Changeset 425

Timestamp:

Feb 20, 2013, 7:30:02 PM (12 years ago)

Author:

katerina

Message:

Fix for tickets #329, #330, #331, #332

Location:

trunk

Files:

• Makefile.in (modified) (2 diffs)
• configure.ac (modified) (1 diff)
• docs/Changelog (modified) (1 diff)
• include/sh_ignore.h (modified) (1 diff)
• include/sh_kern.h (modified) (1 diff)
• include/sh_unix.h (modified) (1 diff)
• rules.deb-light.in (modified) (1 diff)
• rules.deb.in (modified) (1 diff)
• src/sh_fInotify.c (modified) (1 diff)
• src/sh_files.c (modified) (2 diffs)
• src/sh_hash.c (modified) (2 diffs)
• src/sh_ignore.c (modified) (7 diffs)
• src/sh_kern.c (modified) (4 diffs)
• src/sh_log_check.c (modified) (1 diff)
• src/sh_readconf.c (modified) (1 diff)
• src/sh_tools.c (modified) (1 diff)
• src/sh_unix.c (modified) (9 diffs)

trunk/Makefile.in

@@ -356 +356 @@
 CLEANFILES = encode config_xor.h depend-gen sh_ks.h sh_ks_xor.h kern_head \
         internal.h sh_MK.h trustfile sstrip samhain mkhdr encode cutest \
-        yule samhain_setpwd samhain_stealth samhainrc yulectl samhain_hide.ko 
+        yule samhain_setpwd samhain_stealth samhainrc yulectl \
+        samhain_hide.ko samhain_kmem.ko 
 
 clean:
@@ -932 +933 @@
         echo " A file integrity checker"  >> debian/control; \
         echo "running debuild -us -uc"; \
-        debuild -us -uc -b; \
+        debuild --preserve-envvar=PASSWORD -us -uc -b; \
         DEBFILE=`find ../ -follow -maxdepth 1 -cnewer ./debian/control 2>/dev/null | grep '@install_name@_$(VERSION)' | grep '\.deb'`; \
         if test x"$$DEBFILE" = x; then \

trunk/configure.ac

@@ -12 +12 @@
 dnl start
 dnl
-AM_INIT_AUTOMAKE(samhain, 3.0.10)
+AM_INIT_AUTOMAKE(samhain, 3.0.11)
 AC_DEFINE([SAMHAIN], 1, [Application is samhain])
 AC_CANONICAL_HOST

trunk/docs/Changelog

@@ +1 @@
+3.0.11:
+        * Add better logrotate handling for the GrowingLogs policy (search
+          rotated log and verify it, don't report if this succeeds)
+        * Add ability to create debian packages with preset password (use
+          env var PASSWORD)
+        * Add option KernelCheckProc (bool) to suppress kernel /proc test
+        * Add option IgnoreModified to cover transient files that
+          not only get added/deleted but also modified
+
 3.0.10:
         * Revert to previous logic in samhain.c because it will block

trunk/include/sh_ignore.h

@@ -4 +4 @@
 int sh_ignore_add_del (const char * addpath);
 int sh_ignore_add_new (const char * addpath);
+int sh_ignore_add_mod (const char * addpath);
 
 int sh_ignore_chk_del (const char * chkpath);
 int sh_ignore_chk_new (const char * chkpath);
+int sh_ignore_chk_mod (const char * chkpath);
 
 int sh_ignore_clean (void);

trunk/include/sh_kern.h

@@ -17 +17 @@
 int sh_kern_set_idt      (const char * c);
 int sh_kern_set_pci      (const char * c);
+int sh_kern_set_proc     (const char * c);
 int sh_kern_set_sct_addr (const char * c);
 int sh_kern_set_sc_addr  (const char * c);

trunk/include/sh_unix.h

@@ -311 +311 @@
 /* int sh_unix_is_secure_dir (ShErrLevel level, char * tmp); */
 
+/* check whether there's a rotated log with the correct inode and checksum 
+ */
+int sh_check_rotated_log (const char * path,  
+                          UINT64 old_size, UINT64 old_inode, const char * old_hash);
+
 /* obtain file info
  */

