat(out, _(tbl[i].name));
694 }
695
696 /* some other message
697 */
698 ptr = get_value(msg, _("msg"), NULL);
699 if ( ! ptr ) {
700 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
701 _("could not format Samhain message"), _("map_policy_to_class"));
702 return -1;
703 }
[283]704
705#if defined(SH_WITH_SERVER)
706 /* when using yule, theres a msg=<... msg=<...> >*/
707 do {
708 msg = ptr;
709 ptr = get_value(msg, _("msg"), NULL);
710 if ( ! ptr ) {
711 ptr = msg;
712 break;
713 } else {
714 free(msg);
715 }
716 } while (1);
717#endif
718
[1]719 ret = prelude_string_cat(out, ptr);
720 free(ptr);
721
722 return ret;
723}
724
725
[169]726#ifdef SH_USE_PORTCHECK
727static int get_service_info(char *msg, idmef_alert_t *alert)
728{
729 int ret;
730 long port;
[206]731 char *ptr, *new, *tmp, *ip, *srv, *protocol, *end;
[169]732 prelude_string_t *str;
733 idmef_address_t *address;
734 idmef_node_t *node;
[180]735 idmef_user_t *user;
736 idmef_process_t *process;
[169]737 idmef_service_t *service;
738 idmef_source_t *source = idmef_alert_get_next_source(alert, NULL);
[206]739 struct passwd *pw;
740#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
741 struct passwd pwd;
[227]742 char * buffer;
[206]743#endif
[1]744
[169]745 new = sh_util_strdup(msg);
746
747 ptr = strstr(new, _("port: "));
748 if ( ! ptr ) {
749 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
750 _("malformed Samhain port check message"), _("get_service_info"));
751 SH_FREE( new );
752 return -1;
753 }
754
755 ptr += 6; /* skip 'port: ', position on first byte of interface */
756 tmp = strchr(ptr, ':');
757 if ( ! tmp ) {
758 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
759 _("malformed Samhain port check message (no port)"), _("get_service_info"));
760 SH_FREE( new );
761 return -1;
762 }
763 *tmp = '\0';
764
[170]765 /* Get interface
766 */
[169]767 ip = strdup(ptr);
768 if ( ip ) {
769 if ( ! source ) {
770 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
771 if ( ret < 0 ) {
772 free(ip);
773 SH_FREE( new );
774 return ret;
775 }
776 }
777
778 ret = idmef_source_new_node(source, &node);
779 if ( ret < 0 ) {
780 free(ip);
781 SH_FREE( new );
782 return ret;
783 }
784
785 ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
786 if ( ret < 0 ) {
787 free(ip);
788 SH_FREE( new );
789 return ret;
790 }
791
792 ret = idmef_address_new_address(address, &str);
793 if ( ret < 0 ) {
794 free(ip);
795 SH_FREE( new );
796 return ret;
797 }
798
799 prelude_string_set_nodup(str, ip);
800 }
801
802 ptr = tmp;
803 ++ptr;
804 tmp = strchr(ptr, '/');
805 if ( ! tmp ) {
806 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
807 _("malformed Samhain port check message (no protocol)"), _("get_service_info"));
808 SH_FREE( new );
809 return -1;
810 }
811 *tmp = '\0';
812
[170]813 /* Get port number
814 */
[169]815 port = strtol(ptr, &end, 0);
816 if ( *ptr && *end == '\0' && port >= 0 && port < 65536) {
817
[206]818 char * tmpw;
819
[169]820 if ( ! source ) {
821 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
822 if ( ret < 0 ) {
823 SH_FREE( new );
824 return ret;
825 }
826 }
827
