Changeset 294


Ignore:
Timestamp:
Oct 31, 2010, 10:26:42 AM (14 years ago)
Author:
katerina
Message:

Tikets #213 and #214 (Use auditd to determine who changed a file, Windows registry check).

Location:
trunk
Files:
3 added
20 edited

Legend:

Unmodified
Added
Removed
  • trunk/Makefile.in

    r292 r294  
    124124        sh_processcheck.h sh_portcheck.h sh_pthread.h sh_string.h \
    125125        sh_log_check.h sh_log_evalrule.h sh_log_correlate.h \
    126         sh_log_mark.h sh_log_repeat.h sh_inotify.h
     126        sh_log_mark.h sh_log_repeat.h sh_inotify.h sh_registry.h
    127127
    128128
     
    165165        $(srcsrc)/sh_log_check.c $(srcsrc)/dnmalloc.c \
    166166        $(srcsrc)/sh_inotify.c $(srcsrc)/sh_log_repeat.c \
     167        $(srcsrc)/sh_audit.c $(srcsrc)/sh_registry.c \
    167168        $(srcsrc)/t-test1.c
    168169
     
    183184        sh_log_parse_generic.o \
    184185        sh_log_correlate.o sh_log_mark.o sh_log_repeat.o \
    185         sh_pthread.o sh_string.o sh_inotify.o dnmalloc.o
     186        sh_pthread.o sh_string.o sh_inotify.o dnmalloc.o \
     187        sh_audit.o sh_registry.o
    186188
    187189KERN = kern_head.h kern_head.c
     
    17031705sh_entropy.o: $(srcsrc)/sh_entropy.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_utils.h $(srcinc)/sh_unix.h $(srcinc)/sh_tiger.h $(srcinc)/sh_calls.h $(srcinc)/sh_pthread.h $(srcinc)/sh_static.h $(srcinc)/sh_pthread.h $(srcinc)/CuTest.h
    17041706sh_forward.o: $(srcsrc)/sh_forward.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_tiger.h $(srcinc)/sh_utils.h $(srcinc)/sh_unix.h $(srcinc)/sh_forward.h $(srcinc)/sh_srp.h $(srcinc)/sh_fifo.h $(srcinc)/sh_tools.h $(srcinc)/sh_entropy.h $(srcinc)/sh_html.h $(srcinc)/sh_nmail.h $(srcinc)/sh_socket.h $(srcinc)/sh_static.h $(srcinc)/rijndael-api-fst.h $(srcinc)/sh_readconf.h $(srcinc)/zAVLTree.h $(srcinc)/sh_extern.h
    1705 sh_modules.o: $(srcsrc)/sh_modules.c Makefile config_xor.h $(srcinc)/sh_modules.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utmp.h $(srcinc)/sh_mounts.h $(srcinc)/sh_userfiles.h $(srcinc)/sh_kern.h $(srcinc)/sh_suidchk.h $(srcinc)/sh_processcheck.h $(srcinc)/sh_portcheck.h $(srcinc)/sh_logmon.h
     1707sh_modules.o: $(srcsrc)/sh_modules.c Makefile config_xor.h $(srcinc)/sh_modules.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utmp.h $(srcinc)/sh_mounts.h $(srcinc)/sh_userfiles.h $(srcinc)/sh_kern.h $(srcinc)/sh_suidchk.h $(srcinc)/sh_processcheck.h $(srcinc)/sh_portcheck.h $(srcinc)/sh_logmon.h $(srcinc)/sh_registry.h
    17061708sh_utmp.o: $(srcsrc)/sh_utmp.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_utils.h $(srcinc)/sh_error.h $(srcinc)/sh_modules.h $(srcinc)/sh_utmp.h $(srcinc)/sh_pthread.h $(srcinc)/sh_inotify.h
    17071709sh_kern.o: $(srcsrc)/sh_kern.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_error.h $(srcinc)/sh_modules.h $(srcinc)/sh_kern.h sh_ks_xor.h $(srcinc)/sh_unix.h $(srcinc)/sh_hash.h
     
    17511753dnmalloc.o: $(srcsrc)/dnmalloc.c Makefile config.h
    17521754t-test1.o: $(srcsrc)/t-test1.c Makefile config.h $(srcinc)/malloc.h
    1753 sh_port2proc.o: $(srcsrc)/sh_port2proc.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_utils.h $(srcinc)/sh_error_min.h $(srcinc)/sh_pthread.h $(srcinc)/samhain.h $(srcinc)/sh_utils.h
     1755sh_port2proc.o: $(srcsrc)/sh_port2proc.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_utils.h $(srcinc)/sh_error_min.h $(srcinc)/sh_pthread.h
    17541756sh_log_parse_syslog.o: $(srcsrc)/sh_log_parse_syslog.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_log_check.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h
    17551757sh_log_parse_pacct.o: $(srcsrc)/sh_log_parse_pacct.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_log_check.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h
     
