Changeset 279

Timestamp:

Apr 30, 2010, 11:55:18 PM (15 years ago)

Author:

katerina

Message:

Fix for tickets #200 to #206 (kernel check, login checks, bugfixes).

Location:

trunk

Files:

• Makefile.in (modified) (4 diffs)
• configure.ac (modified) (6 diffs)
• depend.dep (modified) (1 diff)
• depend.sum (modified) (1 diff)
• docs/Changelog (modified) (1 diff)
• include/kern_head.h (modified) (15 diffs)
• include/sh_cat.h (modified) (1 diff)
• include/sh_error.h (modified) (1 diff)
• include/sh_utmp.h (modified) (1 diff)
• init/samhain.startLSB.in (modified) (1 diff)
• scripts/redhat_i386.client.spec.in (modified) (1 diff)
• src/dnmalloc.c (modified) (2 diffs)
• src/kern_head.c (modified) (25 diffs)
• src/samhain_kmem.c (added)
• src/sh_cat.c (modified) (2 diffs)
• src/sh_err_log.c (modified) (1 diff)
• src/sh_err_syslog.c (modified) (2 diffs)
• src/sh_hash.c (modified) (1 diff)
• src/sh_kern.c (modified) (11 diffs)
• src/sh_login_track.c (added)
• src/sh_port2proc.c (modified) (1 diff)
• src/sh_readconf.c (modified) (2 diffs)
• src/sh_unix.c (modified) (6 diffs)
• src/sh_utmp.c (modified) (7 diffs)
• src/slib.c (modified) (3 diffs)
• test/testcompile.sh (modified) (2 diffs)

trunk/Makefile.in

@@ -136 +136 @@
         $(srcsrc)/sh_mem.c $(srcsrc)/sh_entropy.c \
         $(srcsrc)/sh_forward.c $(srcsrc)/sh_modules.c \
-        $(srcsrc)/sh_utmp.c $(srcsrc)/sh_kern.c \
+        $(srcsrc)/sh_utmp.c $(srcsrc)/sh_login_track.c $(srcsrc)/sh_kern.c \
         $(srcsrc)/sh_suidchk.c $(srcsrc)/sh_srp.c \
         $(srcsrc)/sh_fifo.c $(srcsrc)/sh_tools.c \
@@ -170 +170 @@
         samhain.o sh_unix.o sh_utils.o sh_error.o \
         sh_getopt.o sh_readconf.o sh_filter.o \
-        sh_hash.o sh_mail.o sh_nmail.o sh_mem.o \
+        sh_hash.o sh_mail.o sh_nmail.o sh_mem.o sh_login_track.o \
         sh_entropy.o sh_forward.o sh_modules.o sh_utmp.o sh_kern.o \
         sh_suidchk.o sh_srp.o sh_fifo.o sh_tools.o sh_html.o sh_gpg.o \
@@ -1233 +1233 @@
           exit 1; \
         fi
+
+# -- NEW --
+samhain_kmem.ko: $(srcsrc)/samhain_kmem.c
+        @test -d m_comp || mkdir m_comp; \
+        echo "KVERSION := \$$(shell uname -r)" > m_comp/Makefile;\
+        echo "KSOURCE ?= /lib/modules/\$$(KVERSION)/build" >> m_comp/Makefile;\
+        echo "obj-m   := samhain_kmem.o"                   >> m_comp/Makefile;\
+        echo ".PHONY: modules install clean modules_add"   >> m_comp/Makefile;\
+        echo "install : modules_add"                       >> m_comp/Makefile;\
+        echo "modules modules_install clean:"              >> m_comp/Makefile;\
+        echo "T\$$(MAKE) -C \$$(KSOURCE) \$$@ SUBDIRS=\$$(CURDIR) KBUILD_VERBOSE=2" |  tr T '\t' >> m_comp/Makefile;\
+        cp config.h m_comp/; \
+        cp $(srcsrc)/samhain_kmem.c m_comp/; \
+        cd m_comp && $(MAKE) modules
+        @if test -f m_comp/samhain_kmem.ko; then \
+          cp -p m_comp/samhain_kmem.ko samhain_kmem.ko; \
+          rm -rf m_comp/; \
+        else \
+          echo "Kernel module samhain_kmem.ko not build"; \
+          exit 1; \
+        fi
+
 
 # -- NEW --
@@ -1743 +1765 @@
 sh_log_repeat.o: $(srcsrc)/sh_log_repeat.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h 
 sh_log_parse_generic.o: $(srcsrc)/sh_log_parse_generic.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_log_check.h $(srcinc)/sh_string.h 
+sh_login_track.o: $(srcsrc)/sh_login_track.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_unix.h $(srcinc)/sh_string.h $(srcinc)/sh_tools.h $(srcinc)/sh_error_min.h $(srcinc)/CuTest.h $(srcinc)/CuTest.h 

trunk/configure.ac

@@ -12 +12 @@
 dnl start
 dnl
-AM_INIT_AUTOMAKE(samhain, 2.6.4)
+AM_INIT_AUTOMAKE(samhain, 2.7.0)
 AC_DEFINE([SAMHAIN], 1, [Application is samhain])
 AC_CANONICAL_HOST
@@ -63 +63 @@
            i*86*)
            AC_DEFINE(HOST_IS_I86LINUX)
+           ;;
+           x86_64)
+           AC_DEFINE([HOST_IS_64LINUX], 1, [Define if host OS is 64bit Linux])
            ;;
            *)
@@ -2020 +2023 @@
         ]
 )
-AC_SUBST(lkm_inc)
-AC_SUBST(sh_lkm)
-AC_SUBST(sh_insmod_cmd)
+
 AC_SUBST(install_name)
 AC_SUBST(INSTALL_NAME)
@@ -2064 +2065 @@
                 kernelversion=`uname -r`
                 AC_DEFINE_UNQUOTED(SH_KERNEL_VERSION, _("${kernelversion}"), [Define the kernel version])
+
                 if test "x${withval}" != "xyes"; then
                         systemmap="${withval}"
                 fi
+
                 if test "x${cross_compiling}" = xyes; then
                         :
@@ -2072 +2075 @@
                         LIBS="$LIBS -lkvm"
                         sh_libkvm="-lkvm"
-                elif test -f "${systemmap}"; then 
-                        :
+                elif test -f "${systemmap}"; then
+                        if test -f /dev/kmem; then 
+                           :
+                        else
+                           # need kernel module
+
+                           if test -f /lib/modules/${kernelversion}/build/include/linux/kernel.h; then
+                              lkm_inc="-I/lib/modules/${kernelversion}/build/include"
+                           else
+                               AC_MSG_WARN([--enable-khide: /lib/modules/${kernelversion}/build/include/linux not found])
+                               AC_MSG_WARN([--enable-khide: You may need to install the kernel-source])
+                               AC_MSG_WARN([--enable-khide: headers for the currently-running kernel.])
+                           fi
+
+                           AC_MSG_CHECKING([for vmlist_lock])
+                           sh_vmlist_lock=`egrep ['[bdBD] vmlist_lock$'] ${systemmap} | awk '{print $1}'` 
+                           if test x"$sh_vmlist_lock" = x; then 
+                               AC_MSG_RESULT(no)
+                           else
+                               sh_vmlist_lock="0x${sh_vmlist_lock}"
+                               AC_MSG_RESULT([${sh_vmlist_lock}])
+                               AC_DEFINE_UNQUOTED(SH_VMLIST_LOCK, ${sh_vmlist_lock}, [The address of the vmlist spinlock])
+                           fi
+
+                           AC_MSG_CHECKING([for vmlist])
+                           sh_vmlist_lock=`egrep ['[bdBD] vmlist$'] ${systemmap} | awk '{print $1}'` 
+                           if test x"$sh_vmlist" = x; then 
+                               AC_MSG_RESULT(no)
+                           else
+                               sh_vmlist="0x${sh_vmlist}"
+                               AC_MSG_RESULT([${sh_vmlist}])
+                               AC_DEFINE_UNQUOTED(SH_VMLIST, ${sh_vmlist}, [The address of the vmlist])
+                           fi
+
+                           sh_lkm="${sh_lkm} samhain_kmem.ko"
+                           echo "${sh_insmod_cmd}" | grep 'no kernel module' >/dev/null
+                           if [ $? -eq 0 ]; then
+                              sh_insmod_cmd="modprobe ${install_name}_kmem"
+                           else
+                              sh_insmod_cmd="modprobe ${install_name}_kmem; ${sh_insmod_cmd}"
+                           fi
+                        fi
                 else
                         AC_MSG_ERROR([Option --with-kcheck=systemmap cannot be used, because system map ${systemmap} does not exist.])
@@ -2080 +2123 @@
         ]
 )
+
+AC_SUBST(lkm_inc)
+AC_SUBST(sh_lkm)
+AC_SUBST(sh_insmod_cmd)
+
 AC_SUBST(systemmap)
 AC_SUBST(sh_libkvm)

trunk/depend.dep

@@ -82 +82 @@
 sh_log_repeat.o: $(srcsrc)/sh_log_repeat.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h $(srcinc)/sh_log_check.h $(srcinc)/sh_log_evalrule.h 
 sh_log_parse_generic.o: $(srcsrc)/sh_log_parse_generic.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_log_check.h $(srcinc)/sh_string.h 
+sh_login_track.o: $(srcsrc)/sh_login_track.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_unix.h $(srcinc)/sh_string.h $(srcinc)/sh_tools.h $(srcinc)/sh_error_min.h $(srcinc)/CuTest.h $(srcinc)/CuTest.h 

trunk/depend.sum

@@ -1 @@
-315325077
+3825914950

trunk/docs/Changelog

@@ +1 @@
+2.7.0:
+        * sh_utmp.c, sh_login_track.c: additional login checks
+        * sh_unix.c: use SIGTTIN as alternative for SIGABRT
+          (SIGABRT seems not to work on AIX, reported by Peter)
+        * sh_utmp.c: fix compile error without pthreads (inotify_watch used)
+        * sh_kern.c, kern_head.c: fix some 64bit issues
+        * dnmalloc.c: fix compiler warning (ignored ret value)
+        * Fix LSB init script for kernel module
+        * samhain_kmem kernel module for /proc/kmem added
+
 2.6.4:
-        * Don't read proc_root_iops in sh_kern.c (Problem report
-          by H. R.)
-        * Logfile check can check output of shell commands
-        * Use data directory as default for logfile checkpoints
-        * Fix broken checkpoint save/restore for logfiles
+        * Don't read proc_root_iops in sh_kern.c (Problem report
+          by H. R.)
+        * Logfile check can check output of shell commands
+        * Use data directory as default for logfile checkpoints
+        * Fix broken checkpoint save/restore for logfiles
 
 2.6.3:

trunk/include/kern_head.h

@@ -1 +1 @@
 
+
+/* x86_64 sys_call_table for kernel 2.4.x
+ * generated from 2.6.33 unistd_64.h
+ * grep ^__SYSCALL unistd_64.h | \
+ *   sed s/.*,[[:blank:]]// | sed 's/)//' | \
+ *   awk 'BEGIN{n = 0;}{ printf "    %-32s /%c %03d %c/\n", \
+ *                              sprintf("\"%s\",", $1), "*", n, "*"; ++n; }'
+ *
+ */
+char * syscalls_64[] = {
+    "sys_read",                      /* 000 */
+    "sys_write",                     /* 001 */
+    "sys_open",                      /* 002 */
+    "sys_close",                     /* 003 */
+    "sys_newstat",                   /* 004 */
+    "sys_newfstat",                  /* 005 */
+    "sys_newlstat",                  /* 006 */
+    "sys_poll",                      /* 007 */
+    "sys_lseek",                     /* 008 */
+    "sys_mmap",                      /* 009 */
+    "sys_mprotect",                  /* 010 */
+    "sys_munmap",                    /* 011 */
+    "sys_brk",                       /* 012 */
+    "sys_rt_sigaction",              /* 013 */
+    "sys_rt_sigprocmask",            /* 014 */
+    "stub_rt_sigreturn",             /* 015 */
+    "sys_ioctl",                     /* 016 */
+    "sys_pread64",                   /* 017 */
+    "sys_pwrite64",                  /* 018 */
+    "sys_readv",                     /* 019 */
+    "sys_writev",                    /* 020 */
+    "sys_access",                    /* 021 */
+    "sys_pipe",                      /* 022 */
+    "sys_select",                    /* 023 */
+    "sys_sched_yield",               /* 024 */
+    "sys_mremap",                    /* 025 */
+    "sys_msync",                     /* 026 */
+    "sys_mincore",                   /* 027 */
+    "sys_madvise",                   /* 028 */
+    "sys_shmget",                    /* 029 */
+    "sys_shmat",                     /* 030 */
+    "sys_shmctl",                    /* 031 */
+    "sys_dup",                       /* 032 */
+    "sys_dup2",                      /* 033 */
+    "sys_pause",                     /* 034 */
+    "sys_nanosleep",                 /* 035 */
+    "sys_getitimer",                 /* 036 */
+    "sys_alarm",                     /* 037 */
+    "sys_setitimer",                 /* 038 */
+    "sys_getpid",                    /* 039 */
+    "sys_sendfile64",                /* 040 */
+    "sys_socket",                    /* 041 */
+    "sys_connect",                   /* 042 */
+    "sys_accept",                    /* 043 */
+    "sys_sendto",                    /* 044 */
+    "sys_recvfrom",                  /* 045 */
+    "sys_sendmsg",                   /* 046 */
+    "sys_recvmsg",                   /* 047 */
+    "sys_shutdown",                  /* 048 */
+    "sys_bind",                      /* 049 */
+    "sys_listen",                    /* 050 */
+    "sys_getsockname",               /* 051 */
+    "sys_getpeername",               /* 052 */
+    "sys_socketpair",                /* 053 */
+    "sys_setsockopt",                /* 054 */
+    "sys_getsockopt",                /* 055 */
+    "stub_clone",                    /* 056 */
+    "stub_fork",                     /* 057 */
+    "stub_vfork",                    /* 058 */
+    "stub_execve",                   /* 059 */
+    "sys_exit",                      /* 060 */
+    "sys_wait4",                     /* 061 */
+    "sys_kill",                      /* 062 */
+    "sys_uname",                     /* 063 */
+    "sys_semget",                    /* 064 */
+    "sys_semop",                     /* 065 */
+    "sys_semctl",                    /* 066 */
+    "sys_shmdt",                     /* 067 */
+    "sys_msgget",                    /* 068 */
+    "sys_msgsnd",                    /* 069 */
+    "sys_msgrcv",                    /* 070 */
+    "sys_msgctl",                    /* 071 */
+    "sys_fcntl",                     /* 072 */
+    "sys_flock",                     /* 073 */
+    "sys_fsync",                     /* 074 */
+    "sys_fdatasync",                 /* 075 */
+    "sys_truncate",                  /* 076 */
+    "sys_ftruncate",                 /* 077 */
+    "sys_getdents",                  /* 078 */
+    "sys_getcwd",                    /* 079 */
+    "sys_chdir",                     /* 080 */
+    "sys_fchdir",                    /* 081 */
+    "sys_rename",                    /* 082 */
+    "sys_mkdir",                     /* 083 */
+    "sys_rmdir",                     /* 084 */
+    "sys_creat",                     /* 085 */
+    "sys_link",                      /* 086 */
+    "sys_unlink",                    /* 087 */
+    "sys_symlink",                   /* 088 */
+    "sys_readlink",                  /* 089 */
+    "sys_chmod",                     /* 090 */
+    "sys_fchmod",                    /* 091 */
+    "sys_chown",                     /* 092 */
+    "sys_fchown",                    /* 093 */
+    "sys_lchown",                    /* 094 */
+    "sys_umask",                     /* 095 */
+    "sys_gettimeofday",              /* 096 */
+    "sys_getrlimit",                 /* 097 */
+    "sys_getrusage",                 /* 098 */
+    "sys_sysinfo",                   /* 099 */
+    "sys_times",                     /* 100 */
+    "sys_ptrace",                    /* 101 */
+    "sys_getuid",                    /* 102 */
+    "sys_syslog",                    /* 103 */
+    "sys_getgid",                    /* 104 */
+    "sys_setuid",                    /* 105 */
+    "sys_setgid",                    /* 106 */
+    "sys_geteuid",                   /* 107 */
+    "sys_getegid",                   /* 108 */
+    "sys_setpgid",                   /* 109 */
+    "sys_getppid",                   /* 110 */
+    "sys_getpgrp",                   /* 111 */
+    "sys_setsid",                    /* 112 */
+    "sys_setreuid",                  /* 113 */
+    "sys_setregid",                  /* 114 */
+    "sys_getgroups",                 /* 115 */
+    "sys_setgroups",                 /* 116 */
+    "sys_setresuid",                 /* 117 */
+    "sys_getresuid",                 /* 118 */
+    "sys_setresgid",                 /* 119 */
+    "sys_getresgid",                 /* 120 */
+    "sys_getpgid",                   /* 121 */
+    "sys_setfsuid",                  /* 122 */
+    "sys_setfsgid",                  /* 123 */
+    "sys_getsid",                    /* 124 */
+    "sys_capget",                    /* 125 */
+    "sys_capset",                    /* 126 */
+    "sys_rt_sigpending",             /* 127 */
+    "sys_rt_sigtimedwait",           /* 128 */
+    "sys_rt_sigqueueinfo",           /* 129 */
+    "sys_rt_sigsuspend",             /* 130 */
+    "stub_sigaltstack",              /* 131 */
+    "sys_utime",                     /* 132 */
+    "sys_mknod",                     /* 133 */
+    "sys_ni_syscall",                /* 134 */
+    "sys_personality",               /* 135 */
+    "sys_ustat",                     /* 136 */
+    "sys_statfs",                    /* 137 */
+    "sys_fstatfs",                   /* 138 */
+    "sys_sysfs",                     /* 139 */
+    "sys_getpriority",               /* 140 */
+    "sys_setpriority",               /* 141 */
+    "sys_sched_setparam",            /* 142 */
+    "sys_sched_getparam",            /* 143 */
+    "sys_sched_setscheduler",        /* 144 */
+    "sys_sched_getscheduler",        /* 145 */
+    "sys_sched_get_priority_max",    /* 146 */
+    "sys_sched_get_priority_min",    /* 147 */
+    "sys_sched_rr_get_interval",     /* 148 */
+    "sys_mlock",                     /* 149 */
+    "sys_munlock",                   /* 150 */
+    "sys_mlockall",                  /* 151 */
+    "sys_munlockall",                /* 152 */
+    "sys_vhangup",                   /* 153 */
+    "sys_modify_ldt",                /* 154 */
+    "sys_pivot_root",                /* 155 */
+    "sys_sysctl",                    /* 156 */
+    "sys_prctl",                     /* 157 */
+    "sys_arch_prctl",                /* 158 */
+    "sys_adjtimex",                  /* 159 */
+    "sys_setrlimit",                 /* 160 */
+    "sys_chroot",                    /* 161 */
+    "sys_sync",                      /* 162 */
+    "sys_acct",                      /* 163 */
+    "sys_settimeofday",              /* 164 */
+    "sys_mount",                     /* 165 */
+    "sys_umount",                    /* 166 */
+    "sys_swapon",                    /* 167 */
+    "sys_swapoff",                   /* 168 */
+    "sys_reboot",                    /* 169 */
+    "sys_sethostname",               /* 170 */
+    "sys_setdomainname",             /* 171 */
+    "stub_iopl",                     /* 172 */
+    "sys_ioperm",                    /* 173 */
+    "sys_ni_syscall",                /* 174 */
+    "sys_init_module",               /* 175 */
+    "sys_delete_module",             /* 176 */
+    "sys_ni_syscall",                /* 177 */
+    "sys_ni_syscall",                /* 178 */
+    "sys_quotactl",                  /* 179 */
+    "sys_nfsservctl",                /* 180 */
+    "sys_ni_syscall",                /* 181 */
+    "sys_ni_syscall",                /* 182 */
+    "sys_ni_syscall",                /* 183 */
+    "sys_ni_syscall",                /* 184 */
+    "sys_ni_syscall",                /* 185 */
+    "sys_gettid",                    /* 186 */
+    "sys_readahead",                 /* 187 */
+    "sys_setxattr",                  /* 188 */
+    "sys_lsetxattr",                 /* 189 */
+    "sys_fsetxattr",                 /* 190 */
+    "sys_getxattr",                  /* 191 */
+    "sys_lgetxattr",                 /* 192 */
+    "sys_fgetxattr",                 /* 193 */
+    "sys_listxattr",                 /* 194 */
+    "sys_llistxattr",                /* 195 */
+    "sys_flistxattr",                /* 196 */
+    "sys_removexattr",               /* 197 */
+    "sys_lremovexattr",              /* 198 */
+    "sys_fremovexattr",              /* 199 */
+    "sys_tkill",                     /* 200 */
+    "sys_time",                      /* 201 */
+    "sys_futex",                     /* 202 */
+    "sys_sched_setaffinity",         /* 203 */
+    "sys_sched_getaffinity",         /* 204 */
+    "sys_ni_syscall",                /* 205 */
+    "sys_io_setup",                  /* 206 */
+    "sys_io_destroy",                /* 207 */
+    "sys_io_getevents",              /* 208 */
+    "sys_io_submit",                 /* 209 */
+    "sys_io_cancel",                 /* 210 */
+    "sys_ni_syscall",                /* 211 */
+    "sys_lookup_dcookie",            /* 212 */
+    "sys_epoll_create",              /* 213 */
+    "sys_ni_syscall",                /* 214 */
+    "sys_ni_syscall",                /* 215 */
+    "sys_remap_file_pages",          /* 216 */
+    "sys_getdents64",                /* 217 */
+    "sys_set_tid_address",           /* 218 */
+    "sys_restart_syscall",           /* 219 */
+    "sys_semtimedop",                /* 220 */
+    "sys_fadvise64",                 /* 221 */
+    "sys_timer_create",              /* 222 */
+    "sys_timer_settime",             /* 223 */
+    "sys_timer_gettime",             /* 224 */
+    "sys_timer_getoverrun",          /* 225 */
+    "sys_timer_delete",              /* 226 */
+    "sys_clock_settime",             /* 227 */
+    "sys_clock_gettime",             /* 228 */
+    "sys_clock_getres",              /* 229 */
+    "sys_clock_nanosleep",           /* 230 */
+    "sys_exit_group",                /* 231 */
+    "sys_epoll_wait",                /* 232 */
+    "sys_epoll_ctl",                 /* 233 */
+    "sys_tgkill",                    /* 234 */
+    "sys_utimes",                    /* 235 */
+    "sys_ni_syscall",                /* 236 */
+    "sys_mbind",                     /* 237 */
+    "sys_set_mempolicy",             /* 238 */
+    "sys_get_mempolicy",             /* 239 */
+    "sys_mq_open",                   /* 240 */
+    "sys_mq_unlink",                 /* 241 */
+    "sys_mq_timedsend",              /* 242 */
+    "sys_mq_timedreceive",           /* 243 */
+    "sys_mq_notify",                 /* 244 */
+    "sys_mq_getsetattr",             /* 245 */
+    "sys_kexec_load",                /* 246 */
+    "sys_waitid",                    /* 247 */
+    "sys_add_key",                   /* 248 */
+    "sys_request_key",               /* 249 */
+    "sys_keyctl",                    /* 250 */
+    "sys_ioprio_set",                /* 251 */
+    "sys_ioprio_get",                /* 252 */
+    "sys_inotify_init",              /* 253 */
+    "sys_inotify_add_watch",         /* 254 */
+    "sys_inotify_rm_watch",          /* 255 */
+    "sys_migrate_pages",             /* 256 */
+    "sys_openat",                    /* 257 */
+    "sys_mkdirat",                   /* 258 */
+    "sys_mknodat",                   /* 259 */
+    "sys_fchownat",                  /* 260 */
+    "sys_futimesat",                 /* 261 */
+    "sys_newfstatat",                /* 262 */
+    "sys_unlinkat",                  /* 263 */
+    "sys_renameat",                  /* 264 */
+    "sys_linkat",                    /* 265 */
+    "sys_symlinkat",                 /* 266 */
+    "sys_readlinkat",                /* 267 */
+    "sys_fchmodat",                  /* 268 */
+    "sys_faccessat",                 /* 269 */
+    "sys_pselect6",                  /* 270 */
+    "sys_ppoll",                     /* 271 */
+    "sys_unshare",                   /* 272 */
+    "sys_set_robust_list",           /* 273 */
+    "sys_get_robust_list",           /* 274 */
+    "sys_splice",                    /* 275 */
+    "sys_tee",                       /* 276 */
+    "sys_sync_file_range",           /* 277 */
+    "sys_vmsplice",                  /* 278 */
+    "sys_move_pages",                /* 279 */
+    "sys_utimensat",                 /* 280 */
+    "sys_epoll_pwait",               /* 281 */
+    "sys_signalfd",                  /* 282 */
+    "sys_timerfd_create",            /* 283 */
+    "sys_eventfd",                   /* 284 */
+    "sys_fallocate",                 /* 285 */
+    "sys_timerfd_settime",           /* 286 */
+    "sys_timerfd_gettime",           /* 287 */
+    "sys_accept4",                   /* 288 */
+    "sys_signalfd4",                 /* 289 */
+    "sys_eventfd2",                  /* 290 */
+    "sys_epoll_create1",             /* 291 */
+    "sys_dup3",                      /* 292 */
+    "sys_pipe2",                     /* 293 */
+    "sys_inotify_init1",             /* 294 */
+    "sys_preadv",                    /* 295 */
+    "sys_pwritev",                   /* 296 */
+    "sys_rt_tgsigqueueinfo",         /* 297 */
+    "sys_perf_event_open",           /* 298 */
+    "sys_recvmmsg",                  /* 299 */
+    NULL
+};
 