828 ret = idmef_source_new_service(source, &service);
829 if ( ret < 0 ) {
830 SH_FREE( new );
831 return ret;
832 }
833
834 idmef_service_set_port(service, port);
[206]835
836 ret = idmef_service_new_protocol(service, &str);
837 if ( ret < 0 ) {
838 SH_FREE( new );
839 return ret;
840 }
841
842 ++tmp;
843 if (*tmp) {
844 char * tmpw = tmp;
845 char tmpw_store;
846 while (*tmpw && !isblank((int) *tmpw)) ++tmpw;
847 tmpw_store = *tmpw; *tmpw = '\0';
848 protocol = strdup(tmp);
849 *tmpw = tmpw_store;
850 prelude_string_set_nodup(str, protocol);
851 }
852
[169]853 }
854
855 ptr = tmp;
856 ++ptr;
857 ptr = strchr(ptr, '(');
858 if ( ! ptr ) {
859 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
860 _("malformed Samhain port check message (no service)"), _("get_service_info"));
861 SH_FREE( new );
862 return -1;
863 }
864 ++ptr;
865 tmp = strchr(ptr, ')');
866 if ( ! tmp ) {
867 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
868 _("malformed Samhain port check message (service not closed)"), _("get_service_info"));
869 SH_FREE( new );
870 return -1;
871 }
872 *tmp = '\0';
873
[170]874 /* Get service
875 */
[169]876 srv = strdup(ptr);
877 if ( srv ) {
878 if ( ! source ) {
879 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
880 if ( ret < 0 ) {
881 free(srv);
882 SH_FREE( new );
883 return ret;
884 }
885 }
886
887 if ( ! service ) {
888 ret = idmef_source_new_service(source, &service);
889 if ( ret < 0 ) {
890 free(srv);
891 SH_FREE( new );
892 return ret;
893 }
894 }
895
[170]896 ret = idmef_service_new_name(service, &str);
[169]897 if ( ret < 0 ) {
898 free(srv);
899 SH_FREE( new );
900 return ret;
901 }
902
903 prelude_string_set_nodup(str, srv);
904 }
905
906 SH_FREE( new );
907
[206]908 ptr = get_value(msg, _("userid"), NULL);
[180]909
910 if ( ptr ) {
911
[206]912 idmef_user_id_t * user_id;
913
[180]914 ret = idmef_source_new_user(source, &user);
915 if ( ret < 0 ) {
916 free(ptr);
917 return ret;
918 }
919
[206]920 idmef_user_set_category(user, IDMEF_USER_CATEGORY_APPLICATION);
921
922 ret = idmef_user_new_user_id(user, &user_id, IDMEF_LIST_APPEND);
[180]923 if ( ret < 0 ) {
[206]924 free(ptr);
[180]925 return ret;
[206]926 }
927
928 idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_CURRENT_USER);
929
930#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
[227]931 buffer = SH_ALLOC(SH_PWBUF_SIZE);
932 sh_getpwnam_r(ptr, &pwd, buffer, SH_PWBUF_SIZE, &pw);
[206]933#else
934 pw = sh_getpwnam(ptr);
935#endif
936 if ( pw )
937 idmef_user_id_set_number(user_id, pw->pw_uid);
938
939 ret = idmef_user_id_new_name(user_id, &str);
940 if ( ret < 0 ) {
941 free(ptr);
[227]942#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
943 SH_FREE(buffer);
944#endif
[206]945 return ret;
946 }
[180]947 prelude_string_set_nodup(str, ptr);
[206]948
[227]949#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
950 SH_FREE(buffer);
951#endif
[180]952 }
953
[227]954
[180]955 ptr = get_value(msg, _("path"), NULL);
[206]956 tmp = get_value(msg, _("pid"), NULL);
[180]957
958 if ( ptr ) {
959
960 /*
961 * In term of IDMEF, this is the full path,
962 * including the name.