    17661768sh_log_parse_generic.o: $(srcsrc)/sh_log_parse_generic.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_log_check.h $(srcinc)/sh_string.h
    17671769sh_login_track.o: $(srcsrc)/sh_login_track.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_unix.h $(srcinc)/sh_string.h $(srcinc)/sh_tools.h $(srcinc)/sh_error_min.h $(srcinc)/CuTest.h $(srcinc)/CuTest.h
     1770sh_audit.o: $(srcsrc)/sh_audit.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_error.h $(srcinc)/sh_extern.h $(srcinc)/sh_utils.h
     1771sh_registry.o: $(srcsrc)/sh_registry.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_unix.h $(srcinc)/sh_modules.h $(srcinc)/sh_hash.h $(srcinc)/sh_tiger.h
  • trunk/configure.ac

    r293 r294  
    1212dnl start
    1313dnl
    14 AM_INIT_AUTOMAKE(samhain, 2.7.2c)
     14AM_INIT_AUTOMAKE(samhain, 2.8.0)
    1515AC_DEFINE([SAMHAIN], 1, [Application is samhain])
    1616AC_CANONICAL_HOST
     
    8686        *cygwin*)
    8787        AC_DEFINE(HOST_IS_CYGWIN)
     88        AC_DEFINE([USE_REGISTRY_CHECK], 1, [Define for registry check])
    8889        dnmalloc_ok=no
    8990        AC_MSG_RESULT([no trusted paths and no dnmalloc])
     
    230231        regex.h glob.h \
    231232        linux/ext2_fs.h linux/fs.h ext2fs/ext2_fs.h asm/segment.h \
    232         elf.h linux/elf.h \
     233        elf.h linux/elf.h auparse.h \
    233234        paths.h arpa/nameser.h arpa/nameser_compat.h \
    234235        rpc/rpcent.h rpc/rpc.h sys/statvfs.h,
     
    442443  ])
    443444
     445sh_auparse=no
     446
     447if test "x$ac_cv_header_auparse_h" = "xyes"
     448then
     449   AC_CHECK_LIB(auparse, auparse_find_field, [
     450                         LIBS="$LIBS -lauparse"
     451                         sh_auparse=yes
     452                         AC_DEFINE(HAVE_AUPARSE_LIB, 1, [Define if you have the auparse lib])
     453                         ])
     454fi
     455
    444456dnl arguments for accept
    445457
     
    952964                then
    953965                  tmp_LIBS=`echo $LIBS | sed 's%\-lresolv%%' `
     966                  LIBS="${tmp_LIBS}"
     967                fi
     968                if test x"${sh_auparse}" = xyes
     969                then
     970                  tmp_LIBS=`echo $LIBS | sed 's%\-lauparse%%' `
    954971                  LIBS="${tmp_LIBS}"
    955972                fi
  • trunk/depend.dep

    r292 r294  
    1818sh_entropy.o: $(srcsrc)/sh_entropy.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_utils.h $(srcinc)/sh_unix.h $(srcinc)/sh_tiger.h $(srcinc)/sh_calls.h $(srcinc)/sh_pthread.h $(srcinc)/sh_static.h $(srcinc)/sh_pthread.h $(srcinc)/CuTest.h
    1919sh_forward.o: $(srcsrc)/sh_forward.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_tiger.h $(srcinc)/sh_utils.h $(srcinc)/sh_unix.h $(srcinc)/sh_forward.h $(srcinc)/sh_srp.h $(srcinc)/sh_fifo.h $(srcinc)/sh_tools.h $(srcinc)/sh_entropy.h $(srcinc)/sh_html.h $(srcinc)/sh_nmail.h $(srcinc)/sh_socket.h $(srcinc)/sh_static.h $(srcinc)/rijndael-api-fst.h $(srcinc)/sh_readconf.h $(srcinc)/zAVLTree.h $(srcinc)/sh_extern.h
    20 sh_modules.o: $(srcsrc)/sh_modules.c Makefile config_xor.h $(srcinc)/sh_modules.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utmp.h $(srcinc)/sh_mounts.h $(srcinc)/sh_userfiles.h $(srcinc)/sh_kern.h $(srcinc)/sh_suidchk.h $(srcinc)/sh_processcheck.h $(srcinc)/sh_portcheck.h $(srcinc)/sh_logmon.h
     20sh_modules.o: $(srcsrc)/sh_modules.c Makefile config_xor.h $(srcinc)/sh_modules.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utmp.h $(srcinc)/sh_mounts.h $(srcinc)/sh_userfiles.h $(srcinc)/sh_kern.h $(srcinc)/sh_suidchk.h $(srcinc)/sh_processcheck.h $(srcinc)/sh_portcheck.h $(srcinc)/sh_logmon.h $(srcinc)/sh_registry.h
    2121sh_utmp.o: $(srcsrc)/sh_utmp.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_utils.h $(srcinc)/sh_error.h $(srcinc)/sh_modules.h $(srcinc)/sh_utmp.h $(srcinc)/sh_pthread.h $(srcinc)/sh_inotify.h
    2222sh_kern.o: $(srcsrc)/sh_kern.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_error.h $(srcinc)/sh_modules.h $(srcinc)/sh_kern.h sh_ks_xor.h $(srcinc)/sh_unix.h $(srcinc)/sh_hash.h
     