 /* i386 sys_call_table for kernel 2.4.x
  */
-char * callz_2p4[] = {
-    "sys_ni_syscall",    /* 0 - old setup() system call*/
+char * syscalls_32[] = {
+    "sys_restart_syscall",    /* 0 - old setup() system call*/
     "sys_exit",
     "sys_fork",
@@ -21 +333 @@
     "sys_chmod",        /* 15 */
     "sys_lchown16",
-    "sys_ni_syscall",                /* old break syscall holder */
+    "sys_break",
     "sys_stat",
     "sys_lseek",
@@ -35 +347 @@
     "sys_pause",
     "sys_utime",        /* 30 */
-    "sys_ni_syscall",                /* old stty syscall holder */
-    "sys_ni_syscall",                /* old gtty syscall holder */
+    "sys_stty",
+    "sys_gtty",
     "sys_access",
     "sys_nice",
-    "sys_ni_syscall",    /* 35 */        /* old ftime syscall holder */
+    "sys_ftime",        /* 35 */
     "sys_sync",
     "sys_kill",
@@ -48 +360 @@
     "sys_pipe",
     "sys_times",
-    "sys_ni_syscall",                /* old prof syscall holder */
+    "sys_prof",
     "sys_brk",        /* 45 */
     "sys_setgid16",
@@ -56 +368 @@
     "sys_getegid16",    /* 50 */
     "sys_acct",
-    "sys_umount",                    /* recycled never used  phys() */
-    "sys_ni_syscall",                /* old lock syscall holder */
+    "sys_umount2",
+    "sys_lock",
     "sys_ioctl",
     "sys_fcntl",        /* 55 */
-    "sys_ni_syscall",                /* old mpx syscall holder */
+    "sys_mpx",
     "sys_setpgid",
-    "sys_ni_syscall",                /* old ulimit syscall holder */
+    "sys_ulimit",
     "sys_olduname",
     "sys_umask",        /* 60 */
@@ -80 +392 @@
     "sys_sethostname",
     "sys_setrlimit",    /* 75 */
-    "sys_old_getrlimit",
+    "sys_getrlimit",
     "sys_getrusage",
     "sys_gettimeofday",
@@ -102 +414 @@
     "sys_getpriority",
     "sys_setpriority",
-    "sys_ni_syscall",                /* old profil syscall holder */
+    "sys_profil",
     "sys_statfs",
     "sys_fstatfs",        /* 100 */
@@ -113 +425 @@
     "sys_newlstat",
     "sys_newfstat",
-    "sys_uname",
+    "sys_olduname",
     "sys_iopl",        /* 110 */
     "sys_vhangup",
-    "sys_ni_syscall",    /* old idle system call */
+    "sys_idle",
     "sys_vm86old",
     "sys_wait4",
@@ -141 +453 @@
     "sys_sysfs",        /* 135 */
     "sys_personality",
-    "sys_ni_syscall",    /* for afs_syscall */
+    "sys_afs_syscall",
     "sys_setfsuid16",
     "sys_setfsgid16",
@@ -153 +465 @@
     "sys_getsid",
     "sys_fdatasync",
-    "sys_sysctl",
+    "sys__sysctl",
     "sys_mlock",        /* 150 */
     "sys_munlock",
@@ -168 +480 @@
     "sys_nanosleep",
     "sys_mremap",
-    "sys_setresuid16",
-    "sys_getresuid16",    /* 165 */
+    "sys_setresuid",
+    "sys_getresuid",    /* 165 */
     "sys_vm86",
     "sys_query_module",
     "sys_poll",
     "sys_nfsservctl",
-    "sys_setresgid16",    /* 170 */
-    "sys_getresgid16",
+    "sys_setresgid",    /* 170 */
+    "sys_getresgid",
     "sys_prctl",
     "sys_rt_sigreturn",
@@ -195 +507 @@
     "sys_putpmsg",        /* streams2 */
     "sys_vfork",      /* 190 */
-    "sys_getrlimit",
+    "sys_ugetrlimit",
     "sys_mmap2",
     "sys_truncate64",
@@ -202 +514 @@
     "sys_lstat64",
     "sys_fstat64",
-    "sys_lchown",
-    "sys_getuid",
-    "sys_getgid",        /* 200 */
-    "sys_geteuid",
-    "sys_getegid",
-    "sys_setreuid",
-    "sys_setregid",
-    "sys_getgroups",    /* 205 */
-    "sys_setgroups",
-    "sys_fchown",
-    "sys_setresuid",
-    "sys_getresuid",
-    "sys_setresgid",    /* 210 */
-    "sys_getresgid",
-    "sys_chown",
-    "sys_setuid",
-    "sys_setgid",
-    "sys_setfsuid",        /* 215 */
-    "sys_setfsgid",
+    "sys_lchown32",
+    "sys_getuid32",
+    "sys_getgid32",        /* 200 */
+    "sys_geteuid32",
+    "sys_getegid32",
+    "sys_setreuid32",
+    "sys_setregid32",
+    "sys_getgroups32",    /* 205 */
+    "sys_setgroups32",
+    "sys_fchown32",
+    "sys_setresuid32",
+    "sys_getresuid32",
+    "sys_setresgid32",    /* 210 */
+    "sys_getresgid32",
+    "sys_chown32",
+    "sys_setuid32",
+    "sys_setgid32",
+    "sys_setfsuid32",        /* 215 */
+    "sys_setfsgid32",
     "sys_pivot_root",
     "sys_mincore",
@@ -226 +538 @@
     "sys_getdents64",    /* 220 */
     "sys_fcntl64",
-    "sys_tux",     /* reserved for TUX */
+    "sys_tux",     /* reserved for TUX, unused */
     "sys_security",
     "sys_gettid",
@@ -277 +589 @@
     "sys_utimes",
     "sys_fadvise64_64",
-    "sys_vserver",
+    "sys_vserver",            /* last 2.4 */
+    "sys_mbind",
+    "sys_get_mempolicy",      /* 275 */
+    "sys_set_mempolicy",
+    "sys_mq_open",
+    "sys_mq_unlink",
+    "sys_mq_timedsend",
+    "sys_mq_timedreceive",    /* 280 */
+    "sys_mq_notify",
+    "sys_mq_getsetattr",
+    "sys_kexec_load",
+    "sys_waitid",
+    "sys_sys_setaltroot",     /* 285 */
+    "sys_add_key",
+    "sys_request_key",
+    "sys_keyctl",
+    "sys_ioprio_set",
+    "sys_ioprio_get",         /* 290 */
+    "sys_inotify_init",
+    "sys_inotify_add_watch",
+    "sys_inotify_rm_watch",
+    "sys_migrate_pages",
+    "sys_openat",             /* 295 */
+    "sys_mkdirat",
+    "sys_mknodat",
+    "sys_fchownat",
+    "sys_futimesat",
+    "sys_fstatat64",          /* 300 */
+    "sys_unlinkat",
+    "sys_renameat",
+    "sys_linkat",
+    "sys_symlinkat",
+    "sys_readlinkat",         /* 305 */
+    "sys_fchmodat",
+    "sys_faccessat",
+    "sys_pselect6",
+    "sys_ppoll",
+    "sys_unshare",            /* 310 */
+    "sys_set_robust_list",
+    "sys_get_robust_list",
+    "sys_splice",
+    "sys_sync_file_range",
+    "sys_tee",                /* 315 */
+    "sys_vmsplice",
+    "sys_move_pages",
+    "sys_getcpu",
+    "sys_epoll_pwait",
+    "sys_utimensat",          /* 320 */
+    "sys_signalfd",
+    "sys_timerfd_create",
+    "sys_eventfd",
+    "sys_fallocate",          /* last 2.6.24 */
+    "sys_timerfd_settime",    /* 325 */
+    "sys_timerfd_gettime",
+    "sys_signalfd4",
+    "sys_eventfd2",
+    "sys_epoll_create1",
+    "sys_dup3",               /* 330 */
+    "sys_pipe2",
+    "sys_inotify_init1",      /* end 2.6.27 */
+    "sys_preadv",
+    "sys_pwritev",            /* end 2.6.30 */
+    "sys_rt_tgsigqueueinfo",  /* 335 */
+    "sys_perf_event_open",    /* end 2.6.31 */
+    "sys_recvmmsg",
     NULL
 };
 
