- Timestamp:
- Oct 21, 2016, 6:40:46 PM (8 years ago)
- Location:
- trunk/src
- Files:
-
- 3 edited
trunk/src/sh_audit.c
r489 r514 180 180 if (0 == strcmp(state.success, "yes")) 181 181 { 182 char time_str[81]; 182 183 char * tmp_exe = sh_util_safe_name(state.exe); 184 185 (void) sh_unix_gmttime (state.time, time_str, sizeof(time_str)); 183 186 sl_snprintf(result, rsize, 184 _("time=%lu.%u, syscall=%s, auid=%u, uid=%u, gid=%u, euid=%u, egid=%u, fsuid=%u, fsgid=%u, exe=%s"),185 (unsigned long) state.time, state.milli, 187 _("time=%lu.%u, timestamp=%s, syscall=%s, auid=%u, uid=%u, gid=%u, euid=%u, egid=%u, fsuid=%u, fsgid=%u, exe=%s"), 188 (unsigned long) state.time, state.milli, time_str, 186 189 state.syscall, 187 190 state.auid, state.uid, state.gid, state.euid, state.egid, … … 196 199 return NULL; 197 200 } 201 202 #define SH_AUDIT_DEF "wa" 203 static char sh_audit_flags[32] = SH_AUDIT_DEF; 204 205 int sh_audit_set_flags(const char * str) 206 { 207 if (!str || strlen(str) >= sizeof(sh_audit_flags)) 208 return -1; 209 sl_strlcpy(sh_audit_flags, str, sizeof(sh_audit_flags)); 210 return 0; 211 } 212 static void reset_audit_flags() 213 { 214 sl_strlcpy(sh_audit_flags, SH_AUDIT_DEF, sizeof(sh_audit_flags)); 215 return; 216 } 217 198 218 199 219 static int sh_audit_checkdaemon(); … … 207 227 }; 208 228 229 static char * getflags (char * file); 209 230 210 231 /* Public function to fetch an audit record for path 'file', time 'time' 211 232 * The 'result' array should be sized ~256 char. 
212 233 */ 213 char * sh_audit_fetch (char * file, time_t mtime, time_t ctime, char * result, size_t rsize) 214 { 215 char * res = NULL; 234 char * sh_audit_fetch (char * file, time_t mtime, time_t ctime, time_t atime, char * result, size_t rsize) 235 { 236 char * res = NULL; 237 char * flags = getflags(file); 216 238 217 239 if (sh_audit_checkdaemon() >= 0) 218 240 { 219 241 time_t new; 220 221 if (mtime >= ctime) { new = mtime; } 222 else { new = ctime; } 242 243 if (flags && (strchr(flags, 'r') || strchr(flags, 'x')) && atime >= ctime && atime >= mtime) { new = atime; } 244 else if (mtime >= ctime) { new = mtime; } 245 else { new = ctime; } 223 246 224 247 res = doAuparse (file, new, 1, result, rsize, S_FALSE); … … 251 274 sh_ext_system(ctl, ctl, "-D", "-k", _("samhain"), NULL); 252 275 } 276 reset_audit_flags(); 253 277 return; 254 278 } … … 263 287 } 264 288 265 static void sh_audit_mark_int (const char * file )289 static void sh_audit_mark_int (const char * file, const char * flags) 266 290 { 267 291 static int flushRules = 0; … … 286 310 char a2[32]; 287 311 char a3[32]; 288 289 sl_snprintf(command, len, _("%s -w %s -p wa -k samhain"), 290 _(actl_paths[p]),291 file);312 char a4[32]; 313 314 sl_snprintf(command, len, _("%s -w %s -p %s -k samhain"), 315 _(actl_paths[p]), file, flags); 292 316 293 317 safe = sh_util_safe_name_keepspace(command); … … 303 327 304 328 sl_strlcpy(a3, _("samhain"), sizeof(a3)); 305 sh_ext_system(ctl, ctl, "-w", command, "-p", "wa", "-k", a3, NULL); 329 sl_strlcpy(a4, flags, sizeof(a4)); 330 sh_ext_system(ctl, ctl, "-w", command, "-p", a4, "-k", a3, NULL); 306 331 307 332 /* Placing a watch on a directory will not place a watch on the … … 319 344 sl_strlcat(command, file, len); 320 345 sl_strlcpy(a1, _("always,exit"), sizeof(a1)); 321 sl_strlcpy(a2, _("perm=wa"), sizeof(a2)); 346 sl_strlcpy(a2, _("perm="), sizeof(a2)); 347 sl_strlcat(a2, flags, sizeof(a2)); 322 348 sh_ext_system(ctl, ctl, "-a", a1, "-F", command, "-F", a2, "-k", a3, 
NULL); 323 349 } … … 327 353 } 328 354 355 #define SH_AU_FLAGS_SIZ 32 329 356 struct aud_list { 330 357 char * file; 358 char flags[SH_AU_FLAGS_SIZ]; 331 359 struct aud_list * next; 332 360 }; 333 361 334 362 struct aud_list * mark_these = NULL; 363 static int marked_committed = 0; 364 365 static void delete_listofmarked() 366 { 367 struct aud_list * tmp; 368 struct aud_list * this = mark_these; 369 370 mark_these = NULL; 371 372 while (this) 373 { 374 tmp = this; 375 this = this->next; 376 377 SH_FREE(tmp->file); 378 SH_FREE(tmp); 379 } 380 marked_committed = 0; 381 } 382 383 static char * getflags (char * file) 384 { 385 struct aud_list * this = mark_these; 386 387 while (this) 388 { 389 if (0 == strcmp(file, this->file)) 390 return this->flags; 391 this = this->next; 392 } 393 /* no explicit rule for this file */ 394 return NULL; 395 } 335 396 336 397 static void add_this (char * file) … … 340 401 341 402 this->file = sh_util_strdup(file); 403 404 /* strip trailing '/' */ 342 405 if ((len > 1) && (file[len-1] == '/')) 343 406 this->file[len-1] = '\0'; 407 408 sl_strlcpy(this->flags, sh_audit_flags, SH_AU_FLAGS_SIZ); 344 409 345 410 this->next = mark_these; … … 362 427 else 363 428 { 364 char * s0 = SH_ALLOC(len0 + 2); 365 char * s1 = SH_ALLOC(len1 + 2); 366 367 sl_strlcpy(s0, this->file, len0 + 2); 368 sl_strlcpy(s1, file, len1 + 2); 369 370 if (s0 < s1) 371 { 372 sl_strlcat(s0, "/", len0 + 2); 373 ret = strncmp(s0, s1, len0 + 1); 374 } 375 else 376 { 377 sl_strlcat(s1, "/", len1 + 2); 378 if (0 == strncmp(s0, s1, len1 + 1)) 379 { 380 size_t len = strlen(file); 381 SH_FREE(this->file); 382 this->file = sh_util_strdup(file); 383 if ((len > 1) && (file[len-1] == '/')) 384 this->file[len-1] = '\0'; 385 ret = 0; 386 } 387 } 388 SH_FREE(s0); 389 SH_FREE(s1); 429 if (0 == strcmp(this->flags, sh_audit_flags)) 430 { 431 char * s0 = SH_ALLOC(len0 + 2); 432 char * s1 = SH_ALLOC(len1 + 2); 433 434 sl_strlcpy(s0, this->file, len0 + 2); 435 sl_strlcpy(s1, file, len1 + 2); 
436 437 if (s0 < s1) 438 { 439 sl_strlcat(s0, "/", len0 + 2); 440 ret = strncmp(s0, s1, len0 + 1); 441 } 442 else 443 { 444 sl_strlcat(s1, "/", len1 + 2); 445 if (0 == strncmp(s0, s1, len1 + 1)) 446 { 447 size_t len = strlen(file); 448 SH_FREE(this->file); 449 this->file = sh_util_strdup(file); 450 if ((len > 1) && (file[len-1] == '/')) 451 this->file[len-1] = '\0'; 452 ret = 0; 453 } 454 } 455 SH_FREE(s0); 456 SH_FREE(s1); 457 } 390 458 } 391 459 … … 397 465 void sh_audit_mark (char * file) 398 466 { 399 struct aud_list * this = mark_these; 400 467 struct aud_list * this; 468 469 if (marked_committed != 0) 470 delete_listofmarked(); 471 401 472 if (!mark_these) { 402 473 add_this (file); 403 474 return; 404 475 } 476 477 this = mark_these; 405 478 406 479 while (this) … … 411 484 if (0 == test_exchange(this, file)) 412 485 return; 486 413 487 this = this->next; 414 488 } … … 420 494 void sh_audit_commit () 421 495 { 422 struct aud_list * next;423 496 struct aud_list * this = mark_these; 424 497 425 mark_these = NULL;426 427 498 while (this) 428 499 { 429 sh_audit_mark_int (this->file); 430 next = this->next; 431 SH_FREE(this->file); 432 SH_FREE(this); 433 this = next; 434 } 435 500 sh_audit_mark_int (this->file, this->flags); 501 this = this->next; 502 } 503 marked_committed = 1; 436 504 } 437 505 … … 538 606 /* HAVE_AUPARSE_H */ 539 607 #else 540 char * sh_audit_fetch (char * file, time_t mtime, time_t ctime, char * result, size_t rsize)608 char * sh_audit_fetch (char * file, time_t mtime, time_t ctime, time_t atime, char * result, size_t rsize) 541 609 { 542 610 (void) file; 543 611 (void) mtime; 544 612 (void) ctime; 613 (void) atime; 545 614 (void) result; 546 615 (void) rsize; … … 564 633 return; 565 634 } 635 int sh_audit_set_flags(const char * str) 636 { 637 (void) str; 638 return -1; 639 } 566 640 #endif 567 641 -
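Review bot: sh_audit_set_flags only checks the length of the configured string, but its content goes straight into the auditctl argv as `-p a4` and into the `perm=` field, so anything other than the r/w/x/a permission letters auditctl accepts (or an empty string) yields a rule that fails or does not mean what the admin wrote; the guard should be `if (!str || *str == '\0' || strspn(str, "rwxa") != strlen(str)) return -1;`. With that restriction the length check also becomes meaningful for the other buffers: `sh_audit_flags[32]`, `a4[32]` and `SH_AU_FLAGS_SIZ` are three independent 32s, and `a2[32]` receives `"perm="` plus the flags, which sl_strlcat truncates silently once the flags exceed 26 bytes — one shared constant sized for the four letters would remove that coupling. Separately, the `if (s0 < s1)` that the test_exchange hunk re-indents compares two unrelated heap pointers, which C does not define; from the surrounding strncmp lengths it presumably meant `if (len0 < len1)`. test_exchange begins outside the visible hunk.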
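--- a/trunk/src/sh_hash.c
+++ b/trunk/src/sh_hash.c
@@ -2585,5 +2585,6 @@
 _("sh_hash"), theFile->fullpath );
 
-if (NULL != sh_audit_fetch (theFile->fullpath, theFile->mtime, theFile->ctime, result, sizeof(result)))
+if (NULL != sh_audit_fetch (theFile->fullpath, theFile->mtime, theFile->ctime, theFile->atime,
+result, sizeof(result)))
 {
 #ifdef SH_USE_XML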
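--- a/trunk/src/sh_readconf.c
+++ b/trunk/src/sh_readconf.c
@@ -1018,4 +1018,8 @@
 sh_unix_setcheckacl },
 #endif
+#if !defined(SH_COMPILE_STATIC) && defined(__linux__) && defined(HAVE_AUPARSE_H) && defined(HAVE_AUPARSE_LIB)
+{ N_("setauditdflags"), SH_SECTION_MISC, SH_SECTION_NONE,
+sh_audit_set_flags },
+#endif
 { N_("loosedircheck"), SH_SECTION_MISC, SH_SECTION_NONE,
 sh_hash_loosedircheck },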