    6868dnmalloc-portable.o: $(srcsrc)/dnmalloc-portable.c Makefile config.h
    6969dnmalloc.o: $(srcsrc)/dnmalloc.c Makefile config.h
    70 sh_port2proc.o: $(srcsrc)/sh_port2proc.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_utils.h $(srcinc)/sh_error_min.h $(srcinc)/sh_pthread.h $(srcinc)/samhain.h $(srcinc)/sh_utils.h
     70sh_port2proc.o: $(srcsrc)/sh_port2proc.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_utils.h $(srcinc)/sh_error_min.h $(srcinc)/sh_pthread.h
    7171sh_log_parse_syslog.o: $(srcsrc)/sh_log_parse_syslog.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_log_check.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h
    7272sh_log_parse_pacct.o: $(srcsrc)/sh_log_parse_pacct.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_log_check.h $(srcinc)/sh_utils.h $(srcinc)/sh_string.h
     
    8383sh_log_parse_generic.o: $(srcsrc)/sh_log_parse_generic.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_log_check.h $(srcinc)/sh_string.h
    8484sh_login_track.o: $(srcsrc)/sh_login_track.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_unix.h $(srcinc)/sh_string.h $(srcinc)/sh_tools.h $(srcinc)/sh_error_min.h $(srcinc)/CuTest.h $(srcinc)/CuTest.h
     85sh_audit.o: $(srcsrc)/sh_audit.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_error.h $(srcinc)/sh_extern.h $(srcinc)/sh_utils.h
     86sh_registry.o: $(srcsrc)/sh_registry.c Makefile config_xor.h $(srcinc)/samhain.h $(srcinc)/sh_pthread.h $(srcinc)/sh_utils.h $(srcinc)/sh_unix.h $(srcinc)/sh_modules.h $(srcinc)/sh_hash.h $(srcinc)/sh_tiger.h
  • trunk/depend.sum

    r292 r294  
    1 2431182974
     12205834486
  • trunk/docs/Changelog

    r293 r294  
     12.8.0:
     2        * Add registry checking
     3        * Use auditd records to find out who did it
     4
    152.7.2c:
    2         * Fix uppercase hostname problem in client/server communication
     6        * Fix uppercase hostname problem in client/server communication
     7
    38
    492.7.2b:
     
    1217        * sh_utils.c: fixed an endianess issue that prevented cross-verification
    1318          of email signatures (reported by A. Zangerl)
    14         * sh_login_track.c: fix compiler warning (ignored return value
    15           of fwrite)
    16         * sh_readconf.c: fix comparison of SeverityUserX string
     19        * sh_login_track.c: fix compiler warning (ignored return value
     20          of fwrite)
     21        * sh_readconf.c: fix comparison of SeverityUserX string 
    1722          (reported by max__)
    1823        * sh_processcheck.c: sh_prochk_set_maxpid: set retval on success
  • trunk/include/sh_cat.h

    r279 r294  
    173173 MSG_LOGMON_MARK,
    174174 MSG_LOGMON_BURST,
     175#endif
     176
     177#ifdef USE_REGISTRY_CHECK
     178 MSG_REG_MISS,
     179 MSG_REG_NEW,
     180 MSG_REG_CHANGE,
    175181#endif
    176182
  • trunk/include/sh_extern.h

    r275 r294  
    4141 */
    4242int sh_ext_popen_init (sh_tas_t * task, char * command);
     43
     44/*
     45 * -- Execute command, return first line of output
     46 */
     47int sh_ext_system (char * command);
    4348
    4449/*
  • trunk/include/sh_files.h