 
-
-/* i386 sys_call_table for kernel 2.2.x
- */
-char * callz_2p2[]={
-  "sys_ni_syscall",        /* 0 */
-  "sys_exit",
-  "sys_fork",
-  "sys_read",
-  "sys_write",
-  "sys_open",              /* 5 */
-  "sys_close",
-  "sys_waitpid", 
-  "sys_creat",
-  "sys_link",
-  "sys_unlink",              /* 10 */
-  "sys_execve",
-  "sys_chdir",
-  "sys_time",
-  "sys_mknod",
-  "sys_chmod",              /* 15 */
-  "sys_lchown",
-  "sys_ni_syscall",
-  "sys_stat",
-  "sys_lseek",
-  "sys_getpid",              /* 20 */
-  "sys_mount",
-  "sys_oldumount", 
-  "sys_setuid",
-  "sys_getuid",
-  "sys_stime",              /* 25 */
-  "sys_ptrace",
-  "sys_alarm",
-  "sys_fstat",
-  "sys_pause",
-  "sys_utime",              /* 30 */
-  "sys_ni_syscall",
-  "sys_ni_syscall",
-  "sys_access",
-  "sys_nice",
-  "sys_ni_syscall",              /* 35 */
-  "sys_sync",
-  "sys_kill",
-  "sys_rename",
-  "sys_mkdir",
-  "sys_rmdir",              /* 40 */
-  "sys_dup",
-  "sys_pipe",
-  "sys_times",
-  "sys_ni_syscall",
-  "sys_brk",              /* 45 */
-  "sys_setgid",
-  "sys_getgid",
-  "sys_signal",
-  "sys_geteuid",
-  "sys_getegid",              /* 50 */
-  "sys_acct",
-  "sys_umount",
-  "sys_ni_syscall",
-  "sys_ioctl",
-  "sys_fcntl",              /* 55 */
-  "sys_ni_syscall",
-  "sys_setpgid",
-  "sys_ni_syscall",
-  "sys_olduname",
-  "sys_umask",              /* 60 */
-  "sys_chroot",
-  "sys_ustat",
-  "sys_dup2",
-  "sys_getppid",
-  "sys_getpgrp",              /* 65 */
-  "sys_setsid",
-  "sys_sigaction",
-  "sys_sgetmask",
-  "sys_ssetmask",
-  "sys_setreuid",              /* 70 */
-  "sys_setregid",
-  "sys_sigsuspend",
-  "sys_sigpending",
-  "sys_sethostname",
-  "sys_setrlimit",              /* 75 */
-  "sys_getrlimit",
-  "sys_getrusage",
-  "sys_gettimeofday",
-  "sys_settimeofday",
-  "sys_getgroups",              /* 80 */
-  "sys_setgroups",
-  "old_select",
-  "sys_symlink",
-  "sys_lstat",
-  "sys_readlink",              /* 85 */
-  "sys_uselib",
-  "sys_swapon",
-  "sys_reboot",
-  "old_readdir",
-  "old_mmap",              /* 90 */
-  "sys_munmap",
-  "sys_truncate",
-  "sys_ftruncate",
-  "sys_fchmod",
-  "sys_fchown",              /* 95 */
-  "sys_getpriority",
-  "sys_setpriority",
-  "sys_ni_syscall",
-  "sys_statfs",
-  "sys_fstatfs",              /* 100 */
-  "sys_ioperm",
-  "sys_socketcall",
-  "sys_syslog",
-  "sys_setitimer",
-  "sys_getitimer",              /* 105 */
-  "sys_newstat",
-  "sys_newlstat",
-  "sys_newfstat",
-  "sys_uname",
-  "sys_iopl",              /* 110 */
-  "sys_vhangup",
-  "sys_idle",
-  "sys_vm86old",
-  "sys_wait4",
-  "sys_swapoff",              /* 115 */
-  "sys_sysinfo",
-  "sys_ipc",
-  "sys_fsync",
-  "sys_sigreturn",
-  "sys_clone",              /* 120 */
-  "sys_setdomainname",
-  "sys_newuname",
-  "sys_modify_ldt",
-  "sys_adjtimex",
-  "sys_mprotect",              /* 125 */
-  "sys_sigprocmask",
-  "sys_create_module",
-  "sys_init_module",
-  "sys_delete_module",
-  "sys_get_kernel_syms", /* 130 */
-  "sys_quotactl",
-  "sys_getpgid",
-  "sys_fchdir",
-  "sys_bdflush",
-  "sys_sysfs",              /* 135 */
-  "sys_personality",
-  "sys_ni_syscall",
-  "sys_setfsuid",
-  "sys_setfsgid",
-  "sys_llseek",              /* 140 */
-  "sys_getdents",
-  "sys_select",
-  "sys_flock",
-  "sys_msync",
-  "sys_readv",              /* 145 */
-  "sys_writev",
-  "sys_getsid",
-  "sys_fdatasync",
-  "sys_sysctl",
-  "sys_mlock",              /* 150 */
-  "sys_munlock",
-  "sys_mlockall",
-  "sys_munlockall",
-  "sys_sched_setparam", 
-  "sys_sched_getparam",  /* 155 */
-  "sys_sched_setscheduler",
-  "sys_sched_getscheduler",
-  "sys_sched_yield",
-  "sys_sched_get_priority_max",
-  "sys_sched_get_priority_min", /* 160 */
-  "sys_sched_rr_get_interval",
-  "sys_nanosleep",
-  "sys_mremap",
-  "sys_setresuid",
-  "sys_getresuid",              /* 165 */
-  "sys_vm86",
-  "sys_query_module",
-  "sys_poll",
-  "sys_nfsservctl", 
-  "sys_setresgid",              /* 170 */
-  "sys_getresgid",
-  "sys_prctl",
-  "sys_rt_sigreturn",
-  "sys_rt_sigaction",
-  "sys_rt_sigprocmask", /* 175 */
-  "sys_rt_sigpending",
-  "sys_rt_sigtimedwait",
-  "sys_rt_sigqueueinfo",
-  "sys_rt_sigsuspend",
-  "sys_pread",              /* 180 */
-  "sys_pwrite",
-  "sys_chown",
-  "sys_getcwd",
-  "sys_capget",
-  "sys_capset",              /* 185 */
-  "sys_sigaltstack",
-  "sys_sendfile",
-  "sys_ni_syscall",
-  "sys_ni_syscall",
-  "sys_vfork",              /* 190 */
-  NULL
-};
 
 /* i386 sys_call_table for openbsd

trunk/include/sh_cat.h

@@ -130 +130 @@
  MSG_UT_ROT,      
 
+ MSG_UT_BAD,
+ MSG_UT_FIRST,
+ MSG_UT_OUTLIER,
 #endif
 

trunk/include/sh_error.h

@@ -121 +121 @@
 int  sh_log_set_facility (const char * c);
 
+/* map heartbeat messages 
+ */
+int sh_log_set_stamp_priority (const char * c);
+
 /* define message header
  */

trunk/include/sh_utmp.h

@@ -19 +19 @@
 
 extern sh_rconf sh_utmp_table[];
+
+/* >>           Login tracking             << */
+
+/* 'yes', 'no', 'paranoid'                    */
+int sh_login_set_siglevel      (const char * c);
+
+/* 'yes', 'no', 'domain'                      */
+int sh_login_set_checklevel    (const char * c);
+
+/* 'always' 'never' workdays(..) sunday(..)   */
+int sh_login_set_def_allow     (const char * c);
+
+/* user:'always' 'never' workdays(..)         */
+int sh_login_set_user_allow    (const char * c);
+
+/* Reset everything to defaults.              */
+void sh_login_reset (void);
+
 #endif
 

trunk/init/samhain.startLSB.in

@@ -89 +89 @@
         ${DAEMON} start
         ERRNUM=$?
+        #
+        # The hiding kernel module
+        #
+        if [ $ERRNUM -eq 0 ]; then
+                @sh_insmod_cmd@
+        fi
+        #
         SH_ACT="started"
         ;;

trunk/scripts/redhat_i386.client.spec.in

@@ -78 +78 @@
 # after the package is installed
 install -m 700 samhain-install.sh init/samhain.startLinux init/samhain.startLSB ${RPM_BUILD_ROOT}/etc
-install -m 640 -o 0 -g 0 samhain_hide.o         ${RPM_BUILD_ROOT}/lib/modules/`uname -r`/samhain_hide.o
-install -m 640 -o 0 -g 0 samhain_erase.o        ${RPM_BUILD_ROOT}/lib/modules/`uname -r`/samhain_erase.o
+install -m 640 -o 0 -g 0 samhain_kmem.ko        ${RPM_BUILD_ROOT}/lib/modules/`uname -r`/samhain_kmem.ko
+install -m 640 -o 0 -g 0 samhain_hide.ko        ${RPM_BUILD_ROOT}/lib/modules/`uname -r`/samhain_hide.ko
 install -m 700 -o 0 -g 0 samhain_setpwd         ${RPM_BUILD_ROOT}/usr/local/sbin/samhain_setpwd
 

trunk/src/dnmalloc.c

@@ -309 +309 @@
   char * i3 = "): ";
   char * i5 = "\n";
+  int   res = 0;
 
   iov[0].iov_base = i1;               iov[0].iov_len = strlen(i1); 
@@ -314 +315 @@
   iov[2].iov_base = i3;               iov[2].iov_len = strlen(i3); 
   iov[3].iov_base = (char*) error;    iov[3].iov_len = strlen(error); 
-  iov[4].iov_base = i5;               iov[4].iov_len = strlen(i5); 
-  writev(STDERR_FILENO, iov, 5);
+  iov[4].iov_base = i5;               iov[4].iov_len = strlen(i5);
+  do {
+    res = writev(STDERR_FILENO, iov, 5);
+  } while (res < 0 && errno == EINTR);  
 #else
   fputs("assertion failed (", stderr);

trunk/src/kern_head.c

@@ -7 +7 @@
 #include "config.h"
 
-#ifdef HOST_IS_I86LINUX
+#if defined(HOST_IS_I86LINUX) || defined(HOST_IS_64LINUX)
 #define SH_IDT_TABLE
 #endif
@@ -73 +73 @@
 static unsigned char system_call_code[SYS_CODE_SIZE];
 
+#define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
+
 static int kmem_read (int fd, unsigned long addr, unsigned char * buf, int len)
 {
@@ -105 +107 @@
 
   if (verbose)
-    fprintf(stderr, 
-            "kmem_mmap: read() from /dev/kmem failed, now trying mmap()\n");
+    fprintf(stderr, "kmem_mmap: read() failed, now trying mmap()\n");
 
   sz = getpagesize(); /* unistd.h */
@@ -141 +142 @@
 
   fd = open ("/dev/kmem", O_RDONLY);
+
   if (fd < 0)
     {
-      perror("read_kcode: open /dev/kmem");
-      return -1;
-    }
+      if (0 != access("/proc/kmem", R_OK)) 
+        {
+          perror("read_kcode: access /proc/kmem");
+
+          fprintf(stderr, "\n");
+      
+          fprintf(stderr, "NOTE:  kern_head: apparently you have no /dev/kmem, and the samhain_kmem module is not loaded\n");
+          fprintf(stderr, "       If you get this message, then proceed as follows:\n");
+          fprintf(stderr, "       $ make samhain_kmem.ko\n");
+          fprintf(stderr, "       $ sudo insmod samhain_kmem.ko; sudo ./kern_head > sh_ks.h; sudo rmmod samhain_kmem\n");
+          fprintf(stderr, "       $ make\n\n");
+          exit (EXIT_FAILURE);
+        }
+      fd = open ("/proc/kmem", O_RDONLY);
+    }
+
+  if (fd < 0)
+    {
+      perror("read_kcode: open /dev/kmem and /proc/kmem");
+      return -1;
+    }
+
   if (kmem_mmap(fd, addr, buf, len) < 0)
     {
@@ -151 +172 @@
       return -1;
     }
+
   close (fd);
+
   return 0;
 }
@@ -203 +226 @@
 {
   FILE * fp;
-  char buf[512], addr[16], * p;
+  char buf[512], addr[32], * p;
   unsigned long retval = 0;
+#if defined(__x86_64__) || defined(__amd64__)
+  int off = 8;
+#else
+  int off = 0;
+#endif
 
   fp = fopen (systemmap, "r");
@@ -216 +244 @@
   while (fgets(buf, 512, fp) != NULL)
     {
-      if (buf[9] != flag)
+      if (buf[9+off] != flag)
         continue;
 
@@ -223 +251 @@
         *p = '\0';
 
-      if (0 != strcmp(&buf[11], symbol))
+      if (0 != strcmp(&buf[11+off], symbol))
         continue;
 
       addr[0] = '0'; addr[1] = 'x'; addr[2] = '\0';
-      strncat(&addr[2], buf, 8);
+      strncat(&addr[2], buf, 8+off);
 
       retval = strtoul(addr, NULL, 0);
@@ -247 +275 @@
 {
   FILE * fp;
-  char buf[512], addr[16], name[128];
+  char buf[512], addr[32], name[128];
   int  i, j, count = 0, maxcall = 0;
+#if defined(__x86_64__) || defined(__amd64__)
+  int off = 8;
+#else
+  int off = 0;
+#endif
 
   fp = fopen (SYSTEMMAP, "r");
@@ -266 +299 @@
     {
       
-      if ( ( (buf[9] == 'D') || (buf[9] == 'd') || 
-             (buf[9] == 'R') || (buf[9] == 'r')) && 
-           0 == strncmp("sys_call_table", &buf[11], 14))
+      if ( ( (buf[9+off] == 'D') || (buf[9+off] == 'd') || 
+             (buf[9+off] == 'R') || (buf[9+off] == 'r')) && 
+           0 == strncmp("sys_call_table", &buf[11+off], 14))
         {
           printf("/* found sys_call_table */\n");
@@ -274 +307 @@
            */
           addr[0] = '0'; addr[1] = 'x'; addr[2] = '\0';
-          strncat(&addr[2], buf, 8);
-          addr[10] = '\0';
+          strncat(&addr[2], buf, 8+off);
+          addr[10+off] = '\0';
+
           sh_sys_call.addr_sys_call_table = strtoul(addr, NULL, 0);
           if (sh_sys_call.addr_sys_call_table == ULONG_MAX)
@@ -288 +322 @@
         }
 
-      if (buf[9] != 'T')
+      if (buf[9+off] != 'T')
         continue;
 
-      if (0 == strncmp("system_call", &buf[11], 11))
+      if (0 == strncmp("system_call", &buf[11+off], 11))
         {
           printf("/* found system_call */\n");
@@ -297 +331 @@
            */
           addr[0] = '0'; addr[1] = 'x'; addr[2] = '\0';
-          strncat(&addr[2], buf, 8);
-          addr[10] = '\0';
+          strncat(&addr[2], buf, 8+off);
+          addr[10+off] = '\0';
           addr_system_call = strtoul(addr, NULL, 0);
           if (addr_system_call == ULONG_MAX)
@@ -308 +342 @@
 
 
-      if ( (buf[11]!='s' || buf[12]!='y' || buf[13]!='s' || buf[14]!='_') &&
-           (buf[11]!='o' || buf[12]!='l' || buf[13]!='d' || buf[14]!='_'))
+      if ( (buf[11+off]!='s' || buf[12+off]!='y' || 
+            buf[13+off]!='s' || buf[14+off]!='_') &&
+           (buf[11+off]!='o' || buf[12+off]!='l' || 
+            buf[13+off]!='d' || buf[14+off]!='_'))
         continue;
 
       for (i = 0; i < num; ++i)
         {
-          for (j = 0; j < 128; ++j)
+          for (j = 0; j < 127; ++j)
             {
-              if (buf[11+j] == '\n' || buf[11+j] == '\0')
+              if (buf[11+off+j] == '\n' || buf[11+off+j] == '\0')
                 {
                   name[j] = '\0';
                   break;
                 }
-              name[j] = buf[11+j];
+              name[j] = buf[11+off+j];
             }
 
@@ -331 +367 @@
                */
               addr[0] = '0'; addr[1] = 'x'; addr[2] = '\0';
-              strncat(&addr[2], buf, 8);
-              addr[10] = '\0';
+              strncat(&addr[2], buf, 8+off);
+              addr[10+off] = '\0';
               sh_smap[i].addr = strtoul(addr, NULL, 0);
               if (sh_smap[i].addr == ULONG_MAX)
@@ -347 +383 @@
     }
   fclose(fp);
+
   if ((count > 0) && (maxcall > 0))
     return maxcall+1;
@@ -357 +394 @@
 {
   int i, count, maxcall, qq;
-  int which = 4;
-  int two_six_seventeen_plus = 0;
   smap_entry sh_smap[SH_MAXCALLS];
   struct utsname utbuf;
@@ -368 +403 @@
 
   unsigned long addr_ni_syscall = 0;
+
+  int major, minor, micro, is64 = 0;
 
   if (argc > 1)
@@ -396 +433 @@
     }
 
-  if      (strncmp(p, "2.2", 3) == 0)
-    which = 2;
-  else if (strncmp(p, "2.4", 3) == 0)
-    which = 4;
-  else if (strncmp(p, "2.6", 3) == 0)
-    {
-      which = 6;
-      if (17 >= atoi (&p[4]))
-        {
-          two_six_seventeen_plus = 1;
-        }
-    }
-  else
+  if (3 != sscanf(p, "%d.%d.%d", &major, &minor, &micro))
+    {
+      perror("kern_head: sscanf");
+      exit (EXIT_FAILURE);
+    }
+
+  if (minor != 4 && minor != 6)
     {
       fprintf(stderr, "kern_head: kernel %s not supported\n", p);
@@ -418 +449 @@
       utbuf.machine[3] != '6')
     {
-      fprintf(stderr, "kern_head: machine %s not supported\n", utbuf.machine);
-      exit (EXIT_FAILURE);
+      if (0 != strcmp(utbuf.machine, "x86_64"))
+        {
+          fprintf(stderr, "kern_head: machine %s not supported\n", utbuf.machine);
+          exit (EXIT_FAILURE);
+        }
+      else
+        {
+          is64 = 1;
+        }
     }
 
@@ -428 +466 @@
       fprintf(stderr, "NOTE:  kern_head: must run as 'root' (need to read from /dev/kmem)\n");
       fprintf(stderr, "       If you get this message, then proceed as follows:\n");
-      fprintf(stderr, "       $ su\n");
-      fprintf(stderr, "       $ ./kern_head > sh_ks.h\n");
-      fprintf(stderr, "       $ exit\n");
+      fprintf(stderr, "       $ sudo ./kern_head > sh_ks.h\n");
       fprintf(stderr, "       $ make\n\n");
       exit (EXIT_FAILURE);
@@ -438 +474 @@
   printf("#define SH_KERN_CALLS_H\n\n");
 
-  printf("\n/* Kernel %s, machine %s -- use table %s */\n\n", 
+  printf("\n/* Kernel %s, machine %s, %d bit -- use table callz_2p4 */\n\n", 
          p, utbuf.machine,
-         (which == 2) ? "callz_2p2" : "callz_2p4");
-      
+         (is64 == 0) ? 32 : 64,
+         (is64 == 0) ? "syscalls_32" : "syscalls_64");
 
   /* initiate the system call table 
    */
-  for (i = 0; i < SH_MAXCALLS; ++i)
-    {
-      if (which == 2)
-        {
-          if (callz_2p2[i] == NULL)
+  if (is64 == 0)
+    {
+      for (i = 0; i < SH_MAXCALLS; ++i)
+        {
+          if (syscalls_32[i] == NULL)
             break;
-          strcpy(sh_smap[i].name, callz_2p2[i]);
-        }
-      else
-        {
-          if (callz_2p4[i] == NULL)
+          strcpy(sh_smap[i].name, syscalls_32[i]);
+          sh_smap[i].addr    = 0UL;
+        }
+      if (minor == 6) /* fix syscall map for 2.6 */
+        {
+          strcpy(sh_smap[0].name,   "sys_restart_syscall");
+          strcpy(sh_smap[180].name, "sys_pread64");
+          strcpy(sh_smap[181].name, "sys_pwrite64");
+        }
+    }
+  else /* x86_64 */
+    {
+      for (i = 0; i < SH_MAXCALLS; ++i)
+        {
+          if (syscalls_64[i] == NULL)
             break;
-          strcpy(sh_smap[i].name, callz_2p4[i]);
-        }
-      sh_smap[i].addr    = 0UL;
-    }
-
-  if (which == 6) /* fix syscall map for 2.6 */
-    {
-      strcpy(sh_smap[0].name,   "sys_restart_syscall");
-      strcpy(sh_smap[180].name, "sys_pread64");
-      strcpy(sh_smap[181].name, "sys_pwrite64");
-    }
+          strcpy(sh_smap[i].name, syscalls_64[i]);
+          sh_smap[i].addr    = 0UL;
+        }
+    }
+
   count = i;
 
