- Timestamp:
- Jul 30, 2007, 10:59:10 PM (17 years ago)
- Location:
- trunk
- Files:
-
- 8 edited
trunk/docs/Changelog
r113 r114 1 1 2.3.6: 2 * sh_hash.c: replace check for prefix 'K' with check for not prefix'/' 3 to allow for arbitrary module-specific store/lookup in db 4 * replace 'visited', 'reported', 'allignore' with generic 'fflags' field 2 5 * sh_cat.c: reduce priority of MSG_TCP_RESET to avoid spamming if 3 6 port checking is used on same host as server (reported by kadafax) -
trunk/include/samhain.h
r105 r114 124 124 SH_CHECK_CHECK = 2 125 125 }; 126 127 /* Flags for file status 128 */ 129 #define SH_FFLAG_ALLIGNORE (1<<0) 130 #define SH_FFLAG_VISITED (1<<1) 131 #define SH_FFLAG_CHECKED (1<<3) 132 #define SH_FFLAG_REPORTED (1<<3) 133 134 #define SH_FFLAG_ALLIGNORE_SET(a) (((a) & SH_FFLAG_ALLIGNORE) != 0) 135 #define SET_SH_FFLAG_ALLIGNORE(a) ((a) |= SH_FFLAG_ALLIGNORE) 136 #define CLEAR_SH_FFLAG_ALLIGNORE(a) ((a) &= ~SH_FFLAG_ALLIGNORE) 137 138 #define SH_FFLAG_VISITED_SET(a) (((a) & SH_FFLAG_VISITED) != 0) 139 #define SET_SH_FFLAG_VISITED(a) ((a) |= SH_FFLAG_VISITED) 140 #define CLEAR_SH_FFLAG_VISITED(a) ((a) &= ~SH_FFLAG_VISITED) 141 142 #define SH_FFLAG_CHECKED_SET(a) (((a) & SH_FFLAG_VISITED) != 0) 143 #define SET_SH_FFLAG_CHECKED(a) ((a) |= SH_FFLAG_VISITED) 144 #define CLEAR_SH_FFLAG_CHECKED(a) ((a) &= ~SH_FFLAG_VISITED) 145 146 #define SH_FFLAG_REPORTED_SET(a) (((a) & SH_FFLAG_REPORTED) != 0) 147 #define SET_SH_FFLAG_REPORTED(a) ((a) |= SH_FFLAG_REPORTED) 148 #define CLEAR_SH_FFLAG_REPORTED(a) ((a) &= ~SH_FFLAG_REPORTED) 149 126 150 127 151 -
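Review bot: `SH_FFLAG_CHECKED` and `SH_FFLAG_REPORTED` are both defined as `(1<<3)` (new lines 131-132), and the three `*_CHECKED` macros at new lines 142-144 test, set and clear `SH_FFLAG_VISITED` rather than `SH_FFLAG_CHECKED`. With these definitions the pair `SET_SH_FFLAG_VISITED(x); CLEAR_SH_FFLAG_CHECKED(x);` used throughout sh_hash.c leaves the visited bit cleared. In `sh_hash_set_visited_int` the test `flag == SH_FFLAG_CHECKED` also matches callers that pass `SH_FFLAG_REPORTED`, so the reported branch cannot be reached. This state drives the missing-file pass in sh_hash.c (the block tagged `hash_unvisited`), so the likely result is spurious or suppressed missing-file reports. Give CHECKED its own bit and point its macros at it, as below.

```c
#define SH_FFLAG_CHECKED   (1<<2)
/* … unchanged: SH_FFLAG_REPORTED and the ALLIGNORE / VISITED macros … */
#define SH_FFLAG_CHECKED_SET(a)   (((a) & SH_FFLAG_CHECKED) != 0)
#define SET_SH_FFLAG_CHECKED(a)   ((a) |= SH_FFLAG_CHECKED)
#define CLEAR_SH_FFLAG_CHECKED(a) ((a) &= ~SH_FFLAG_CHECKED)
```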
trunk/include/sh_unix.h
r103 r114 111 111 typedef struct file_struct { 112 112 unsigned long check_mask; 113 int reported;113 int file_reported; 114 114 char fullpath[PATH_MAX]; 115 115 ShFileType type; -
trunk/src/sh_files.c
r94 r114 116 116 short checked; 117 117 short childs_checked; 118 short reported;118 short is_reported; 119 119 /* struct dirstack_entry * next; */ 120 120 } dirstack_t; … … 234 234 235 235 BREAKEXIT(sh_files_filecheck); 236 tmp_reported = ptr-> reported; /* fix aliasing warning */236 tmp_reported = ptr->is_reported; /* fix aliasing warning */ 237 237 status = sh_files_filecheck (ptr->class, dir, file, 238 238 &tmp_reported, 0); 239 ptr-> reported = tmp_reported;239 ptr->is_reported = tmp_reported; 240 240 241 241 TPT(( 0, FIL__, __LINE__, 242 242 _("msg=<filecheck complete: %s> status=<%d> reported=<%d>\n"), 243 tmp, status, ptr-> reported));244 245 if (status == SH_FILE_UNKNOWN && ptr->reported == S_FALSE)243 tmp, status, ptr->is_reported)); 244 245 if (status == SH_FILE_UNKNOWN && (!SH_FFLAG_REPORTED_SET(ptr->is_reported))) 246 246 { 247 247 TPT(( 0, FIL__, __LINE__, _("msg=<file: %s> status=<%d>\n"), … … 288 288 #endif 289 289 if (sh.flag.reportonce == S_TRUE) 290 ptr->reported = S_TRUE;290 SET_SH_FFLAG_REPORTED(ptr->is_reported); 291 291 } 292 292 else … … 294 294 /* exists (status >= 0), but was missing (reported == TRUE) 295 295 */ 296 if (status != SH_FILE_UNKNOWN && ptr->reported == S_TRUE)296 if (status != SH_FILE_UNKNOWN && SH_FFLAG_REPORTED_SET(ptr->is_reported)) 297 297 { 298 ptr->reported = S_FALSE;298 CLEAR_SH_FFLAG_REPORTED(ptr->is_reported); 299 299 } 300 300 /* Catchall … … 759 759 new_item_ptr->rdepth = 0; 760 760 new_item_ptr->checked = S_FALSE; 761 new_item_ptr-> reported = S_FALSE;761 new_item_ptr->is_reported = 0; 762 762 new_item_ptr->childs_checked = S_FALSE; 763 763 … … 1005 1005 ptr->name); 1006 1006 1007 if (status < 0 && ptr->reported == S_FALSE)1007 if (status < 0 && (!SH_FFLAG_REPORTED_SET(ptr->is_reported))) 1008 1008 { 1009 1009 /* directory is missing … … 1024 1024 } 1025 1025 if (sh.flag.reportonce == S_TRUE) 1026 ptr->reported = S_TRUE;1026 SET_SH_FFLAG_REPORTED(ptr->is_reported); 1027 1027 } 1028 1028 else … … 1030 1030 /* 
exists (status >= 0), but was missing (reported == TRUE) 1031 1031 */ 1032 if (status >= 0 && ptr->reported == S_TRUE)1032 if (status >= 0 && SH_FFLAG_REPORTED_SET(ptr->is_reported)) 1033 1033 { 1034 ptr->reported = S_FALSE;1034 CLEAR_SH_FFLAG_REPORTED(ptr->is_reported); 1035 1035 #if 0 1036 1036 /* obsoleted (really?) by the mandatory sh_files_filecheck() … … 1163 1163 new_item_ptr->rdepth = rdepth; 1164 1164 new_item_ptr->checked = S_FALSE; 1165 new_item_ptr-> reported = S_FALSE;1165 new_item_ptr->is_reported = 0; 1166 1166 new_item_ptr->childs_checked = S_FALSE; 1167 1167 … … 1765 1765 */ 1766 1766 if (dst_ptr && sh.flag.reportonce == S_TRUE) 1767 dummy = dst_ptr-> reported;1767 dummy = dst_ptr->is_reported; 1768 1768 1769 1769 checkit = sh_files_filecheck (file_class_next, … … 1777 1777 */ 1778 1778 if (dst_ptr && sh.flag.reportonce == S_TRUE) 1779 dst_ptr-> reported = dummy;1779 dst_ptr->is_reported = dummy; 1780 1780 } 1781 1781 … … 1996 1996 */ 1997 1997 sl_strlcpy (theFile.fullpath, fullpath, PATH_MAX); 1998 theFile.check_mask = sh_files_maskof(class);1999 theFile. reported= (*reported);2000 theFile.attr_string = NULL;1998 theFile.check_mask = sh_files_maskof(class); 1999 theFile.file_reported = (*reported); 2000 theFile.attr_string = NULL; 2001 2001 2002 2002 TPT(( 0, FIL__, __LINE__, _("msg=<checking file: %s>\n"), fullpath)); … … 2045 2045 } 2046 2046 2047 (*reported) = theFile. reported;2047 (*reported) = theFile.file_reported; 2048 2048 2049 2049 /* reset the access time -
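Review bot: The comments kept at new lines 294 and 1030, `exists (status >= 0), but was missing (reported == TRUE)`, still describe a boolean, while `is_reported` is now a bit mask read through `SH_FFLAG_REPORTED_SET` and written with `SET_`/`CLEAR_SH_FFLAG_REPORTED`. The name `is_reported` also reads like a truth value, which invites a later `== S_TRUE` comparison that would no longer be correct. I would reword both comments to `/* exists (status >= 0), but was missing (REPORTED flag set) */` and annotate the field in `dirstack_t` as `short is_reported; /* SH_FFLAG_* bit mask, not S_TRUE/S_FALSE */`. The functions around these hunks start and end outside the visible lines, so other readers of the field may exist that the page does not show.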
trunk/src/sh_hash.c
r107 r114 290 290 char * linkpath; 291 291 char * attr_string; 292 int visited; 293 int reported; 294 int allignore; 292 int fflags; 295 293 unsigned long modi_mask; 296 294 struct file_info * next; … … 487 485 } 488 486 489 /* Kernel info487 /* Not a fully qualified path, i.e. some info stored by some module 490 488 */ 491 if (p->fullpath[0] == 'K')489 if (p->fullpath[0] != '/') 492 490 { 493 491 SL_RET0(_("hash_unvisited")); 494 492 } 495 493 496 /* visited = FALSE: not seen;497 * visited = 99: not seen, and already checked498 * reported = FALSE: not reported yet499 * allignore = FALSE: not under IgnoreAll494 /* visited flag not set: not seen; 495 * checked flag set: not seen (i.e. missing), and already checked 496 * reported flag not set: not reported yet 497 * allignore flag not set: not under IgnoreAll 500 498 * 501 499 * Files/directories under IgnoreAll are noticed as missing already 502 500 * during the file check. 503 501 */ 504 if ((p->visited == S_FALSE || p->visited == 99) && p->reported == S_FALSE 505 && p->allignore == S_FALSE) 502 if (((!SH_FFLAG_VISITED_SET(p->fflags)) || SH_FFLAG_CHECKED_SET(p->fflags)) 503 && (!SH_FFLAG_REPORTED_SET(p->fflags)) 504 && (!SH_FFLAG_ALLIGNORE_SET(p->fflags))) 506 505 { 507 506 i = retry_lstat(FIL__, __LINE__, p->fullpath, &buf); … … 520 519 SH_FREE(ptr); 521 520 } 522 if (p->visited != 99) 521 522 /* Only report if !SH_FFLAG_CHECKED_SET 523 */ 524 if (!SH_FFLAG_CHECKED_SET(p->fflags)) 523 525 { 524 526 if (S_FALSE == sh_ignore_chk_del(p->fullpath)) … … 572 574 SL_RET0(_("hash_unvisited")); 573 575 #else 574 p->reported = S_TRUE;576 SET_SH_FFLAG_REPORTED(p->fflags); 575 577 #endif 576 578 } … … 578 580 } 579 581 580 else if ( p->visited == S_TRUE && p->reported == S_TRUE581 && p->allignore == S_FALSE)582 else if (SH_FFLAG_VISITED_SET(p->fflags) && SH_FFLAG_REPORTED_SET(p->fflags) 583 && (!SH_FFLAG_ALLIGNORE_SET(p->fflags))) 582 584 { 583 585 if (S_FALSE == sh_ignore_chk_new(p->fullpath)) … … 597 599 } 598 600 599 
p->reported = S_FALSE;601 CLEAR_SH_FFLAG_REPORTED(p->fflags); 600 602 } 601 603 602 604 if (sh.flag.reportonce == S_FALSE) 603 p->reported = S_FALSE; 604 605 p->visited = S_FALSE; 605 CLEAR_SH_FFLAG_REPORTED(p->fflags); 606 607 CLEAR_SH_FFLAG_VISITED(p->fflags); 608 CLEAR_SH_FFLAG_CHECKED(p->fflags); 609 606 610 SL_RET0(_("hash_unvisited")); 607 611 } … … 1049 1053 1050 1054 memcpy( &(*p).theFile, &ft, sizeof(sh_filestore_t) ); 1051 p->visited = S_FALSE; 1052 p-> reported = S_FALSE;1053 p->allignore = S_FALSE; 1055 1056 p->fflags = 0; 1057 1054 1058 p->modi_mask = 0L; 1055 1059 p->fullpath = fullpath; … … 1835 1839 1836 1840 if (!p) return (-1); 1837 if ( p->allignore == S_FALSE&&1841 if ((!SH_FFLAG_ALLIGNORE_SET(p->fflags)) && 1838 1842 (p->modi_mask & MODI_CHK) != 0 && 1839 1843 (p->modi_mask & MODI_MOD) != 0) … … 1883 1887 if (p == NULL) 1884 1888 SL_RETURN((-1), _("sh_hash_set_visited_int")); 1885 if (flag == 99) 1886 { 1887 p->visited = 99; 1888 p->reported = S_FALSE; 1889 } 1890 else 1891 { 1892 p->visited = S_TRUE; 1893 p->reported = flag; 1889 1890 if (flag == SH_FFLAG_CHECKED) 1891 { 1892 CLEAR_SH_FFLAG_REPORTED(p->fflags); 1893 CLEAR_SH_FFLAG_VISITED(p->fflags); 1894 SET_SH_FFLAG_CHECKED(p->fflags); 1895 } 1896 else 1897 { 1898 SET_SH_FFLAG_VISITED(p->fflags); 1899 CLEAR_SH_FFLAG_CHECKED(p->fflags); 1900 if (flag == SH_FFLAG_REPORTED) 1901 SET_SH_FFLAG_REPORTED(p->fflags); 1902 else 1903 CLEAR_SH_FFLAG_REPORTED(p->fflags); 1894 1904 } 1895 1905 SL_RETURN((0), _("sh_hash_set_visited_int")); … … 1903 1913 int i; 1904 1914 SL_ENTER(_("sh_hash_set_visited")); 1905 i = sh_hash_set_visited_int(newname, 99);1915 i = sh_hash_set_visited_int(newname, SH_FFLAG_CHECKED); 1906 1916 SL_RETURN(i, _("sh_hash_set_visited")); 1907 1917 } 1908 1918 1919 /* mark the file as visited and reported 1920 */ 1909 1921 int sh_hash_set_visited (char * newname) 1910 1922 { 1911 1923 int i; 1912 1924 SL_ENTER(_("sh_hash_set_visited")); 1913 i = sh_hash_set_visited_int(newname, S 
_TRUE);1925 i = sh_hash_set_visited_int(newname, SH_FFLAG_REPORTED); 1914 1926 SL_RETURN(i, _("sh_hash_set_visited")); 1915 1927 } 1916 1928 1929 /* mark the file as visited and NOT reported 1930 * used to avoid deletion of file from internal database 1931 */ 1917 1932 int sh_hash_set_visited_true (char * newname) 1918 1933 { 1919 1934 int i; 1920 1935 SL_ENTER(_("sh_hash_set_visited_true")); 1921 i = sh_hash_set_visited_int(newname, S_FALSE);1936 i = sh_hash_set_visited_int(newname, 0); 1922 1937 SL_RETURN(i, _("sh_hash_set_visited_true")); 1923 1938 } … … 2091 2106 2092 2107 memcpy( &(*fp).theFile, &p, sizeof(sh_filestore_t) ); 2093 fp->visited = S_FALSE; 2094 fp->reported = S_FALSE; 2095 fp->allignore = S_FALSE; 2108 fp->fflags = 0; 2096 2109 fp->modi_mask = 0L; 2097 2110 … … 2599 2612 2600 2613 if (p) 2601 p->visited = S_TRUE; 2614 { 2615 SET_SH_FFLAG_VISITED(p->fflags); 2616 CLEAR_SH_FFLAG_CHECKED(p->fflags); 2617 } 2618 2602 2619 if (sh.flag.reportonce == S_TRUE) 2603 theFile->reported = S_TRUE;2620 SET_SH_FFLAG_REPORTED(theFile->file_reported); 2604 2621 2605 2622 if (sh.flag.reportonce == S_TRUE && sh.flag.update == S_FALSE) … … 2828 2845 /* --- Report on modified files. 
--- 2829 2846 */ 2830 if (modi_mask != 0 && p->reported == S_FALSE)2847 if (modi_mask != 0 && (!SH_FFLAG_REPORTED_SET(p->fflags))) 2831 2848 { 2832 2849 tmp = SH_ALLOC(SH_BUFSIZE); … … 3188 3205 3189 3206 #ifndef REPLACE_OLD 3190 p->reported = S_TRUE;3207 SET_SH_FFLAG_REPORTED(p->fflags); 3191 3208 #endif 3192 3209 … … 3247 3264 theFile->hardlinks = p->theFile.hardlinks; 3248 3265 3249 p->visited = S_TRUE; 3266 SET_SH_FFLAG_VISITED(p->fflags); 3267 CLEAR_SH_FFLAG_CHECKED(p->fflags); 3250 3268 SL_RETURN(1, _("sh_hash_compdata")); 3251 3269 } … … 3316 3334 } 3317 3335 3318 p->visited = S_TRUE; 3336 SET_SH_FFLAG_VISITED(p->fflags); 3337 CLEAR_SH_FFLAG_CHECKED(p->fflags); 3319 3338 3320 3339 SL_RETURN(0, _("sh_hash_compdata")); … … 3334 3353 { 3335 3354 for (p = tab[i]; p; p = p->next) 3336 p->allignore = S_FALSE;3355 CLEAR_SH_FFLAG_ALLIGNORE(p->fflags); 3337 3356 } 3338 3357 SL_RETURN (0, _("sh_hash_compdata")); … … 3362 3381 if (p->fullpath && 0 == strncmp(s, p->fullpath, len)) 3363 3382 { 3364 p->allignore = S_TRUE;3383 SET_SH_FFLAG_ALLIGNORE(p->fflags); 3365 3384 } 3366 3385 } -
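Review bot: The new guard `if (p->fullpath[0] != '/')` at new line 489 exempts every database record whose path is not absolute from the missing-file check, not only module records, and nothing in the hunk documents or validates that. An empty or relative `fullpath` coming from a damaged or altered baseline would be skipped silently here, so it seems worth validating the prefix where records are loaded (outside this hunk) or at least logging the skip at debug level. `p->fullpath` is also dereferenced without a NULL test, although the prefix-match loop near new line 3381 does test `p->fullpath &&` first; that was already the case with the old `'K'` check. As a minimum I would extend the comment to `/* Not an absolute path: module-specific record, deliberately exempt from the missing-file check */`.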
trunk/src/sh_kern.c
r102 r114 901 901 (void) sl_strlcpy (theFile.fullpath, pcipath, PATH_MAX); 902 902 theFile.check_mask = sh_files_maskof(SH_LEVEL_READONLY); 903 theFile.reported = S_FALSE;903 CLEAR_SH_FFLAG_REPORTED(theFile.file_reported); 904 904 theFile.attr_string = NULL; 905 905 -
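Review bot: `CLEAR_SH_FFLAG_REPORTED(theFile.file_reported)` at new line 903 is a read-modify-write (`&= ~SH_FFLAG_REPORTED`), whereas the line it replaces was a plain assignment that initialised the field. If `theFile` is a local that is not zeroed beforehand (its declaration is outside the hunk, and the neighbouring fields are set one by one), this reads an indeterminate value and leaves the remaining flag bits undefined. Initialising with `theFile.file_reported = 0;` keeps the old guarantee. The same applies to the identical change at sh_suidchk.c new line 978.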
trunk/src/sh_suidchk.c
r94 r114 976 976 (void) sl_strlcpy (theFile.fullpath, tmpcat, PATH_MAX); 977 977 theFile.check_mask = sh_files_maskof(SH_LEVEL_READONLY); 978 theFile.reported = S_FALSE;978 CLEAR_SH_FFLAG_REPORTED(theFile.file_reported); 979 979 theFile.attr_string = NULL; 980 980 -
trunk/src/sh_unix.c
r107 r114 3178 3178 if (sh.flag.checkSum == SH_CHECK_INIT || 3179 3179 (sh_hash_have_it (theFile->fullpath) >= 0 && 3180 theFile->reported == S_FALSE))3180 (!SH_FFLAG_REPORTED_SET(theFile->file_reported)))) 3181 3181 { 3182 3182 if (S_FALSE == sh_ignore_chk_del(theFile->fullpath)) {