    r256 r294  
    2121#define SH_FILES_H
    2222
     23void sh_audit_mark (char * file);
     24void sh_audit_delete_all ();
     25char * sh_audit_fetch (char * file, time_t time, char * result, size_t rsize);
     26
    2327struct sh_dirent {
    2428  char             * sh_d_name;
    2529  struct sh_dirent * next;
    2630};
     31
    2732
    2833/* free a directory listing
  • trunk/include/sh_hash.h

    r205 r294  
    7070/* Check whether a file is present in the database.
    7171 */
    72 int sh_hash_have_it (char * newname);
     72int sh_hash_have_it (const char * newname);
    7373
    7474/* Get a file if it is present in the database.
     75 * If fileHash != NULL also return checksum.
    7576 */
    76 int sh_hash_get_it (char * newname, file_type * tmpFile);
     77int sh_hash_get_it (const char * newname, file_type * tmpFile, char * fileHash);
    7778
    7879/* Delete the database from memory.
     
    113114void sh_hash_unvisited (ShErrLevel level);
    114115
     116/* Search for unvisited entries in the database, custom error handler.
     117 */
     118void sh_hash_unvisited_custom (char prefix, void(*handler)(const char * key));
     119
    115120/* Set a file's status to 'visited'. This is required for
    116121 * files that should be ignored, and may be present in the
     
    135140int hash_full_tree (void);
    136141
    137 /* Insert data
     142/* Insert data.
     143 * 'key' -> path
     144 * 'str' -> binary with size 'size'
    138145 */
    139 void sh_hash_push2db (char * key, unsigned long val1,
    140                       unsigned long val2, unsigned long val3,
    141                       unsigned char * str, int size);
     146struct store2db {
     147  UINT64 val0;
     148  UINT64 val1;
     149  UINT64 val2;
     150  UINT64 val3;
     151  char   checksum[KEY_LEN+1];
     152  unsigned char * str;
     153  int size;
     154};
     155
     156void sh_hash_push2db (const char * key, struct store2db * save);
     157
    142158
    143159/* Retrieve data
    144160 */
    145 char * sh_hash_db2pop (char * key, unsigned long * val1,
    146                        unsigned long * val2, unsigned long * val3,
    147                        int * size);
     161char * sh_hash_db2pop (const char * key,  struct store2db * get);
     162
    148163
    149164/* Write out database
  • trunk/include/sh_unix.h

    r265 r294  
    9090/* use prelink     */
    9191#define MODI_PREL (1 << 13)
     92
    9293/* get content     */
    9394#define MODI_TXT ((1 << 14)|MODI_CHK)
    94 
    9595#define MODI_TXT_ENABLED(a) (((a)&(1 << 14))!=0)
     96
     97/* get audit record  */
     98#define MODI_AUDIT (1 << 15)
     99#define MODI_AUDIT_ENABLED(a) (((a)&(1 << 15))!=0)
     100
    96101
    97102#define SH_TXT_MAX 9200
  • trunk/src/samhain.c

    r265 r294  
    745745  sh_hash_hashdelete();
    746746  sh_files_hle_reg (NULL);
     747  /*
     748   * Only flush on exit if running as deamon.
     749   * Otherwise we couldn't run another instance
     750   * while the deamon is running (would leave the
     751   * deamon with flushed ruleset).
     752   */
     753  if (sh.flag.isdaemon == S_TRUE)
     754    {
     755      sh_audit_delete_all ();
     756    }
    747757#endif
    748758#if defined(SH_WITH_SERVER)
     
    17691779              (void) sh_ignore_clean ();
    17701780              (void) hash_full_tree ();
     1781              sh_audit_delete_all ();
     1782
    17711783
    17721784#if defined(SH_WITH_CLIENT)
  • trunk/src/sh_cat.c

    r279 r294  
    166166  { MSG_LOGMON_MARK, SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [Logfile] Event %s missing for %lu seconds\"") },
    167167  { MSG_LOGMON_BURST, SH_ERR_SEVERE, EVENT, N_("msg=\"POLICY [Logfile] Repeated %d times: %s\" host=\"%s\"") },
     168#endif
     169
     170#ifdef USE_REGISTRY_CHECK
     171  { MSG_REG_MISS,   SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [RegistryKeyMissing]\" path=\"%s\" %s")},
     172  { MSG_REG_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [RegistryKeyNew]\" path=\"%s\" %s")},
     173  { MSG_REG_CHANGE, SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [RegistryKeyChanged]\" path=\"%s\" %s")},
    168174#endif
    169175
     