trunk/rules.deb-light.in

@@ -27 +27 @@
         echo '#!/bin/sh' > ./sstrip
         echo 'echo "*** SSTRIP DISABLED ***"' >> ./sstrip
+        if ! test x$(PASSWORD) = x; then \
+                if test -f samhain_setpwd; then \
+                        ./samhain_setpwd samhain new $(PASSWORD); \
+                        rm samhain; \
+                        mv samhain.new samhain; \
+                fi; \
+        fi
         touch build-stamp
 

trunk/rules.deb.in

@@ -27 +27 @@
         echo '#!/bin/sh' > ./sstrip
         echo 'echo "*** SSTRIP DISABLED ***"' >> ./sstrip
+        if ! test x$(PASSWORD) = x; then \
+                if test -f samhain_setpwd; then \
+                        ./samhain_setpwd samhain new $(PASSWORD); \
+                        rm samhain; \
+                        mv samhain.new samhain; \
+                fi; \
+        fi
         touch build-stamp
 

trunk/src/sh_fInotify.c

@@ -525 +525 @@
 {
   int    reported;
-  int ret = sh_files_search_file(path, &class, &check_mask, &reported);
-
-  if ((ret == 0) && (event->len > 0) && (ftype == SH_INOTIFY_FILE))
-    {
-      ; /* do nothing, watch was for directory monitored as file only */
-    }
-  else
-    {
-      sh_files_filecheck (class, check_mask, filename,
-                          (event->len > 0) ? event->name : NULL,
-                          &reported, 0);
+  int ret;
+
+
+  if (S_FALSE == sh_ignore_chk_mod(path))
+    {
+      ret  = sh_files_search_file(path, &class, &check_mask, &reported);
+
+      if ((ret == 0) && (event->len > 0) && (ftype == SH_INOTIFY_FILE))
+        {
+          ; /* do nothing, watch was for directory monitored as file only */
+        }
+      else
+        {
+          sh_files_filecheck (class, check_mask, filename,
+                              (event->len > 0) ? event->name : NULL,
+                              &reported, 0);
+        }
     }
   return 0;

trunk/src/sh_files.c

@@ -2450 +2450 @@
   char          * tmpname;
   const char    * fileName;
+#if !defined(O_NOATIME)
   struct utimbuf  utime_buf;
+#endif
   static unsigned int state = 1;
   char            sc;
@@ -2604 +2606 @@
   /* reset the access time 
    */
+#if !defined(O_NOATIME)
   if (class == SH_LEVEL_NOIGNORE && (theFile->check_mask & MODI_ATM) != 0)
     {
       utime_buf.actime   = (time_t) theFile->atime;
       utime_buf.modtime  = (time_t) theFile->mtime;
-#if !defined(O_NOATIME)
+
       retry_aud_utime (FIL__, __LINE__, fullpath, &utime_buf);
-#endif
-    }
+    }
+#endif
   
 #if defined(HOST_IS_DARWIN)

trunk/src/sh_hash.c

@@ -3035 +3035 @@
     }
 
+  /* ---------  Skip if we don't want to report changes. ------------
+   */
+  
+  if (S_TRUE == sh_ignore_chk_mod(theFile->fullpath))
+    {
+      goto unlock_and_return;
+    }
+
   p->modi_mask = theFile->check_mask;
 
