source: trunk/src/sh_prelude.c@ 583

Last change on this file since 583 was 583, checked in by katerina, 36 hours ago

Fix for ticket #471 (autoreconf throws warnings/errors).
File size: 43.3 KB
RevLine 
[1]1/*
2 *
3 * Copyright (C) 2005 Yoann Vandoorselaere, Prelude IDS Technologies
4 * Rainer Wichmann
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2, or (at your option)
9 * any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; see the file COPYING. If not, write to
18 * the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
19 *
20 */
21
22/*
23 * 28/04/2005 : R.W.:
24 * move libprelude 0.8 code to seperate file
25 *
26 * 23/04/2005 : R.W.:
27 * include libprelude 0.9 code from Yoann Vandoorselaere
28 */
[36]29
30
31/*
32 * for strptime()
33 */
34#define _GNU_SOURCE 1
35
[1]36#include "config_xor.h"
37
38#include <stdio.h>
39#include <string.h>
[542]40#include <ctype.h>
[1]41#include <sys/types.h>
42
[583]43#if HAVE_SYS_TIME_H
44#include <sys/time.h>
[1]45#endif
[583]46#include <time.h>
[1]47
48#include <unistd.h>
49#include <syslog.h>
50#include <pwd.h>
51
[20]52int sh_argc_store;
53char ** sh_argv_store;
54
[181]55#if defined(HAVE_LIBPRELUDE)
[1]56
57
58/*
59 * _() macros are samhain specific; they are used to replace string
60 * constants at runtime. This is part of the samhain stealth mode
61 * (fill string constants with encoded strings, decode at runtime).
62 */
63#define FIL__ _("sh_prelude.c")
64
65
66#include <libprelude/idmef.h>
67#include <libprelude/prelude.h>
68
69/*
70 * includes for samhain-specific functions (sl_strstr, sh_error_handle)
71 */
[108]72#include "samhain.h"
[1]73#include "sh_cat.h"
74#include "sh_error_min.h"
75#include "sh_prelude.h"
[131]76#define SH_NEED_PWD_GRP 1
77#include "sh_static.h"
[169]78char * sh_util_strdup (const char * str) SH_GNUC_MALLOC;
[1]79/*
80 * When SH_USE_XML is set, value are formated using name="value".
81 * Otherwise, value is formatted using the format name=<value>.
82 */
83#ifdef SH_USE_XML
84# define VALUE_DELIM_START '"'
85# define VALUE_DELIM_END '"'
86#else
87# define VALUE_DELIM_START '<'
88# define VALUE_DELIM_END '>'
89#endif
90
91#define IDMEF_ANALYZER_MODEL _("Samhain")
92#define IDMEF_ANALYZER_CLASS _("Integrity Checker")
93#define IDMEF_ANALYZER_VERSION VERSION
[106]94#define IDMEF_ANALYZER_MANUFACTURER _("http://www.la-samhna.de/samhain/")
[1]95
96
97
98/*
99 * 0 = not initialized; -1 = failed; 1 = initialized
100 */
101static int initialized = 0;
102static int ready_for_init = 0;
103
104static char *profile = NULL;
105static prelude_client_t *client = NULL;
106
107static int severity_map[1 + (unsigned int) IDMEF_IMPACT_SEVERITY_HIGH] = {
108 /* 0: unused (?) */ 0,
109 /* 1: INFO */ 0,
110 /* 2: LOW */ SH_ERR_ALL|SH_ERR_INFO,
111 /* 3: MEDIUM */ SH_ERR_NOTICE|SH_ERR_WARN|SH_ERR_STAMP|SH_ERR_ERR,
112 /* 4: HIGH */ SH_ERR_SEVERE|SH_ERR_FATAL
113};
114
115/* returns 0/tiger, 1/sha1, or 2/md5
116 */
117extern int sh_tiger_get_hashtype(void);
118
119static void clear_and_set (int setpos, int flag)
120{
121 unsigned int i;
122 /* clear everywhere, and set at correct position */
123 for (i = 1; i < (1 + (unsigned int) IDMEF_IMPACT_SEVERITY_HIGH); ++i)
124 severity_map[i] &= ~flag;
125 severity_map[setpos] |= flag;
126 return;
127}
128
[22]129static int set_prelude_severity_int (const char * str, int prelude_sev)
[1]130{
[22]131 char * p;
132 char * dup = strdup (str);
[131]133#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
134 char * saveptr;
135#endif
[1]136
[26]137 if (!dup)
138 return -1;
139
[131]140#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
141 p = strtok_r (dup, ", \t", &saveptr);
142#else
[22]143 p = strtok (dup, ", \t");
[131]144#endif
[1]145 if (p) {
146 do {
147 if (0 == strcmp (p, _("alert")))
148 clear_and_set (prelude_sev, SH_ERR_FATAL);
149 else if (0 == strcmp (p, _("crit")))
150 clear_and_set (prelude_sev, SH_ERR_SEVERE);
151 else if (0 == strcmp (p, _("err")))
152 clear_and_set (prelude_sev, SH_ERR_ERR);
153 else if (0 == strcmp (p, _("mark")))
154 clear_and_set (prelude_sev, SH_ERR_STAMP);
155 else if (0 == strcmp (p, _("warn")))
156 clear_and_set (prelude_sev, SH_ERR_WARN);
157 else if (0 == strcmp (p, _("notice")))
158 clear_and_set (prelude_sev, SH_ERR_NOTICE);
159 else if (0 == strcmp (p, _("debug")))
160 clear_and_set (prelude_sev, SH_ERR_ALL);
161 else if (0 == strcmp (p, _("info")))
162 clear_and_set (prelude_sev, SH_ERR_INFO);
[26]163 else {
164 free (dup);
[1]165 return -1;
[26]166 }
[131]167#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
168 p = strtok_r (NULL, ", \t", &saveptr);
169#else
[1]170 p = strtok (NULL, ", \t");
[131]171#endif
[1]172 } while (p);
173 }
[22]174 free(dup);
[1]175 return 0;
176}
177
[22]178int sh_prelude_map_info (const char * str)
[1]179{
180 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_INFO));
181}
[22]182int sh_prelude_map_low (const char * str)
[1]183{
184 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_LOW));
185}
[22]186int sh_prelude_map_medium (const char * str)
[1]187{
188 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_MEDIUM));
189}
[22]190int sh_prelude_map_high (const char * str)
[1]191{
192 return (set_prelude_severity_int(str,(int)IDMEF_IMPACT_SEVERITY_HIGH));
193}
194