    503509#endif
    504510
     511#ifdef USE_REGISTRY_CHECK
     512  { MSG_REG_MISS,   SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [RegistryKeyMissing] %s>, path=<%s>, %s")},
     513  { MSG_REG_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [RegistryKeyNew] %s>, path=<%s>, %s")},
     514  { MSG_REG_CHANGE, SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [RegistryKeyChanged] %s>, path=<%s>, %s")},
     515#endif
     516
    505517#if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
    506518 
  • trunk/src/sh_extern.c

    r289 r294  
    839839
    840840  return status;
     841}
     842
     843/* Execute a system command */
     844
     845int sh_ext_system (char * command)
     846{
     847  sh_tas_t task;
     848  int    status;
     849
     850  SL_ENTER(_("sh_ext_system"));
     851
     852  status = sh_ext_popen_init (&task, command);
     853
     854  if (status != 0)
     855    {
     856      sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, status, MSG_E_SUBGEN,
     857                      _("Could not execute command"), _("sh_ext_system"));
     858      SL_RETURN ((-1), _("sh_ext_system"));
     859    }
     860
     861  /* close pipe and return exit status
     862   */
     863  (void) sh_ext_pclose(&task);
     864  sh_ext_tas_free (&task);
     865  SL_RETURN ((status), _("sh_ext_system"));
    841866}
    842867
  • trunk/src/sh_files.c

    r286 r294  
    742742        if (0 == strncmp(myword, _("TXT"), 3))
    743743          sh_files_set_mask (mask, MODI_TXT, act);
    744        
     744/* get content */
     745        if (0 == strncmp(myword, _("AUDIT"), 3))
     746          sh_files_set_mask (mask, MODI_AUDIT, act);
    745747      }
    746748  }
     
    915917      SH_FREE(fileName);
    916918      SH_FREE(new_item_ptr);
    917     }
    918 
     919      new_item_ptr = NULL;
     920    }
     921
     922  if (new_item_ptr && MODI_AUDIT_ENABLED(new_item_ptr->check_mask))
     923    {
     924      sh_audit_mark(new_item_ptr->name);
     925    }
    919926  SL_RETURN(0, _("sh_files_push_file_int"));
    920927}
     
    14721479      SH_FREE(dirName);
    14731480      SH_FREE(new_item_ptr);
     1481      new_item_ptr = NULL;
     1482    }
     1483
     1484  if (new_item_ptr && MODI_AUDIT_ENABLED(new_item_ptr->check_mask))
     1485    {
     1486      sh_audit_mark(new_item_ptr->name);
    14741487    }
    14751488
  • trunk/src/sh_getopt.c

    r272 r294  
    464464  if (num > 0) fputc ('\n', stdout);
    465465  fputs (_(" optionally store full text for files"), stdout); ++num;
     466#endif
     467#if !defined(SH_COMPILE_STATIC) && defined(__linux__) && defined(HAVE_AUPARSE_H) && defined(HAVE_AUPARSE_LIB)
     468  if (num > 0) fputc ('\n', stdout);
     469  fputs (_(" optionally report auditd record of changed file"), stdout); ++num;
    466470#endif
    467471#if defined(USE_XATTR)
  • trunk/src/sh_hash.c

    r279 r294  
    393393}
    394394
    395 static sh_file_t * hashsearch (char * s);
     395static sh_file_t * hashsearch (const char * s);
    396396
    397397static sh_file_t * tab[TABSIZE];
     
    403403 **************************************************************/
    404404
    405 static int hashfunc(char *s)
     405static int hashfunc(const char *s)
    406406{
    407407  unsigned int n = 0;
     
    467467 *
    468468 **************************************************************/
     469static sh_file_t * delete_db_entry(sh_file_t *p)
     470{
     471  if (p->fullpath)
     472    {
     473      SH_FREE(p->fullpath);
     474      p->fullpath = NULL;
     475    }
     476  if (p->linkpath)
     477    {
     478      if (p->linkpath != notalink)
     479        SH_FREE(p->linkpath);
     480      p->linkpath = NULL;
     481    }
     482  if (p->attr_string)
     483    {
     484      SH_FREE(p->attr_string);
     485      p->attr_string = NULL;
     486    }
     487  SH_FREE(p);
     488  return NULL;
     489}
     490
    469491static void hash_unvisited (int j,
    470492                            sh_file_t *prev, sh_file_t *p, ShErrLevel level)
     