@@ -3057 +3065 @@
       else
         {
-          if (0 != strncmp (&fileHash[KEY_LEN + 1], 
-                            p->theFile.checksum, KEY_LEN))
+          if (0 != strncmp (&fileHash[KEY_LEN + 1], p->theFile.checksum, KEY_LEN))
             {
-              modi_mask |= MODI_CHK;
-              change_code[0] = 'C';
-              TPT ((0, FIL__, __LINE__, _("mod=<checksum>")));
+              if (S_FALSE == sh_check_rotated_log (theFile->fullpath, (UINT64) p->theFile.size, 
+                                                   (UINT64) p->theFile.ino, p->theFile.checksum))
+                {
+                  modi_mask |= MODI_CHK;
+                  change_code[0] = 'C';
+                  TPT ((0, FIL__, __LINE__, _("mod=<checksum>")));
+                }
+              else
+                {
+                  /* logfile has been rotated */
+                  p->theFile.size  = theFile->size;
+                  p->theFile.ino   = theFile->ino;
+                  sl_strlcpy(p->theFile.checksum, fileHash, KEY_LEN+1);
+                }
             }
           else

trunk/src/sh_ignore.c

@@ -53 +53 @@
 static struct sh_ignore_list * sh_del_ign = NULL;
 static struct sh_ignore_list * sh_new_ign = NULL;
+static struct sh_ignore_list * sh_mod_ign = NULL;
 
 static struct sh_ignore_list * sh_ignore_add_int(struct sh_ignore_list * list, 
@@ -118 +119 @@
 }
 
+int sh_ignore_add_mod (const char * addpath)
+{
+  if ((addpath == NULL) || (addpath[0] != '/'))
+    {
+      return -1;
+    }
+  sh_mod_ign = sh_ignore_add_int (sh_mod_ign, addpath);
+  return 0;
+}
+
 static int sh_ignore_chk_int (struct sh_ignore_list * list, 
                               const char * chkpath)
@@ -159 +170 @@
 }
 
+int sh_ignore_chk_mod (const char * chkpath)
+{
+  return (sh_ignore_chk_int(sh_mod_ign, chkpath));
+}
+
 int sh_ignore_clean (void)
 {
@@ -191 +207 @@
     }
 
+  new = sh_mod_ign;
+
+  while (new)
+    {
+      sh_mod_ign = new->next;
+#ifdef HAVE_REGEX_H
+      regfree (&(new->preg));
+#else
+      SH_FREE(new->path);
+#endif
+      SH_FREE(new);
+      new        = sh_mod_ign;
+    }
+
   return 0;
 }
@@ -205 +235 @@
   CuAssertTrue(tc, NULL == sh_del_ign);
   CuAssertTrue(tc, NULL == sh_new_ign);
+  CuAssertTrue(tc, NULL == sh_mod_ign);
  
   ret = sh_ignore_add_del ("/var/log/foo/.*");
   CuAssertTrue(tc, 0 == ret);
+
   CuAssertPtrNotNull(tc, sh_del_ign);
+  CuAssertTrue(tc, NULL == sh_new_ign);
+  CuAssertTrue(tc, NULL == sh_mod_ign);
 
   ret = sh_ignore_chk_del ("/var/log/foo/test");
   CuAssertTrue(tc, S_TRUE == ret);
-  CuAssertTrue(tc, NULL == sh_new_ign);
   
   ret = sh_ignore_chk_del ("/var/log/footest");
@@ -223 +256 @@
   CuAssertTrue(tc, NULL == sh_del_ign);
   CuAssertTrue(tc, NULL == sh_new_ign);
+  CuAssertTrue(tc, NULL == sh_mod_ign);
  
   ret = sh_ignore_add_new ("/var/log/foo/.*");
   CuAssertTrue(tc, 0 == ret);
+
   CuAssertPtrNotNull(tc, sh_new_ign);
   CuAssertTrue(tc, NULL == sh_del_ign);
+  CuAssertTrue(tc, NULL == sh_mod_ign);
 