-  /* get the actual number of the highest syscalls and use no more.
+  /* get the actual number of the highest syscall and use no more.
    * get sys_call_table and system_call
    */
@@ -480 +520 @@
       exit (EXIT_FAILURE);
     }
+
   if (addr_system_call == 0L) 
     {
@@ -502 +543 @@
         }
     }
-  if (which < 6)
+
+  if (minor < 6)
     {
       maxcall = (maxcall > 256) ? 256 : maxcall;
@@ -622 +664 @@
   }
 
-  if (two_six_seventeen_plus == 1) {
-    printf("#define TWO_SIX_SEVENTEEN_PLUS 1\n\n");
-  }
+  if (KERNEL_VERSION(major,minor,micro) >= KERNEL_VERSION(2,6,17)) 
+    {
+      printf("#define TWO_SIX_SEVENTEEN_PLUS 1\n\n");
+    }
 
   printf("#endif\n");

trunk/src/sh_cat.c

@@ -121 +121 @@
   { MSG_UT_LG3C,     SH_ERR_INFO,    EVENT, N_("msg=\"Logout\" tty=\"%s\" time=\"%s\" status=\"%d\"")},
   { MSG_UT_ROT,      SH_ERR_WARN,    RUN,   N_("msg=\"Logfile size decreased\" path=\"%s\"")},
+
+  { MSG_UT_BAD,      SH_ERR_SEVERE,  EVENT, N_("msg=\"Login at disallowed time\" userid=\"%s\" host=\"%s\" time=\"%s\"")},
+  { MSG_UT_FIRST,    SH_ERR_SEVERE,  EVENT, N_("msg=\"First login from this host\" userid=\"%s\" host=\"%s\" time=\"%s\"")},
+  { MSG_UT_OUTLIER,  SH_ERR_SEVERE,  EVENT, N_("msg=\"Login time outlier\" userid=\"%s\" host=\"%s\" time=\"%s\"")},
 
 #endif
@@ -454 +458 @@
   { MSG_UT_ROT,      SH_ERR_WARN,    RUN,   N_("msg=<Logfile size decreased>, path=<%s>")},
 
+  { MSG_UT_BAD,      SH_ERR_SEVERE,  EVENT, N_("msg=<Login at disallowed time> userid=<%s> host=<%s> time=<%s>")},
+  { MSG_UT_FIRST,    SH_ERR_SEVERE,  EVENT, N_("msg=<First login from this host> userid=<%s> host=<%s> time=<%s>")},
+  { MSG_UT_OUTLIER,  SH_ERR_SEVERE,  EVENT, N_("msg=<Login time outlier> userid=<%s> host=<%s> time=<%s>")},
 #endif
 

trunk/src/sh_err_log.c

@@ -377 +377 @@
               key[0] = '\0';
               
-              while (sl_strlen(key) < KEY_LEN ) 
+              while (strlen(key) < KEY_LEN ) 
                 { 
                   if (key[0] != '\n' && key[0] != '\0')

trunk/src/sh_err_syslog.c

@@ -131 +131 @@
 }
   
-  
+static int sh_stamp_priority = LOG_ERR;
+
+/* set priority for heartbeat messages
+ */
+int  sh_log_set_stamp_priority (const char * c)
+{
+  int retval = 0;
+
+  if      (0 == strcmp(c, _("LOG_DEBUG")))   { sh_stamp_priority = LOG_DEBUG; }
+  else if (0 == strcmp(c, _("LOG_INFO")))    { sh_stamp_priority = LOG_INFO;  }
+  else if (0 == strcmp(c, _("LOG_NOTICE")))  { sh_stamp_priority = LOG_NOTICE;}
+  else if (0 == strcmp(c, _("LOG_WARNING"))) { sh_stamp_priority = LOG_WARNING;}
+  else if (0 == strcmp(c, _("LOG_ERR")))     { sh_stamp_priority = LOG_ERR;   }
+  else if (0 == strcmp(c, _("LOG_CRIT")))    { sh_stamp_priority = LOG_CRIT;  }
+  else if (0 == strcmp(c, _("LOG_ALERT")))   { sh_stamp_priority = LOG_ALERT; }
+#ifdef LOG_EMERG
+  else if (0 == strcmp(c, _("LOG_EMERG")))   { sh_stamp_priority = LOG_EMERG; }
+#endif
+  else { retval = -1; }
+
+  return retval;
+}  
 
 /* syslog error message
@@ -154 +175 @@
   else if (severity == SH_ERR_NOTICE) priority = LOG_NOTICE;
   else if (severity == SH_ERR_WARN)   priority = LOG_WARNING;
-  else if (severity == SH_ERR_STAMP)  priority = LOG_ERR;
+  else if (severity == SH_ERR_STAMP)  priority = sh_stamp_priority;
   else if (severity == SH_ERR_ERR)    priority = LOG_ERR;
   else if (severity == SH_ERR_SEVERE) priority = LOG_CRIT;

trunk/src/sh_hash.c

@@ -1805 +1805 @@
                   sl_write (pushdata_fd, _(" Date "), 6);
                   (void) sh_unix_time(0, timestring, sizeof(timestring));
-                  sl_write (pushdata_fd, timestring, sl_strlen(timestring));
+                  sl_write (pushdata_fd, timestring, strlen(timestring));
                   sl_write (pushdata_fd,        "\n", 1);
                 } else {

trunk/src/sh_kern.c

@@ -137 +137 @@
  */
 #ifdef SH_SYS_CALL_TABLE
-static unsigned int  kaddr = SH_SYS_CALL_TABLE;
+static unsigned long  kaddr = SH_SYS_CALL_TABLE;
 #else
-static unsigned int  kaddr = 0;
+static unsigned long  kaddr = 0;
 #endif
 
@@ -268 +268 @@
 #ifdef HOST_IS_LINUX
 
+#ifndef KERNEL_VERSION
+#define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
+#endif
+
 /*
  * Interrupt Descriptor Table
@@ -281 +285 @@
 static char * sh_strseg(unsigned short segment)
 {
+  static int flip = 0;
+  static char one[32];
+  static char two[32];
+
   switch (segment) {
 #ifdef __KERNEL_CS
@@ -299 +307 @@
 #endif
   default:
-    return _("unknown");
+    if (flip == 0)
+      {
+        snprintf(one, sizeof(one), "%hX", segment);
+        flip = 1;
+        return one;
+      }
+    else
+      {
+        snprintf(two, sizeof(two), "%hX", segment);
+        flip = 0;
+        return two;
+      }
   }
 }
@@ -550 +569 @@
   unsigned int  kmem_code_table[SH_KERN_SIZ][2];
 
-  unsigned char  buf[6];
-  unsigned short idt_size;
-  unsigned long  idt_addr;
-
   unsigned char new_system_call_code[SH_KERN_SCC];
 
@@ -620 +635 @@
        * and read the content into the global array sh_idt_table[]
        */
-      __asm__ volatile ("sidt %0": "=m" (buf));
-      idt_size = *((unsigned short *) &buf[0]);
-      idt_addr = *((unsigned long *)  &buf[2]);
-      idt_size = (idt_size + 1)/8;
+      struct {
+        char pad[6];
+        unsigned short size;
+        unsigned long  addr;
+      } idt;
+
+      __asm__ volatile ("sidt %0": "=m" (idt.size));
+
+      idt.size = (idt.size + 1)/8;
       
-      if (idt_size > SH_MAXIDT)
-        idt_size = SH_MAXIDT;
+      if (idt.size > SH_MAXIDT)
+        idt.size = SH_MAXIDT;
       
       memset(sh_idt_table, '\0', SH_MAXIDT*8);
-      if (sh_kern_read_data (kd, idt_addr, 
-                             (unsigned char *) sh_idt_table, idt_size*8))
+      if (sh_kern_read_data (kd, idt.addr, 
+                             (unsigned char *) sh_idt_table, idt.size*8))
         status = -5;
     }
@@ -660 +680 @@
     }
 /* 2.6.21 (((2) << 16) + ((6) << 8) + (21)) */
-#if SH_KERNEL_NUMBER < 132629
+#if SH_KERNEL_NUMBER < KERNEL_VERSION(2,6,21)
   if(status == 0)
     {
@@ -669 +689 @@
     }
 #else
-  memset(&proc_root_inode, '\0', sizeof(proc_root_inode));
+    memset(&proc_root_inode, '\0', sizeof(proc_root_inode));
 #endif
   