    560582              else
    561583                prev->next = p->next;
    562               if (p->fullpath)
    563                 {
    564                   SH_FREE(p->fullpath);
    565                   p->fullpath = NULL;
    566                 }
    567               if (p->linkpath)
    568                 {
    569                   if (p->linkpath != notalink)
    570                     SH_FREE(p->linkpath);
    571                   p->linkpath = NULL;
    572                 }
    573               if (p->attr_string)
    574                 {
    575                   SH_FREE(p->attr_string);
    576                   p->attr_string = NULL;
    577                 }
    578               SH_FREE(p);
    579               p = NULL;
     584
     585              p = delete_db_entry(p);
     586
    580587              SL_RET0(_("hash_unvisited"));
    581588#else
     
    640647}
    641648
     649/*********************************************************************
     650 *
     651 * Search for unvisited entries in the database, custom error handler.
     652 *
     653 *********************************************************************/
     654void sh_hash_unvisited_custom (char prefix, void(*handler)(const char * key))
     655{
     656  int i;
     657  sh_file_t *p    = NULL;
     658  sh_file_t *prev = NULL;
     659  sh_file_t *next = NULL;
     660
     661  SL_ENTER(_("sh_hash_unvisited_custom"));
     662
     663  SH_MUTEX_LOCK(mutex_hash);
     664  for (i = 0; i < TABSIZE; ++i)
     665    {
     666      if (tab[i] != NULL)
     667        {
     668          p = tab[i]; prev = p;
     669
     670          do
     671            {
     672              next = p->next;
     673
     674              if (p->fullpath &&
     675                  prefix == p->fullpath[0])
     676                {
     677                  if ((!SH_FFLAG_VISITED_SET(p->fflags))
     678                      && (!SH_FFLAG_REPORTED_SET(p->fflags)))
     679                    {
     680                      handler(p->fullpath);
     681
     682                      if (!SH_FFLAG_CHECKED_SET(p->fflags))
     683                        {
     684                          /* delete */
     685                          if (tab[i] == p)
     686                            {
     687                              tab[i] = p->next;
     688                              prev   = tab[i];
     689                              next   = prev;
     690                            }
     691                          else
     692                            {
     693                              prev->next = p->next;
     694                              next       = prev->next;
     695                            }
     696
     697                          p = delete_db_entry(p);
     698                        }
     699                    }
     700                  if (p)
     701                    {
     702                      CLEAR_SH_FFLAG_VISITED(p->fflags);
     703                      CLEAR_SH_FFLAG_CHECKED(p->fflags);
     704                    }
     705                }
     706              if (p)
     707                prev = p;
     708              p    = next;
     709            }
     710          while (p);
     711        }
     712    }
     713  SH_MUTEX_UNLOCK(mutex_hash);
     714
     715  SL_RET0(_("hash_unvisited_custom"));
     716}
     717
    642718
    643719/**********************************************************************
     
    683759 *
    684760 ***********************************************************************/
    685 static sh_file_t * hashsearch (char * s)
     761static sh_file_t * hashsearch (const char * s)
    686762{
    687763  sh_file_t * p;
     
    19472023 *
    19482024 *********************************************************************/
    1949 static sh_file_t *  sh_hash_have_it_int (char * newname)
     2025static sh_file_t *  sh_hash_have_it_int (const char * newname)
    19502026{
    19512027  sh_file_t * p;
     
    19682044}
    19692045
    1970 int sh_hash_have_it (char * newname)
     2046int sh_hash_have_it (const char * newname)
    19712047{
    19722048  sh_file_t * p;
     
    19932069}
    19942070
    1995 int sh_hash_get_it (char * newname, file_type * tmpFile)
     2071int sh_hash_get_it (const char * newname, file_type * tmpFile, char * fileHash)
    19962072{
    19972073  sh_file_t * p;
     
    20172093      tmpFile->mtime = p->theFile.mtime;
    20182094      tmpFile->ctime = p->theFile.ctime;
     2095      tmpFile->atime = p->theFile.atime;
     2096
     2097      if (NULL != fileHash)
     2098        sl_strlcpy(fileHash, p->theFile.checksum, KEY_LEN+1);
     2099
    20192100      tmpFile->attr_string = NULL;
    20202101      retval = 0;
     
    21442225{
    21452226  int i;
    2146   SL_ENTER(_("sh_hash_set_visited"));
     2227  SL_ENTER(_("sh_hash_set_missing"));
    21472228  i = sh_hash_set_visited_int(newname, SH_FFLAG_CHECKED);
    2148   SL_RETURN(i, _("sh_hash_set_visited"));
     2229  SL_RETURN(i, _("sh_hash_set_missing"));
    21492230}
    21502231
     