   ret = sh_ignore_chk_new ("/var/log/foo/test");
@@ -241 +277 @@
   CuAssertTrue(tc, NULL == sh_new_ign);
   CuAssertTrue(tc, NULL == sh_del_ign);
+  CuAssertTrue(tc, NULL == sh_mod_ign);
+
+  ret = sh_ignore_add_mod ("/var/log/foo/.*");
+  CuAssertTrue(tc, 0 == ret);
+
+  CuAssertPtrNotNull(tc, sh_mod_ign);
+  CuAssertTrue(tc, NULL == sh_del_ign);
+  CuAssertTrue(tc, NULL == sh_new_ign);
+
+  ret = sh_ignore_chk_mod ("/var/log/foo/test");
+  CuAssertTrue(tc, S_TRUE == ret);
+  
+  ret = sh_ignore_chk_mod ("/var/log/footest");
+  CuAssertTrue(tc, S_FALSE == ret);
+
+  ret = sh_ignore_chk_mod ("/my/var/log/footest");
+  CuAssertTrue(tc, S_FALSE == ret);
+
+  sh_ignore_clean();
+  CuAssertTrue(tc, NULL == sh_new_ign);
+  CuAssertTrue(tc, NULL == sh_del_ign);
+  CuAssertTrue(tc, NULL == sh_mod_ign);
 
 #else

trunk/src/sh_kern.c

@@ -90 +90 @@
     N_("kernelcheckpci"),
     sh_kern_set_pci
+  },
+  {
+    N_("kernelcheckproc"),
+    sh_kern_set_proc
   },
   {
@@ -125 +129 @@
 static int     ShKernIDT      = S_TRUE;
 static int     ShKernPCI      = S_TRUE;
+static int     ShKernPROC     = S_TRUE;
 
 /* The address of system_call
@@ -1104 +1109 @@
 #if SH_KERNEL_NUMBER < KERNEL_VERSION(2,6,21)
   struct inode_operations proc_root_inode;
-
+#endif
+
+  if (ShKernPROC != S_TRUE)
+    return;
+
+/* 2.6.21 (((2) << 16) + ((6) << 8) + (21)) */
+#if SH_KERNEL_NUMBER < KERNEL_VERSION(2,6,21)
   memcpy (&proc_root_inode, &(kinfo->proc_root_inode), sizeof(struct inode_operations));
 
@@ -2017 +2028 @@
 }
 
+int sh_kern_set_proc (const char * c)
+{
+  int i;
+  SL_ENTER(_("sh_kern_set_proc"));
+  i = sh_util_flagval(c, &ShKernPROC);
+  SL_RETURN(i, _("sh_kern_set_proc"));
+}
+
 int sh_kern_set_sc_addr (const char * c)
 {

trunk/src/sh_log_check.c

@@ -577 +577 @@
  * Search rotated logfile
  */
-#include <unistd.h>
-#include <libgen.h>
-#include <dirent.h>
-
-char * sh_rotated_log_search(const char * path, struct stat * buf)
-{
-
-  size_t size;
-  int    i;
-  char * searchpath;
-  struct stat sbuf;
-  DIR  * dp;
-  char * dname;
-  char * bname;
-
-  dname  = sh_util_dirname(path);
-  bname  = sh_util_basename(path);
-
-  size = strlen(dname) + strlen(bname) + 4;
-  searchpath = SH_ALLOC(size);
-
-  for (i = 0; i < 2; ++i)
-    {
-      snprintf(searchpath, size, "%s/%s.%1d", dname, bname, i);
-      if (0 == stat(searchpath, &sbuf) && sbuf.st_ino == buf->st_ino)
-        {
-          SH_FREE(dname);
-          SH_FREE(bname);
-          return searchpath;
-        }
-    }
-
-  SH_FREE(searchpath);
-
-  if (NULL != (dp = opendir(dname)))
-    {
-      struct dirent * de;
-
-      while (NULL != (de = readdir(dp)))
-        {
-          if (0 == strcmp(de->d_name, ".") || 0 == strcmp(de->d_name, ".."))
-            continue;
-
-          size = strlen(dname) + strlen(de->d_name) + 2;
-          searchpath = SH_ALLOC(size);
-          snprintf(searchpath, size, "%s/%s", dname, de->d_name);
-
-          if (0 == stat(searchpath, &sbuf) && sbuf.st_ino == buf->st_ino)
-            {
-              SH_FREE(dname);
-              SH_FREE(bname);
-              closedir(dp);
-              return searchpath;
-            }
-          
-          SH_FREE(searchpath);
-        }
-      closedir(dp);
-    }
-
-  SH_FREE(dname);
-  SH_FREE(bname);
-
-  return NULL;
-}
+extern char * sh_rotated_log_search(const char * path, struct stat * buf);
+
 