@@ -1062 +1082 @@
 static void check_proc_root (struct sh_kernel_info * kinfo)
 {
-  struct proc_dir_entry   proc_root_dir;
+  struct proc_dir_entry     proc_root_dir;
+  struct inode_operations * proc_root_inode_op = NULL;
 
 /* 2.6.21 (((2) << 16) + ((6) << 8) + (21)) */
-#if SH_KERNEL_NUMBER < 132629
+#if SH_KERNEL_NUMBER < KERNEL_VERSION(2,6,21)
   struct inode_operations proc_root_inode;
 
@@ -1080 +1101 @@
 
   memcpy (&proc_root_dir,   &(kinfo->proc_root_dir),   sizeof(struct proc_dir_entry));
-  if (    (((unsigned int) * &proc_root_dir.proc_iops) != proc_root_iops)
-            && (proc_root_dir.size != proc_root_iops)
-            && (((unsigned int) * &proc_root_dir.proc_fops) != proc_root_iops)
-            )
+
+  if (((unsigned long) * &proc_root_dir.proc_iops) == proc_root_iops)
+    {
+      proc_root_inode_op = (struct inode_operations *) &(proc_root_dir.proc_iops);
+    }
+  else if (proc_root_dir.size == proc_root_iops)
+    {
+      proc_root_inode_op = (struct inode_operations *) &(proc_root_dir.size);
+    }
+  else if ((unsigned long) * &proc_root_dir.proc_fops == proc_root_iops)
+    {
+      proc_root_inode_op = (struct inode_operations *) &(proc_root_dir.proc_fops);
+    }
+
+  if (!proc_root_inode_op)
     {
       sh_error_handle ((-1), FIL__, __LINE__, 0, MSG_KERN_PROC,
@@ -1365 +1397 @@
   if (kd < 0)
     {
+      kd = aud_open(FIL__, __LINE__, SL_YESPRIV, _("/proc/kmem"), O_RDONLY, 0);
+    }
+
+  if (kd < 0)
+    {
       status = errno;
       sh_error_handle ((-1), FIL__, __LINE__, status, MSG_E_SUBGEN,

trunk/src/sh_port2proc.c

@@ -322 +322 @@
 /* returns the command and fills the 'user' array 
  */
-static char * port2proc_query(char * file, int proto, struct in_addr * saddr, int sport, 
+static char * port2proc_query(char * file, int proto, 
+                              struct in_addr * saddr, int sport, 
                               unsigned long * pid, char * user, size_t userlen)
 {

trunk/src/sh_readconf.c

@@ -255 +255 @@
                   sh.host.release, sh.host.machine);
       
-      if  (sl_strncmp (p,  myident, sl_strlen(myident)) == 0
+      if  (sl_strncmp (p,  myident, strlen(myident)) == 0
 #ifdef HAVE_REGEX_H
            || sh_util_regcmp (p, myident) == 0
@@ -1202 +1202 @@
     sh_log_set_facility },
 
+  { N_("syslogmapstampto"),    SH_SECTION_LOG,   SH_SECTION_MISC, 
+    sh_log_set_stamp_priority },
+
   { N_("mactype"),     SH_SECTION_MISC,  SH_SECTION_NONE, 
     sh_util_sigtype },

trunk/src/sh_unix.c

@@ -670 +670 @@
     sig_force_check = 1;
 #endif
+#ifdef SIGTTIN
+  if (mysignal == SIGTTIN)
+    sig_fresh_trail = 1;
+#endif
 #ifdef SIGABRT
   if (mysignal == SIGABRT)
@@ -837 +841 @@
   retry_sigaction(FIL__, __LINE__, SIGTSTP,   &ignact, &oldact);
 #endif
-#ifdef SIGTTIN
-  retry_sigaction(FIL__, __LINE__, SIGTTIN,   &ignact, &oldact);
-#endif
+
 #if defined (SH_WITH_CLIENT) || defined (SH_STANDALONE)
 #ifdef SIGTTOU
@@ -847 +849 @@
     retry_sigaction(FIL__, __LINE__, SIGTTOU,   &ignact, &oldact);
 #endif
+#ifdef SIGTTIN
+  if (goDaemon == 1)
+    retry_sigaction(FIL__, __LINE__, SIGTTIN,     &act2, &oldact);
+  else
+    retry_sigaction(FIL__, __LINE__, SIGTTIN,   &ignact, &oldact);
+#endif
 #else
 #ifdef SIGTTOU
   retry_sigaction(FIL__, __LINE__, SIGTTOU,   &ignact, &oldact);
+#endif
+#ifdef SIGTTIN
+  retry_sigaction(FIL__, __LINE__, SIGTTIN,   &ignact, &oldact);
 #endif
 #endif
@@ -3128 +3139 @@
   SL_RETURN(0, _("sh_unix_getinfo_attr"));
 }
-#else
-static 
-int sh_unix_getinfo_attr (char * name, 
-                          unsigned long * flags, 
-                          char * c_attr,
-                          int fd, struct stat * buf)
-{
-  return 0;
-}
 
 /* defined(__linux__) || defined(HAVE_STAT_FLAGS) */
@@ -3905 +3907 @@
   theFile->attributes      =    0;
 
+#if (defined(__linux__) && (defined(HAVE_LINUX_EXT2_FS_H) || defined(HAVE_EXT2FS_EXT2_FS_H))) || defined(HAVE_STAT_FLAGS)
   if (theFile->c_mode[0] != 'c' && theFile->c_mode[0] != 'b' &&
       theFile->c_mode[0] != 'l' )
@@ -3910 +3913 @@
                          &theFile->attributes, theFile->c_attributes, 
                          fd, &buf);
+#endif
 #endif
 

trunk/src/sh_utmp.c

@@ -225 +225 @@
   },
   {
+    N_("logincheckfirst"),
+    sh_login_set_checklevel
+  },
+  {
+    N_("logincheckoutlier"),
+    sh_login_set_siglevel
+  },
+  {
+    N_("logincheckdate"),
+    sh_login_set_def_allow
+  },
+  {
+    N_("logincheckuserdate"),
+    sh_login_set_user_allow
+  },
+  {
     NULL,
     NULL
@@ -237 +253 @@
   ShUtmpActive       = S_TRUE;
   ShUtmpInterval     = 300;
+
+  sh_login_reset();
   return;
 }
@@ -498 +516 @@
 int sh_utmp_init (struct mod_type * arg)
 {
+#if !defined(HAVE_PTHREAD)
+  (void) arg;
+#endif
   if (ShUtmpActive == BAD)
     return SH_MOD_FAILED;
@@ -548 +569 @@
   init_done          = 0;
 
+#if defined(HAVE_PTHREAD)
   sh_inotify_remove(&inotify_watch);
+#endif
 
   SL_RETURN( (0), _("sh_utmp_end"));
@@ -557 +580 @@
 {
   set_defaults();
+#if defined(HAVE_PTHREAD)
   sh_inotify_remove(&inotify_watch);
+#endif
   return 0;
 }
@@ -1206 +1231 @@
 }
 
+extern void sh_ltrack_check(struct SH_UTMP_S * ut);
 
 static void sh_utmp_login_morechecks(struct SH_UTMP_S * ut)
 {
-  if (ut)
-    return;
+  sh_ltrack_check(ut);
   return;
 }
@@ -1216 +1241 @@
 static void sh_utmp_logout_morechecks(struct log_user * user)
 {
-  if (user)
-    return;
+  (void) user;
   return;
 }

trunk/src/slib.c

@@ -16 +16 @@
 #endif
 
+#include <sys/types.h>
+#include <sys/stat.h>
 #include <unistd.h>
-#include <sys/stat.h>
-#include <sys/types.h>
 #include <fcntl.h>
 #include <signal.h>
@@ -259 +259 @@
   else
     sl_strlcpy(tmp, fmt, 256);
-  retval = sl_strlen(tmp);
+  retval = strlen(tmp);
   if (retval > 0 && tmp[retval-1] == '\n')
     tmp[retval-1] = '\0';
@@ -274 +274 @@
       sprintf      (val, _("[%2d] "), trace_level);
       sl_strlcat   (msg,     val,   256);
-      sl_vsnprintf (&msg[sl_strlen(msg)], 255, tmp, ap);
+      sl_vsnprintf (&msg[strlen(msg)], 255, tmp, ap);
       sl_snprintf  (tmp, 255, _(" \t - File %c%s%c at line %d"), 
                     0x22, file, 0x22, line);

trunk/test/testcompile.sh

@@ -378 +378 @@
         fi
         #
+        [ -z "${SMATCH}" ] || { CC="${SAVE_CC}"; export CC; SMATCH=""; export SMATCH; }
+        #
         ${TOP_SRCDIR}/configure --quiet  --prefix=$PW_DIR --localstatedir=$PW_DIR --with-config-file=$PW_DIR/samhainrc.test  --enable-process-check --enable-port-check --enable-static > /dev/null 2>> test_log
         #
@@ -386 +388 @@
         let "num = num + 1" >/dev/null
         run_uno $? $num || let "numfail = numfail + 1"  >/dev/null
-
+        #
+        [ -z "${SMATCH_CC}" ] || { CC="${SMATCH_CC}"; export CC; SMATCH="${SAVE_SMATCH}"; export SMATCH; }
         #
         # test standalone compilation