    21772258 ******************************************************************/
    21782259
    2179 void sh_hash_push2db (char * key, unsigned long val1,
    2180                       unsigned long val2, unsigned long val3,
    2181                       unsigned char * str, int size)
     2260void sh_hash_push2db (const char * key, struct store2db * save)
    21822261{
    21832262  int         i = 0;
     
    21862265  file_type * tmpFile = SH_ALLOC(sizeof(file_type));
    21872266
     2267  int size            = save->size;
     2268  unsigned char * str = save->str;
     2269
     2270
    21882271  tmpFile->attr_string = NULL;
    21892272  tmpFile->link_path   = NULL;
    21902273
    21912274  sl_strlcpy(tmpFile->fullpath, key, PATH_MAX);
    2192   tmpFile->size  = val1;
    2193   tmpFile->mtime = val2;
    2194   tmpFile->ctime = val3;
    2195 
    2196   tmpFile->atime = 0;
     2275  tmpFile->size  = save->val0;
     2276  tmpFile->mtime = save->val1;
     2277  tmpFile->ctime = save->val2;
     2278  tmpFile->atime = save->val3;
     2279
    21972280  tmpFile->mode  = 0;
    21982281  tmpFile->owner = 0;
     
    22262309    }
    22272310
    2228   if (sh.flag.checkSum == SH_CHECK_CHECK &&
    2229       sh.flag.update == S_TRUE)
    2230     sh_hash_pushdata_memory (tmpFile, SH_KEY_NULL);
     2311  if (sh.flag.checkSum == SH_CHECK_INIT)
     2312    sh_hash_pushdata (tmpFile,
     2313                      (save->checksum[0] == '\0') ? SH_KEY_NULL : save->checksum);
    22312314  else
    2232     sh_hash_pushdata (tmpFile, SH_KEY_NULL);
     2315    sh_hash_pushdata_memory (tmpFile,
     2316                             (save->checksum[0] == '\0') ? SH_KEY_NULL : save->checksum);
    22332317
    22342318  if (tmpFile->link_path) SH_FREE(tmpFile->link_path);
     
    22392323extern int sh_util_hextobinary (char * binary, char * hex, int bytes);
    22402324
    2241 char * sh_hash_db2pop (char * key, unsigned long * val1,
    2242                        unsigned long * val2, unsigned long * val3,
    2243                        int * size)
     2325char * sh_hash_db2pop (const char * key, struct store2db * save)
    22442326{
    22452327  size_t      len;
     
    22472329  int         i;
    22482330  char      * retval = NULL;
     2331  char        fileHash[KEY_LEN+1];
    22492332  file_type * tmpFile = SH_ALLOC(sizeof(file_type));
    22502333 
    2251   *size = 0;
    2252 
    2253   if (0 == sh_hash_get_it (key, tmpFile))
    2254     {
    2255       *val1 = tmpFile->size;
    2256       *val2 = tmpFile->mtime;
    2257       *val3 = tmpFile->ctime;
     2334  save->size = 0;
     2335
     2336  if (0 == sh_hash_get_it (key, tmpFile, fileHash))
     2337    {
     2338      save->val0 = tmpFile->size;
     2339      save->val1 = tmpFile->mtime;
     2340      save->val2 = tmpFile->ctime;
     2341      save->val3 = tmpFile->atime;
     2342
     2343      sl_strlcpy(save->checksum, fileHash, KEY_LEN+1);
    22582344
    22592345      if (tmpFile->link_path && tmpFile->link_path[0] != '-')
     
    22662352          if (i == 0)
    22672353            {
    2268               *size = (len/2);
    2269               p[*size] = '\0';
     2354              save->size = (len/2);
     2355              p[save->size] = '\0';
    22702356              retval = p;
    22712357            }
     
    22732359            {
    22742360              SH_FREE(p);
    2275               *size = 0;
     2361              save->size = 0;
    22762362            }
    22772363        }
    22782364      else
    22792365        {
    2280           *size = 0;
     2366          save->size = 0;
    22812367        }
    22822368    }
    22832369  else
    22842370    {
    2285       *size = -1;
    2286       *val1 =  0;
    2287       *val2 =  0;
    2288       *val3 =  0;
     2371      save->size = -1;
     2372      save->val0 = 0;
     2373      save->val1 = 0;
     2374      save->val2 = 0;
     2375      save->val3 = 0;
    22892376    }
    22902377  if (tmpFile->link_path) SH_FREE(tmpFile->link_path);
     