 /* Open file, position at stored offset

trunk/src/sh_readconf.c

@@ -965 +965 @@
   { N_("ignoremissing"), SH_SECTION_MISC,   SH_SECTION_NONE, 
     sh_ignore_add_del },
+  { N_("ignoremodified"), SH_SECTION_MISC,   SH_SECTION_NONE, 
+    sh_ignore_add_mod },
 
   { N_("skipchecksum"),  SH_SECTION_MISC,   SH_SECTION_NONE, 

trunk/src/sh_tools.c

@@ -2050 +2050 @@
 }
 #endif
+
+/********************************************************
+ * Search rotated logfile
+ */
+#include <unistd.h>
+#include <libgen.h>
+#include <dirent.h>
+
+char * sh_rotated_log_search(const char * path, struct stat * buf)
+{
+
+  size_t size;
+  int    i;
+  char * searchpath;
+  struct stat sbuf;
+  DIR  * dp;
+  char * dname;
+  char * bname;
+
+  dname  = sh_util_dirname(path);
+  bname  = sh_util_basename(path);
+
+  size = strlen(dname) + strlen(bname) + 4;
+  searchpath = SH_ALLOC(size);
+
+  for (i = 0; i < 2; ++i)
+    {
+      snprintf(searchpath, size, "%s/%s.%1d", dname, bname, i);
+      if (0 == stat(searchpath, &sbuf) && sbuf.st_ino == buf->st_ino)
+        {
+          SH_FREE(dname);
+          SH_FREE(bname);
+          return searchpath;
+        }
+    }
+
+  SH_FREE(searchpath);
+
+  if (NULL != (dp = opendir(dname)))
+    {
+      struct dirent * de;
+
+      while (NULL != (de = readdir(dp)))
+        {
+          if (0 == strcmp(de->d_name, ".") || 0 == strcmp(de->d_name, ".."))
+            continue;
+
+          size = strlen(dname) + strlen(de->d_name) + 2;
+          searchpath = SH_ALLOC(size);
+          snprintf(searchpath, size, "%s/%s", dname, de->d_name);
+
+          if (0 == stat(searchpath, &sbuf) && sbuf.st_ino == buf->st_ino)
+            {
+              SH_FREE(dname);
+              SH_FREE(bname);
+              closedir(dp);
+              return searchpath;
+            }
+          
+          SH_FREE(searchpath);
+        }
+      closedir(dp);
+    }
+
+  SH_FREE(dname);
+  SH_FREE(bname);
+
+  return NULL;
+}
+

trunk/src/sh_unix.c

@@ -3428 +3428 @@
 #include "sh_ignore.h"
 