963 */
964 ret = idmef_source_new_process(source, &process);
965 if ( ret < 0 ) {
966 free(ptr);
967 return ret;
968 }
969
970 ret = idmef_process_new_path(process, &str);
971 if ( ret < 0 ) {
972 free(ptr);
973 return ret;
974 }
975 prelude_string_set_nodup(str, ptr);
976
[206]977
978 if ( NULL != strrchr(ptr, '/') ) {
[180]979 ret = idmef_process_new_name(process, &str);
980 if ( ret == 0 ) {
[206]981 ptr = strrchr(ptr, '/');
[180]982 prelude_string_set_dup(str, ptr + 1);
983 }
[206]984 } else {
985 ret = idmef_process_new_name(process, &str);
986 if ( ret == 0 ) {
987 prelude_string_set_dup(str, ptr);
988 }
989 }
990
991 idmef_process_set_pid(process, strtoul(tmp, NULL, 0));
[180]992 }
993
[206]994 if (tmp)
995 free(tmp);
996
[169]997 return 0;
998}
999#endif
1000
[1]1001static int get_login_info(char *msg, idmef_alert_t *alert)
1002{
1003 int ret;
1004 char *ptr, *ip;
1005 idmef_user_t *user;
1006 idmef_node_t *node;
1007 struct passwd *pw;
[131]1008#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
1009 struct passwd pwd;
[227]1010 char * buffer;
[131]1011#endif
[1]1012 prelude_string_t *str;
1013 idmef_user_id_t *user_id;
1014 idmef_address_t *address;
1015 idmef_target_t *target = idmef_alert_get_next_target(alert, NULL);
1016 idmef_source_t *source = idmef_alert_get_next_source(alert, NULL);
1017
1018 ip = ptr = get_value(msg, _("ip"), NULL);
1019 if ( ptr ) {
1020 if ( ! source ) {
[26]1021 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
[1]1022 if ( ret < 0 ) {
1023 free(ptr);
1024 return ret;
1025 }
1026 }
1027
1028 ret = idmef_source_new_node(source, &node);
1029 if ( ret < 0 ) {
1030 free(ptr);
1031 return ret;
1032 }
1033
[26]1034 ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
[1]1035 if ( ret < 0 ) {
1036 free(ptr);
1037 return ret;
1038 }
1039
1040 ret = idmef_address_new_address(address, &str);
1041 if ( ret < 0 ) {
1042 free(ptr);
1043 return ret;
1044 }
1045
1046 prelude_string_set_nodup(str, ptr);
1047 }
1048
1049 ptr = get_value(msg, _("host"), NULL);
1050 if ( ptr ) {
1051 if ( ip && strcmp(ptr, ip) == 0 )
1052 free(ptr);
1053 else {
1054 if ( ! source ) {
[26]1055 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
[1]1056 if ( ret < 0 ) {
1057 free(ptr);
1058 return ret;
1059 }
1060 }
1061
1062 ret = idmef_source_new_node(source, &node);
1063 if ( ret < 0 ) {
1064 free(ptr);
1065 return ret;
1066 }
1067
1068 ret = idmef_node_new_name(node, &str);
1069 if ( ret < 0 ) {
1070 free(ptr);
1071 return ret;
1072 }
1073
1074 prelude_string_set_nodup(str, ptr);
1075 }
1076 }
1077
1078 ptr = get_value(msg, _("name"), NULL);
1079 if ( ptr ) {
1080 ret = idmef_target_new_user(target, &user);
1081 if ( ret < 0 ) {
1082 free(ptr);
1083 return ret;
1084 }
1085
1086 idmef_user_set_category(user, IDMEF_USER_CATEGORY_OS_DEVICE);
1087
[26]1088 ret = idmef_user_new_user_id(user, &user_id, IDMEF_LIST_APPEND);
[1]1089 if ( ret < 0 ) {
1090 free(ptr);
1091 return ret;
1092 }
1093
1094 idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_TARGET_USER);
1095
[131]1096#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
[227]1097 buffer = SH_ALLOC(SH_PWBUF_SIZE);
1098 sh_getpwnam_r(ptr, &pwd, buffer, SH_PWBUF_SIZE, &pw);
[131]1099#else
1100 pw = sh_getpwnam(ptr);
1101#endif
[1]1102 if ( pw )
1103 idmef_user_id_set_number(user_id, pw->pw_uid);
1104
1105 ret = idmef_user_id_new_name(user_id, &str);
1106 if ( ret < 0 ) {
1107 free(ptr);
[227]1108#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
1109 SH_FREE(buffer);
1110#endif
[1]1111 return ret;
1112 }