195static idmef_impact_severity_t map_severity (int sam_sev)
196{
197 int i;
198 int max = 1 + (unsigned int) IDMEF_IMPACT_SEVERITY_HIGH;
199 idmef_impact_severity_t retval = IDMEF_IMPACT_SEVERITY_MEDIUM;
200
201 for (i = 0; i < max; ++i) {
202 if (severity_map[i] & sam_sev) {
203 retval = (idmef_impact_severity_t) i;
204 }
205 }
206 return retval;
207}
208
209static char *do_get_value(char *ptr, char delim_start, char delim_end)
210{
211 char *ret = NULL;
[283]212#if defined(SH_WITH_SERVER)
213 int delim_start_count = 0;
214 int found = 0;
215#endif
216
[1]217 ptr = strchr(ptr, delim_start);
218 if ( ! ptr )
219 return NULL;
220
221 ret = ++ptr;
[283]222#if defined(SH_WITH_SERVER)
223 while ((*ptr != '\0') && (!found)){
224 if (*ptr == delim_end) {
225 if (delim_start_count == 0)
226 found = 1;
227 delim_start_count--;
228 }
229 else if (*ptr == delim_start)
230 delim_start_count++;
231 ptr++;
232 }
233 ptr = (found) ? ptr-1 : NULL ;
234#else
[1]235 ptr = strchr(ptr, delim_end);
[283]236#endif
[1]237 if ( ! ptr )
238 return NULL;
239
240 *ptr = '\0';
241 ret = strdup(ret);
242 *ptr = delim_end;
243
244 return ret;
245}
246
247
248
249static char *get_value(char *msg, const char *toktmp, const char *toksuffix)
250{
251 char *ptr, tok[128];
252
253 snprintf(tok, sizeof(tok), "%s%s=", toktmp, (toksuffix) ? toksuffix : "");
254
255 ptr = strstr(msg, tok);
256 if ( ! ptr )
257 return NULL;
258
259 return do_get_value(ptr, VALUE_DELIM_START, VALUE_DELIM_END);
260}
261
262
263
264static char *get_time_value(char *msg, const char *toktmp, const char *toksuffix)
265{
266
267 char *ret, *ptr, tok[128];
268
269 snprintf(tok, sizeof(tok), "%s%s=", toktmp, (toksuffix) ? toksuffix : "");
270
271 ptr = strstr(msg, tok);
272 if ( ! ptr )
273 return NULL;
274
275#ifndef SH_USE_XML
276 ret = do_get_value(ptr, '[', ']');
277#else
278 ret = do_get_value(ptr, VALUE_DELIM_START, VALUE_DELIM_END);
279#endif
280
281 return ret;
282}
283
284
285
286
287#if 0
288void debug_print_message(idmef_message_t *msg)
289{
290 int ret;
291 prelude_io_t *fd;
292
293 ret = prelude_io_new(&fd);
294 if ( ret < 0 )
295 return;
296
297 prelude_io_set_file_io(fd, stderr);
298 idmef_message_print(idmef, fd);
299
300 prelude_io_destroy(fd);
301}
302#endif
303
304
305
306static int idmef_time_from_samhain(idmef_time_t **time, const char *str)
307{
308 int ret;
309 char *ptr;
310 time_t utc;
311 struct tm lt;
312
313 /*
314 * Samhain stamp are encoded in UTC.
315 */
316 ptr = strptime(str, _("%Y-%m-%dT%H:%M:%S"), &lt);
317 if ( ! ptr ) {
318 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
319 _("could not format Samhain time"), _("idmef_time_from_samhain"));
320 return -1;
321 }
322
323 utc = prelude_timegm(&lt);
324
325 ret = idmef_time_new_from_time(time, &utc);
326 if ( ret < 0 )
327 return ret;
328
329 return 0;
330}
331
[22]332/* flawfinder: ignore *//* is part of name, not access() */
[1]333static void get_access_info(idmef_file_access_t *access, char * mode, int pos, int mpos)
334{
335 int got = 0;
336 int ret;
337 prelude_string_t *str;
338
339 do {
340 if ( mode[pos] == 'r' ) {
[22]341 /* flawfinder: ignore *//* is part of name, not access() */
[26]342 ret = idmef_file_access_new_permission(access, &str, IDMEF_LIST_APPEND);
[1]343 if ( ret < 0 )
344 return;
345 prelude_string_set_dup(str, _("read"));
346 ++got;
347 }
348 else if ( mode[pos] == 'w' ) {
[22]349 /* flawfinder: ignore *//* is part of name, not access() */
[26]350 ret = idmef_file_access_new_permission(access, &str, IDMEF_LIST_APPEND);
[1]351 if ( ret < 0 )
352 return;
353 prelude_string_set_dup(str, _("write"));
354 ++got;
355 }
356 else if ( mode[pos] == 'x' || mode[pos] == 's' || mode[pos] == 't') {
[22]357 /* flawfinder: ignore *//* is part of name, not access() */
[26]358 ret = idmef_file_access_new_permission(access, &str, IDMEF_LIST_APPEND);
[1]359 if ( ret < 0 )
360 return;
361
362 if ( mode[pos] == 'x' && mode[0] == 'd' )
363 prelude_string_set_dup(str, _("search"));
364
365 else if ( mode[pos] == 'x' || mode[pos] == 't' )
366 prelude_string_set_dup(str, _("execute"));
367
368 else /* 's' */
369 prelude_string_set_dup(str, _("executeAs"));
370 ++got;
371 }
372 ++pos;
373 } while (pos <= mpos);
374
375 if ( got == 0 ) {
[22]376 /* flawfinder: ignore *//* is part of name, not access() */
[26]377 ret = idmef_file_access_new_permission(access, &str, IDMEF_LIST_APPEND);
[1]378 if ( ret < 0 )
379 return;
380 prelude_string_set_dup(str, _("noAccess"));
381 }
382 return;
383}
384
385
386static void get_file_infos(idmef_target_t *target, char *msg,
387 idmef_file_category_t category)
388{
389 int ret;
390 int hashtype = 0;
391 char *ptr;
392 idmef_time_t *time;
393 idmef_file_t *file;
394 idmef_inode_t *inode;
395 prelude_string_t *str;
396 idmef_checksum_t *checksum;
[22]397 idmef_file_access_t *access; /* flawfinder: ignore */
[1]398 idmef_user_id_t *userid;
399 const char *suffix = (category == IDMEF_FILE_CATEGORY_CURRENT) ? "_new" : "_old";
400 char *mode = NULL;
401
[26]402 ret = idmef_target_new_file(target, &file, IDMEF_LIST_APPEND);
[1]403 if ( ret < 0 )
404 return;
405 idmef_file_set_category(file, category);
406
407 ptr = get_value(msg, _("path"), NULL);
408 if ( ptr ) {
409 /*
410 * In term of IDMEF, this is the full path,
411 * including the name.
