Context Navigation

← Previous Change
Next Change →

Changeset 294 for trunk/src

Timestamp:

Oct 31, 2010, 10:26:42 AM (14 years ago)

Author:

katerina

Message:

Tikets #213 and #214 (Use auditd to determine who changed a file, Windows registry check).

Location:

Files:

: 2 added
: 10 edited

samhain.c (modified) (2 diffs)
sh_audit.c (added)
sh_cat.c (modified) (2 diffs)
sh_extern.c (modified) (1 diff)
sh_files.c (modified) (3 diffs)
sh_getopt.c (modified) (1 diff)
sh_hash.c (modified) (20 diffs)
sh_kern.c (modified) (2 diffs)
sh_modules.c (modified) (2 diffs)
sh_registry.c (added)
sh_unix.c (modified) (1 diff)
sh_utils.c (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/src/samhain.c

-              r265
+              r294
   sh_hash_hashdelete();
   sh_files_hle_reg (NULL);
+  /*
+   * Only flush on exit if running as deamon.
+   * Otherwise we couldn't run another instance
+   * while the deamon is running (would leave the
+   * deamon with flushed ruleset).
+   */
+  if (sh.flag.isdaemon == S_TRUE)
+    {
+      sh_audit_delete_all ();
+    }
 #endif
 #if defined(SH_WITH_SERVER)
 …
               (void) sh_ignore_clean ();
               (void) hash_full_tree ();
+              sh_audit_delete_all ();
 #if defined(SH_WITH_CLIENT)

trunk/src/sh_cat.c

-              r279
+              r294
   { MSG_LOGMON_MARK, SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [Logfile] Event %s missing for %lu seconds\"") },
   { MSG_LOGMON_BURST, SH_ERR_SEVERE, EVENT, N_("msg=\"POLICY [Logfile] Repeated %d times: %s\" host=\"%s\"") },
+#endif
+#ifdef USE_REGISTRY_CHECK
+  { MSG_REG_MISS,   SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [RegistryKeyMissing]\" path=\"%s\" %s")},
+  { MSG_REG_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [RegistryKeyNew]\" path=\"%s\" %s")},
+  { MSG_REG_CHANGE, SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [RegistryKeyChanged]\" path=\"%s\" %s")},
 #endif
 …
 #endif
+#ifdef USE_REGISTRY_CHECK
+  { MSG_REG_MISS,   SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [RegistryKeyMissing] %s>, path=<%s>, %s")},
+  { MSG_REG_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [RegistryKeyNew] %s>, path=<%s>, %s")},
+  { MSG_REG_CHANGE, SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [RegistryKeyChanged] %s>, path=<%s>, %s")},
+#endif
 #if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)

trunk/src/sh_extern.c

-              r289
+              r294
   return status;
+}
+/* Execute a system command */
+int sh_ext_system (char * command)
+{
+  sh_tas_t task;
+  int    status;
+  SL_ENTER(_("sh_ext_system"));
+  status = sh_ext_popen_init (&task, command);
+  if (status != 0)
+    {
+      sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, status, MSG_E_SUBGEN,
+                      _("Could not execute command"), _("sh_ext_system"));
+      SL_RETURN ((-1), _("sh_ext_system"));
+    }
+  /* close pipe and return exit status
+   */
+  (void) sh_ext_pclose(&task);
+  sh_ext_tas_free (&task);
+  SL_RETURN ((status), _("sh_ext_system"));
+}

trunk/src/sh_files.c

-              r286
+              r294
         if (0 == strncmp(myword, _("TXT"), 3))
           sh_files_set_mask (mask, MODI_TXT, act);
+/* get content */
+        if (0 == strncmp(myword, _("AUDIT"), 3))
+          sh_files_set_mask (mask, MODI_AUDIT, act);
+      }
+  }
 …
       SH_FREE(fileName);
       SH_FREE(new_item_ptr);
+    }
+      new_item_ptr = NULL;
+    }
+  if (new_item_ptr && MODI_AUDIT_ENABLED(new_item_ptr->check_mask))
+    {
+      sh_audit_mark(new_item_ptr->name);
+    }
   SL_RETURN(0, _("sh_files_push_file_int"));
+}
 …
       SH_FREE(dirName);
       SH_FREE(new_item_ptr);
+      new_item_ptr = NULL;
+    }
+  if (new_item_ptr && MODI_AUDIT_ENABLED(new_item_ptr->check_mask))
+    {
+      sh_audit_mark(new_item_ptr->name);
+    }