1113 prelude_string_set_nodup(str, ptr);
1114
1115 ptr = get_value(msg, _("tty"), NULL);
1116 if ( ptr ) {
1117 ret = idmef_user_id_new_tty(user_id, &str);
1118 if ( ret < 0 ) {
1119 free(ptr);
[227]1120#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
1121 SH_FREE(buffer);
1122#endif
[1]1123 return ret;
1124 }
1125
1126 prelude_string_set_nodup(str, ptr);
1127 }
[227]1128#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
1129 SH_FREE(buffer);
1130#endif
[1]1131 }
1132
1133 ptr = get_time_value(msg, _("time"), NULL);
1134 if ( ptr ) {
1135 idmef_time_t *time;
1136
1137 ret = idmef_time_from_samhain(&time, ptr);
1138 free(ptr);
1139
1140 if ( ret < 0 )
1141 return ret;
1142
1143 idmef_alert_set_detect_time(alert, time);
1144 }
1145
1146 return 0;
1147}
1148
1149
[283]1150static int node_set_address(idmef_node_t *node, const char *addr)
1151{
1152 int ret;
1153 prelude_string_t *prelude_str;
1154 idmef_address_t *idmef_addr;
1155
1156 ret = prelude_string_new(&prelude_str);
1157 if ( ret < 0 )
1158 goto err;
1159
1160 ret = prelude_string_set_ref(prelude_str, addr);
1161 if ( ret < 0 )
1162 goto err;
1163
1164 ret = idmef_address_new(&idmef_addr);
1165 if ( ret < 0 )
1166 goto err;
1167
1168 idmef_address_set_category(idmef_addr, IDMEF_ADDRESS_CATEGORY_IPV4_ADDR);
1169 idmef_address_set_address(idmef_addr, prelude_str);
1170 idmef_node_set_address(node, idmef_addr, 0);
1171
1172 return 0;
1173 err:
1174 return -1;
1175}
1176
1177
1178
[1]1179static int samhain_alert_prelude(int priority, int sh_class,
[283]1180 char *message, unsigned long msgid, char * inet_peer_ip)
[1]1181{
1182 int ret;
1183 idmef_time_t *time;
1184 idmef_alert_t *alert;
1185 idmef_message_t *idmef;
1186 idmef_classification_t *classification;
1187 idmef_assessment_t *assessment;
1188 idmef_additional_data_t *data;
1189 idmef_impact_t *impact;
1190 idmef_target_t *target;
1191 idmef_confidence_t *confidence;
1192 prelude_string_t *str;
[283]1193#if defined(SH_WITH_SERVER)
1194 idmef_node_t *node;
1195#endif
[1]1196
[15]1197 if ( !client || sh_class == STAMP)
[1]1198 return 0;
1199
1200 ret = idmef_message_new(&idmef);
1201 if ( ret < 0 )
1202 goto err;
1203
1204 ret = idmef_message_new_alert(idmef, &alert);
1205 if ( ret < 0 )
1206 goto err;
1207
[26]1208 idmef_alert_set_analyzer(alert, idmef_analyzer_ref(prelude_client_get_analyzer(client)), IDMEF_LIST_PREPEND);
[1]1209
1210 ret = idmef_time_new_from_gettimeofday(&time);
1211 if ( ret < 0 )
1212 goto err;
1213 idmef_alert_set_detect_time(alert, time);
1214
1215 ret = idmef_time_new_from_gettimeofday(&time);
1216 if ( ret < 0 )
1217 goto err;
1218 idmef_alert_set_create_time(alert, time);
1219
1220 ret = idmef_alert_new_classification(alert, &classification);
1221 if ( ret < 0 )
1222 goto err;
1223
[26]1224 ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
[1]1225 if ( ret < 0 )
1226 goto err;
1227
1228 idmef_target_set_decoy(target, IDMEF_TARGET_DECOY_NO);
[283]1229
1230#if defined(SH_WITH_SERVER)
1231 if ( inet_peer_ip != NULL){
1232 ret = idmef_target_new_node(target, &node);
[1]1233
[283]1234 ret = node_set_address(node, inet_peer_ip);
1235 if ( ret < 0 )
1236 goto err;
1237
1238 idmef_target_set_node(target, idmef_node_ref(node));
1239 }
1240 else
[1]1241 if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
1242 idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
1243 idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
1244 }
[283]1245#else
1246 if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
1247 idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