412 */
413 ret = idmef_file_new_path(file, &str);
[36]414 if ( ret < 0 ) {
415 free(ptr);
[1]416 return;
[36]417 }
[1]418 prelude_string_set_nodup(str, ptr);
419
420 ptr = strrchr(ptr, '/');
421 if ( ptr ) {
422 ret = idmef_file_new_name(file, &str);
[40]423 if ( ret == 0 ) {
424 prelude_string_set_dup(str, ptr + 1);
425 }
[1]426 }
427 }
428
429 ptr = get_value(msg, _("size"), suffix);
430 if ( ptr ) {
431 idmef_file_set_data_size(file, strtoul(ptr, NULL, 10));
432 free(ptr);
433 }
434
435 ptr = get_time_value(msg, _("mtime"), suffix);
436 if ( ptr ) {
437 ret = idmef_time_from_samhain(&time, ptr);
[40]438 if ( ret == 0 ) {
439 idmef_file_set_modify_time(file, time);
[36]440 }
[1]441 free(ptr);
442 }
443
444 ptr = get_time_value(msg, _("ctime"), suffix);
445 if ( ptr ) {
446 ret = idmef_time_from_samhain(&time, ptr);
[40]447 if ( ret == 0 ) {
448 idmef_file_set_create_time(file, time);
[36]449 }
[1]450 free(ptr);
451 }
452
453 ptr = get_value(msg, _("inode"), suffix);
454 if ( ptr ) {
455 ret = idmef_file_new_inode(file, &inode);
[40]456 if ( ret == 0 ) {
457 char * dev = get_value(msg, _("dev"), suffix);
458 if (dev) {
459 char * q = strchr(dev, ',');
460 if (*q) {
461 *q = '\0'; ++q;
462 idmef_inode_set_major_device(inode, strtoul(dev, NULL, 0));
463 idmef_inode_set_minor_device(inode, strtoul( q, NULL, 0));
464 }
465 free(dev);
466 }
467 idmef_inode_set_number(inode, strtoul(ptr, NULL, 10));
[36]468 }
[1]469 free(ptr);
470 }
471
472 ptr = get_value(msg, _("chksum"), suffix);
473 if ( ptr ) {
[26]474 ret = idmef_file_new_checksum(file, &checksum, IDMEF_LIST_APPEND);
[36]475 if ( ret < 0 ) {
[40]476 free(ptr);
477 goto get_mode;
[36]478 }
[1]479
480 hashtype = sh_tiger_get_hashtype();
481
482 if (hashtype == 0)
[40]483 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_TIGER);
[1]484
[40]485 else if (hashtype == 1)
486 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_SHA1);
487
488 else if (hashtype == 2)
489 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_MD5);
490
491 else
492 idmef_checksum_set_algorithm(checksum, IDMEF_CHECKSUM_ALGORITHM_TIGER);
[1]493
494
[40]495 ret = idmef_checksum_new_value(checksum, &str);
496 if ( ret < 0 ) {
497 free(ptr);
498 goto get_mode;
[36]499 }
[1]500
501 /* will be freed on destroy()
502 */
[40]503 prelude_string_set_nodup(str, ptr);
504 }
[1]505
[40]506 get_mode:
507
[1]508 mode = get_value(msg, _("mode"), suffix);
509 if ( mode ) {
[22]510 /* flawfinder: ignore *//* is part of name, not access() */
[26]511 ret = idmef_file_new_file_access(file, &access, IDMEF_LIST_APPEND);
[1]512 if ( ret < 0 )
[40]513 goto get_owner;
[1]514
[22]515 /* flawfinder: ignore *//* is part of name, not access() */
[1]516 ret = idmef_file_access_new_user_id(access, &userid);
517 if ( ret < 0 )
[40]518 goto get_owner;
[1]519 idmef_user_id_set_type(userid, IDMEF_USER_ID_TYPE_OTHER_PRIVS);
520
[22]521 /* flawfinder: ignore *//* is part of name, not access() */
[1]522 get_access_info ( access, mode, 7, 9 );
523 }
[40]524
525 get_owner:
[1]526
527 ptr = get_value(msg, _("owner"), suffix);
528 if ( ptr ) {
[40]529 char * uid;
[1]530
[22]531 /* flawfinder: ignore *//* is part of name, not access() */
[26]532 ret = idmef_file_new_file_access(file, &access, IDMEF_LIST_APPEND);
[36]533 if ( ret < 0 ) {
534 free(ptr);
[40]535 goto get_group;
[36]536 }
[1]537
[22]538 /* flawfinder: ignore *//* is part of name, not access() */
[1]539 ret = idmef_file_access_new_user_id(access, &userid);
[36]540 if ( ret < 0 ) {
541 free(ptr);
[40]542 goto get_group;
[36]543 }
[1]544 idmef_user_id_set_type(userid, IDMEF_USER_ID_TYPE_USER_PRIVS);
545
546 ret = idmef_user_id_new_name(userid, &str);
[36]547 if ( ret < 0 ) {
548 free(ptr);
[40]549 goto get_group;
[36]550 }
[1]551 prelude_string_set_nodup(str, ptr);
552
[40]553 uid = get_value(msg, _("iowner"), suffix);
554 if ( ! uid )
555 goto get_group;
[1]556
[40]557 idmef_user_id_set_number(userid, strtoul(uid, NULL, 0));
[1]558
559 if ( mode ) {
[22]560 /* flawfinder: ignore *//* is part of name, not access() */
[1]561 get_access_info ( access, mode, 1, 3 );
562 }
[40]563
564 free(uid);
[283]565 /* Don't free(ptr) because of prelude_string_set_nodup(str, ptr) */
[1]566 }
567
[40]568 get_group:
569
[1]570 ptr = get_value(msg, _("group"), suffix);
571 if ( ptr ) {
[40]572 char *gid;
[1]573
[22]574 /* flawfinder: ignore *//* is part of name, not access() */
[26]575 ret = idmef_file_new_file_access(file, &access, IDMEF_LIST_APPEND);
[36]576 if ( ret < 0 ) {
577 free(ptr);
578 goto mode_free;
579 }
[1]580
[36]581 ret = idmef_file_access_new_user_id(access, &userid);/* flawfinder: ignore *//* is part of name, not access() */
582 if ( ret < 0 ) {
583 free(ptr);
584 goto mode_free;
585 }
586
[1]587 idmef_user_id_set_type(userid, IDMEF_USER_ID_TYPE_GROUP_PRIVS);
