- Timestamp:
- Feb 20, 2013, 7:30:02 PM (12 years ago)
- Location:
- trunk
- Files:
-
- 17 edited
trunk/Makefile.in
r415 r425 356 356 CLEANFILES = encode config_xor.h depend-gen sh_ks.h sh_ks_xor.h kern_head \ 357 357 internal.h sh_MK.h trustfile sstrip samhain mkhdr encode cutest \ 358 yule samhain_setpwd samhain_stealth samhainrc yulectl samhain_hide.ko 358 yule samhain_setpwd samhain_stealth samhainrc yulectl \ 359 samhain_hide.ko samhain_kmem.ko 359 360 360 361 clean: … … 932 933 echo " A file integrity checker" >> debian/control; \ 933 934 echo "running debuild -us -uc"; \ 934 debuild - us -uc -b; \935 debuild --preserve-envvar=PASSWORD -us -uc -b; \ 935 936 DEBFILE=`find ../ -follow -maxdepth 1 -cnewer ./debian/control 2>/dev/null | grep '@install_name@_$(VERSION)' | grep '\.deb'`; \ 936 937 if test x"$$DEBFILE" = x; then \ -
trunk/configure.ac
r424 r425 12 12 dnl start 13 13 dnl 14 AM_INIT_AUTOMAKE(samhain, 3.0.1 0)14 AM_INIT_AUTOMAKE(samhain, 3.0.11) 15 15 AC_DEFINE([SAMHAIN], 1, [Application is samhain]) 16 16 AC_CANONICAL_HOST -
trunk/docs/Changelog
r424 r425 1 3.0.11: 2 * Add better logrotate handling for the GrowingLogs policy (search 3 rotated log and verify it, don't report if this succeeds) 4 * Add ability to create debian packages with preset password (use 5 env var PASSWORD) 6 * Add option KernelCheckProc (bool) to suppress kernel /proc test 7 * Add option IgnoreModified to cover transient files that 8 not only get added/deleted but also modified 9 1 10 3.0.10: 2 11 * Revert to previous logic in samhain.c because it will block -
trunk/include/sh_ignore.h
r170 r425 4 4 int sh_ignore_add_del (const char * addpath); 5 5 int sh_ignore_add_new (const char * addpath); 6 int sh_ignore_add_mod (const char * addpath); 6 7 7 8 int sh_ignore_chk_del (const char * chkpath); 8 9 int sh_ignore_chk_new (const char * chkpath); 10 int sh_ignore_chk_mod (const char * chkpath); 9 11 10 12 int sh_ignore_clean (void); -
trunk/include/sh_kern.h
r223 r425 17 17 int sh_kern_set_idt (const char * c); 18 18 int sh_kern_set_pci (const char * c); 19 int sh_kern_set_proc (const char * c); 19 20 int sh_kern_set_sct_addr (const char * c); 20 21 int sh_kern_set_sc_addr (const char * c); -
trunk/include/sh_unix.h
r411 r425 311 311 /* int sh_unix_is_secure_dir (ShErrLevel level, char * tmp); */ 312 312 313 /* check whether there's a rotated log with the correct inode and checksum 314 */ 315 int sh_check_rotated_log (const char * path, 316 UINT64 old_size, UINT64 old_inode, const char * old_hash); 317 313 318 /* obtain file info 314 319 */ -
trunk/rules.deb-light.in
r209 r425 27 27 echo '#!/bin/sh' > ./sstrip 28 28 echo 'echo "*** SSTRIP DISABLED ***"' >> ./sstrip 29 if ! test x$(PASSWORD) = x; then \ 30 if test -f samhain_setpwd; then \ 31 ./samhain_setpwd samhain new $(PASSWORD); \ 32 rm samhain; \ 33 mv samhain.new samhain; \ 34 fi; \ 35 fi 29 36 touch build-stamp 30 37 -
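Review bot: `test x$(PASSWORD) = x` on the new line 29 leaves the make variable unquoted, so a preset password containing whitespace or shell metacharacters breaks the test rather than being handled; `if ! test x"$(PASSWORD)" = x; then \` keeps the comparison intact. The identical block is added to rules.deb.in in the next file section and needs the same change. Separately, make echoes each recipe line and the value is passed as an argv word to samhain_setpwd, so the password lands in the build log and is visible in the process list while setpwd runs; prefixing the recipe line with `@` suppresses the echo, while the argv exposure is inherent to the setpwd interface and is worth a comment next to the block so packagers know what the PASSWORD variable implies.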
trunk/rules.deb.in
r209 r425 27 27 echo '#!/bin/sh' > ./sstrip 28 28 echo 'echo "*** SSTRIP DISABLED ***"' >> ./sstrip 29 if ! test x$(PASSWORD) = x; then \ 30 if test -f samhain_setpwd; then \ 31 ./samhain_setpwd samhain new $(PASSWORD); \ 32 rm samhain; \ 33 mv samhain.new samhain; \ 34 fi; \ 35 fi 29 36 touch build-stamp 30 37 -
trunk/src/sh_fInotify.c
r405 r425 525 525 { 526 526 int reported; 527 int ret = sh_files_search_file(path, &class, &check_mask, &reported); 528 529 if ((ret == 0) && (event->len > 0) && (ftype == SH_INOTIFY_FILE)) 530 { 531 ; /* do nothing, watch was for directory monitored as file only */ 532 } 533 else 534 { 535 sh_files_filecheck (class, check_mask, filename, 536 (event->len > 0) ? event->name : NULL, 537 &reported, 0); 527 int ret; 528 529 530 if (S_FALSE == sh_ignore_chk_mod(path)) 531 { 532 ret = sh_files_search_file(path, &class, &check_mask, &reported); 533 534 if ((ret == 0) && (event->len > 0) && (ftype == SH_INOTIFY_FILE)) 535 { 536 ; /* do nothing, watch was for directory monitored as file only */ 537 } 538 else 539 { 540 sh_files_filecheck (class, check_mask, filename, 541 (event->len > 0) ? event->name : NULL, 542 &reported, 0); 543 } 538 544 } 539 545 return 0; -
trunk/src/sh_files.c
r405 r425 2450 2450 char * tmpname; 2451 2451 const char * fileName; 2452 #if !defined(O_NOATIME) 2452 2453 struct utimbuf utime_buf; 2454 #endif 2453 2455 static unsigned int state = 1; 2454 2456 char sc; … … 2604 2606 /* reset the access time 2605 2607 */ 2608 #if !defined(O_NOATIME) 2606 2609 if (class == SH_LEVEL_NOIGNORE && (theFile->check_mask & MODI_ATM) != 0) 2607 2610 { 2608 2611 utime_buf.actime = (time_t) theFile->atime; 2609 2612 utime_buf.modtime = (time_t) theFile->mtime; 2610 #if !defined(O_NOATIME) 2613 2611 2614 retry_aud_utime (FIL__, __LINE__, fullpath, &utime_buf); 2612 #endif 2613 } 2615 } 2616 #endif 2614 2617 2615 2618 #if defined(HOST_IS_DARWIN) -
trunk/src/sh_hash.c
r405 r425 3035 3035 } 3036 3036 3037 /* --------- Skip if we don't want to report changes. ------------ 3038 */ 3039 3040 if (S_TRUE == sh_ignore_chk_mod(theFile->fullpath)) 3041 { 3042 goto unlock_and_return; 3043 } 3044 3037 3045 p->modi_mask = theFile->check_mask; 3038 3046 … … 3057 3065 else 3058 3066 { 3059 if (0 != strncmp (&fileHash[KEY_LEN + 1], 3060 p->theFile.checksum, KEY_LEN)) 3067 if (0 != strncmp (&fileHash[KEY_LEN + 1], p->theFile.checksum, KEY_LEN)) 3061 3068 { 3062 modi_mask |= MODI_CHK; 3063 change_code[0] = 'C'; 3064 TPT ((0, FIL__, __LINE__, _("mod=<checksum>"))); 3069 if (S_FALSE == sh_check_rotated_log (theFile->fullpath, (UINT64) p->theFile.size, 3070 (UINT64) p->theFile.ino, p->theFile.checksum)) 3071 { 3072 modi_mask |= MODI_CHK; 3073 change_code[0] = 'C'; 3074 TPT ((0, FIL__, __LINE__, _("mod=<checksum>"))); 3075 } 3076 else 3077 { 3078 /* logfile has been rotated */ 3079 p->theFile.size = theFile->size; 3080 p->theFile.ino = theFile->ino; 3081 sl_strlcpy(p->theFile.checksum, fileHash, KEY_LEN+1); 3082 } 3065 3083 } 3066 3084 else -
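Review bot: The new `/* logfile has been rotated */` branch at lines 3078-3082 rewrites the stored size, inode and checksum without emitting anything, so a rotation that silences a checksum mismatch leaves no trace in samhain's own output and cannot be reviewed afterwards. At minimum mirror the trace on the sibling branch, e.g. `TPT ((0, FIL__, __LINE__, _("rotated logfile, baseline updated")));`, or report it at an informational level so operators can correlate it with logrotate runs. Note also that the comparison on line 3067 uses `&fileHash[KEY_LEN + 1]` while the new baseline copies `fileHash` from offset 0; this looks intended, since the stored size is reset to the current size at the same time, but a one-line comment saying so would save the next reader the same check. The enclosing function starts and ends outside this hunk.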
trunk/src/sh_ignore.c
r333 r425 53 53 static struct sh_ignore_list * sh_del_ign = NULL; 54 54 static struct sh_ignore_list * sh_new_ign = NULL; 55 static struct sh_ignore_list * sh_mod_ign = NULL; 55 56 56 57 static struct sh_ignore_list * sh_ignore_add_int(struct sh_ignore_list * list, … … 118 119 } 119 120 121 int sh_ignore_add_mod (const char * addpath) 122 { 123 if ((addpath == NULL) || (addpath[0] != '/')) 124 { 125 return -1; 126 } 127 sh_mod_ign = sh_ignore_add_int (sh_mod_ign, addpath); 128 return 0; 129 } 130 120 131 static int sh_ignore_chk_int (struct sh_ignore_list * list, 121 132 const char * chkpath) … … 159 170 } 160 171 172 int sh_ignore_chk_mod (const char * chkpath) 173 { 174 return (sh_ignore_chk_int(sh_mod_ign, chkpath)); 175 } 176 161 177 int sh_ignore_clean (void) 162 178 { … … 191 207 } 192 208 209 new = sh_mod_ign; 210 211 while (new) 212 { 213 sh_mod_ign = new->next; 214 #ifdef HAVE_REGEX_H 215 regfree (&(new->preg)); 216 #else 217 SH_FREE(new->path); 218 #endif 219 SH_FREE(new); 220 new = sh_mod_ign; 221 } 222 193 223 return 0; 194 224 } … … 205 235 CuAssertTrue(tc, NULL == sh_del_ign); 206 236 CuAssertTrue(tc, NULL == sh_new_ign); 237 CuAssertTrue(tc, NULL == sh_mod_ign); 207 238 208 239 ret = sh_ignore_add_del ("/var/log/foo/.*"); 209 240 CuAssertTrue(tc, 0 == ret); 241 210 242 CuAssertPtrNotNull(tc, sh_del_ign); 243 CuAssertTrue(tc, NULL == sh_new_ign); 244 CuAssertTrue(tc, NULL == sh_mod_ign); 211 245 212 246 ret = sh_ignore_chk_del ("/var/log/foo/test"); 213 247 CuAssertTrue(tc, S_TRUE == ret); 214 CuAssertTrue(tc, NULL == sh_new_ign);215 248 216 249 ret = sh_ignore_chk_del ("/var/log/footest"); … … 223 256 CuAssertTrue(tc, NULL == sh_del_ign); 224 257 CuAssertTrue(tc, NULL == sh_new_ign); 258 CuAssertTrue(tc, NULL == sh_mod_ign); 225 259 226 260 ret = sh_ignore_add_new ("/var/log/foo/.*"); 227 261 CuAssertTrue(tc, 0 == ret); 262 228 263 CuAssertPtrNotNull(tc, sh_new_ign); 229 264 CuAssertTrue(tc, NULL == sh_del_ign); 265 CuAssertTrue(tc, NULL == 
sh_mod_ign); 230 266 231 267 ret = sh_ignore_chk_new ("/var/log/foo/test"); … … 241 277 CuAssertTrue(tc, NULL == sh_new_ign); 242 278 CuAssertTrue(tc, NULL == sh_del_ign); 279 CuAssertTrue(tc, NULL == sh_mod_ign); 280 281 ret = sh_ignore_add_mod ("/var/log/foo/.*"); 282 CuAssertTrue(tc, 0 == ret); 283 284 CuAssertPtrNotNull(tc, sh_mod_ign); 285 CuAssertTrue(tc, NULL == sh_del_ign); 286 CuAssertTrue(tc, NULL == sh_new_ign); 287 288 ret = sh_ignore_chk_mod ("/var/log/foo/test"); 289 CuAssertTrue(tc, S_TRUE == ret); 290 291 ret = sh_ignore_chk_mod ("/var/log/footest"); 292 CuAssertTrue(tc, S_FALSE == ret); 293 294 ret = sh_ignore_chk_mod ("/my/var/log/footest"); 295 CuAssertTrue(tc, S_FALSE == ret); 296 297 sh_ignore_clean(); 298 CuAssertTrue(tc, NULL == sh_new_ign); 299 CuAssertTrue(tc, NULL == sh_del_ign); 300 CuAssertTrue(tc, NULL == sh_mod_ign); 243 301 244 302 #else -
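Review bot: `sh_ignore_clean` now carries three copies of the same teardown loop (the new one at lines 209-221 for `sh_mod_ign`), each with its own `#ifdef HAVE_REGEX_H` branch, so a future fix to how a node is released has to be applied three times. A small static helper taking the list head by address removes the duplication and keeps the conditional compilation in one place; `sh_ignore_clean` then reduces to three calls. The new `sh_ignore_add_mod` / `sh_ignore_chk_mod` pairs mirror the existing del/new functions correctly, and the CuTest additions cover the new list.
```c
/* Free every node of one ignore list and reset its head to NULL. */
static void sh_ignore_free_list (struct sh_ignore_list ** head)
{
  struct sh_ignore_list * new = *head;

  while (new)
    {
      *head = new->next;
#ifdef HAVE_REGEX_H
      regfree (&(new->preg));
#else
      SH_FREE(new->path);
#endif
      SH_FREE(new);
      new = *head;
    }
}

int sh_ignore_clean (void)
{
  sh_ignore_free_list (&sh_del_ign);
  sh_ignore_free_list (&sh_new_ign);
  sh_ignore_free_list (&sh_mod_ign);
  return 0;
}
/* … unchanged: add/chk functions and CuTest block … */
```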
trunk/src/sh_kern.c
r362 r425 90 90 N_("kernelcheckpci"), 91 91 sh_kern_set_pci 92 }, 93 { 94 N_("kernelcheckproc"), 95 sh_kern_set_proc 92 96 }, 93 97 { … … 125 129 static int ShKernIDT = S_TRUE; 126 130 static int ShKernPCI = S_TRUE; 131 static int ShKernPROC = S_TRUE; 127 132 128 133 /* The address of system_call … … 1104 1109 #if SH_KERNEL_NUMBER < KERNEL_VERSION(2,6,21) 1105 1110 struct inode_operations proc_root_inode; 1106 1111 #endif 1112 1113 if (ShKernPROC != S_TRUE) 1114 return; 1115 1116 /* 2.6.21 (((2) << 16) + ((6) << 8) + (21)) */ 1117 #if SH_KERNEL_NUMBER < KERNEL_VERSION(2,6,21) 1107 1118 memcpy (&proc_root_inode, &(kinfo->proc_root_inode), sizeof(struct inode_operations)); 1108 1119 … … 2017 2028 } 2018 2029 2030 int sh_kern_set_proc (const char * c) 2031 { 2032 int i; 2033 SL_ENTER(_("sh_kern_set_proc")); 2034 i = sh_util_flagval(c, &ShKernPROC); 2035 SL_RETURN(i, _("sh_kern_set_proc")); 2036 } 2037 2019 2038 int sh_kern_set_sc_addr (const char * c) 2020 2039 { -
trunk/src/sh_log_check.c
r415 r425 577 577 * Search rotated logfile 578 578 */ 579 #include <unistd.h> 580 #include <libgen.h> 581 #include <dirent.h> 582 583 char * sh_rotated_log_search(const char * path, struct stat * buf) 584 { 585 586 size_t size; 587 int i; 588 char * searchpath; 589 struct stat sbuf; 590 DIR * dp; 591 char * dname; 592 char * bname; 593 594 dname = sh_util_dirname(path); 595 bname = sh_util_basename(path); 596 597 size = strlen(dname) + strlen(bname) + 4; 598 searchpath = SH_ALLOC(size); 599 600 for (i = 0; i < 2; ++i) 601 { 602 snprintf(searchpath, size, "%s/%s.%1d", dname, bname, i); 603 if (0 == stat(searchpath, &sbuf) && sbuf.st_ino == buf->st_ino) 604 { 605 SH_FREE(dname); 606 SH_FREE(bname); 607 return searchpath; 608 } 609 } 610 611 SH_FREE(searchpath); 612 613 if (NULL != (dp = opendir(dname))) 614 { 615 struct dirent * de; 616 617 while (NULL != (de = readdir(dp))) 618 { 619 if (0 == strcmp(de->d_name, ".") || 0 == strcmp(de->d_name, "..")) 620 continue; 621 622 size = strlen(dname) + strlen(de->d_name) + 2; 623 searchpath = SH_ALLOC(size); 624 snprintf(searchpath, size, "%s/%s", dname, de->d_name); 625 626 if (0 == stat(searchpath, &sbuf) && sbuf.st_ino == buf->st_ino) 627 { 628 SH_FREE(dname); 629 SH_FREE(bname); 630 closedir(dp); 631 return searchpath; 632 } 633 634 SH_FREE(searchpath); 635 } 636 closedir(dp); 637 } 638 639 SH_FREE(dname); 640 SH_FREE(bname); 641 642 return NULL; 643 } 579 extern char * sh_rotated_log_search(const char * path, struct stat * buf); 580 644 581 645 582 /* Open file, position at stored offset -
trunk/src/sh_readconf.c
r411 r425 965 965 { N_("ignoremissing"), SH_SECTION_MISC, SH_SECTION_NONE, 966 966 sh_ignore_add_del }, 967 { N_("ignoremodified"), SH_SECTION_MISC, SH_SECTION_NONE, 968 sh_ignore_add_mod }, 967 969 968 970 { N_("skipchecksum"), SH_SECTION_MISC, SH_SECTION_NONE, -
trunk/src/sh_tools.c
r407 r425 2050 2050 } 2051 2051 #endif 2052 2053 /******************************************************** 2054 * Search rotated logfile 2055 */ 2056 #include <unistd.h> 2057 #include <libgen.h> 2058 #include <dirent.h> 2059 2060 char * sh_rotated_log_search(const char * path, struct stat * buf) 2061 { 2062 2063 size_t size; 2064 int i; 2065 char * searchpath; 2066 struct stat sbuf; 2067 DIR * dp; 2068 char * dname; 2069 char * bname; 2070 2071 dname = sh_util_dirname(path); 2072 bname = sh_util_basename(path); 2073 2074 size = strlen(dname) + strlen(bname) + 4; 2075 searchpath = SH_ALLOC(size); 2076 2077 for (i = 0; i < 2; ++i) 2078 { 2079 snprintf(searchpath, size, "%s/%s.%1d", dname, bname, i); 2080 if (0 == stat(searchpath, &sbuf) && sbuf.st_ino == buf->st_ino) 2081 { 2082 SH_FREE(dname); 2083 SH_FREE(bname); 2084 return searchpath; 2085 } 2086 } 2087 2088 SH_FREE(searchpath); 2089 2090 if (NULL != (dp = opendir(dname))) 2091 { 2092 struct dirent * de; 2093 2094 while (NULL != (de = readdir(dp))) 2095 { 2096 if (0 == strcmp(de->d_name, ".") || 0 == strcmp(de->d_name, "..")) 2097 continue; 2098 2099 size = strlen(dname) + strlen(de->d_name) + 2; 2100 searchpath = SH_ALLOC(size); 2101 snprintf(searchpath, size, "%s/%s", dname, de->d_name); 2102 2103 if (0 == stat(searchpath, &sbuf) && sbuf.st_ino == buf->st_ino) 2104 { 2105 SH_FREE(dname); 2106 SH_FREE(bname); 2107 closedir(dp); 2108 return searchpath; 2109 } 2110 2111 SH_FREE(searchpath); 2112 } 2113 closedir(dp); 2114 } 2115 2116 SH_FREE(dname); 2117 SH_FREE(bname); 2118 2119 return NULL; 2120 } 2121 -
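Review bot: `sh_rotated_log_search` is given external linkage here but no prototype in a header; instead sh_log_check.c (line 579) and sh_unix.c (line 3484) each carry their own `extern char * sh_rotated_log_search(const char * path, struct stat * buf);`, so a later change to the signature would compile silently against a stale declaration in one of the callers. Move the prototype into a header the callers already include and drop the two `extern` lines. The `struct stat * buf` parameter is also broader than what the function uses: only `buf->st_ino` is read (lines 2080 and 2103), and the caller in sh_unix.c fills exactly that one field of an otherwise uninitialized struct, so an `ino_t` parameter would make the contract explicit and rule out someone later reading `st_dev` from the partially filled struct. The three `#include` lines placed mid-file (2056-2058) would conventionally move to the top of sh_tools.c.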
trunk/src/sh_unix.c
r415 r425 3428 3428 #include "sh_ignore.h" 3429 3429 3430 int sh_unix_checksum_size (char * filename, struct stat * fbuf,3430 int sh_unix_checksum_size (char * filename, off_t size, int is_max_size, 3431 3431 char * fileHash, int alert_timeout, SL_TICKET fd) 3432 3432 { … … 3442 3442 { 3443 3443 /* lookup file in database */ 3444 status = sh_hash_get_it (filename, tmpFile, NULL); 3445 if (status != 0) { 3446 goto out; 3444 if (is_max_size == S_TRUE) { 3445 status = sh_hash_get_it (filename, tmpFile, NULL); 3446 if ((status != 0) || (tmpFile->size > size)) { 3447 goto out; 3448 } 3449 } else { 3450 tmpFile->size = size; 3447 3451 } 3448 3452 } 3449 3453 else 3450 3454 { 3451 tmpFile->size = fbuf->st_size;3452 } 3453 3454 /* if last < current get checksum */3455 if (tmpFile->size < fbuf->st_size)3455 tmpFile->size = size; 3456 } 3457 3458 /* if last <= current get checksum */ 3459 if (tmpFile->size <= size) 3456 3460 { 3457 3461 char hashbuf[KEYBUF_SIZE]; … … 3474 3478 SL_RETURN( -1, _("sh_unix_checksum_size")); 3475 3479 } 3480 3481 /******************************************************** 3482 * Search rotated logfile 3483 */ 3484 extern char * sh_rotated_log_search(const char * path, struct stat * buf); 3485 3486 int sh_check_rotated_log (const char * path, 3487 UINT64 old_size, UINT64 old_inode, const char * old_hash) 3488 { 3489 struct stat obuf; 3490 UINT64 length_nolim = TIGER_NOLIM; 3491 int retval = S_FALSE; 3492 3493 if (old_size != length_nolim) 3494 { 3495 char hashbuf[KEYBUF_SIZE]; 3496 char * rotated_file; 3497 3498 obuf.st_ino = old_inode; 3499 rotated_file = sh_rotated_log_search(path, &obuf); 3500 3501 if (rotated_file && (0 != strcmp(path, rotated_file))) 3502 { 3503 SL_TICKET fd = sl_open_fastread (FIL__, __LINE__, rotated_file, SL_YESPRIV); 3504 if (!SL_ISERROR(fd)) 3505 { 3506 sh_unix_checksum_size (rotated_file, old_size, S_FALSE, hashbuf, 120 /* alert_timeout */, fd); 3507 3508 sl_close(fd); 3509 3510 if (strncmp (old_hash, hashbuf, KEY_LEN) == 
0) { 3511 retval = S_TRUE; 3512 } 3513 } 3514 SH_FREE(rotated_file); 3515 } 3516 } 3517 return retval; 3518 } 3519 3476 3520 3477 3521 int sh_unix_check_selinux = S_FALSE; … … 3901 3945 { 3902 3946 char hashbuf[KEYBUF_SIZE]; 3903 UINT64 length_ nolim= TIGER_NOLIM;3947 UINT64 length_current = TIGER_NOLIM; 3904 3948 3905 3949 if (MODI_TXT_ENABLED(theFile->check_mask) && fbuf.st_size < (10 * SH_TXT_MAX)) … … 3910 3954 sl_strlcpy(fileHash, 3911 3955 sh_tiger_generic_hash (theFile->fullpath, 3912 rval_open, &length_ nolim,3956 rval_open, &length_current, 3913 3957 alert_timeout, 3914 3958 hashbuf, sizeof(hashbuf)), … … 3920 3964 if ((theFile->check_mask & MODI_SGROW) != 0) 3921 3965 { 3922 fbuf.st_size = (off_t) length_nolim;3923 3966 buf.st_size = fbuf.st_size; 3924 3967 sl_rewind(rval_open); 3925 sh_unix_checksum_size (theFile->fullpath, &fbuf,3968 sh_unix_checksum_size (theFile->fullpath, length_current, S_TRUE, 3926 3969 &fileHash[KEY_LEN + 1], 3927 3970 alert_timeout, rval_open); … … 3956 3999 { 3957 4000 char hashbuf[KEYBUF_SIZE]; 3958 UINT64 length_ nolim= TIGER_NOLIM;4001 UINT64 length_current = TIGER_NOLIM; 3959 4002 3960 4003 if (MODI_TXT_ENABLED(theFile->check_mask) && fbuf.st_size < (10 * SH_TXT_MAX)) … … 3965 4008 sl_strlcpy(fileHash, 3966 4009 sh_tiger_generic_hash (theFile->fullpath, rval_open, 3967 &length_ nolim,4010 &length_current, 3968 4011 alert_timeout, 3969 4012 hashbuf, sizeof(hashbuf)), … … 3975 4018 if ((theFile->check_mask & MODI_SGROW) != 0) 3976 4019 { 3977 fbuf.st_size = (off_t) length_nolim;3978 4020 buf.st_size = fbuf.st_size; 3979 4021 sl_rewind(rval_open); 3980 sh_unix_checksum_size (theFile->fullpath, &fbuf,4022 sh_unix_checksum_size (theFile->fullpath, length_current, S_TRUE, 3981 4023 &fileHash[KEY_LEN + 1], 3982 4024 alert_timeout, rval_open);
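Review bot: In `sh_check_rotated_log`, `hashbuf` (line 3495) is never initialized and the return value of `sh_unix_checksum_size` on line 3506 is ignored, yet `strncmp (old_hash, hashbuf, KEY_LEN)` on line 3510 is evaluated unconditionally; on the error paths of sh_unix_checksum_size (which return -1, line 3478) this compares against indeterminate stack contents, which is undefined behavior and in the worst case an accidental match that accepts the rotation. Initialize the buffer, `char hashbuf[KEYBUF_SIZE] = { 0 };`, so a failed checksum can never equal a hex digest, and treat a -1 return from the call as "not rotated" instead of falling through to the comparison. `obuf` (line 3489) is likewise uninitialized with only `st_ino` assigned on line 3498; that is safe only because the search reads nothing else, which deserves a comment at the call site. The `120 /* alert_timeout */` literal would read better as a named constant shared with the other checksum call sites, if one exists.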