trunk/src/sh_getopt.c

-              r272
+              r294
   if (num > 0) fputc ('\n', stdout);
   fputs (_(" optionally store full text for files"), stdout); ++num;
+#endif
+#if !defined(SH_COMPILE_STATIC) && defined(__linux__) && defined(HAVE_AUPARSE_H) && defined(HAVE_AUPARSE_LIB)
+  if (num > 0) fputc ('\n', stdout);
+  fputs (_(" optionally report auditd record of changed file"), stdout); ++num;
 #endif
 #if defined(USE_XATTR)

trunk/src/sh_hash.c

-              r279
+              r294
+}
 static sh_file_t * hashsearch (char * s);
+static sh_file_t * hashsearch (const char * s);
 static sh_file_t * tab[TABSIZE];
 …
  **************************************************************/
 static int hashfunc(char *s)
+static int hashfunc(const char *s)
+{
   unsigned int n = 0;
 …
+ *
  **************************************************************/
+static sh_file_t * delete_db_entry(sh_file_t *p)
+{
+  if (p->fullpath)
+    {
+      SH_FREE(p->fullpath);
+      p->fullpath = NULL;
+    }
+  if (p->linkpath)
+    {
+      if (p->linkpath != notalink)
+        SH_FREE(p->linkpath);
+      p->linkpath = NULL;
+    }
+  if (p->attr_string)
+    {
+      SH_FREE(p->attr_string);
+      p->attr_string = NULL;
+    }
+  SH_FREE(p);
+  return NULL;
+}
 static void hash_unvisited (int j,
                             sh_file_t *prev, sh_file_t *p, ShErrLevel level)
 …
               else
                 prev->next = p->next;
+              if (p->fullpath)
+                {
+                  SH_FREE(p->fullpath);
+                  p->fullpath = NULL;
+                }
+              if (p->linkpath)
+                {
+                  if (p->linkpath != notalink)
+                    SH_FREE(p->linkpath);
+                  p->linkpath = NULL;
+                }
+              if (p->attr_string)
+                {
+                  SH_FREE(p->attr_string);
+                  p->attr_string = NULL;
+                }
+              SH_FREE(p);
+              p = NULL;
+              p = delete_db_entry(p);
               SL_RET0(_("hash_unvisited"));
 #else
 …
+}
+/*********************************************************************
+ *
+ * Search for unvisited entries in the database, custom error handler.
+ *
+ *********************************************************************/
+void sh_hash_unvisited_custom (char prefix, void(*handler)(const char * key))
+{
+  int i;
+  sh_file_t *p    = NULL;
+  sh_file_t *prev = NULL;
+  sh_file_t *next = NULL;
+  SL_ENTER(_("sh_hash_unvisited_custom"));
+  SH_MUTEX_LOCK(mutex_hash);
+  for (i = 0; i < TABSIZE; ++i)
+    {
+      if (tab[i] != NULL)
+        {
+          p = tab[i]; prev = p;
+          do
+            {
+              next = p->next;
+              if (p->fullpath &&
+                  prefix == p->fullpath[0])
+                {
+                  if ((!SH_FFLAG_VISITED_SET(p->fflags))
+                      && (!SH_FFLAG_REPORTED_SET(p->fflags)))
+                    {
+                      handler(p->fullpath);
+                      if (!SH_FFLAG_CHECKED_SET(p->fflags))
+                        {
+                          /* delete */
+                          if (tab[i] == p)
+                            {
+                              tab[i] = p->next;
+                              prev   = tab[i];
+                              next   = prev;
+                            }
+                          else
+                            {
+                              prev->next = p->next;
+                              next       = prev->next;
+                            }
+                          p = delete_db_entry(p);
+                        }
+                    }
+                  if (p)
+                    {
+                      CLEAR_SH_FFLAG_VISITED(p->fflags);
+                      CLEAR_SH_FFLAG_CHECKED(p->fflags);
+                    }
+                }
+              if (p)
+                prev = p;
+              p    = next;
+            }
+          while (p);
+        }
+    }
+  SH_MUTEX_UNLOCK(mutex_hash);
+  SL_RET0(_("hash_unvisited_custom"));
+}
 /**********************************************************************
 …
+ *
  ***********************************************************************/
 static sh_file_t * hashsearch (char * s)
+static sh_file_t * hashsearch (const char * s)
+{
   sh_file_t * p;
 …
+ *
  *********************************************************************/
 static sh_file_t *  sh_hash_have_it_int (char * newname)
+static sh_file_t *  sh_hash_have_it_int (const char * newname)
+{
   sh_file_t * p;
 …
+}
 int sh_hash_have_it (char * newname)
+int sh_hash_have_it (const char * newname)