    34593546                      tmp_lnk_old, tmp_lnk);
    34603547#else
    3461           sl_snprintf(tmp, SH_MSG_BUF, _("link_old=<%s>, link_new=<%s>"),
     3548          sl_snprintf(tmp, SH_MSG_BUF, _("link_old=<%s>, link_new=<%s>, "),
    34623549                      tmp_lnk_old, tmp_lnk);
    34633550#endif
     
    34793566        }
    34803567
     3568      if (MODI_AUDIT_ENABLED(theFile->check_mask))
     3569        {
     3570          char result[256];
     3571
     3572          if (NULL != sh_audit_fetch (theFile->fullpath, theFile->mtime, result, sizeof(result)))
     3573            {
     3574#ifdef SH_USE_XML
     3575              sl_strlcat(msg, _("obj=\""), SH_MSG_BUF);
     3576#else
     3577              sl_strlcat(msg, _("obj=<"), SH_MSG_BUF);
     3578#endif
     3579
     3580              sl_strlcat(msg, result, SH_MSG_BUF);
     3581
     3582#ifdef SH_USE_XML
     3583              sl_strlcat(msg, _("\" "), SH_MSG_BUF);
     3584#else
     3585              sl_strlcat(msg, _(">"), SH_MSG_BUF);
     3586#endif
     3587            }
     3588        }
    34813589
    34823590      tmp_path = sh_util_safe_name(theFile->fullpath);
  • trunk/src/sh_kern.c

    r286 r294  
    169169
    170170char * sh_kern_db_syscall (int num, char * prefix,
    171                    void * in_name, unsigned long * addr,
     171                           void * in_name, unsigned long * addr,
    172172                           unsigned int * code1, unsigned int * code2,
    173173                           int * size, int direction)
     
    177177  unsigned long   x1 = 0, x2 = 0;
    178178  unsigned char * name = (unsigned char *) in_name;
     179  struct store2db save;
    179180
    180181  sl_snprintf(path, 128, "K_%s_%04d", prefix, num);
    181182
     183  memset(save, '\0', sizeof(struct store2db));
     184
    182185  if (direction == SH_KERN_DBPUSH)
    183186    {
    184       x1 = *code1;
    185       x2 = *code2;
    186 
    187       sh_hash_push2db (path, *addr, x1, x2,
    188                        name, (name == NULL) ? 0 : (*size));
     187      save.val0 = *addr;
     188      save.val1 = *code1;
     189      save.val2 = *code2;
     190      save.str  = name;
     191      save.size = (name == NULL) ? 0 : (*size);
     192
     193      sh_hash_push2db (path, &save);
    189194    }
    190195  else
    191196    {
    192       p = sh_hash_db2pop (path, addr,  &x1, &x2, size);
    193       *code1 = (unsigned int) x1;
    194       *code2 = (unsigned int) x2;
     197      p = sh_hash_db2pop (path, &save);
     198
     199      *addr  = (unsigned long) save.val0;
     200      *code1 = (unsigned int)  save.val1;
     201      *code2 = (unsigned int)  save.val2;
     202
     203      *size  = (int)           save.size;
    195204    }
    196205  return p;
  • trunk/src/sh_modules.c

    r259 r294  
    1717#include "sh_portcheck.h"
    1818#include "sh_logmon.h"
     19#include "sh_registry.h"
    1920
    2021sh_mtype modList[] = {
     
    155156#endif
    156157
     158#ifdef USE_REGISTRY_CHECK
     159  {
     160    N_("REGISTRY"),
     161    -1,
     162    0,
     163    sh_reg_check_init,
     164    sh_reg_check_timer,
     165    sh_reg_check_run,
     166    sh_reg_check_cleanup,
     167    sh_reg_check_reconf,
     168
     169    N_("[Registry]"),
     170    sh_reg_check_table,
     171    PTHREAD_MUTEX_INITIALIZER,
     172  },
     173#endif
     174
    157175  {
    158176    NULL,
  • trunk/src/sh_unix.c

    r293 r294  
    33533353    {
    33543354      /* lookup file in database */
    3355       status = sh_hash_get_it (filename, tmpFile);
     3355      status = sh_hash_get_it (filename, tmpFile, NULL);
    33563356      if (status != 0) {
    33573357        goto out;
  • trunk/src/sh_utils.c

    r293 r294  
    796796  SL_RETURN( 0, _("sh_util_sigtype"));
    797797}
    798 
    799798
    800799char * sh_util_siggen (char * hexkey, 
Note: See TracChangeset for help on using the changeset viewer.