-int sh_unix_checksum_size (char * filename, struct stat * fbuf, 
+int sh_unix_checksum_size (char * filename, off_t size, int is_max_size, 
                            char * fileHash, int alert_timeout, SL_TICKET fd)
 {
@@ -3442 +3442 @@
     {
       /* lookup file in database */
-      status = sh_hash_get_it (filename, tmpFile, NULL);
-      if (status != 0) {
-        goto out;
+      if (is_max_size == S_TRUE) {
+        status = sh_hash_get_it (filename, tmpFile, NULL);
+        if ((status != 0) || (tmpFile->size > size)) {
+          goto out;
+        }
+      } else {
+        tmpFile->size = size;
       }
     }
   else
     {
-      tmpFile->size = fbuf->st_size;
-    }
-
-  /* if last < current get checksum */
-  if (tmpFile->size < fbuf->st_size)
+      tmpFile->size = size;
+    }
+
+  /* if last <= current get checksum */
+  if (tmpFile->size <= size)
     {
       char hashbuf[KEYBUF_SIZE];
@@ -3474 +3478 @@
   SL_RETURN( -1, _("sh_unix_checksum_size"));
 }
+
+/********************************************************
+ * Search rotated logfile
+ */
+extern char * sh_rotated_log_search(const char * path, struct stat * buf);
+
+int sh_check_rotated_log (const char * path,  
+                          UINT64 old_size, UINT64 old_inode, const char * old_hash)
+{
+  struct stat obuf;
+  UINT64 length_nolim = TIGER_NOLIM;
+  int retval = S_FALSE;
+
+  if (old_size != length_nolim)
+    {
+      char hashbuf[KEYBUF_SIZE];
+      char * rotated_file;
+
+      obuf.st_ino = old_inode;
+      rotated_file = sh_rotated_log_search(path, &obuf);
+
+      if (rotated_file && (0 != strcmp(path, rotated_file)))
+        {
+          SL_TICKET fd = sl_open_fastread (FIL__, __LINE__, rotated_file, SL_YESPRIV);
+          if (!SL_ISERROR(fd))
+            {
+              sh_unix_checksum_size (rotated_file, old_size, S_FALSE, hashbuf, 120 /* alert_timeout */, fd);
+              
+              sl_close(fd);
+              
+              if (strncmp (old_hash, hashbuf, KEY_LEN) == 0) {
+                retval = S_TRUE;
+              }
+            }
+          SH_FREE(rotated_file);
+        }
+    }
+  return retval;
+}
+
 
 int sh_unix_check_selinux = S_FALSE;
@@ -3901 +3945 @@
             {
               char hashbuf[KEYBUF_SIZE];
-              UINT64 length_nolim = TIGER_NOLIM;
+              UINT64 length_current = TIGER_NOLIM;
 
               if (MODI_TXT_ENABLED(theFile->check_mask) && fbuf.st_size < (10 * SH_TXT_MAX))
@@ -3910 +3954 @@
               sl_strlcpy(fileHash,
                          sh_tiger_generic_hash (theFile->fullpath, 
-                                                rval_open, &length_nolim, 
+                                                rval_open, &length_current, 
                                                 alert_timeout, 
                                                 hashbuf, sizeof(hashbuf)),
@@ -3920 +3964 @@
               if ((theFile->check_mask & MODI_SGROW) != 0)
                 {
-                  fbuf.st_size = (off_t) length_nolim;
                   buf.st_size  = fbuf.st_size;
                   sl_rewind(rval_open);
-                  sh_unix_checksum_size (theFile->fullpath, &fbuf, 
+                  sh_unix_checksum_size (theFile->fullpath, length_current, S_TRUE,
                                          &fileHash[KEY_LEN + 1], 
                                          alert_timeout, rval_open);
@@ -3956 +3999 @@
             {
               char hashbuf[KEYBUF_SIZE];
-              UINT64 length_nolim = TIGER_NOLIM;
+              UINT64 length_current = TIGER_NOLIM;
 
               if (MODI_TXT_ENABLED(theFile->check_mask) && fbuf.st_size < (10 * SH_TXT_MAX))
@@ -3965 +4008 @@
               sl_strlcpy(fileHash, 
                          sh_tiger_generic_hash (theFile->fullpath, rval_open, 
-                                                &length_nolim,
+                                                &length_current,
                                                 alert_timeout,
                                                 hashbuf, sizeof(hashbuf)),
@@ -3975 +4018 @@
               if ((theFile->check_mask & MODI_SGROW) != 0) 
                 {
-                  fbuf.st_size = (off_t) length_nolim;
                   buf.st_size  = fbuf.st_size;
                   sl_rewind(rval_open);
-                  sh_unix_checksum_size (theFile->fullpath, &fbuf, 
+                  sh_unix_checksum_size (theFile->fullpath, length_current, S_TRUE,
                                          &fileHash[KEY_LEN + 1], 
                                          alert_timeout, rval_open);