+{
   sh_file_t * p;
 …
+}
 int sh_hash_get_it (char * newname, file_type * tmpFile)
+int sh_hash_get_it (const char * newname, file_type * tmpFile, char * fileHash)
+{
   sh_file_t * p;
 …
       tmpFile->mtime = p->theFile.mtime;
       tmpFile->ctime = p->theFile.ctime;
+      tmpFile->atime = p->theFile.atime;
+      if (NULL != fileHash)
+        sl_strlcpy(fileHash, p->theFile.checksum, KEY_LEN+1);
       tmpFile->attr_string = NULL;
       retval = 0;
 …
+{
   int i;
   SL_ENTER(_("sh_hash_set_visited"));
+  SL_ENTER(_("sh_hash_set_missing"));
   i = sh_hash_set_visited_int(newname, SH_FFLAG_CHECKED);
   SL_RETURN(i, _("sh_hash_set_visited"));
+  SL_RETURN(i, _("sh_hash_set_missing"));
+}
 …
  ******************************************************************/
+void sh_hash_push2db (char * key, unsigned long val1,
+                      unsigned long val2, unsigned long val3,
+                      unsigned char * str, int size)
+void sh_hash_push2db (const char * key, struct store2db * save)
+{
   int         i = 0;
 …
   file_type * tmpFile = SH_ALLOC(sizeof(file_type));
+  int size            = save->size;
+  unsigned char * str = save->str;
   tmpFile->attr_string = NULL;
   tmpFile->link_path   = NULL;
   sl_strlcpy(tmpFile->fullpath, key, PATH_MAX);
   tmpFile->size  = val1;
   tmpFile->mtime = val2;
   tmpFile->ctime = val3;
+  tmpFile->atime = 0;
+  tmpFile->size  = save->val0;
+  tmpFile->mtime = save->val1;
+  tmpFile->ctime = save->val2;
+  tmpFile->atime = save->val3;
   tmpFile->mode  = 0;
   tmpFile->owner = 0;
 …
+    }
   if (sh.flag.checkSum == SH_CHECK_CHECK &&
       sh.flag.update == S_TRUE)
     sh_hash_pushdata_memory (tmpFile, SH_KEY_NULL);
+  if (sh.flag.checkSum == SH_CHECK_INIT)
+    sh_hash_pushdata (tmpFile,
+                      (save->checksum[0] == '\0') ? SH_KEY_NULL : save->checksum);
   else
+    sh_hash_pushdata (tmpFile, SH_KEY_NULL);
+    sh_hash_pushdata_memory (tmpFile,
+                             (save->checksum[0] == '\0') ? SH_KEY_NULL : save->checksum);
   if (tmpFile->link_path) SH_FREE(tmpFile->link_path);
 …
 extern int sh_util_hextobinary (char * binary, char * hex, int bytes);
+char * sh_hash_db2pop (char * key, unsigned long * val1,
+                       unsigned long * val2, unsigned long * val3,
+                       int * size)
+char * sh_hash_db2pop (const char * key, struct store2db * save)
+{
   size_t      len;
 …
   int         i;
   char      * retval = NULL;
+  char        fileHash[KEY_LEN+1];
   file_type * tmpFile = SH_ALLOC(sizeof(file_type));
+  *size = 0;
+  if (0 == sh_hash_get_it (key, tmpFile))
+    {
+      *val1 = tmpFile->size;
+      *val2 = tmpFile->mtime;
+      *val3 = tmpFile->ctime;
+  save->size = 0;
+  if (0 == sh_hash_get_it (key, tmpFile, fileHash))
+    {
+      save->val0 = tmpFile->size;
+      save->val1 = tmpFile->mtime;
+      save->val2 = tmpFile->ctime;
+      save->val3 = tmpFile->atime;
+      sl_strlcpy(save->checksum, fileHash, KEY_LEN+1);
       if (tmpFile->link_path && tmpFile->link_path[0] != '-')
 …
           if (i == 0)
+            {
               *size = (len/2);
               p[*size] = '\0';
+              save->size = (len/2);
+              p[save->size] = '\0';
               retval = p;
+            }
 …
+            {
               SH_FREE(p);
               *size = 0;
+              save->size = 0;
+            }
+        }
       else
+        {
           *size = 0;
+          save->size = 0;
+        }
+    }
   else
+    {
+      *size = -1;
+      *val1 =  0;
+      *val2 =  0;
+      *val3 =  0;
+      save->size = -1;
+      save->val0 = 0;
+      save->val1 = 0;
+      save->val2 = 0;
+      save->val3 = 0;
+    }
   if (tmpFile->link_path) SH_FREE(tmpFile->link_path);
 …
                       tmp_lnk_old, tmp_lnk);
 #else
           sl_snprintf(tmp, SH_MSG_BUF, _("link_old=<%s>, link_new=<%s>"),
+          sl_snprintf(tmp, SH_MSG_BUF, _("link_old=<%s>, link_new=<%s>, "),
                       tmp_lnk_old, tmp_lnk);
 #endif
 …
+        }
+      if (MODI_AUDIT_ENABLED(theFile->check_mask))
+        {
+          char result[256];
+          if (NULL != sh_audit_fetch (theFile->fullpath, theFile->mtime, result, sizeof(result)))
+            {
+#ifdef SH_USE_XML
+              sl_strlcat(msg, _("obj=\""), SH_MSG_BUF);
+#else
+              sl_strlcat(msg, _("obj=<"), SH_MSG_BUF);
+#endif
+              sl_strlcat(msg, result, SH_MSG_BUF);
+#ifdef SH_USE_XML
+              sl_strlcat(msg, _("\" "), SH_MSG_BUF);
+#else
+              sl_strlcat(msg, _(">"), SH_MSG_BUF);
+#endif
+            }
+        }
       tmp_path = sh_util_safe_name(theFile->fullpath);