588
589 ret = idmef_user_id_new_name(userid, &str);
[36]590 if ( ret < 0 ) {
591 free(ptr);
592 goto mode_free;
593 }
[1]594
595 prelude_string_set_nodup(str, ptr);
596
[40]597 gid = get_value(msg, _("igroup"), suffix);
598 if ( ! gid )
[36]599 goto mode_free;
[1]600
[40]601 idmef_user_id_set_number(userid, strtoul(gid, NULL, 0));
[1]602
603 if ( mode ) {
[22]604 get_access_info ( access, mode, 4, 6 ); /* flawfinder: ignore */
[1]605 }
[40]606
607 free(gid);
[283]608 /* Don't free(ptr) because of prelude_string_set_nodup(str, ptr) */
[1]609 }
610
[36]611 mode_free:
612
[1]613 if ( mode ) {
614 free ( mode );
615 }
[36]616
617 return;
[1]618}
619
620
621
622static int map_policy_to_class(char *msg, unsigned long msgid, idmef_impact_t *impact, prelude_string_t *out)
623{
624 char *ptr;
625 int ret, i;
626 struct tbl {
627 unsigned int msgid;
628 const char *name;
629 idmef_impact_type_t type;
630 } tbl[] = {
631
632#ifdef SH_USE_UTMP
633 { MSG_UT_LG1X, N_("User Login"), IDMEF_IMPACT_TYPE_USER },
634 { MSG_UT_LG1A, N_("User Login"), IDMEF_IMPACT_TYPE_USER },
635 { MSG_UT_LG1B, N_("User Login"), IDMEF_IMPACT_TYPE_USER },
636 { MSG_UT_LG2X, N_("Multiple User Login"), IDMEF_IMPACT_TYPE_USER },
637 { MSG_UT_LG2A, N_("Multiple User Login"), IDMEF_IMPACT_TYPE_USER },
638 { MSG_UT_LG2B, N_("Multiple User Login"), IDMEF_IMPACT_TYPE_USER },
639 { MSG_UT_LG3X, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
640 { MSG_UT_LG3A, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
641 { MSG_UT_LG3B, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
642 { MSG_UT_LG3C, N_("User Logout"), IDMEF_IMPACT_TYPE_USER },
643#endif
644
645#if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
646 { MSG_FI_MISS, N_("File Missing"), IDMEF_IMPACT_TYPE_FILE },
647 { MSG_FI_MISS2, N_("File Missing"), IDMEF_IMPACT_TYPE_FILE },
648 { MSG_FI_ADD, N_("File Added"), IDMEF_IMPACT_TYPE_FILE },
649 { MSG_FI_ADD2, N_("File Added"), IDMEF_IMPACT_TYPE_FILE },
650 { MSG_FI_CHAN, N_("File Modified"), IDMEF_IMPACT_TYPE_FILE },
651 { MSG_FI_NODIR, N_("File found where directory was expected"), IDMEF_IMPACT_TYPE_FILE },
652#endif
653
654#ifdef SH_USE_KERN
655 { MSG_KERN_POLICY, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
656 { MSG_KERN_POL_CO, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
657 { MSG_KERN_PROC, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
658 { MSG_KERN_GATE, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
659 { MSG_KERN_IDT, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
660 { MSG_KERN_SYSCALL, N_("Kernel Modified"), IDMEF_IMPACT_TYPE_OTHER },
661#endif
662
[169]663#ifdef SH_USE_PORTCHECK
664 { MSG_PORT_MISS, N_("Service closed"), IDMEF_IMPACT_TYPE_OTHER },
665 { MSG_PORT_NEW, N_("Service opened"), IDMEF_IMPACT_TYPE_OTHER },
666 { MSG_PORT_RESTART, N_("Service restarted"), IDMEF_IMPACT_TYPE_OTHER },
667 { MSG_PORT_NEWPORT, N_("Service restarted"), IDMEF_IMPACT_TYPE_OTHER },
668#endif
669
[1]670#ifdef SH_USE_SUIDCHK
671 { MSG_SUID_POLICY, N_("SUID/SGID File Detected"), IDMEF_IMPACT_TYPE_FILE },
672#endif
673 /*
674 * This must be the last table entry
675 */
676 { 0, NULL, IDMEF_IMPACT_TYPE_OTHER },
677 };
678
679 for ( i = 0; tbl[i].name != NULL; i++ ) {
680 if ( tbl[i].msgid != msgid )
681 continue;
682
683 idmef_impact_set_type(impact, tbl[i].type);
684 return prelude_string_cat(out, _(tbl[i].name));
685 }
686
687 /* some other message
688 */
689 ptr = get_value(msg, _("msg"), NULL);
690 if ( ! ptr ) {
691 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
692 _("could not format Samhain message"), _("map_policy_to_class"));
693 return -1;
694 }
[283]695
696#if defined(SH_WITH_SERVER)
697 /* when using yule, theres a msg=<... msg=<...> >*/
[290]698 while ( (msg = get_value(ptr, _("msg"), NULL)) ) {
699 free(ptr);
700 ptr = msg;
701 }
[283]702#endif
703
[1]704 ret = prelude_string_cat(out, ptr);
705 free(ptr);
706
707 return ret;
708}
709
710
[169]711#ifdef SH_USE_PORTCHECK
712static int get_service_info(char *msg, idmef_alert_t *alert)
713{
714 int ret;
715 long port;
[206]716 char *ptr, *new, *tmp, *ip, *srv, *protocol, *end;
[169]717 prelude_string_t *str;
718 idmef_address_t *address;
719 idmef_node_t *node;
[180]720 idmef_user_t *user;
721 idmef_process_t *process;
[169]722 idmef_service_t *service;
723 idmef_source_t *source = idmef_alert_get_next_source(alert, NULL);
[206]724 struct passwd *pw;
725#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
726 struct passwd pwd;
[227]727 char * buffer;
[206]728#endif
[1]729
[169]730 new = sh_util_strdup(msg);
731
732 ptr = strstr(new, _("port: "));
733 if ( ! ptr ) {
734 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
735 _("malformed Samhain port check message"), _("get_service_info"));
736 SH_FREE( new );
737 return -1;
738 }
739
740 ptr += 6; /* skip 'port: ', position on first byte of interface */
741 tmp = strchr(ptr, ':');
742 if ( ! tmp ) {
743 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
744 _("malformed Samhain port check message (no port)"), _("get_service_info"));
745 SH_FREE( new );
746 return -1;
747 }
748 *tmp = '\0';
749
[170]750 /* Get interface
751 */
[169]752 ip = strdup(ptr);
753 if ( ip ) {
754 if ( ! source ) {
755 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
756 if ( ret < 0 ) {
757 free(ip);
758 SH_FREE( new );
759 return ret;
760 }
761 }
762
763 ret = idmef_source_new_node(source, &node);
764 if ( ret < 0 ) {
765 free(ip);
766 SH_FREE( new );
767 return ret;
768 }
769
770 ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
771 if ( ret < 0 ) {
772 free(ip);
773 SH_FREE( new );
774 return ret;
775 }
776
777 ret = idmef_address_new_address(address, &str);
778 if ( ret < 0 ) {
779 free(ip);
780 SH_FREE( new );
781 return ret;
782 }
783
784 prelude_string_set_nodup(str, ip);
785 }
786
787 ptr = tmp;
788 ++ptr;
789 tmp = strchr(ptr, '/');
790 if ( ! tmp ) {
791 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
792 _("malformed Samhain port check message (no protocol)"), _("get_service_info"));
793 SH_FREE( new );
794 return -1;
795 }
796 *tmp = '\0';
797
[170]798 /* Get port number
799 */
[169]800 port = strtol(ptr, &end, 0);
801 if ( *ptr && *end == '\0' && port >= 0 && port < 65536) {
802
803 if ( ! source ) {
804 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
805 if ( ret < 0 ) {
806 SH_FREE( new );
807 return ret;
808 }
809 }
810
811 ret = idmef_source_new_service(source, &service);
812 if ( ret < 0 ) {
813 SH_FREE( new );
814 return ret;
815 }
816
817 idmef_service_set_port(service, port);
[206]818
819 ret = idmef_service_new_protocol(service, &str);
820 if ( ret < 0 ) {
821 SH_FREE( new );
822 return ret;
823 }
824
825 ++tmp;
826 if (*tmp) {
827 char * tmpw = tmp;
828 char tmpw_store;
829 while (*tmpw && !isblank((int) *tmpw)) ++tmpw;
830 tmpw_store = *tmpw; *tmpw = '\0';
831 protocol = strdup(tmp);
832 *tmpw = tmpw_store;
833 prelude_string_set_nodup(str, protocol);
834 }
835
[169]836 }
837
838 ptr = tmp;
839 ++ptr;
840 ptr = strchr(ptr, '(');
841 if ( ! ptr ) {
842 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
843 _("malformed Samhain port check message (no service)"), _("get_service_info"));
844 SH_FREE( new );
845 return -1;
846 }
847 ++ptr;
848 tmp = strchr(ptr, ')');
849 if ( ! tmp ) {
850 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
851 _("malformed Samhain port check message (service not closed)"), _("get_service_info"));
852 SH_FREE( new );
853 return -1;
854 }
855 *tmp = '\0';
856
[170]857 /* Get service
858 */
[169]859 srv = strdup(ptr);
860 if ( srv ) {
861 if ( ! source ) {
862 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
863 if ( ret < 0 ) {
864 free(srv);
865 SH_FREE( new );
866 return ret;
867 }
868 }
869
870 if ( ! service ) {
871 ret = idmef_source_new_service(source, &service);
872 if ( ret < 0 ) {
873 free(srv);
874 SH_FREE( new );
875 return ret;
876 }
877 }
878
[170]879 ret = idmef_service_new_name(service, &str);
[169]880 if ( ret < 0 ) {
881 free(srv);
882 SH_FREE( new );
883 return ret;
884 }
885
886 prelude_string_set_nodup(str, srv);
887 }
888
889 SH_FREE( new );
890
[206]891 ptr = get_value(msg, _("userid"), NULL);
[180]892
893 if ( ptr ) {
894
[206]895 idmef_user_id_t * user_id;
896
[180]897 ret = idmef_source_new_user(source, &user);
898 if ( ret < 0 ) {
899 free(ptr);
900 return ret;
901 }
902
[206]903 idmef_user_set_category(user, IDMEF_USER_CATEGORY_APPLICATION);
904
905 ret = idmef_user_new_user_id(user, &user_id, IDMEF_LIST_APPEND);
[180]906 if ( ret < 0 ) {
[206]907 free(ptr);
[180]908 return ret;
[206]909 }
910
911 idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_CURRENT_USER);
912
913#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
[227]914 buffer = SH_ALLOC(SH_PWBUF_SIZE);
915 sh_getpwnam_r(ptr, &pwd, buffer, SH_PWBUF_SIZE, &pw);
[206]916#else
917 pw = sh_getpwnam(ptr);
918#endif
919 if ( pw )
920 idmef_user_id_set_number(user_id, pw->pw_uid);
921
922 ret = idmef_user_id_new_name(user_id, &str);
923 if ( ret < 0 ) {
924 free(ptr);
[227]925#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
926 SH_FREE(buffer);
927#endif
[206]928 return ret;
929 }
[180]930 prelude_string_set_nodup(str, ptr);
[206]931
[227]932#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
933 SH_FREE(buffer);
934#endif
[180]935 }
936
[227]937
[180]938 ptr = get_value(msg, _("path"), NULL);
[206]939 tmp = get_value(msg, _("pid"), NULL);
[180]940
941 if ( ptr ) {
942
943 /*
944 * In term of IDMEF, this is the full path,
945 * including the name.
946 */
947 ret = idmef_source_new_process(source, &process);
948 if ( ret < 0 ) {
949 free(ptr);
950 return ret;
951 }
952
953 ret = idmef_process_new_path(process, &str);
954 if ( ret < 0 ) {
955 free(ptr);
956 return ret;
957 }
958 prelude_string_set_nodup(str, ptr);
959
[206]960
961 if ( NULL != strrchr(ptr, '/') ) {
[180]962 ret = idmef_process_new_name(process, &str);
963 if ( ret == 0 ) {
[206]964 ptr = strrchr(ptr, '/');
[180]965 prelude_string_set_dup(str, ptr + 1);
966 }
[206]967 } else {
968 ret = idmef_process_new_name(process, &str);
969 if ( ret == 0 ) {
970 prelude_string_set_dup(str, ptr);
971 }
972 }
973
974 idmef_process_set_pid(process, strtoul(tmp, NULL, 0));
[180]975 }
976
[206]977 if (tmp)
978 free(tmp);
979
[169]980 return 0;
981}
982#endif
983
[1]984static int get_login_info(char *msg, idmef_alert_t *alert)
985{
986 int ret;
987 char *ptr, *ip;
988 idmef_user_t *user;
989 idmef_node_t *node;
990 struct passwd *pw;
[131]991#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
992 struct passwd pwd;
[227]993 char * buffer;
[131]994#endif
[1]995 prelude_string_t *str;
996 idmef_user_id_t *user_id;
997 idmef_address_t *address;
998 idmef_target_t *target = idmef_alert_get_next_target(alert, NULL);
999 idmef_source_t *source = idmef_alert_get_next_source(alert, NULL);
1000
1001 ip = ptr = get_value(msg, _("ip"), NULL);
1002 if ( ptr ) {
1003 if ( ! source ) {
[26]1004 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
[1]1005 if ( ret < 0 ) {
1006 free(ptr);
1007 return ret;
1008 }
1009 }
1010
1011 ret = idmef_source_new_node(source, &node);
1012 if ( ret < 0 ) {
1013 free(ptr);
1014 return ret;
1015 }
1016
[26]1017 ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
[1]1018 if ( ret < 0 ) {
1019 free(ptr);
1020 return ret;
1021 }
1022
1023 ret = idmef_address_new_address(address, &str);
1024 if ( ret < 0 ) {
1025 free(ptr);
1026 return ret;
1027 }
1028
1029 prelude_string_set_nodup(str, ptr);
1030 }
1031
1032 ptr = get_value(msg, _("host"), NULL);
1033 if ( ptr ) {
1034 if ( ip && strcmp(ptr, ip) == 0 )
1035 free(ptr);
1036 else {
1037 if ( ! source ) {
[26]1038 ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
[1]1039 if ( ret < 0 ) {
1040 free(ptr);
1041 return ret;
1042 }
1043 }
1044
1045 ret = idmef_source_new_node(source, &node);
1046 if ( ret < 0 ) {
1047 free(ptr);
1048 return ret;
1049 }
1050
1051 ret = idmef_node_new_name(node, &str);
1052 if ( ret < 0 ) {
1053 free(ptr);
1054 return ret;
1055 }
1056
1057 prelude_string_set_nodup(str, ptr);
1058 }
1059 }
1060
1061 ptr = get_value(msg, _("name"), NULL);
1062 if ( ptr ) {
1063 ret = idmef_target_new_user(target, &user);
1064 if ( ret < 0 ) {
1065 free(ptr);
1066 return ret;
1067 }
1068
1069 idmef_user_set_category(user, IDMEF_USER_CATEGORY_OS_DEVICE);
1070
[26]1071 ret = idmef_user_new_user_id(user, &user_id, IDMEF_LIST_APPEND);
[1]1072 if ( ret < 0 ) {
1073 free(ptr);
1074 return ret;
1075 }
1076
1077 idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_TARGET_USER);
1078
[131]1079#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
[227]1080 buffer = SH_ALLOC(SH_PWBUF_SIZE);
1081 sh_getpwnam_r(ptr, &pwd, buffer, SH_PWBUF_SIZE, &pw);
[131]1082#else
1083 pw = sh_getpwnam(ptr);
1084#endif
[1]1085 if ( pw )
1086 idmef_user_id_set_number(user_id, pw->pw_uid);
1087
1088 ret = idmef_user_id_new_name(user_id, &str);
1089 if ( ret < 0 ) {
1090 free(ptr);
[227]1091#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
1092 SH_FREE(buffer);
1093#endif
[1]1094 return ret;
1095 }
1096 prelude_string_set_nodup(str, ptr);
1097
1098 ptr = get_value(msg, _("tty"), NULL);
1099 if ( ptr ) {
1100 ret = idmef_user_id_new_tty(user_id, &str);
1101 if ( ret < 0 ) {
1102 free(ptr);
[227]1103#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
1104 SH_FREE(buffer);
1105#endif
[1]1106 return ret;
1107 }
1108
1109 prelude_string_set_nodup(str, ptr);
1110 }
[227]1111#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
1112 SH_FREE(buffer);
1113#endif
[1]1114 }
1115
1116 ptr = get_time_value(msg, _("time"), NULL);
1117 if ( ptr ) {
1118 idmef_time_t *time;
1119
1120 ret = idmef_time_from_samhain(&time, ptr);
1121 free(ptr);
1122
1123 if ( ret < 0 )
1124 return ret;
1125
1126 idmef_alert_set_detect_time(alert, time);
1127 }
1128
1129 return 0;
1130}
1131
[342]1132#if defined(SH_WITH_SERVER)
[283]1133static int node_set_address(idmef_node_t *node, const char *addr)
1134{
1135 int ret;
1136 prelude_string_t *prelude_str;
1137 idmef_address_t *idmef_addr;
1138
1139 ret = prelude_string_new(&prelude_str);
1140 if ( ret < 0 )
1141 goto err;
1142
1143 ret = prelude_string_set_ref(prelude_str, addr);
1144 if ( ret < 0 )
1145 goto err;
1146
1147 ret = idmef_address_new(&idmef_addr);
1148 if ( ret < 0 )
1149 goto err;
1150
1151 idmef_address_set_category(idmef_addr, IDMEF_ADDRESS_CATEGORY_IPV4_ADDR);
1152 idmef_address_set_address(idmef_addr, prelude_str);
1153 idmef_node_set_address(node, idmef_addr, 0);
1154
1155 return 0;
1156 err:
1157 return -1;
1158}
[342]1159#endif
[283]1160
1161
[1]1162static int samhain_alert_prelude(int priority, int sh_class,
[342]1163 char *message, unsigned long msgid,
1164 char * inet_peer_ip)
[1]1165{
1166 int ret;
1167 idmef_time_t *time;
1168 idmef_alert_t *alert;
1169 idmef_message_t *idmef;
1170 idmef_classification_t *classification;
1171 idmef_assessment_t *assessment;
1172 idmef_additional_data_t *data;
1173 idmef_impact_t *impact;
1174 idmef_target_t *target;
1175 idmef_confidence_t *confidence;
1176 prelude_string_t *str;
[283]1177#if defined(SH_WITH_SERVER)
1178 idmef_node_t *node;
[342]1179#else
1180 (void) inet_peer_ip;
[283]1181#endif
[1]1182
[15]1183 if ( !client || sh_class == STAMP)
[1]1184 return 0;
1185
1186 ret = idmef_message_new(&idmef);
1187 if ( ret < 0 )
1188 goto err;
1189
1190 ret = idmef_message_new_alert(idmef, &alert);
1191 if ( ret < 0 )
1192 goto err;
1193
[26]1194 idmef_alert_set_analyzer(alert, idmef_analyzer_ref(prelude_client_get_analyzer(client)), IDMEF_LIST_PREPEND);
[1]1195
1196 ret = idmef_time_new_from_gettimeofday(&time);
1197 if ( ret < 0 )
1198 goto err;
1199 idmef_alert_set_detect_time(alert, time);
1200
1201 ret = idmef_time_new_from_gettimeofday(&time);
1202 if ( ret < 0 )
1203 goto err;
1204 idmef_alert_set_create_time(alert, time);
1205
1206 ret = idmef_alert_new_classification(alert, &classification);
1207 if ( ret < 0 )
1208 goto err;
1209
[26]1210 ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
[1]1211 if ( ret < 0 )
1212 goto err;
1213
1214 idmef_target_set_decoy(target, IDMEF_TARGET_DECOY_NO);
[283]1215
1216#if defined(SH_WITH_SERVER)
1217 if ( inet_peer_ip != NULL){
1218 ret = idmef_target_new_node(target, &node);
[290]1219 if ( ret < 0 )
1220 goto err;
[1]1221
[283]1222 ret = node_set_address(node, inet_peer_ip);
1223 if ( ret < 0 )
1224 goto err;
1225
1226 idmef_target_set_node(target, idmef_node_ref(node));
1227 }
1228 else
[290]1229#endif
[1]1230 if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
1231 idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
1232 idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
1233 }
[290]1234
[1]1235 if ( strstr(message, _("path=")) ) {
[2]1236#if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
[1]1237 if ( msgid != MSG_FI_ADD && msgid != MSG_FI_ADD2 )
1238 get_file_infos(target, message, IDMEF_FILE_CATEGORY_ORIGINAL);
[2]1239#endif
[1]1240
1241 get_file_infos(target, message, IDMEF_FILE_CATEGORY_CURRENT);
1242 }
1243
1244 ret = idmef_alert_new_assessment(alert, &assessment);
1245 if ( ret < 0 )
1246 goto err;
1247
1248 ret = idmef_assessment_new_impact(assessment, &impact);
1249 if ( ret < 0 )
1250 goto err;
1251
1252 ret = idmef_classification_new_text(classification, &str);
1253 if ( ret < 0 )
1254 goto err;
1255
1256 ret = get_login_info(message, alert);
1257 if ( ret < 0 )
1258 goto err;
1259
[169]1260#ifdef SH_USE_PORTCHECK
1261 if (msgid == MSG_PORT_MISS || msgid == MSG_PORT_NEW || msgid == MSG_PORT_RESTART || msgid == MSG_PORT_NEWPORT) {
1262 ret = get_service_info(message, alert);
1263 if ( ret < 0 )
1264 goto err;
1265 }
1266#endif
1267
[1]1268 map_policy_to_class(message, msgid, impact, str);
1269
1270#if 0
1271 if ( priority == SH_ERR_SEVERE || priority == SH_ERR_FATAL )
1272 idmef_impact_set_severity(impact, IDMEF_IMPACT_SEVERITY_HIGH);
1273
1274 else if ( priority == SH_ERR_ALL || priority == SH_ERR_INFO || priority == SH_ERR_NOTICE )
1275 idmef_impact_set_severity(impact, IDMEF_IMPACT_SEVERITY_LOW);
1276
1277 else
1278 idmef_impact_set_severity(impact, IDMEF_IMPACT_SEVERITY_MEDIUM);
1279#endif
1280 idmef_impact_set_severity(impact, map_severity(priority));
1281
1282 idmef_impact_set_completion(impact, IDMEF_IMPACT_COMPLETION_SUCCEEDED);
1283
1284 ret = idmef_assessment_new_confidence(assessment, &confidence);
1285 if ( ret < 0 )
1286 goto err;
1287
1288 idmef_confidence_set_rating(confidence, IDMEF_CONFIDENCE_RATING_HIGH);
