Modified files:
config.c syscheck.c
Log message:
Description: Adding glob support on syscheck. Fixing yum rules.
Reviewed by: dcid
Bug:
Index: config.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/config.c,v
diff -u -r1.22 -r1.23
--- config.c 3 Jul 2008 23:37:13 -0000 1.22
+++ config.c 30 Mar 2009 19:09:32 -0000 1.23
@@ -29,31 +29,21 @@
syscheck.ignore_regex = NULL;
syscheck.scan_day = NULL;
syscheck.scan_time = NULL;
-
+ syscheck.dir = NULL;
+ syscheck.opts = NULL;
#ifdef WIN32
+ syscheck.registry = NULL;
syscheck.reg_fp = NULL;
#endif
- /* Cleaning up the dirs */
- for(i = 0; i<= MAX_DIR_ENTRY; i++)
- {
- syscheck.dir[i] = NULL;
- syscheck.opts[i] = 0;
-
- #ifdef WIN32
- syscheck.registry[i] = NULL;
- #endif
- }
-
-
/* Reading config */
if(ReadConfig(modules, cfgfile, &syscheck, NULL) < 0)
return(OS_INVALID);
/* We must have at least one directory to check */
- if(syscheck.dir[0] == NULL)
+ if(!syscheck.dir || syscheck.dir[0] == NULL)
{
merror(SK_NO_DIR, ARGV0);
return(1);
Index: syscheck.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/syscheck.c,v
diff -u -r1.40 -r1.41
--- syscheck.c 15 Aug 2008 21:03:08 -0000 1.40
+++ syscheck.c 30 Mar 2009 19:09:32 -0000 1.41
@@ -300,6 +300,16 @@
{
verbose(STARTUP_MSG, "ossec-rootcheck", (int)getpid());
}
+
+
+ /* Printing directories to be monitored. */
+ r = 0;
+ while(syscheck.dir[r] != NULL)
+ {
+ verbose("%s: INFO: Monitoring directory: '%s'.",
+ ARGV0, syscheck.dir[r]);
+ r++;
+ }
/* Some sync time */
Modified files:
Makefile config.c create_db.c run_check.c syscheck.c syscheck.h
Added files:
run_realtime.c
Log message:
Description: Adding real time file integrity notifications.
Reviewed by: dcid
Bug:
--- NEW FILE: run_realtime.c ---
/* @(#) $Id: run_realtime.c,v 1.1 2009/04/09 21:02:59 dcid Exp $ */
/* Copyright (C) 2005-2008 Third Brigade, Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
* License (version 3) as published by the FSF - Free Software
* Foundation
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <limits.h>
#ifdef USEINOTIFY
#include <sys/inotify.h>
#endif
#include "hash_op.h"
#include "debug_op.h"
#include "syscheck.h"
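/* inotify mask for watched directories, parenthesised so the macro is safe in
 * any expression. Only modifications and attribute changes are watched;
 * creations and deletions are not part of this mask. */
#define REALTIME_MONITOR_FLAGS (IN_MODIFY | IN_ATTRIB)
/* Fixed header size of one inotify event; the name follows it in the buffer. */
#define REALTIME_EVENT_SIZE (sizeof (struct inotify_event))
/* Read buffer used by realtime_process(): room for 2048 events with short names. */
#define REALTIME_EVENT_BUFFER (2048 * (REALTIME_EVENT_SIZE + 16))
/* Presumably defined elsewhere in syscheckd: recomputes the checksum of
 * file_name into newsum, comparing against oldsum. Returns < 0 on failure,
 * in which case it has already raised the alert itself. */
int c_read_file(char *file_name, char *oldsum, char *newsum);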
/* Starts real time monitoring using inotify. */
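/* Starts real time monitoring using inotify.
 *
 * Allocates syscheck.realtime and its watch-descriptor table. On builds
 * without USEINOTIFY the descriptor stays at -1, which realtime_adddir()
 * treats as "not ready". Returns 1 on success and -1 on failure. When the
 * state itself cannot be allocated, syscheck.realtime is left NULL so that
 * callers can detect it; when only the table or inotify fails, the state is
 * kept with fd == -1 so later checks degrade to "unavailable" instead of
 * dereferencing NULL.
 */
int realtime_start(void)
{
    verbose("%s: INFO: Initializing real time file monitoring (not started).", ARGV0);

    syscheck.realtime = calloc(1, sizeof(rtfim));
    if(syscheck.realtime == NULL)
    {
        merror("%s: ERROR: Unable to allocate real time monitoring state.", ARGV0);
        return(-1);
    }

    /* Set the "not ready" marker before anything else can fail. */
    syscheck.realtime->fd = -1;

    syscheck.realtime->dirtb = (void *)OSHash_Create();
    if(syscheck.realtime->dirtb == NULL)
    {
        merror("%s: ERROR: Unable to create real time directory table.", ARGV0);
        return(-1);
    }

#ifdef USEINOTIFY
    syscheck.realtime->fd = inotify_init();
    if(syscheck.realtime->fd < 0)
    {
        merror("%s: ERROR: Unable to initialize inotify.", ARGV0);
        return(-1);
    }
#endif

    return(1);
}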
/* Adds a directory to real time checking. */
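/* Adds a directory to real time checking.
 *
 * Lazily initialises the real time state via realtime_start() on first use.
 * The watch descriptor returned by inotify is stored in
 * syscheck.realtime->dirtb as a decimal string key mapping to a private copy
 * of dir, so the caller's buffer does not have to outlive the watch
 * (realtime_process() later resolves events through that key). Returns -1
 * when real time monitoring is unavailable (initialisation failed, or the
 * build has no USEINOTIFY support); 1 otherwise, including when inotify
 * refused the directory, which is only logged.
 */
int realtime_adddir(char *dir)
{
    if(!syscheck.realtime)
    {
        /* realtime_start() logs its own errors. It can leave
         * syscheck.realtime NULL when allocation fails, so re-check
         * before dereferencing it. */
        if(realtime_start() < 0 || !syscheck.realtime)
        {
            return(-1);
        }
    }

    /* Checking if it is ready to use. */
    if(syscheck.realtime->fd < 0)
    {
        return(-1);
    }

#ifdef USEINOTIFY
    {
        int wd = inotify_add_watch(syscheck.realtime->fd,
                                   dir,
                                   REALTIME_MONITOR_FLAGS);
        if(wd < 0)
        {
            merror("%s: ERROR: Unable to add directory to real time "
                   "monitoring: '%s'.", ARGV0, dir);
        }
        else
        {
            char wdchar[32 +1];
            wdchar[32] = '\0';
            snprintf(wdchar, 32, "%d", wd);

            /* Entry not present. inotify hands back the same descriptor for
             * a path that is already watched, so a repeated add is a no-op. */
            if(!OSHash_Get(syscheck.realtime->dirtb, wdchar))
            {
                char *key = strdup(wdchar);
                char *dir_copy = strdup(dir);

                if(key == NULL || dir_copy == NULL)
                {
                    merror("%s: ERROR: Out of memory adding directory to "
                           "real time monitoring: '%s'.", ARGV0, dir);
                    free(key);
                    free(dir_copy);
                }
                else
                {
                    /* NOTE(review): OSHash_Add's return is not checked; if it
                     * can fail, key and dir_copy leak — confirm in hash_op.h. */
                    OSHash_Add(syscheck.realtime->dirtb, key, dir_copy);
                    debug1("%s: DEBUG: Directory added for real time monitoring: "
                           "'%s'.", ARGV0, dir);
                }
            }
        }
    }
#endif

    return(1);
}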
/* Checking sum of the realtime file being monitored. */
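/* Checking sum of the realtime file being monitored.
 *
 * Rewinds the syscheck database (syscheck.fp), looks for the line whose path
 * equals file_name, recomputes that file's checksum with c_read_file() and,
 * when it differs from the stored one, sends "<new sum> <path>" to the
 * analysis server. Returns 1 when an alert was sent and 0 otherwise (no
 * matching entry, unchanged, or c_read_file() already alerted). When a match
 * is found the stream is left just after that line; when none is found it is
 * left at EOF.
 *
 * Assumed database line layout (TODO confirm against create_db.c):
 *   <6 internal flag chars><stored checksum> <path>
 */
int realtime_checksumfile(char *file_name)
{
    char buf[MAX_LINE +2];
    buf[MAX_LINE +1] = '\0';

    fseek(syscheck.fp, 0, SEEK_SET);
    while(fgets(buf, MAX_LINE, syscheck.fp) != NULL)
    {
        char *n_buf;

        /* Comment, indented and blank lines are not entries. */
        if((buf[0] == '#') || (buf[0] == ' ') || (buf[0] == '\n'))
        {
            continue;
        }

        /* Removing the new line. A line longer than the buffer has no '\n'
         * yet and is skipped; its tail is then read as the next line
         * (pre-existing behaviour). */
        n_buf = strchr(buf, '\n');
        if(n_buf == NULL)
        {
            continue;
        }
        *n_buf = '\0';

        /* First 6 characters are for internal use. A shorter line would put
         * the scan past the terminator into stale bytes left by an earlier,
         * longer line, which could even match a stale path — skip it. */
        if((size_t)(n_buf - buf) < 6)
        {
            continue;
        }

        n_buf = strchr(buf + 6, ' ');
        if(n_buf == NULL)
        {
            continue;
        }
        n_buf++;

        /* Checking if name matches */
        if(strcmp(n_buf, file_name) != 0)
        {
            continue;
        }

        {
            char c_sum[256 +2];
            c_sum[0] = '\0';
            c_sum[255] = '\0';

            /* If it returns < 0, we will already have alerted. */
            if(c_read_file(file_name, buf, c_sum) < 0)
            {
                continue;
            }

            /* NOTE(review): the separating space found above was never
             * overwritten, so buf+6 still carries " <path>" here unless
             * c_read_file() rewrites oldsum — confirm this really compares
             * sum against sum. */
            if(strcmp(c_sum, buf+6) != 0)
            {
                char alert_msg[912 +2];

                /* Sending the new checksum to the analysis server */
                alert_msg[912 +1] = '\0';
                snprintf(alert_msg, 912, "%s %s", c_sum, file_name);
                send_syscheck_msg(alert_msg);
                return(1);
            }
            return(0);
        }
    }

    /* No entry for file_name: nothing is added here, the stream is only
     * left at EOF for the caller. */
    fseek(syscheck.fp, 0, SEEK_END);
    return(0);
}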
/* Process events in the real time queue. */
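/* Process events in the real time queue.
 *
 * Reads one batch of inotify events from syscheck.realtime->fd, resolves each
 * event's watch descriptor to its directory through syscheck.realtime->dirtb
 * and runs realtime_checksumfile() on "<dir>/<name>". Events without a name
 * (len == 0, e.g. IN_IGNORED or IN_Q_OVERFLOW) and events whose descriptor is
 * not in the table are skipped. Always returns 0; a failed read() is only
 * logged. Without USEINOTIFY this is a no-op so the file still builds.
 */
int realtime_process(void)
{
#ifdef USEINOTIFY
    /* About 64 KiB of automatic storage; the extra byte is a sentinel so a
     * name that reaches the end of the buffer stays NUL-terminated. */
    char buf[REALTIME_EVENT_BUFFER +1];
    ssize_t len;
    size_t i = 0;

    buf[REALTIME_EVENT_BUFFER] = '\0';

    len = read(syscheck.realtime->fd, buf, REALTIME_EVENT_BUFFER);
    if(len < 0)
    {
        merror("%s: ERROR: Unable to read from real time buffer.", ARGV0);
        return(0);
    }

    /* Stop as soon as the remaining bytes cannot hold a full event header,
     * instead of reading past the data read() actually returned. */
    while(i + REALTIME_EVENT_SIZE <= (size_t)len)
    {
        struct inotify_event event;
        const char *name = &buf[i + REALTIME_EVENT_SIZE];

        /* buf is a plain char array: copy the header out rather than
         * dereferencing a possibly misaligned struct pointer. */
        memcpy(&event, &buf[i], REALTIME_EVENT_SIZE);

        /* A name running past the bytes returned means a truncated batch;
         * drop the rest rather than formatting stale buffer contents. */
        if(event.len > (size_t)len - i - REALTIME_EVENT_SIZE)
        {
            break;
        }

        if(event.len)
        {
            char wdchar[32 +1];
            char final_name[MAX_LINE +1];
            char *dir;

            wdchar[32] = '\0';
            final_name[MAX_LINE] = '\0';

            snprintf(wdchar, 32, "%d", event.wd);
            dir = (char *)OSHash_Get(syscheck.realtime->dirtb, wdchar);

            /* Unknown descriptor (watch removed, or never recorded): skip
             * instead of formatting a NULL pointer with "%s". */
            if(dir == NULL)
            {
                debug1("%s: DEBUG: Ignoring real time event for unknown "
                       "watch descriptor: %d.", ARGV0, event.wd);
            }
            else
            {
                snprintf(final_name, MAX_LINE, "%s/%s", dir, name);
                realtime_checksumfile(final_name);
            }
        }

        i += REALTIME_EVENT_SIZE + event.len;
    }
#endif

    return(0);
}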
/* EOF */
Index: Makefile
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/Makefile,v
diff -u -r1.7 -r1.8
--- Makefile 15 Aug 2008 21:03:08 -0000 1.7
+++ Makefile 9 Apr 2009 21:02:59 -0000 1.8
@@ -8,7 +8,7 @@
include ../Config.Make
-OBJS = syscheck.c config.c create_db.c run_check.c ${OS_CONFIG} ${OS_ROOTCHECK} ${OS_SHARED} ${OS_XML} ${OS_REGEX} ${OS_NET} ${OS_CRYPTO}
+OBJS = syscheck.c config.c run_realtime.c create_db.c run_check.c ${OS_CONFIG} ${OS_ROOTCHECK} ${OS_SHARED} ${OS_XML} ${OS_REGEX} ${OS_NET} ${OS_CRYPTO}
OBJS2 = syscheck-baseline.c config.c create_db.c run_check.c ${OS_CONFIG} ${OS_ROOTCHECK} ${OS_SHARED} ${OS_XML} ${OS_REGEX} ${OS_NET} ${OS_CRYPTO}
syscheck:
Index: config.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/config.c,v
diff -u -r1.24 -r1.25
--- config.c 7 Apr 2009 18:20:00 -0000 1.24
+++ config.c 9 Apr 2009 21:02:59 -0000 1.25
@@ -30,6 +30,7 @@
syscheck.scan_time = NULL;
syscheck.dir = NULL;
syscheck.opts = NULL;
+ syscheck.realtime = NULL;
#ifdef WIN32
syscheck.registry = NULL;
syscheck.reg_fp = NULL;
Index: create_db.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/create_db.c,v
diff -u -r1.24 -r1.25
--- create_db.c 28 Jan 2009 16:56:13 -0000 1.24
+++ create_db.c 9 Apr 2009 21:02:59 -0000 1.25
@@ -293,6 +293,7 @@
f_name[PATH_MAX +1] = '\0';
+
/* Directory should be valid */
if((dir_name == NULL)||((dir_size = strlen(dir_name)) > PATH_MAX))
{
@@ -315,7 +316,7 @@
if(flag == CREATE_DB)
{
- merror("%s: Error opening directory: '%s': %s ",
+ merror("%s: WARN: Error opening directory: '%s': %s ",
ARGV0,
dir_name,
strerror(errno));
@@ -325,6 +326,15 @@
}
+ /* Checking for real time flag. */
+ if(opts & CHECK_REALTIME)
+ {
+ #ifdef USEINOTIFY
+ realtime_adddir(dir_name);
+ #endif
+ }
+
+
while((entry = readdir(dp)) != NULL)
{
char *s_name;
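Review bot: realtime_adddir(dir_name) on the added line stores the pointer it is given straight into the watch table without copying it (run_realtime.c: `OSHash_Add(syscheck.realtime->dirtb, strdup(wdchar), dir)`), so if dir_name in a recursive call can be a caller's local buffer — the `f_name[PATH_MAX +1]` a few lines up suggests subdirectory paths are built that way — the table entry dangles once that frame returns and realtime_process() later formats dead stack memory into final_name. Either copy inside realtime_adddir, `OSHash_Add(syscheck.realtime->dirtb, strdup(wdchar), strdup(dir));` with NULL checks on both, or guarantee here that every dir_name passed lives for the process lifetime. The return value of realtime_adddir() is also discarded, so a directory that inotify refused silently falls back to periodic scans only; a `merror` here would make that visible. The enclosing function starts and ends outside the hunk.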
@@ -407,6 +417,9 @@
}
+ merror("%s: INFO: Starting syscheck database (pre-scan).", ARGV0);
+
+
/* Read all available directories */
__counter = 0;
do
@@ -415,6 +428,9 @@
i++;
}while(syscheck.dir[i] != NULL);
+
+ merror("%s: INFO: Finished creating syscheck database (pre-scan "
+ "completed).", ARGV0);
return(0);
}
Index: run_check.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/run_check.c,v
diff -u -r1.41 -r1.42
--- run_check.c 6 Feb 2009 16:55:15 -0000 1.41
+++ run_check.c 9 Apr 2009 21:02:59 -0000 1.42
@@ -90,7 +90,7 @@
/* Sending scan start message */
- merror("%s: INFO: Starting syscheck scan (db).", ARGV0);
+ merror("%s: INFO: Starting syscheck scan (forwarding database).", ARGV0);
send_rootcheck_msg("Starting syscheck scan.");
@@ -134,7 +134,7 @@
/* Sending scan ending message */
sleep(syscheck.tsleep +10);
- merror("%s: INFO: Ending syscheck scan (db).", ARGV0);
+ merror("%s: INFO: Ending syscheck scan (forwarding database).", ARGV0);
send_rootcheck_msg("Ending syscheck scan.");
}
@@ -157,6 +157,13 @@
struct tm *p;
+
+ /* To be used by select. */
+ #ifdef USEINOTIFY
+ struct timeval selecttime;
+ fd_set rfds;
+ #endif
+
/*
* SCHED_BATCH forces the kernel to assume this is a cpu intensive
@@ -267,7 +274,12 @@
}
+ #ifdef USEINOTIFY
+ if(syscheck.realtime->fd >= 0)
+ verbose("%s: INFO: Starting real time file monitoring.", ARGV0);
+ #endif
+
/* Checking every SYSCHECK_WAIT */
while(1)
{
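Review bot: `syscheck.realtime->fd` on the added line dereferences syscheck.realtime with no NULL check, and config.c in this same commit initialises that pointer to NULL; it is only allocated by realtime_start(), which run_realtime.c calls from realtime_adddir(), which create_db.c calls only for directories flagged CHECK_REALTIME. Unless something outside these hunks calls realtime_start() unconditionally, a configuration with no realtime directory crashes here on entry to the loop, and again in the select() block of the `@@ -403,7 +415,40 @@` hunk, where FD_SET, select and FD_ISSET read the same field. Guard every use: `if(syscheck.realtime && syscheck.realtime->fd >= 0)` here, and in the later hunk take a local `int rt_fd = syscheck.realtime ? syscheck.realtime->fd : -1;` and use it throughout. The enclosing function starts and ends outside the hunk.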
@@ -403,7 +415,40 @@
}
+ #ifdef USEINOTIFY
+ selecttime.tv_sec = SYSCHECK_WAIT;
+ selecttime.tv_usec = 0;
+
+ /* zero-out the fd_set */
+ FD_ZERO (&rfds);
+
+
+ if(syscheck.realtime->fd >= 0)
+ FD_SET(syscheck.realtime->fd, &rfds);
+
+ run_now = select (syscheck.realtime->fd + 1, &rfds,
+ NULL, NULL, &selecttime);
+ if(run_now < 0)
+ {
+ merror("%s: ERROR: Select failed (for realtime fim).", ARGV0);
+ sleep(SYSCHECK_WAIT);
+ }
+ else if(run_now == 0)
+ {
+ /* Timeout. */
+ }
+ else if (FD_ISSET (syscheck.realtime->fd, &rfds))
+ {
+ realtime_process();
+ }
+
+ sleep(10);
+
+ #else
sleep(SYSCHECK_WAIT);
+ #endif
+
+
}
}
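Review bot: The unconditional `sleep(10);` after the select() block runs even when the descriptor was ready, so realtime events are serviced at most once every ten seconds and the inotify queue keeps filling in between; a burst of changes either arrives late or is dropped as IN_Q_OVERFLOW once the kernel queue limit is hit, and that event (wd == -1, len == 0) is skipped silently by realtime_process(). The timeout branch has already waited SYSCHECK_WAIT, so it needs no extra pause either. If a pacing delay is wanted, put a much shorter one after `realtime_process();` only, and drop the trailing sleep. The enclosing function starts and ends outside the hunk.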
Index: syscheck.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/syscheck.c,v
diff -u -r1.41 -r1.42
--- syscheck.c 30 Mar 2009 19:09:32 -0000 1.41
+++ syscheck.c 9 Apr 2009 21:02:59 -0000 1.42
@@ -310,6 +310,23 @@
ARGV0, syscheck.dir[r]);
r++;
}
+
+ /* Checking directories set for real time. */
+ r = 0;
+ while(syscheck.dir[r] != NULL)
+ {
+ if(syscheck.opts[r] & CHECK_REALTIME)
+ {
+ #ifdef USEINOTIFY
+ verbose("%s: INFO: Directory set for real time monitoring: "
+ "'%s'.", ARGV0, syscheck.dir[r]);
+ #else
+ verbose("%s: WARN: Ignoring flag for real time monitoring on "
+ "directory: '%s'.", ARGV0, syscheck.dir[r]);
+ #endif
+ }
+ r++;
+ }
/* Some sync time */
Index: syscheck.h
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/syscheck.h,v
diff -u -r1.13 -r1.14
--- syscheck.h 17 Jun 2008 17:04:09 -0000 1.13
+++ syscheck.h 9 Apr 2009 21:02:59 -0000 1.14
@@ -56,6 +56,11 @@
*/
void os_winreg_check();
+/* Adds a directory to real time monitoring. */
+int realtime_adddir(char *dir);
+
+/* Process real time queue. */
+int realtime_process();
/** Sends syscheck message.
*/
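Review bot: The two new prototypes use `()` rather than `(void)`, so a call with stray arguments is accepted silently, and neither comment states the return convention the implementations use (realtime_adddir() returns -1 when real time monitoring is unavailable and 1 otherwise, realtime_process() always 0). Suggest `int realtime_process(void);` and a comment on realtime_adddir such as `/* Returns -1 if real time monitoring is unavailable, 1 otherwise; dir is stored by pointer and must outlive the watch. */`. realtime_start() is defined non-static in run_realtime.c but not declared here; if it is meant to stay private to that file it should be `static`, otherwise it belongs in this header too.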
Modified files:
config.c create_db.c run_check.c run_realtime.c syscheck-baseline.c
syscheck.c syscheck.h win-registry.c
Log message:
Description: Changing copyrights to Trend Micro
Reviewed by: dcid
Bug:
Index: config.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/config.c,v
diff -u -r1.28 -r1.29
--- config.c 24 Jun 2009 18:52:13 -0000 1.28
+++ config.c 24 Jun 2009 18:53:09 -0000 1.29
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2004-2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: create_db.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/create_db.c,v
diff -u -r1.25 -r1.26
--- create_db.c 9 Apr 2009 21:02:59 -0000 1.25
+++ create_db.c 24 Jun 2009 18:53:09 -0000 1.26
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: run_check.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/run_check.c,v
diff -u -r1.42 -r1.43
--- run_check.c 9 Apr 2009 21:02:59 -0000 1.42
+++ run_check.c 24 Jun 2009 18:53:09 -0000 1.43
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2005-2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: run_realtime.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/run_realtime.c,v
diff -u -r1.3 -r1.4
--- run_realtime.c 13 Apr 2009 17:41:36 -0000 1.3
+++ run_realtime.c 24 Jun 2009 18:53:09 -0000 1.4
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2005-2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: syscheck-baseline.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/syscheck-baseline.c,v
diff -u -r1.1 -r1.2
--- syscheck-baseline.c 3 Jul 2008 23:37:13 -0000 1.1
+++ syscheck-baseline.c 24 Jun 2009 18:53:09 -0000 1.2
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*
* This program is a free software; you can redistribute it
Index: syscheck.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/syscheck.c,v
diff -u -r1.42 -r1.43
--- syscheck.c 9 Apr 2009 21:02:59 -0000 1.42
+++ syscheck.c 24 Jun 2009 18:53:09 -0000 1.43
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*
* This program is a free software; you can redistribute it
Index: syscheck.h
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/syscheck.h,v
diff -u -r1.14 -r1.15
--- syscheck.h 9 Apr 2009 21:02:59 -0000 1.14
+++ syscheck.h 24 Jun 2009 18:53:09 -0000 1.15
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: win-registry.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/win-registry.c,v
diff -u -r1.13 -r1.14
--- win-registry.c 21 Jul 2008 00:59:59 -0000 1.13
+++ win-registry.c 24 Jun 2009 18:53:09 -0000 1.14
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.