1248 idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
1249 }
1250#endif
[1]1251 if ( strstr(message, _("path=")) ) {
[2]1252#if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
[1]1253 if ( msgid != MSG_FI_ADD && msgid != MSG_FI_ADD2 )
1254 get_file_infos(target, message, IDMEF_FILE_CATEGORY_ORIGINAL);
[2]1255#endif
[1]1256
1257 get_file_infos(target, message, IDMEF_FILE_CATEGORY_CURRENT);
1258 }
1259
1260 ret = idmef_alert_new_assessment(alert, &assessment);
1261 if ( ret < 0 )
1262 goto err;
1263
1264 ret = idmef_assessment_new_impact(assessment, &impact);
1265 if ( ret < 0 )
1266 goto err;
1267
1268 ret = idmef_classification_new_text(classification, &str);
1269 if ( ret < 0 )
1270 goto err;
1271
1272 ret = get_login_info(message, alert);
1273 if ( ret < 0 )
1274 goto err;
1275
[169]1276#ifdef SH_USE_PORTCHECK
1277 if (msgid == MSG_PORT_MISS || msgid == MSG_PORT_NEW || msgid == MSG_PORT_RESTART || msgid == MSG_PORT_NEWPORT) {
1278 ret = get_service_info(message, alert);
1279 if ( ret < 0 )
1280 goto err;
1281 }
1282#endif
1283
[1]1284 map_policy_to_class(message, msgid, impact, str);
1285
1286#if 0
1287 if ( priority == SH_ERR_SEVERE || priority == SH_ERR_FATAL )
1288 idmef_impact_set_severity(impact, IDMEF_IMPACT_SEVERITY_HIGH);
1289
1290 else if ( priority == SH_ERR_ALL || priority == SH_ERR_INFO || priority == SH_ERR_NOTICE )
1291 idmef_impact_set_severity(impact, IDMEF_IMPACT_SEVERITY_LOW);
1292
1293 else
1294 idmef_impact_set_severity(impact, IDMEF_IMPACT_SEVERITY_MEDIUM);
1295#endif
1296 idmef_impact_set_severity(impact, map_severity(priority));
1297
1298 idmef_impact_set_completion(impact, IDMEF_IMPACT_COMPLETION_SUCCEEDED);
1299
1300 ret = idmef_assessment_new_confidence(assessment, &confidence);
1301 if ( ret < 0 )
1302 goto err;
1303
1304 idmef_confidence_set_rating(confidence, IDMEF_CONFIDENCE_RATING_HIGH);
1305
[26]1306 ret = idmef_alert_new_additional_data(alert, &data, IDMEF_LIST_APPEND);
[1]1307 if ( ret < 0 )
1308 goto err;
1309
1310 ret = idmef_additional_data_new_meaning(data, &str);
1311 if ( ret < 0 )
1312 goto err;
1313
1314 prelude_string_set_dup(str, _("Message generated by Samhain"));
1315 idmef_additional_data_set_type(data, IDMEF_ADDITIONAL_DATA_TYPE_STRING);
1316 idmef_additional_data_set_string_ref(data, message);
1317
1318 /* debug_print_message(idmef); */
1319
1320 prelude_client_send_idmef(client, idmef);
1321 idmef_message_destroy(idmef);
1322
1323 return 0;
1324
1325 err:
1326 idmef_message_destroy(idmef);
1327 return -1;
1328}
1329
1330
[283]1331int sh_prelude_alert(int priority, int sh_class, char *message, long msgflags, unsigned long msgid, char *inet_peer_ip)
[1]1332{
1333 int ret;
1334
1335 (void) msgflags; /* fix compiler warning */
1336
[15]1337 if ( initialized < 1 )
[1]1338 return -1;
1339
[283]1340 ret = samhain_alert_prelude(priority, sh_class, message, msgid, inet_peer_ip);
[1]1341 if ( ret < 0 ) {
1342 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
1343 _("Problem with IDMEF for prelude-ids support: alert lost"),
1344 _("sh_prelude_alert"));
1345 }
1346
1347 return ret;
1348}
1349
1350
1351
[22]1352int sh_prelude_set_profile(const char *arg)
[1]1353{
1354 if ( profile ) {
1355 free(profile);
1356 profile = NULL;
1357 }
1358
1359 if ( arg ) {
1360 profile = strdup(arg);
1361 if ( ! profile )
1362 return -1;
1363 }
1364
1365 return 0;
1366}
1367
[86]1368/* Allow initialization of prelude; to be called
1369 * after forking the daemon. Delays heartbeat
1370 * start after config read until it is safe.