trunk/src/sh_kern.c

-              r286
+              r294
 char * sh_kern_db_syscall (int num, char * prefix,
                    void * in_name, unsigned long * addr,
+                           void * in_name, unsigned long * addr,
                            unsigned int * code1, unsigned int * code2,
                            int * size, int direction)
 …
   unsigned long   x1 = 0, x2 = 0;
   unsigned char * name = (unsigned char *) in_name;
+  struct store2db save;
   sl_snprintf(path, 128, "K_%s_%04d", prefix, num);
+  memset(save, '\0', sizeof(struct store2db));
   if (direction == SH_KERN_DBPUSH)
+    {
+      x1 = *code1;
+      x2 = *code2;
+      sh_hash_push2db (path, *addr, x1, x2,
+                       name, (name == NULL) ? 0 : (*size));
+      save.val0 = *addr;
+      save.val1 = *code1;
+      save.val2 = *code2;
+      save.str  = name;
+      save.size = (name == NULL) ? 0 : (*size);
+      sh_hash_push2db (path, &save);
+    }
   else
+    {
+      p = sh_hash_db2pop (path, addr,  &x1, &x2, size);
+      *code1 = (unsigned int) x1;
+      *code2 = (unsigned int) x2;
+      p = sh_hash_db2pop (path, &save);
+      *addr  = (unsigned long) save.val0;
+      *code1 = (unsigned int)  save.val1;
+      *code2 = (unsigned int)  save.val2;
+      *size  = (int)           save.size;
+    }
   return p;

trunk/src/sh_modules.c

-              r259
+              r294
 #include "sh_portcheck.h"
 #include "sh_logmon.h"
+#include "sh_registry.h"
 sh_mtype modList[] = {
 …
 #endif
+#ifdef USE_REGISTRY_CHECK
+  {
+    N_("REGISTRY"),
+    -1,
+,
+    sh_reg_check_init,
+    sh_reg_check_timer,
+    sh_reg_check_run,
+    sh_reg_check_cleanup,
+    sh_reg_check_reconf,
+    N_("[Registry]"),
+    sh_reg_check_table,
+    PTHREAD_MUTEX_INITIALIZER,
+  },
+#endif
+  {
     NULL,

trunk/src/sh_unix.c

r293	r294
3353	3353	{
3354	3354	/* lookup file in database */
3355		status = sh_hash_get_it (filename, tmpFile);
	3355	status = sh_hash_get_it (filename, tmpFile, NULL);
3356	3356	if (status != 0) {
3357	3357	goto out;

trunk/src/sh_utils.c

r293	r294
796	796	SL_RETURN( 0, _("sh_util_sigtype"));
797	797	}
798
799	798
800	799	char * sh_util_siggen (char * hexkey,

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: