- Timestamp:
- Aug 5, 2014, 12:26:42 PM (10 years ago)
- Location:
- trunk
- Files:
-
- 9 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/docs/Changelog
r457 r458 12 12 * Fixed incorrect logic in setting the ALLIGNORE flag (more specific 13 13 directory / file directives were ignored) 14 * Fix for tickets #358 (repetitive lstat warning about deleted 15 directory) and #359 (reporting of deleted/added top level directory) 14 16 15 17 3.1.1 (01-0-2014): -
trunk/include/samhain.h
r444 r458 188 188 #define SH_FFLAG_REPORTED (1<<3) 189 189 #define SH_FFLAG_SUIDCHK (1<<4) 190 #define SH_FFLAG_ENOENT (1<<5) 190 191 191 192 #define SH_FFLAG_ALLIGNORE_SET(a) (((a) & SH_FFLAG_ALLIGNORE) != 0) … … 208 209 #define SET_SH_FFLAG_SUIDCHK(a) ((a) |= SH_FFLAG_SUIDCHK) 209 210 #define CLEAR_SH_FFLAG_SUIDCHK(a) ((a) &= ~SH_FFLAG_SUIDCHK) 211 212 #define SH_FFLAG_ENOENT_SET(a) (((a) & SH_FFLAG_ENOENT) != 0) 213 #define SET_SH_FFLAG_ENOENT(a) ((a) |= SH_FFLAG_ENOENT) 214 #define CLEAR_SH_FFLAG_ENOENT(a) ((a) &= ~SH_FFLAG_ENOENT) 210 215 211 216 /* Flags for inotify -
trunk/include/sh_hash.h
r356 r458 111 111 /* Set a file flag in in-memory database 112 112 */ 113 void sh_hash_addflag (char * filename, int flag); 113 void sh_hash_set_flag (char * filename, int flag); 114 115 /* Unset a file flag in in-memory database 116 */ 117 void sh_hash_clear_flag (char * filename, int flag_to_set); 114 118 115 119 /* Compare a file with its status in the database. -
trunk/include/zAVLTree.h
r457 r458 78 78 extern int zAVL_string_set (zAVLTree ** tree, const char * key); 79 79 extern void zAVL_string_reset (zAVLTree * tree); 80 extern void zAVL_string_del (zAVLTree * tree, const char * key); 80 81 81 82 #endif -
trunk/src/sh_files.c
r457 r458 336 336 } 337 337 338 static int handle_filecheck_ret(dirstack_t * ptr, char * tmp_in, int status) 339 { 340 int fcount = 0; 341 char * tmp; 342 343 if (!tmp_in) 344 tmp = sh_util_safe_name (ptr->name); 345 else 346 tmp = tmp_in; 347 348 if (status == SH_FILE_UNKNOWN && (!SH_FFLAG_REPORTED_SET(ptr->is_reported))) 349 { 350 TPT(( 0, FIL__, __LINE__, _("msg=<file: %s> status=<%d>\n"), 351 tmp, status)); 352 353 if ( sh.flag.checkSum == SH_CHECK_INIT || 354 sh_hash_have_it (ptr->name) >= 0) 355 { 356 if (S_FALSE == sh_ignore_chk_del(ptr->name)) 357 { 358 if (0 != hashreport_missing(ptr->name, 359 (ptr->class == SH_LEVEL_ALLIGNORE) ? 360 ShDFLevel[ptr->class] : 361 ShDFLevel[SH_ERR_T_FILE])) { 362 if (tmp == NULL) 363 tmp = sh_util_safe_name (ptr->name); 364 sh_error_handle ((ptr->class == SH_LEVEL_ALLIGNORE) ? 365 ShDFLevel[ptr->class] : 366 ShDFLevel[SH_ERR_T_FILE], 367 FIL__, __LINE__, 0, MSG_FI_MISS, 368 tmp); 369 ++sh.statistics.files_report; 370 } 371 } 372 } 373 else /* not there at init, and still missing */ 374 { 375 if (tmp == NULL) 376 tmp = sh_util_safe_name (ptr->name); 377 sh_error_handle (SH_ERR_NOTICE, 378 FIL__, __LINE__, 0, 379 MSG_FI_FAIL, 380 tmp); 381 } 382 #ifndef REPLACE_OLD 383 /* this will tell that we have seen the file, and thus prevent 384 * deletion from the database, resulting in an incomplete 385 * message when the file reappears 386 */ 387 if (sh.flag.checkSum != SH_CHECK_INIT) 388 sh_hash_set_visited_true(ptr->name); 389 #else 390 if (sh.flag.checkSum != SH_CHECK_INIT) 391 sh_hash_set_missing(ptr->name); 392 #endif 393 if (sh.flag.reportonce == S_TRUE) 394 SET_SH_FFLAG_REPORTED(ptr->is_reported); 395 } 396 else 397 { 398 /* exists (status >= 0), but was missing (reported == TRUE) 399 */ 400 if (status != SH_FILE_UNKNOWN && SH_FFLAG_REPORTED_SET(ptr->is_reported)) 401 { 402 CLEAR_SH_FFLAG_REPORTED(ptr->is_reported); 403 sh_hash_clear_flag(ptr->name, SH_FFLAG_ENOENT); 404 } 405 406 /* Catchall 407 */ 408 else if (status == SH_FILE_UNKNOWN) 409 { 410 /* Thu Mar 7 15:09:40 CET 2002 Make sure missing file 411 * is reported if ptr->reported == S_TRUE because the 412 * file has been added. 413 */ 414 if (sh_hash_have_it (ptr->name) >= 0 && 415 !SH_FFLAG_REPORTED_SET(ptr->is_reported)) 416 { 417 if (S_FALSE == sh_ignore_chk_del(ptr->name)) 418 { 419 if (0 != hashreport_missing(ptr->name, 420 (ptr->class == SH_LEVEL_ALLIGNORE) ? 421 ShDFLevel[ptr->class] : 422 ShDFLevel[SH_ERR_T_FILE])) { 423 if (tmp == NULL) 424 tmp = sh_util_safe_name (ptr->name); 425 sh_error_handle ((ptr->class == SH_LEVEL_ALLIGNORE)? 426 ShDFLevel[ptr->class] : 427 ShDFLevel[SH_ERR_T_FILE], 428 FIL__, __LINE__, 0, MSG_FI_MISS, 429 tmp); 430 ++sh.statistics.files_report; 431 } 432 } 433 #ifndef REPLACE_OLD 434 if (sh.flag.checkSum != SH_CHECK_INIT) 435 sh_hash_set_visited_true(ptr->name); 436 #else 437 /* delete from database 438 */ 439 if (sh.flag.checkSum != SH_CHECK_INIT) 440 sh_hash_set_missing(ptr->name); 441 #endif 442 } 443 else 444 { 445 if (tmp == NULL) 446 tmp = sh_util_safe_name (ptr->name); 447 sh_error_handle (SH_ERR_INFO, FIL__, __LINE__, 0, 448 MSG_FI_FAIL, 449 tmp); 450 if (sh.flag.checkSum != SH_CHECK_INIT) 451 sh_hash_set_visited_true(ptr->name); 452 } 453 } 454 455 ++fcount; 456 } 457 if (!tmp_in) 458 SH_FREE(tmp); 459 460 return fcount; 461 } 462 463 338 464 unsigned long sh_files_chk () 339 465 { … … 396 522 tmp, status, ptr->is_reported)); 397 523 398 if (status == SH_FILE_UNKNOWN && (!SH_FFLAG_REPORTED_SET(ptr->is_reported))) 399 { 400 TPT(( 0, FIL__, __LINE__, _("msg=<file: %s> status=<%d>\n"), 401 tmp, status)); 402 403 if ( sh.flag.checkSum == SH_CHECK_INIT || 404 sh_hash_have_it (ptr->name) >= 0) 405 { 406 if (S_FALSE == sh_ignore_chk_del(ptr->name)) 407 { 408 if (0 != hashreport_missing(ptr->name, 409 (ptr->class == SH_LEVEL_ALLIGNORE) ? 410 ShDFLevel[ptr->class] : 411 ShDFLevel[SH_ERR_T_FILE])) { 412 if (tmp == NULL) 413 tmp = sh_util_safe_name (ptr->name); 414 sh_error_handle ((ptr->class == SH_LEVEL_ALLIGNORE) ? 415 ShDFLevel[ptr->class] : 416 ShDFLevel[SH_ERR_T_FILE], 417 FIL__, __LINE__, 0, MSG_FI_MISS, 418 tmp); 419 ++sh.statistics.files_report; 420 } 421 } 422 } 423 else /* not there at init, and still missing */ 424 { 425 if (tmp == NULL) 426 tmp = sh_util_safe_name (ptr->name); 427 sh_error_handle (SH_ERR_NOTICE, 428 FIL__, __LINE__, 0, 429 MSG_FI_FAIL, 430 tmp); 431 } 432 #ifndef REPLACE_OLD 433 /* this will tell that we have seen the file, and thus prevent 434 * deletion from the database, resulting in an incomplete 435 * message when the file reappears 436 */ 437 if (sh.flag.checkSum != SH_CHECK_INIT) 438 sh_hash_set_visited_true(ptr->name); 439 #else 440 if (sh.flag.checkSum != SH_CHECK_INIT) 441 sh_hash_set_missing(ptr->name); 442 #endif 443 if (sh.flag.reportonce == S_TRUE) 444 SET_SH_FFLAG_REPORTED(ptr->is_reported); 445 } 446 else 447 { 448 /* exists (status >= 0), but was missing (reported == TRUE) 449 */ 450 if (status != SH_FILE_UNKNOWN && SH_FFLAG_REPORTED_SET(ptr->is_reported)) 451 { 452 CLEAR_SH_FFLAG_REPORTED(ptr->is_reported); 453 } 454 455 /* Catchall 456 */ 457 else if (status == SH_FILE_UNKNOWN) 458 { 459 /* Thu Mar 7 15:09:40 CET 2002 Make sure missing file 460 * is reported if ptr->reported == S_TRUE because the 461 * file has been added. 462 */ 463 if (sh_hash_have_it (ptr->name) >= 0 && 464 !SH_FFLAG_REPORTED_SET(ptr->is_reported)) 465 { 466 if (S_FALSE == sh_ignore_chk_del(ptr->name)) 467 { 468 if (0 != hashreport_missing(ptr->name, 469 (ptr->class == SH_LEVEL_ALLIGNORE) ? 470 ShDFLevel[ptr->class] : 471 ShDFLevel[SH_ERR_T_FILE])) { 472 if (tmp == NULL) 473 tmp = sh_util_safe_name (ptr->name); 474 sh_error_handle ((ptr->class == SH_LEVEL_ALLIGNORE)? 475 ShDFLevel[ptr->class] : 476 ShDFLevel[SH_ERR_T_FILE], 477 FIL__, __LINE__, 0, MSG_FI_MISS, 478 tmp); 479 ++sh.statistics.files_report; 480 } 481 } 482 #ifndef REPLACE_OLD 483 if (sh.flag.checkSum != SH_CHECK_INIT) 484 sh_hash_set_visited_true(ptr->name); 485 #else 486 /* delete from database 487 */ 488 if (sh.flag.checkSum != SH_CHECK_INIT) 489 sh_hash_set_missing(ptr->name); 490 #endif 491 } 492 else 493 { 494 if (tmp == NULL) 495 tmp = sh_util_safe_name (ptr->name); 496 sh_error_handle (SH_ERR_INFO, FIL__, __LINE__, 0, 497 MSG_FI_FAIL, 498 tmp); 499 if (sh.flag.checkSum != SH_CHECK_INIT) 500 sh_hash_set_visited_true(ptr->name); 501 } 502 } 503 ++fcount; 504 } 524 fcount += handle_filecheck_ret(ptr, tmp, status); 505 525 506 526 if (tmp != NULL) … … 1475 1495 dirstack_t * dst_ptr; 1476 1496 int status; 1497 int tmp_reported; 1498 volatile int filetype = SH_FILE_UNKNOWN; 1477 1499 volatile unsigned long dcount = 0; 1478 1500 char * tmp; … … 1508 1530 { 1509 1531 BREAKEXIT(sh_files_filecheck); 1510 sh_files_filecheck (dst_ptr->class, dst_ptr->check_mask, 1511 ptr->name, 1512 NULL, &status, 0); 1532 tmp_reported = dst_ptr->is_reported; 1533 filetype = sh_files_filecheck (dst_ptr->class, dst_ptr->check_mask, 1534 ptr->name, 1535 NULL, &tmp_reported, 0); 1536 dst_ptr->is_reported = tmp_reported; 1537 (void) handle_filecheck_ret(dst_ptr, NULL, filetype); 1538 1513 1539 dst_ptr->checked = S_TRUE; 1514 1540 status = S_TRUE; … … 1522 1548 1523 1549 if (status == S_FALSE) 1524 sh_files_filecheck (ptr->class, ptr->check_mask, 1525 ptr->name, NULL, &status, 0); 1550 { 1551 tmp_reported = ptr->is_reported; 1552 filetype = sh_files_filecheck (ptr->class, ptr->check_mask, 1553 ptr->name, NULL, &tmp_reported, 0); 1554 ptr->is_reported = tmp_reported; 1555 (void) handle_filecheck_ret(ptr, NULL, filetype); 1556 } 1526 1557 1527 1558 BREAKEXIT(sh_files_checkdir); … … 1559 1590 { 1560 1591 CLEAR_SH_FFLAG_REPORTED(ptr->is_reported); 1592 sh_hash_clear_flag(ptr->name, SH_FFLAG_ENOENT); 1561 1593 #if 0 1562 1594 /* obsoleted (really?) by the mandatory sh_files_filecheck() … … 2661 2693 } 2662 2694 2663 2664 2695 /* stat the file and determine checksum (if a regular file) 2665 2696 */ -
trunk/src/sh_hash.c
r457 r458 477 477 SH_MUTEX_UNLOCK(mutex_hash); 478 478 479 /* remove here to avoid second message from hash_unvisited */ 480 if (retval == 0) 481 sh_hash_remove (fullpath); 482 479 483 return retval; 480 484 } … … 537 541 SL_RET0(_("hash_unvisited")); 538 542 } 539 #if 0 540 if (!strcmp(p->fullpath, "/var/lib/synaptic")) 541 { 542 fprintf(stderr, "FIXME: Check for missing files %s\n", p->fullpath); 543 if (SH_FFLAG_VISITED_SET(p->fflags)) fprintf(stderr, "FIXME: visited\n"); 544 if (SH_FFLAG_CHECKED_SET(p->fflags)) fprintf(stderr, "FIXME: checked\n"); 545 if (SH_FFLAG_REPORTED_SET(p->fflags)) fprintf(stderr, "FIXME: reported\n"); 546 if (SH_FFLAG_ALLIGNORE_SET(p->fflags)) fprintf(stderr, "FIXME: allignore\n"); 547 } 548 #endif 543 549 544 /* visited flag not set: not seen; 550 545 * checked flag set: not seen (i.e. missing), and already checked … … 560 555 { 561 556 i = retry_lstat(FIL__, __LINE__, p->fullpath, &buf); 562 #if 0 563 if (!strcmp(p->fullpath, "/var/lib/synaptic")) 564 fprintf(stderr, "FIXME: Check for missing files %s (%d)\n", p->fullpath, i); 565 #endif 557 566 558 /* if file does not exist 567 559 */ … … 653 645 CLEAR_SH_FFLAG_VISITED(p->fflags); 654 646 CLEAR_SH_FFLAG_CHECKED(p->fflags); 647 SET_SH_FFLAG_ENOENT(p->fflags); 655 648 656 649 SL_RET0(_("hash_unvisited")); … … 2202 2195 /* needs lock to be threadsafe 2203 2196 */ 2204 void sh_hash_ addflag (char * filename, int flag_to_set)2197 void sh_hash_set_flag (char * filename, int flag_to_set) 2205 2198 { 2206 2199 sh_file_t * p; … … 2218 2211 return; 2219 2212 } 2213 2214 /* needs lock to be threadsafe 2215 */ 2216 void sh_hash_clear_flag (char * filename, int flag_to_clear) 2217 { 2218 sh_file_t * p; 2219 2220 if (IsInit != 1) 2221 sh_hash_init(); 2222 2223 SH_MUTEX_LOCK(mutex_hash); 2224 p = sh_hash_have_it_int (filename); 2225 if (p) 2226 { 2227 p->fflags &= ~flag_to_clear; 2228 } 2229 SH_MUTEX_UNLOCK(mutex_hash); 2230 return; 2231 } 2232 2220 2233 2221 2234 /***************************************************************** -
trunk/src/sh_suidchk.c
r453 r458 1294 1294 } 1295 1295 1296 sh_hash_ addflag(tmpcat, SH_FFLAG_SUIDCHK); /* no call to sh_error_handle */1296 sh_hash_set_flag(tmpcat, SH_FFLAG_SUIDCHK); /* no call to sh_error_handle */ 1297 1297 1298 1298 } … … 1367 1367 SH_MUTEX_UNLOCK(mutex_thread_nolog); 1368 1368 1369 sh_hash_ addflag(tmpcat, SH_FFLAG_SUIDCHK); /* no call to sh_error_handle */1369 sh_hash_set_flag(tmpcat, SH_FFLAG_SUIDCHK); /* no call to sh_error_handle */ 1370 1370 1371 1371 } … … 1381 1381 ShSuidchkSeverity); 1382 1382 SH_MUTEX_UNLOCK(mutex_thread_nolog); 1383 sh_hash_ addflag(tmpcat, SH_FFLAG_SUIDCHK); /* no call to sh_error_handle */1383 sh_hash_set_flag(tmpcat, SH_FFLAG_SUIDCHK); /* no call to sh_error_handle */ 1384 1384 1385 1385 } -
trunk/src/sh_unix.c
r454 r458 3930 3930 { 3931 3931 if (S_FALSE == sh_ignore_chk_del(theFile->fullpath)) { 3932 char errbuf[SH_ERRBUF_SIZE]; 3933 uid_t euid; 3934 (void) sl_get_euid(&euid); 3935 tmp2 = sh_util_safe_name (theFile->fullpath); 3936 SH_MUTEX_LOCK(mutex_thread_nolog); 3937 sh_error_handle (level, FIL__, __LINE__, stat_return, MSG_FI_STAT, 3938 _("lstat"), 3939 sh_error_message (stat_errno, errbuf, sizeof(errbuf)), 3940 (long) euid, 3941 tmp2); 3942 SH_MUTEX_UNLOCK(mutex_thread_nolog); 3943 SH_FREE(tmp2); 3932 int flags = sh_hash_getflags (theFile->fullpath); 3933 3934 if ((flags >= 0) && (flags & SH_FFLAG_ENOENT) == 0) { 3935 char errbuf[SH_ERRBUF_SIZE]; 3936 uid_t euid; 3937 (void) sl_get_euid(&euid); 3938 tmp2 = sh_util_safe_name (theFile->fullpath); 3939 SH_MUTEX_LOCK(mutex_thread_nolog); 3940 sh_error_handle (level, FIL__, __LINE__, stat_return, MSG_FI_STAT, 3941 _("lstat"), 3942 sh_error_message (stat_errno, errbuf, sizeof(errbuf)), 3943 (long) euid, 3944 tmp2); 3945 SH_MUTEX_UNLOCK(mutex_thread_nolog); 3946 SH_FREE(tmp2); 3947 sh_hash_set_flag (theFile->fullpath, SH_FFLAG_ENOENT); 3948 } 3944 3949 } 3945 3950 } -
trunk/src/zAVLTree.c
r457 r458 80 80 return NULL; 81 81 } 82 void zAVL_string_del (zAVLTree * tree, const char * key) 83 { 84 /* zAVLSearch() checks for NULL tree 85 */ 86 if (key) 87 { 88 char * item = ((char *) zAVLSearch (tree, key)); 89 if (item) 90 { 91 zAVLDelete(tree, key); 92 zfree_string(item); 93 } 94 } 95 return; 96 } 97 82 98 83 99
Note:
See TracChangeset
for help on using the changeset viewer.