1371 */
[1]1372void sh_prelude_reset(void)
1373{
1374 extern void sh_error_init_prelude();
1375
1376 ready_for_init = 1;
1377 sh_error_init_prelude();
1378 return;
1379}
1380
1381
1382
1383void sh_prelude_stop(void)
1384{
1385 if (initialized < 1)
1386 return;
[108]1387
1388 if (sh.flag.isdaemon == S_TRUE)
1389 prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
1390 else
1391 prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1392
[15]1393 client = NULL;
[108]1394
1395 prelude_deinit();
1396
[1]1397 initialized = 0;
1398 return;
1399}
1400
1401
1402
1403int sh_prelude_init(void)
1404{
1405 int ret;
1406 prelude_string_t *str;
1407 idmef_analyzer_t *analyzer;
1408 prelude_client_flags_t flags;
[20]1409#ifdef SH_NOFAILOVER
1410 prelude_connection_pool_t *pool;
1411 prelude_connection_pool_flags_t conn_flags;
1412#endif
[1]1413
1414 if (ready_for_init == 0)
1415 return initialized;
1416
1417 if (initialized > 0)
1418 return initialized;
1419
1420 prelude_thread_init(NULL);
[20]1421 prelude_init(&sh_argc_store, sh_argv_store);
[1]1422
1423 ret = prelude_client_new(&client, profile ? profile : _("samhain"));
1424 if ( ret < 0 ) {
1425 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
1426 _("Failed to initialize Prelude"), _("sh_prelude_init"));
1427 initialized = -1;
1428 return -1;
1429 }
1430
1431 /*
1432 * Enable automatic heartbeat sending.
1433 */
1434 flags = prelude_client_get_flags(client);
1435 ret = prelude_client_set_flags(client, flags | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER);
1436
1437 analyzer = prelude_client_get_analyzer(client);
1438
1439 ret = idmef_analyzer_new_model(analyzer, &str);
1440 prelude_string_set_dup(str, IDMEF_ANALYZER_MODEL);
1441
1442 ret = idmef_analyzer_new_class(analyzer, &str);
1443 prelude_string_set_dup(str, IDMEF_ANALYZER_CLASS);
1444
1445 ret = idmef_analyzer_new_version(analyzer, &str);
1446 prelude_string_set_dup(str, IDMEF_ANALYZER_VERSION);
1447
[20]1448#ifdef SH_NOFAILOVER
1449 pool = prelude_client_get_connection_pool(client);
1450 conn_flags = prelude_connection_pool_get_flags(pool);
1451
1452 conn_flags &= ~PRELUDE_CONNECTION_POOL_FLAGS_FAILOVER;
1453 prelude_connection_pool_set_flags(pool, conn_flags);
1454#endif
1455
[1]1456 ret = prelude_client_start(client);
1457 if ( ret < 0 ) {
1458 prelude_perror(ret, _("error starting prelude client"));
1459
1460 if ( prelude_client_is_setup_needed(ret) )
1461 prelude_client_print_setup_error(client);
1462
1463 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
1464 _("Failed to start Prelude"), _("sh_prelude_init"));
1465 initialized = -1;
1466 return -1;
1467 }
1468
1469 initialized = 1;
1470 return 1;
1471}
1472
1473/* HAVE_LIBPRELUDE_9 */
1474#endif
1475
Note: See TracBrowser for help on using the repository browser.