1289
[26]1290 ret = idmef_alert_new_additional_data(alert, &data, IDMEF_LIST_APPEND);
[1]1291 if ( ret < 0 )
1292 goto err;
1293
1294 ret = idmef_additional_data_new_meaning(data, &str);
1295 if ( ret < 0 )
1296 goto err;
1297
1298 prelude_string_set_dup(str, _("Message generated by Samhain"));
1299 idmef_additional_data_set_type(data, IDMEF_ADDITIONAL_DATA_TYPE_STRING);
1300 idmef_additional_data_set_string_ref(data, message);
1301
1302 /* debug_print_message(idmef); */
1303
1304 prelude_client_send_idmef(client, idmef);
1305 idmef_message_destroy(idmef);
1306
1307 return 0;
1308
1309 err:
1310 idmef_message_destroy(idmef);
1311 return -1;
1312}
1313
1314
[283]1315int sh_prelude_alert(int priority, int sh_class, char *message, long msgflags, unsigned long msgid, char *inet_peer_ip)
[1]1316{
1317 int ret;
1318
1319 (void) msgflags; /* fix compiler warning */
1320
[15]1321 if ( initialized < 1 )
[1]1322 return -1;
1323
[283]1324 ret = samhain_alert_prelude(priority, sh_class, message, msgid, inet_peer_ip);
[1]1325 if ( ret < 0 ) {
1326 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
1327 _("Problem with IDMEF for prelude-ids support: alert lost"),
1328 _("sh_prelude_alert"));
1329 }
1330
1331 return ret;
1332}
1333
1334
1335
[22]1336int sh_prelude_set_profile(const char *arg)
[1]1337{
1338 if ( profile ) {
1339 free(profile);
1340 profile = NULL;
1341 }
1342
1343 if ( arg ) {
1344 profile = strdup(arg);
1345 if ( ! profile )
1346 return -1;
1347 }
1348
1349 return 0;
1350}
1351
[86]1352/* Allow initialization of prelude; to be called
1353 * after forking the daemon. Delays heartbeat
1354 * start after config read until it is safe.
1355 */
[1]1356void sh_prelude_reset(void)
1357{
1358 extern void sh_error_init_prelude();
1359
1360 ready_for_init = 1;
1361 sh_error_init_prelude();
1362 return;
1363}
1364
1365
1366
1367void sh_prelude_stop(void)
1368{
1369 if (initialized < 1)
1370 return;
[108]1371
1372 if (sh.flag.isdaemon == S_TRUE)
1373 prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
1374 else
1375 prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1376
[15]1377 client = NULL;
[108]1378
1379 prelude_deinit();
1380
[1]1381 initialized = 0;
1382 return;
1383}
1384
1385
1386
1387int sh_prelude_init(void)
1388{
1389 int ret;
1390 prelude_string_t *str;
1391 idmef_analyzer_t *analyzer;
1392 prelude_client_flags_t flags;
[20]1393#ifdef SH_NOFAILOVER
1394 prelude_connection_pool_t *pool;
1395 prelude_connection_pool_flags_t conn_flags;
1396#endif
[1]1397
1398 if (ready_for_init == 0)
1399 return initialized;
1400
1401 if (initialized > 0)
1402 return initialized;
1403
1404 prelude_thread_init(NULL);
[20]1405 prelude_init(&sh_argc_store, sh_argv_store);
[1]1406
1407 ret = prelude_client_new(&client, profile ? profile : _("samhain"));
1408 if ( ret < 0 ) {
1409 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
1410 _("Failed to initialize Prelude"), _("sh_prelude_init"));
1411 initialized = -1;
1412 return -1;
1413 }
1414
1415 /*
1416 * Enable automatic heartbeat sending.
1417 */
1418 flags = prelude_client_get_flags(client);
1419 ret = prelude_client_set_flags(client, flags | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER);
1420
1421 analyzer = prelude_client_get_analyzer(client);
1422
1423 ret = idmef_analyzer_new_model(analyzer, &str);
1424 prelude_string_set_dup(str, IDMEF_ANALYZER_MODEL);
1425
1426 ret = idmef_analyzer_new_class(analyzer, &str);
1427 prelude_string_set_dup(str, IDMEF_ANALYZER_CLASS);
1428
1429 ret = idmef_analyzer_new_version(analyzer, &str);
1430 prelude_string_set_dup(str, IDMEF_ANALYZER_VERSION);
1431
[20]1432#ifdef SH_NOFAILOVER
1433 pool = prelude_client_get_connection_pool(client);
1434 conn_flags = prelude_connection_pool_get_flags(pool);
1435
1436 conn_flags &= ~PRELUDE_CONNECTION_POOL_FLAGS_FAILOVER;
1437 prelude_connection_pool_set_flags(pool, conn_flags);
1438#endif
1439
[1]1440 ret = prelude_client_start(client);
1441 if ( ret < 0 ) {
1442 prelude_perror(ret, _("error starting prelude client"));
1443
1444 if ( prelude_client_is_setup_needed(ret) )
1445 prelude_client_print_setup_error(client);
1446
1447 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
1448 _("Failed to start Prelude"), _("sh_prelude_init"));
1449 initialized = -1;
1450 return -1;
1451 }
1452
1453 initialized = 1;
1454 return 1;
1455}
1456
1457/* HAVE_LIBPRELUDE_9 */
1458#endif
1459
Note: See TracBrowser for help on using the repository browser.