Index: /trunk/docs/Changelog
===================================================================
--- /trunk/docs/Changelog	(revision 205)
+++ /trunk/docs/Changelog	(revision 206)
@@ -1,3 +1,5 @@
 2.5.2:
+	* fix reporting of user for open ports to prelude
+	* report process pid for open ports
 	* replace _exit() by raise(SIGKILL) b/o pthread problem
 	* new option LooseDirCheck ([false]/true), request by 
Index: /trunk/src/sh_cat.c
===================================================================
--- /trunk/src/sh_cat.c	(revision 205)
+++ /trunk/src/sh_cat.c	(revision 206)
@@ -135,7 +135,7 @@
 #ifdef SH_USE_PORTCHECK
   { MSG_PORT_MISS,   SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceMissing] %s\"")},
-  { MSG_PORT_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceNew] %s\" path=\"%s\" userid=\"%s\"")},
-  { MSG_PORT_RESTART,SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceRestarted] %s\" path=\"%s\" userid=\"%s\"")},
-  { MSG_PORT_NEWPORT,SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServicePortSwitch] %s\" path=\"%s\" userid=\"%s\"")},
+  { MSG_PORT_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceNew] %s\" path=\"%s\"  pid=\"%lu\" userid=\"%s\"")},
+  { MSG_PORT_RESTART,SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceRestarted] %s\" path=\"%s\" pid=\"%lu\" userid=\"%s\"")},
+  { MSG_PORT_NEWPORT,SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServicePortSwitch] %s\" path=\"%s\" pid=\"%lu\" userid=\"%s\"")},
 #endif
 
@@ -464,7 +464,7 @@
 #ifdef SH_USE_PORTCHECK
   { MSG_PORT_MISS,   SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceMissing] %s>")},
-  { MSG_PORT_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceNew] %s> path=<%s> userid=<%s>")},
-  { MSG_PORT_RESTART,SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceRestarted] %s> path=<%s> userid=<%s>")},
-  { MSG_PORT_NEWPORT,SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServicePortSwitch] %s> path=<%s> userid=<%s>")},
+  { MSG_PORT_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceNew] %s> path=<%s> pid=<%lu> userid=<%s>")},
+  { MSG_PORT_RESTART,SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceRestarted] %s> path=<%s> pid=<%lu> userid=<%s>")},
+  { MSG_PORT_NEWPORT,SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServicePortSwitch] %s> path=<%s> pid=<%lu> userid=<%s>")},
 #endif
 
Index: /trunk/src/sh_port2proc.c
===================================================================
--- /trunk/src/sh_port2proc.c	(revision 205)
+++ /trunk/src/sh_port2proc.c	(revision 206)
@@ -311,5 +311,5 @@
 /* returns the command and fills the 'user' array 
  */
-char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport,
+char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport, unsigned long * pid,
 			  char * user, size_t userlen)
 {
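Review bot: The header comment at lines 42-43 still says the function only returns the command and fills 'user', but the new `unsigned long * pid` out-parameter is now part of the contract; I'd extend it to `/* returns the command (caller frees it), fills the 'user' array and stores the owning pid in *pid (0 if it could not be determined) */`. The `*pid = 0;` default is only assigned after the fopen calls in the hunk at line 48, so it depends on nothing between this signature and line 320 returning early; moving that assignment to the first statement of the body makes the "always written" guarantee independent of later control flow. The function body continues outside the hunk.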
@@ -320,4 +320,6 @@
   else
     fd = fopen("/proc/net/udp", "r");
+
+  *pid = 0;
 
   if (fd)
@@ -345,4 +347,5 @@
 			{
 			  fclose(fd);
+			  *pid = (unsigned long) new->pid;
 			  if (new->path)
 			    {
@@ -363,5 +366,5 @@
     }
  err_out:
-  sl_strlcpy(user, "0", userlen);
+  sl_strlcpy(user, "-", userlen);
   return sh_util_strdup("-");
 }
@@ -750,5 +753,5 @@
 
 char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport,
-			  char * user, size_t userlen)
+			  unsigned long * pid, char * user, size_t userlen)
 {
   int n, hash;
@@ -756,4 +759,6 @@
   struct in_addr * haddr;
   struct sock * s;
+
+  *pid = 0;
   
   for (xf = xfiles, n = 0; n < nxfiles; ++n, ++xf) {
@@ -796,4 +801,6 @@
 	struct sock_store try;
 	
+	*pid = xf->xf_pid;
+
 	try.pid  = xf->xf_pid;
 	try.path = NULL;
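Review bot: `*pid = xf->xf_pid;` at line 85 converts xf_pid implicitly, whereas the Linux implementation casts explicitly at line 58 (`(unsigned long) new->pid`); if xf_pid is a signed pid_t the conversion is well-defined but silent, and -Wsign-conversion will flag one site and not the other. For consistency I'd write `*pid = (unsigned long) xf->xf_pid;`. The enclosing function starts at line 70 and continues outside the hunk.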
@@ -862,5 +869,5 @@
 
 char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport,
-			  char * user, size_t userlen)
+			  unsigned long * pid, char * user, size_t userlen)
 {
   (void) proto;
@@ -868,4 +875,6 @@
   (void) sport;
 
+  *pid = 0;
+
   sl_strlcpy(user, "-", userlen);
   return sh_util_strdup("-");
Index: /trunk/src/sh_portcheck.c
===================================================================
--- /trunk/src/sh_portcheck.c	(revision 205)
+++ /trunk/src/sh_portcheck.c	(revision 206)
@@ -137,5 +137,5 @@
 
 extern char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport,
-				 char * user, size_t userlen);
+				 unsigned long * pid, char * user, size_t userlen);
 extern int sh_port2proc_prepare();
 
@@ -515,4 +515,5 @@
 	{
 	  char * path;
+	  unsigned long qpid;
 	  char   user[USER_MAX];
 
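Review bot: `unsigned long qpid;` at line 117 has no initializer and is only written inside the `#else` branch (hunk at line 120) by sh_port2proc_query, so the value passed to sh_error_handle is entirely at the callee's mercy, and in the other branch of that `#if`/`#else` the variable appears unused, which -Wunused-variable will report; `unsigned long qpid = 0;` removes both concerns and matches the "0 means unknown" convention the callee uses. The same applies to the identical declarations in the hunks at lines 131, 148, 165 and 182. The enclosing function starts and ends outside the hunk.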
@@ -523,8 +524,8 @@
 		  inet_ntoa(haddr), port, SH_PROTO_STR(proto), service);
 #else
-	  path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+	  path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
 	  SH_MUTEX_LOCK(mutex_thread_nolog);
 	  sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-			  MSG_PORT_NEW, errbuf, path, user);
+			  MSG_PORT_NEW, errbuf, path, qpid, user);
 	  SH_MUTEX_UNLOCK(mutex_thread_nolog);
 	  SH_FREE(path);
@@ -538,4 +539,5 @@
 	{
 	  char * path;
+	  unsigned long qpid;
 	  char   user[USER_MAX];
 
@@ -545,8 +547,8 @@
 	  fprintf(stderr, _("service: %s\n"), errbuf);
 #else
-	  path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+	  path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
 	  SH_MUTEX_LOCK(mutex_thread_nolog);
 	  sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-			  MSG_PORT_RESTART, errbuf, path, user);
+			  MSG_PORT_RESTART, errbuf, path, qpid, user);
 	  SH_MUTEX_UNLOCK(mutex_thread_nolog);
 	  SH_FREE(path);
@@ -558,4 +560,5 @@
 	{
 	  char * path;
+	  unsigned long qpid;
 	  char   user[USER_MAX];
 
@@ -565,8 +568,8 @@
 	  fprintf(stderr, _("service: %s\n"), errbuf);
 #else
-	  path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+	  path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
 	  SH_MUTEX_LOCK(mutex_thread_nolog);
 	  sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-			  MSG_PORT_NEWPORT, errbuf, path, user);
+			  MSG_PORT_NEWPORT, errbuf, path, qpid, user);
 	  SH_MUTEX_UNLOCK(mutex_thread_nolog);
 	  SH_FREE(path);
@@ -585,4 +588,5 @@
 	{
 	  char * path;
+	  unsigned long qpid;
 	  char   user[USER_MAX];
 
@@ -593,8 +597,8 @@
 		  inet_ntoa(haddr), port, SH_PROTO_STR(proto), check_services(port, proto));
 #else
-	  path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+	  path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
 	  SH_MUTEX_LOCK(mutex_thread_nolog);
 	  sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-			  MSG_PORT_NEW, errbuf, path, user);
+			  MSG_PORT_NEW, errbuf, path, qpid, user);
 	  SH_MUTEX_UNLOCK(mutex_thread_nolog);
 	  SH_FREE(path);
@@ -608,4 +612,5 @@
 	{
 	  char * path;
+	  unsigned long qpid;
 	  char   user[USER_MAX];
 
@@ -615,8 +620,8 @@
 	  fprintf(stderr, _("port   : %s\n"), errbuf);
 #else
-	  path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+	  path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
 	  SH_MUTEX_LOCK(mutex_thread_nolog);
 	  sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-			  MSG_PORT_RESTART, errbuf, path, user);
+			  MSG_PORT_RESTART, errbuf, path, qpid, user);
 	  SH_MUTEX_UNLOCK(mutex_thread_nolog);
 	  SH_FREE(path);
Index: /trunk/src/sh_prelude.c
===================================================================
--- /trunk/src/sh_prelude.c	(revision 205)
+++ /trunk/src/sh_prelude.c	(revision 206)
@@ -696,5 +696,5 @@
         int ret;
 	long port;
-	char *ptr, *new, *tmp, *ip, *srv, *end;
+	char *ptr, *new, *tmp, *ip, *srv, *protocol, *end;
         prelude_string_t *str;
         idmef_address_t *address;
@@ -704,4 +704,9 @@
         idmef_service_t *service;
         idmef_source_t *source = idmef_alert_get_next_source(alert, NULL);
+        struct passwd *pw;
+#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
+	struct passwd pwd;
+	char buffer[SH_PWBUF_SIZE];
+#endif
 
         new = sh_util_strdup(msg);
@@ -778,8 +783,9 @@
         if ( *ptr && *end == '\0' && port >= 0 && port < 65536) {
 
+	        char * tmpw;
+
                 if ( ! source ) {
                         ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
                         if ( ret < 0 ) {
-                                free(srv);
 				SH_FREE( new );
                                 return ret;
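Review bot: `char * tmpw;` added at line 223 is never used in this scope and is shadowed by the inner `char * tmpw = tmp;` in the hunk at line 237, so it only produces -Wunused-variable and -Wshadow noise; drop lines 223-224. Separately, dropping `free(srv)` on the error returns here and in the hunk at line 231 is only leak-free if srv no longer owns a heap allocation at this point, which the allocation site outside the hunk would have to confirm. The enclosing function starts and ends outside the hunk.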
@@ -789,5 +795,4 @@
                 ret = idmef_source_new_service(source, &service);
                 if ( ret < 0 ) {
-                        free(srv);
 			SH_FREE( new );
                         return ret;
@@ -795,4 +800,22 @@
 
 		idmef_service_set_port(service, port);
+
+                ret = idmef_service_new_protocol(service, &str);
+                if ( ret < 0 ) {
+			SH_FREE( new );
+                        return ret;
+                }
+                
+		++tmp; 
+		if (*tmp) { 
+		        char * tmpw = tmp;
+			char tmpw_store;
+			while (*tmpw && !isblank((int) *tmpw)) ++tmpw;
+			tmpw_store = *tmpw; *tmpw = '\0';
+		        protocol = strdup(tmp);
+			*tmpw = tmpw_store;
+			prelude_string_set_nodup(str, protocol);
+		}
+
 	}
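Review bot: `protocol = strdup(tmp);` at line 253 is not checked for NULL before being handed to `prelude_string_set_nodup(str, protocol)` at line 255, and `isblank((int) *tmpw)` at line 251 passes a possibly negative plain char where <ctype.h> requires an unsigned char value. Both are fixed by `while (*tmpw && !isblank((unsigned char) *tmpw)) ++tmpw;` and `protocol = strdup(tmp); if (protocol) prelude_string_set_nodup(str, protocol);`; on POSIX targets `strndup(tmp, (size_t)(tmpw - tmp))` would also avoid temporarily writing a NUL into the message buffer. Note also that `++tmp` at line 247 steps past wherever tmp pointed without checking it was not already at the terminator, which I cannot verify from this hunk, and that when `*tmp` is empty the protocol string created at line 241 is left unset. The enclosing function starts and ends outside the hunk.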
 
@@ -850,8 +873,10 @@
 	SH_FREE( new );
 
-        ptr = get_value(msg, _("user"), NULL);
+        ptr = get_value(msg, _("userid"), NULL);
 
         if ( ptr ) {
 
+	        idmef_user_id_t * user_id;
+
 	        ret = idmef_source_new_user(source, &user);
                 if ( ret < 0 ) {
@@ -860,13 +885,33 @@
                 }
 
-		ret = idmef_user_new_ident(user, &str);
-                if ( ret < 0 ) {
-		        free(ptr);
-                        return ret;
-		}
+                idmef_user_set_category(user, IDMEF_USER_CATEGORY_APPLICATION);
+                
+                ret = idmef_user_new_user_id(user, &user_id, IDMEF_LIST_APPEND);
+                if ( ret < 0 ) {
+                        free(ptr);
+                        return ret;
+                }
+                
+                idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_CURRENT_USER);
+
+#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
+		sh_getpwnam_r(ptr, &pwd, buffer, sizeof(buffer), &pw);
+#else
+		pw = sh_getpwnam(ptr);
+#endif
+                if ( pw )
+                        idmef_user_id_set_number(user_id, pw->pw_uid);
+
+                ret = idmef_user_id_new_name(user_id, &str);
+                if ( ret < 0 ) {
+                        free(ptr);
+                        return ret;
+                }
                 prelude_string_set_nodup(str, ptr);
+
 	}
 
         ptr = get_value(msg, _("path"), NULL);
+        tmp = get_value(msg, _("pid"), NULL);
 
         if ( ptr ) {
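Review bot: The return value of `sh_getpwnam_r(...)` at line 291 is discarded and `pw` (declared without an initializer in the hunk at line 210) is only ever set through its out-parameter, so the `if ( pw )` at line 295 reads an indeterminate pointer if the wrapper does not clear it on lookup failure; the wrapper's contract is not visible here, so `pw = NULL;` just before the `#if` at line 290 is the cheap way to make the check safe on both branches. The lookup is keyed on the userid string taken from the message, which the sh_port2proc.c change at line 65 sets to "-" when the owner is unknown, so a failed lookup is the expected path and should not be treated as an error. The enclosing function starts and ends outside the hunk.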
@@ -889,12 +934,23 @@
                 prelude_string_set_nodup(str, ptr);
 
-                ptr = strrchr(ptr, '/');
-                if ( ptr ) {
+                
+                if ( NULL != strrchr(ptr, '/') ) {
                         ret = idmef_process_new_name(process, &str);
                         if ( ret == 0 ) {
+			        ptr = strrchr(ptr, '/');
 			        prelude_string_set_dup(str, ptr + 1);
 			}
-                }
-        }
+                } else {
+		        ret = idmef_process_new_name(process, &str);
+                        if ( ret == 0 ) {
+			        prelude_string_set_dup(str, ptr);
+			}
+		}
+
+		idmef_process_set_pid(process, strtoul(tmp, NULL, 0));
+        }
+
+	if (tmp)
+	  free(tmp);
 
 	return 0;
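Review bot: `idmef_process_set_pid(process, strtoul(tmp, NULL, 0));` at line 332 dereferences `tmp` unconditionally, yet `tmp` comes from `get_value(msg, _("pid"), NULL)` (hunk at line 272) and the `if (tmp) free(tmp);` at line 335 shows it can be NULL; only the three port-check messages in sh_cat.c gained a pid field in this commit, so if any other message class carries path= without pid=, strtoul reads a null pointer. Guard it: `if (tmp) idmef_process_set_pid(process, strtoul(tmp, NULL, 0));`. Because the free sits at the very end, any `return ret` inside the `if (ptr)` block above this hunk would also leak tmp. `strrchr(ptr, '/')` is evaluated twice at lines 317 and 320; caching it in a local avoids the duplicate scan. The enclosing function starts outside the hunk.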
Index: /trunk/test/testrun_1b.sh
===================================================================
--- /trunk/test/testrun_1b.sh	(revision 205)
+++ /trunk/test/testrun_1b.sh	(revision 206)
@@ -242,4 +242,5 @@
     rm -f $PW_DIR/test_log_prelude
 
+    [ -z "$verbose" ] || { echo " starting prelude-manager.."; echo " ($PM --textmod -l $PW_DIR/test_log_prelude --listen 127.0.0.1:5500 >/dev/null 2>&1 &)"; }
     "$PM" --textmod -l $PW_DIR/test_log_prelude --listen 127.0.0.1:5500 >/dev/null 2>&1 &
     PID=$!
@@ -266,8 +267,12 @@
     if [ $tmp -lt 1 ]; then
 	[ -z "$verbose" ] || log_msg_fail "/etc";
+	kill $PID
+	return 1
     fi
     tmp=`egrep 'Classification text: Checking' test_log_prelude 2>/dev/null | wc -l`
     if [ $tmp -lt 1 ]; then
 	[ -z "$verbose" ] || log_msg_fail "checking";
+	kill $PID
+	return 1
     fi
     #
@@ -276,8 +281,12 @@
 	if [ $tmp -lt 1 ]; then
 	    [ -z "$verbose" ] || log_msg_fail "service";
+	    kill $PID
+	    return 1
 	fi
 	tmp=`egrep 'Service: port=5500' test_log_prelude 2>/dev/null | wc -l`
 	if [ $tmp -lt 1 ]; then
 	    [ -z "$verbose" ] || log_msg_fail "port 5500";
+	    kill $PID
+	    return 1
 	fi
     fi
Index: /trunk/test/testrun_1e.sh
===================================================================
--- /trunk/test/testrun_1e.sh	(revision 205)
+++ /trunk/test/testrun_1e.sh	(revision 206)
@@ -23,5 +23,42 @@
 export BUILDOPTS
 
-MAXTEST=4; export MAXTEST
+MAXTEST=5; export MAXTEST
+
+PORTPOLICY_5="
+[ReadOnly]
+file=${BASE}
+[PortCheck]
+PortCheckActive = yes
+PortCheckUDP = no
+PortCheckInterface = 127.0.0.1
+"
+
+chk_portdata_5 () {
+    one_sec_sleep
+
+    if [ -z "$PM" ]; then
+	log_skip 5 $MAXTEST 'prelude-manager not found in $PATH'
+    elif [ -z "$doall" ]; then
+	log_skip 5 $MAXTEST 'logging to prelude (or use --really-all)'
+    else
+	tmp=`egrep 'Service: port=5500 .unknown. protocol=tcp' test_log_prelude 2>/dev/null | wc -l`
+	if [ $tmp -lt 1 ]; then
+	    [ -z "$verbose" ] || log_msg_fail "port 5500";
+	    [ -z "$quiet" ] && log_fail 5 ${MAXTEST};
+	    return 1
+	fi
+    #
+	[ -z "$quiet" ] && log_ok 5 ${MAXTEST};
+    fi
+    return 0
+}
+
+refine_portpolicy_5 ()
+{
+    echo "PortCheckIgnore=2026/tcp" >>"${RCFILE}"
+    echo "PortCheckIgnore=2027/udp" >>"${RCFILE}"
+    echo "PortCheckIgnore=2028/tcp" >>"${RCFILE}"
+    echo "PortCheckIgnore=2029/udp" >>"${RCFILE}"    
+}
 
 PORTPOLICY_4="
@@ -147,4 +184,24 @@
     eval echo '"$'"PORTPOLICY_$1"'"' >>"${RCFILE}"
 }
+
+run_check_prelude()
+{
+    ./samhain -t check -p none -l info --set-prelude-severity=info --prelude --server-addr 127.0.0.1:5500 >/dev/null
+ 
+    if test x$? = x0; then
+
+	./samhain -j -L $LOGFILE >"${LOGFILE}.tmp" && mv "${LOGFILE}.tmp" "${LOGFILE}"
+
+	if [ $? -ne 0 ]; then
+	    [ -z "$quiet" ]   && log_msg_fail  "mv logfile...";
+	    return 1
+	fi
+	[ -z "$verbose" ] || log_msg_ok    "check...";
+    else
+	[ -z "$quiet" ]   && log_msg_fail  "check...";
+	return 1
+    fi
+}
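Review bot: run_check_prelude has no explicit `return 0` on its success path, so its exit status is whatever the last command returned — `[ -z "$verbose" ] || log_msg_ok "check..."` at line 439 — which is log_msg_ok's status whenever verbose is set; the caller feeds that status to check_err (line 521), so a logging helper returning non-zero would be reported as a check failure. Add `return 0` after line 439. The `&& mv` chain at line 433 followed by the `$?` test at line 435 is fine, since it covers both the samhain run and the rename.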
+
 
 testrun_internal_1e ()
@@ -209,8 +266,81 @@
 	  rm -f "$LOGFILE"
 	  #
-	  if [ $errval -eq 0 ]; then
-	      run_check
-	      check_err $? ${tcount}; errval=$?
-	  fi
+	  PRELUDEPID=0
+	  #
+	  if test ${tcount} -eq 5; 
+	  then
+
+	      PM=`find_path prelude-manager`
+
+	      if [ -z "$PM" ]; then
+		  if [ $errval -eq 0 ]; then
+		      run_check
+		      check_err $? ${tcount}; errval=$?
+		  fi
+	      elif [ -z "$doall" ]; then
+		  if [ $errval -eq 0 ]; then
+		      run_check
+		      check_err $? ${tcount}; errval=$?
+		  fi
+	      else
+		  #
+		  #
+		  ${TOP_SRCDIR}/configure ${BUILDOPTS} --with-prelude
+		  #
+	          #
+		  if test x$? = x0; then
+		      [ -z "$verbose" ] ||     log_msg_ok "configure..."; 
+		      $MAKE >/dev/null 2>&1
+		      if test x$? = x0; then
+			  [ -z "$verbose" ] || log_msg_ok "make..."; 
+		      else
+			  [ -z "$quiet" ] &&   log_msg_fail "make..."; 
+			  return 1
+		      fi
+
+		  else
+		      [ -z "$quiet" ] &&       log_msg_fail "configure...";
+		      return 1
+		  fi
+		  #
+		  #
+		  if ! test -d /var/run/prelude-manager
+		  then
+		      [ -z "$verbose" ] || log_msg_ok    "create /var/run/prelude-manager...";
+		      sudo mkdir /var/run/prelude-manager
+		      sudo chown prelude:rainer /var/run/prelude-manager
+		      sudo chmod 770 /var/run/prelude-manager
+		  fi
+		  if ! test -d /var/spool/prelude/samhain/global
+		  then
+		      [ -z "$verbose" ] || log_msg_ok    "create /var/spool/prelude/samhain/global...";
+		      sudo mkdir -p /var/spool/prelude/samhain/global
+		      sudo chown prelude:rainer /var/spool/prelude/samhain/global
+		      sudo chmod 770 /var/spool/prelude/samhain/global
+		  fi
+
+		  #
+		  #
+		  [ -z "$verbose" ] || { echo " starting prelude-manager.."; echo " ($PM --textmod -l $PW_DIR/test_log_prelude --listen 127.0.0.1:5500 >/dev/null 2>&1 &)"; }
+		  "$PM" --textmod -l $PW_DIR/test_log_prelude --listen 127.0.0.1:5500 >/dev/null 2>&1 &
+		  PRELUDEPID=$!
+		  #
+		  #
+		  five_sec_sleep
+		  #
+		  #
+		  if [ $errval -eq 0 ]; then
+		      run_check_prelude
+		      check_err $? ${tcount}; errval=$?
+		  fi
+	      fi
+
+	  else
+	      if [ $errval -eq 0 ]; then
+		  run_check
+		  check_err $? ${tcount}; errval=$?
+	      fi
+	  fi
+	  #
 	  if [ $errval -eq 0 ]; then
 	      eval chk_portdata_${tcount}
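Review bot: `sudo chown prelude:rainer ...` at lines 498 and 505 hard-codes a developer-specific group, and together with the unconditional `sudo mkdir`/`sudo chmod` at lines 497-499 and 504-506 it makes test 5 fail or prompt for credentials on any other machine; take the group from the environment, e.g. `PRELUDE_GRP=${PRELUDE_GRP:-`id -gn`}` and `sudo chown prelude:${PRELUDE_GRP} /var/run/prelude-manager`, and `log_skip` the test when sudo is not usable rather than reaching for it. The directory setup also runs before checking that the `prelude` account exists, so the chown is the first thing to error on a host without it. The three near-identical `if [ $errval -eq 0 ]; then run_check; check_err ...` blocks at lines 463, 468 and 526 could be collapsed by computing a single "use prelude" flag first. The enclosing loop starts and ends outside the hunk.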
@@ -219,8 +349,16 @@
 	  #
 	  if [ $errval -eq 0 ]; then
-	      [ -z "$quiet" ] && log_ok ${tcount} ${MAXTEST};
+	      if test ${tcount} -ne 5; then
+		  [ -z "$quiet" ] && log_ok ${tcount} ${MAXTEST};
+	      fi
 	  fi
 	  let "tcount = tcount + 1" >/dev/null
 	  POLICY=`eval echo '"$'"PORTPOLICY_$tcount"'"'`
+
+	  if test $PRELUDEPID -ne 0;
+	  then
+	      kill $PRELUDEPID
+	  fi
+
 	done
 	    
