Modified files:
check_rc_winpolicy.c
Log message:
Description: A few more changes to the installer, changing license to gplv3, etc
Reviewed by: dcid
Bug:
Index: check_rc_winpolicy.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/check_rc_winpolicy.c,v
diff -u -r1.3 -r1.4
--- check_rc_winpolicy.c 20 Jul 2007 00:19:26 -0000 1.3
+++ check_rc_winpolicy.c 21 Jul 2007 23:50:56 -0000 1.4
@@ -23,7 +23,7 @@
{
debug1("%s: DEBUG: Starting on check_rc_winaudit", ARGV0);
- rkcl_get_entry(fp, "winaudit:", p_list);
+ rkcl_get_entry(fp, "Windows Audit:", p_list);
}
@@ -35,7 +35,7 @@
{
debug1("%s: DEBUG: Starting on check_rc_winmalware", ARGV0);
- rkcl_get_entry(fp, "winmalware:", p_list);
+ rkcl_get_entry(fp, "Windows Malware:", p_list);
}
@@ -47,7 +47,7 @@
{
debug1("%s: DEBUG: Starting on check_rc_winapps", ARGV0);
- rkcl_get_entry(fp, "winapps: Found: ", p_list);
+ rkcl_get_entry(fp, "Application Found:", p_list);
}
Modified files:
Makefile common.c common_rcl.c rootcheck-config.c rootcheck.conf
rootcheck.h run_rk_check.c win-common.c win-process.c
Added files:
check_rc_policy.c unix-process.c
Removed files:
check_rc_winpolicy.c
Log message:
Description: Lots of changes here.
1- Fixed and re-organized the policy monitor code. Added support for Unix.
2- Improved Windows UI and install options.
3- Some fixes for the XML lib (old code being reorganized too).
Reviewed by: dcid
Bug:
--- NEW FILE: check_rc_policy.c ---
/* @(#) $Id: check_rc_policy.c,v 1.1 2007/09/20 04:06:00 dcid Exp $ */
/* Copyright (C) 2006-2007 Daniel B. Cid <dc...@ossec.net>
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
* License (version 3) as published by the FSF - Free Software
* Foundation
*/
#include "shared.h"
#include "rootcheck.h"
/* check_rc_unixaudit:
 * Evaluate the "System Audit:" section of the policy file behind fp.
 *
 * fp     - open, readable policy file; the caller owns it and closes it
 *          after this returns.
 * p_list - process list handle (OSList *) passed through to the matcher
 *          untouched.
 *
 * Parsing and matching are delegated to rkcl_get_entry(); its return
 * value is not inspected here.
 */
void check_rc_unixaudit(FILE *fp, void *p_list)
{
    char *const section = "System Audit:";

    debug1("%s: DEBUG: Starting on check_rc_unixaudit", ARGV0);
    rkcl_get_entry(fp, section, p_list);
}
/* check_rc_winaudit:
 * Evaluate the "Windows Audit:" section of the policy file behind fp.
 *
 * fp     - open, readable policy file; the caller owns and closes it.
 * p_list - process list handle (OSList *) passed through to the matcher
 *          untouched.
 *
 * All the work happens in rkcl_get_entry(); its return value is not
 * inspected here.
 */
void check_rc_winaudit(FILE *fp, void *p_list)
{
    char *const section = "Windows Audit:";

    debug1("%s: DEBUG: Starting on check_rc_winaudit", ARGV0);
    rkcl_get_entry(fp, section, p_list);
}
/* check_rc_winmalware:
 * Evaluate the "Windows Malware:" section of the policy file behind fp.
 *
 * fp     - open, readable policy file; the caller owns and closes it.
 * p_list - process list handle (OSList *) passed through to the matcher
 *          untouched.
 *
 * All the work happens in rkcl_get_entry(); its return value is not
 * inspected here.
 */
void check_rc_winmalware(FILE *fp, void *p_list)
{
    char *const section = "Windows Malware:";

    debug1("%s: DEBUG: Starting on check_rc_winmalware", ARGV0);
    rkcl_get_entry(fp, section, p_list);
}
/* check_rc_winapps:
 * Evaluate the "Application Found:" section of the policy file behind fp.
 *
 * fp     - open, readable policy file; the caller owns and closes it.
 * p_list - process list handle (OSList *) passed through to the matcher
 *          untouched.
 *
 * All the work happens in rkcl_get_entry(); its return value is not
 * inspected here.
 */
void check_rc_winapps(FILE *fp, void *p_list)
{
    char *const section = "Application Found:";

    debug1("%s: DEBUG: Starting on check_rc_winapps", ARGV0);
    rkcl_get_entry(fp, section, p_list);
}
/* EOF */
--- NEW FILE: unix-process.c ---
/* @(#) $Id: unix-process.c,v 1.1 2007/09/20 04:06:00 dcid Exp $ */
/* Copyright (C) 2005-2007 Daniel B. Cid <dc...@ossec.net>
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
* License (version 3) as published by the FSF - Free Software
* Foundation
*
* License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/main/license/ .
*/
#include "shared.h"
#include "rootcheck.h"
#ifndef WIN32
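/* _os_get_runps:
 * Run "<ps> -p <mpid>" and return the tail of the first output line
 * that contains a ':' followed later by a ' ' (in practice the line
 * carrying the TIME column), as a heap copy the caller must free().
 *
 * ps   - absolute path of the ps binary, chosen by the caller
 * mpid - pid to query
 *
 * Returns NULL when ps cannot be started or no such line was read.
 * Only the caller-fixed ps path and an int are interpolated into the
 * command, so the shell started by popen() never sees external text.
 *
 * Fixes against the first version: the popen() stream is closed with
 * pclose() instead of fclose(), and the trailing newline is really
 * removed (the old code assigned '\0' to the pointer, not through it).
 * The returned string still begins at the space that follows the ':'
 * (the original kept that leading character and is_process() matches
 * against it with pt_matches()), so that part was left unchanged.
 */
char *_os_get_runps(char *ps, int mpid)
{
    char buf[OS_SIZE_2048 + 1];
    char command[OS_SIZE_1024 + 1];
    char *result = NULL;
    FILE *fp;

    buf[0] = '\0';
    command[OS_SIZE_1024] = '\0';
    snprintf(command, OS_SIZE_1024, "%s -p %d 2> /dev/null", ps, mpid);

    fp = popen(command, "r");
    if (!fp) {
        return NULL;
    }

    while (fgets(buf, OS_SIZE_2048, fp) != NULL) {
        char *colon = strchr(buf, ':');
        char *space;
        char *nl;

        if (!colon) {
            continue;   /* header line, or no TIME column */
        }
        space = strchr(colon, ' ');
        if (!space) {
            continue;
        }
        nl = strchr(space, '\n');
        if (nl) {
            *nl = '\0'; /* strip the line terminator */
        }
        result = strdup(space);
        break;
    }

    pclose(fp);     /* popen() streams must be closed with pclose() */
    return result;
}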
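/* pid_exists:
 * True unless both getsid() and getpgid() fail with ESRCH for pid.
 * Same test as the inline condition this replaces, including the
 * short-circuit (getpgid() is not called once getsid() says ESRCH).
 */
static int pid_exists(pid_t pid)
{
    if (getsid(pid) == -1 && errno == ESRCH) {
        return 0;
    }
    if (getpgid(pid) == -1 && errno == ESRCH) {
        return 0;
    }
    return 1;
}

/* os_get_process_list:
 * Build the list of running Unix processes by probing every pid from
 * 1 to MAX_PID and asking ps for the command of each one found.
 *
 * Returns an OSList * (as void *) of Proc_Info entries, or NULL when
 * neither /bin/ps nor /usr/bin/ps exists or the list cannot be created
 * (both cases are logged). Each entry carries the string returned by
 * _os_get_runps() in p_path and NULL in p_name; del_plist() releases
 * the whole list.
 *
 * Note: one ps process is spawned per live pid, so this is slow on
 * busy hosts; that behaviour is unchanged.
 */
void *os_get_process_list(void)
{
    char ps[OS_SIZE_1024 + 1];
    OSList *p_list;
    const pid_t max_pid = MAX_PID;
    pid_t pid;

    /* Locate ps: /bin/ps first, then /usr/bin/ps. snprintf() always
     * NUL-terminates, which the strncpy() it replaces did not promise. */
    snprintf(ps, sizeof(ps), "%s", "/bin/ps");
    if (!is_file(ps)) {
        snprintf(ps, sizeof(ps), "%s", "/usr/bin/ps");
        if (!is_file(ps)) {
            merror("%s: ERROR: 'ps' not found.", ARGV0);
            return NULL;
        }
    }

    p_list = OSList_Create();
    if (!p_list) {
        merror(LIST_ERROR, ARGV0);
        return NULL;
    }

    for (pid = 1; pid <= max_pid; pid++) {
        Proc_Info *p_info;
        char *p_name;

        if (!pid_exists(pid)) {
            continue;
        }

        /* ps may produce nothing, e.g. the process exited meanwhile. */
        p_name = _os_get_runps(ps, (int)pid);
        if (!p_name) {
            continue;
        }

        os_calloc(1, sizeof(Proc_Info), p_info);
        p_info->p_path = p_name;    /* ownership moves to the list */
        p_info->p_name = NULL;
        OSList_AddData(p_list, p_info);
    }

    return (void *)p_list;
}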
#endif
/* EOF */
Index: Makefile
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/Makefile,v
diff -u -r1.9 -r1.10
--- Makefile 14 Jun 2007 23:40:50 -0000 1.9
+++ Makefile 20 Sep 2007 04:06:00 -0000 1.10
@@ -9,8 +9,8 @@
include ../Config.Make
-OBJS = check_open_ports.c check_rc_pids.c check_rc_trojans.c run_rk_check.c check_rc_dev.c check_rc_ports.c common.c common_rcl.c win-common.c check_rc_files.c check_rc_readproc.c os_string.c check_rc_if.c check_rc_sys.c rootcheck.c
-OBJS2 = ${OS_SHARED} ${OS_XML}
+OBJS = check_open_ports.c check_rc_pids.c check_rc_trojans.c run_rk_check.c check_rc_dev.c check_rc_ports.c check_rc_policy.c common.c common_rcl.c win-common.c unix-process.c check_rc_files.c check_rc_readproc.c os_string.c check_rc_if.c check_rc_sys.c rootcheck.c
+OBJS2 = ${OS_SHARED} ${OS_XML} ${OS_REGEX}
rootcheck:
$(CC) $(CFLAGS) -c ${OBJS} config.c -D_GNU_SOURCE
Index: common.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/common.c,v
diff -u -r1.17 -r1.18
--- common.c 22 Aug 2007 00:39:33 -0000 1.17
+++ common.c 20 Sep 2007 04:06:00 -0000 1.18
@@ -7,11 +7,16 @@
* and/or modify it under the terms of the GNU General Public
* License (version 3) as published by the FSF - Free Software
* Foundation
+ *
+ * License details at the LICENSE file included with OSSEC or
+ * online at: http://www.ossec.net/main/license/ .
*/
#include "shared.h"
#include "rootcheck.h"
+#include "os_regex/os_regex.h"
+
/** int rk_check_file(char *value, char *pattern)
@@ -19,13 +24,12 @@
int rk_check_file(char *file, char *pattern)
{
char *split_file;
- char *tmp_str;
FILE *fp;
char buf[OS_SIZE_2048 +1];
- /* If string we null, we don't match */
+ /* If string is null, we don't match */
if(file == NULL)
{
return(0);
@@ -33,71 +37,82 @@
/* Checking if the file is divided */
- split_file = file;
- tmp_str = strchr(file, ',');
- if(tmp_str)
+ split_file = strchr(file, ',');
+ if(split_file)
{
- *tmp_str = '\0';
+ *split_file = '\0';
+ split_file++;
}
/* Getting each file */
- while(split_file)
+ do
{
+
/* If we don't have a pattern, just check if the file/dir is there */
if(pattern == NULL)
{
- if(is_file(split_file))
+ if(is_file(file))
{
return(1);
}
-
- continue;
}
-
- /* Checking for a content in the file */
- fp = fopen(file, "r");
- if(!fp)
- {
- continue;
- }
-
- buf[OS_SIZE_2048] = '\0';
- while(fgets(buf, OS_SIZE_2048, fp) != NULL)
+ else
{
- char *nbuf;
+ /* Checking for a content in the file */
+ fp = fopen(file, "r");
+ if(fp)
+ {
+
+ buf[OS_SIZE_2048] = '\0';
+ while(fgets(buf, OS_SIZE_2048, fp) != NULL)
+ {
+ char *nbuf;
+
+ /* Removing end of line */
+ nbuf = strchr(buf, '\n');
+ if(nbuf)
+ {
+ *nbuf = '\0';
+ }
+
+
+ #ifdef WIN32
+ /* Removing end of line */
+ nbuf = strchr(buf, '\r');
+ if(nbuf)
+ {
+ *nbuf = '\0';
+ }
+ #endif
+
+
+ /* Matched */
+ if(pt_matches(buf, pattern))
+ {
+ fclose(fp);
+ return(1);
+ }
+ }
- /* Removing end of line */
- nbuf = strchr(buf, '\n');
- if(nbuf)
- {
- *nbuf = '\0';
+ fclose(fp);
}
+ }
-
- #ifdef WIN32
- /* Removing end of line */
- nbuf = strchr(buf, '\r');
- if(nbuf)
+ if(split_file)
+ {
+ file = split_file;
+ split_file = strchr(split_file, ',');
+ if(split_file)
{
- *nbuf = '\0';
- }
- #endif
-
-
- /* Matched */
- if(pt_matches(buf, pattern))
- {
- fclose(fp);
- return(1);
+ split_file++;
}
}
-
- fclose(fp);
- continue;
- }
+
+
+ }while(split_file);
return(0);
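Review bot: Only the first ',' in `file` is turned into a terminator; when the loop advances with `file = split_file; split_file = strchr(split_file, ','); if(split_file) { split_file++; }` nothing writes '\0' at the new comma, so the second element is checked as "b,c" rather than "b" and only the last element of a three-file list is ever tested correctly. The advance should mirror the initial split: `if(split_file) { *split_file = '\0'; split_file++; }`. Note that with that fix the in-place writes hit every comma of the caller's string, and rkcl_get_entry hands this function `f_value = OSStore_Get(vars, value)` for `$VAR` entries, so a comma-separated variable value would be truncated for every later rule that uses it; working on a local copy (`strdup(file)`, freed before each return) avoids that, or the header comment should state that the argument is consumed. rk_check_file's signature and closing brace lie outside this hunk.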
@@ -316,6 +331,7 @@
}
+
/* is_file: Check if the file is present
* by different attempts (to try to avoid syscall hidding).
*/
@@ -439,5 +455,99 @@
return(1);
}
+
+
+/* del_plist:. Deletes the process list
+ */
+int del_plist(void *p_list_p)
+{
+ OSList *p_list = (OSList *)p_list_p;
+ OSListNode *l_node;
+ OSListNode *p_node = NULL;
+
+ if(p_list == NULL)
+ {
+ return(0);
+ }
+
+ l_node = OSList_GetFirstNode(p_list);
+ while(l_node)
+ {
+ Proc_Info *pinfo;
+
+ pinfo = (Proc_Info *)l_node->data;
+
+ if(pinfo->p_name)
+ {
+ free(pinfo->p_name);
+ }
+
+ if(pinfo->p_path)
+ {
+ free(pinfo->p_path);
+ }
+
+ free(l_node->data);
+
+ if(p_node)
+ {
+ free(p_node);
+ p_node = NULL;
+ }
+ p_node = l_node;
+
+ l_node = OSList_GetNextNode(p_list);
+ }
+
+ if(p_node)
+ {
+ free(p_node);
+ p_node = NULL;
+ }
+
+ free(p_list);
+
+ return(1);
+}
+
+
+
+/* is_process: Check is a process is running.
+ */
+int is_process(char *value, void *p_list_p)
+{
+ OSList *p_list = (OSList *)p_list_p;
+ OSListNode *l_node;
+ if(p_list == NULL)
+ {
+ return(0);
+ }
+ if(!value)
+ {
+ return(0);
+ }
+
+
+ l_node = OSList_GetFirstNode(p_list);
+ while(l_node)
+ {
+ Proc_Info *pinfo;
+
+ pinfo = (Proc_Info *)l_node->data;
+
+ /* Checking if value matches */
+ if(pt_matches(pinfo->p_path, value))
+ {
+ return(1);
+ }
+
+ l_node = OSList_GetNextNode(p_list);
+ }
+
+ return(0);
+
+}
+
+
/* EOF */
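Review bot: The `if(pinfo->p_name)` and `if(pinfo->p_path)` guards around free() in del_plist are redundant, since free(NULL) is a defined no-op, and they are the only difference from the copy removed from win-common.c. del_plist also frees OSListNode and OSList objects by hand (`free(p_node)`, `free(p_list)`), which ties this file to the list module's internal layout; if OSList offers a destroy routine it belongs here instead (I cannot see OSList's API from this page). A one-line comment on is_process saying that matching is done against p_path only would help, because on Unix unix-process.c stores the ps output there and leaves p_name NULL.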
Index: common_rcl.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/common_rcl.c,v
diff -u -r1.10 -r1.11
--- common_rcl.c 5 Sep 2007 22:12:47 -0000 1.10
+++ common_rcl.c 20 Sep 2007 04:06:00 -0000 1.11
@@ -5,8 +5,11 @@
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 3) as published by the FSF - Free Software
* Foundation
+ *
+ * License details at the LICENSE file included with OSSEC or
+ * online at: http://www.ossec.net/main/license/
*/
@@ -124,6 +127,8 @@
*/
int _rkcl_get_vars(OSStore *vars, char *nbuf)
{
+ char *var_name;
+ char *var_value;
char *tmp;
/* If not a variable, return 0 */
@@ -132,6 +137,20 @@
return(0);
}
+
+ /* Removing ; from the end. */
+ tmp = strchr(nbuf, ';');
+ if(tmp)
+ {
+ *tmp = '\0';
+ }
+ else
+ {
+ return(-1);
+ }
+
+
+ /* Getting value. */
tmp = strchr(nbuf, '=');
if(tmp)
{
@@ -140,12 +159,17 @@
}
else
{
- return(0);
+ return(-1);
}
+ /* Dumping the variable options. */
+ os_strdup(nbuf, var_name);
+ os_strdup(tmp, var_value);
+
+
/* Adding entry to the storage */
- OSStore_Create(vars, nbuf, tmp);
+ OSStore_Put(vars, var_name, var_value);
return(1);
}
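Review bot: The result of `OSStore_Put(vars, var_name, var_value);` is discarded, so if the store rejects the entry (duplicate name or allocation failure, assuming it can report either; its contract is not on this page) both os_strdup'd copies leak and the line is still reported as a valid variable with `return(1)`. Something like `if(!OSStore_Put(vars, var_name, var_value)) { free(var_name); free(var_value); return(-1); }` would surface it, given the zero-on-failure convention the rest of this file uses. The new `strchr(nbuf, ';')` in the previous hunk also cuts the line at the first ';', so a variable value cannot contain one; that is worth a sentence in the function comment. _rkcl_get_vars's signature is outside this hunk.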
@@ -241,7 +265,7 @@
(value[2] == '>') && (value[3] == ' '))
{
*value = '\0';
- value+=4;
+ value += 4;
return(value);
}
@@ -314,7 +338,7 @@
*/
int rkcl_get_entry(FILE *fp, char *msg, void *p_list_p)
{
- int type = 0, condition = 0, root_dir_len;
+ int type = 0, condition = 0, root_dir_len = 0;
char *nbuf;
char buf[OS_SIZE_1024 +2];
char root_dir[OS_SIZE_1024 +2];
@@ -323,11 +347,12 @@
char *value;
char *name = NULL;
- char *tmp_str;
OSStore *vars;
OSList *p_list = (OSList *)p_list_p;
+
+ /* Cleaning up vars */
memset(buf, '\0', sizeof(buf));
memset(root_dir, '\0', sizeof(root_dir));
memset(final_file, '\0', sizeof(final_file));
@@ -336,56 +361,75 @@
root_dir_len = sizeof(root_dir) -1;
+ #ifdef WIN32
/* Getting Windows rootdir */
_rkcl_getrootdir(root_dir, root_dir_len);
if(root_dir[0] == '\0')
{
merror(INVALID_ROOTDIR, ARGV0);
}
+ #endif
/* Getting variables */
vars = OSStore_Create();
+ /* We first read all variables -- they must be defined at the top. */
+ while(1)
+ {
+ int rc_code = 0;
+ nbuf = _rkcl_getfp(fp, buf);
+ if(nbuf == NULL)
+ {
+ goto clean_return;
+ }
+
+ rc_code = _rkcl_get_vars(vars, nbuf);
+ if(rc_code == 0)
+ {
+ break;
+ }
+ else if(rc_code == -1)
+ {
+ merror(INVALID_RKCL_VAR, ARGV0, nbuf);
+ goto clean_return;
+ }
+ }
+
+
+ /* Getting first name */
+ name = _rkcl_get_name(nbuf, ref, &condition);
+ if(name == NULL || condition == RKCL_COND_INV)
+ {
+ merror(INVALID_RKCL_NAME, ARGV0, nbuf);
+ goto clean_return;
+ }
+
+
+
+ /* Getting the real entries. */
do
{
int g_found = 0;
+
/* Getting entry name */
if(name == NULL)
{
- nbuf = _rkcl_getfp(fp, buf);
- if(nbuf == NULL)
- {
- return(0);
- }
-
-
- /* Getting any variable */
- if(_rkcl_get_vars(vars, nbuf))
- {
- continue;
- }
-
-
- /* Veryfying that the name is valid */
- name = _rkcl_get_name(nbuf, ref, &condition);
-
- if(name == NULL || condition == RKCL_COND_INV)
- {
- merror(INVALID_RKCL_NAME, ARGV0, nbuf);
- return(0);
- }
+ merror(INVALID_RKCL_NAME, ARGV0, "NULL");
+ goto clean_return;
}
debug2("%s: DEBUG: Checking entry: '%s'.", ARGV0, name);
+
/* Getting each value */
do
{
int negate = 0;
int found = 0;
+ value = NULL;
nbuf = _rkcl_getfp(fp, buf);
if(nbuf == NULL)
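Review bot: The `if(name == NULL)` branch that now opens the outer do-loop cannot be reached: `name` is checked against NULL just before the loop, and the only other assignment, `name = _rkcl_get_name(nbuf, ref, &condition);` at the bottom of the loop in a later hunk, already jumps to clean_return on NULL. Either delete it or mark it as a defensive guard with `/* Cannot happen: name is validated before the loop and at the end of each pass. */`. The new prologue also means a file that holds only variable lines, or nothing at all, leaves through clean_return without any entry being evaluated; the function comment should say so. rkcl_get_entry's body continues past this hunk.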
@@ -405,13 +449,8 @@
value = _rkcl_get_value(nbuf, &type);
if(value == NULL)
{
- if(name)
- {
- free(name);
- name = NULL;
- }
merror(INVALID_RKCL_VALUE, ARGV0, nbuf);
- return(0);
+ goto clean_return;
}
@@ -422,6 +461,7 @@
value++;
}
+
/* Checking for a file. */
if(type == RKCL_TYPE_FILE)
{
@@ -430,63 +470,58 @@
pattern = _rkcl_get_pattern(value);
+ f_value = value;
+
+
+ /* Getting any variable. */
+ if(value[0] == '$')
+ {
+ f_value = OSStore_Get(vars, value);
+ if(!f_value)
+ {
+ merror(INVALID_RKCL_VAR, ARGV0, value);
+ continue;
+ }
+ }
#ifdef WIN32
- final_file[0] = '\0';
- final_file[2048] = '\0';
-
- if(value[0] == '\\')
+ else if(value[0] == '\\')
{
- snprintf(final_file, 2047, "%s%s", root_dir, value);
+ final_file[0] = '\0';
+ final_file[sizeof(final_file -1)] = '\0';
+
+ snprintf(final_file, sizeof(final_file -2), "%s%s",
+ root_dir, value);
f_value = final_file;
}
- else if(value[0] == '$')
- {
- f_value = OSStore_Get(vars, value);
- }
else
{
- ExpandEnvironmentStrings(value, final_file, 2047);
+ final_file[0] = '\0';
+ final_file[sizeof(final_file -1)] = '\0';
+
+ ExpandEnvironmentStrings(value, final_file,
+ sizeof(final_file -2));
f_value = final_file;
}
- if(!f_value)
- {
- merror("%s: ERROR: Invalid variable for XXXX ", ARGV0);
- }
-
+ #endif
- debug2("%s: DEBUG: Checking file: '%s'.", ARGV0, final_file);
- if(rk_check_file(f_value, pattern))
- {
- debug2("%s: DEBUG: found file.", ARGV0);
- found = 1;
- }
- value = f_value;
- #else
-
- if(value[0] == '$')
- {
- f_value = OSStore_Get(vars, value);
- }
- else
- {
- f_value = value;
- }
-
- debug2("%s: DEBUG: Checking file: '%s'.", ARGV0, value);
+ debug2("%s: DEBUG: Checking file: '%s'.", ARGV0, f_value);
if(rk_check_file(f_value, pattern))
{
+ debug1("%s: DEBUG: found file.", ARGV0);
found = 1;
}
-
- #endif
}
+
+
+ /* Checking for a registry entry */
else if(type == RKCL_TYPE_REGISTRY)
{
char *entry = NULL;
char *pattern = NULL;
+
/* Looking for additional entries in the registry
* and a pattern to match.
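Review bot: `sizeof(final_file -1)` and `sizeof(final_file -2)` in the new WIN32 branches do not mean "array size minus 1/2": `final_file - 1` is a pointer expression, so sizeof yields sizeof(char *), i.e. 4 or 8. As written, `final_file[sizeof(final_file -1)] = '\0'` clears byte 4 or 8 of the buffer, and `snprintf(final_file, sizeof(final_file -2), ...)` and `ExpandEnvironmentStrings(value, final_file, sizeof(final_file -2))` cap the output at a handful of characters, so every `\`-rooted or environment-expanded path is truncated and rk_check_file runs against a mangled name. Move the parenthesis in all four places: `final_file[sizeof(final_file) - 1] = '\0';` and `sizeof(final_file) - 2` (for snprintf, `sizeof(final_file)` alone is already the correct bound). This only affects Windows builds, which is presumably why it went unnoticed; the enclosing value loop continues past this hunk.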
@@ -496,14 +531,20 @@
{
pattern = _rkcl_get_pattern(entry);
}
-
+
+
+ #ifdef WIN32
debug2("%s: DEBUG: Checking registry: '%s'.", ARGV0, value);
if(is_registry(value, entry, pattern))
{
debug2("%s: DEBUG: found registry.", ARGV0);
found = 1;
}
+ #endif
}
+
+
+ /* Checking for a process. */
else if(type == RKCL_TYPE_PROCESS)
{
debug2("%s: DEBUG: Checking process: '%s'.", ARGV0, value);
@@ -514,6 +555,7 @@
}
}
+
/* Switching the values if ! is present */
if(negate)
{
@@ -528,6 +570,7 @@
}
+ /** Checking the conditions **/
if(condition == RKCL_COND_ANY)
{
debug2("%s: DEBUG: Condition ANY.", ARGV0);
@@ -551,6 +594,7 @@
}
}while(value != NULL);
+
/* Alerting if necessary */
if(g_found == 1)
{
@@ -567,37 +611,43 @@
notify_rk(ALERT_POLICY_VIOLATION, op_msg);
}
+
/* Ending if we don't have anything else. */
if(!nbuf)
{
- if(name)
- {
- free(name);
- name = NULL;
- }
- return(0);
+ goto clean_return;
+ }
+
+
+ /* Cleaning up name. */
+ if(name)
+ {
+ free(name);
+ name = NULL;
}
+
/* Getting name already read */
- if(_rkcl_is_name(nbuf))
+ name = _rkcl_get_name(nbuf, ref, &condition);
+ if(!name)
{
- tmp_str = _rkcl_get_name(nbuf, ref, &condition);
- if(tmp_str)
- {
- if(name)
- {
- free(name);
- }
- name = tmp_str;
- }
- else
- {
- merror(INVALID_RKCL_NAME, ARGV0, nbuf);
- return(0);
- }
+ merror(INVALID_RKCL_NAME, ARGV0, nbuf);
+ goto clean_return;
}
}while(nbuf != NULL);
+
+
+ /* Cleaning up the memory */
+ clean_return:
+ if(name)
+ {
+ free(name);
+ name = NULL;
+ }
+ vars = OSStore_Free(vars);
+
+
return(1);
}
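Review bot: Every exit now funnels through `clean_return:` and ends in `return(1);`, the normal end-of-file path and the merror() exits for an invalid variable, name or value alike, so the return value still tells the caller nothing (before this change the same paths all returned 0). The callers in check_rc_policy.c ignore it today, but the cleanup label is the natural place to make it meaningful: set an `int ret` to an error value before each error `goto clean_return` and finish with `return(ret);`, or state in the header comment that the value is not significant. The header comment lies outside this hunk.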
Index: rootcheck-config.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/rootcheck-config.c,v
diff -u -r1.6 -r1.7
--- rootcheck-config.c 26 Jun 2007 00:49:51 -0000 1.6
+++ rootcheck-config.c 20 Sep 2007 04:06:00 -0000 1.7
@@ -39,6 +39,7 @@
char *(xml_workdir[])={xml_rootcheck, "work_directory", NULL};
char *(xml_rootkit_files[])={xml_rootcheck, "rootkit_files", NULL};
char *(xml_rootkit_trojans[])={xml_rootcheck, "rootkit_trojans", NULL};
+ char *(xml_rootkit_unixaudit[])={xml_rootcheck, "system_audit", NULL};
char *(xml_rootkit_winaudit[])={xml_rootcheck, "windows_audit", NULL};
char *(xml_rootkit_winapps[])={xml_rootcheck, "windows_apps", NULL};
char *(xml_rootkit_winmalware[])={xml_rootcheck, "windows_malware", NULL};
@@ -155,6 +156,9 @@
rootcheck.rootkit_trojans = OS_GetOneContentforElement
(&xml,xml_rootkit_trojans);
+ rootcheck.unixaudit = OS_GetOneContentforElement
+ (&xml,xml_rootkit_unixaudit);
+
rootcheck.winaudit = OS_GetOneContentforElement
(&xml,xml_rootkit_winaudit);
Index: rootcheck.conf
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/rootcheck.conf,v
diff -u -r1.5 -r1.6
--- rootcheck.conf 27 Jul 2007 22:41:42 -0000 1.5
+++ rootcheck.conf 20 Sep 2007 04:06:00 -0000 1.6
@@ -4,6 +4,7 @@
<rootkit_files>./db/rootkit_files.txt</rootkit_files>
<rootkit_trojans>./db/rootkit_trojans.txt</rootkit_trojans>
+ <system_audit>./db/system_audit_rcl.txt</system_audit>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
Index: rootcheck.h
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/rootcheck.h,v
diff -u -r1.29 -r1.30
--- rootcheck.h 5 Jul 2007 00:14:12 -0000 1.29
+++ rootcheck.h 20 Sep 2007 04:06:00 -0000 1.30
@@ -79,9 +79,9 @@
*/
int os_check_ads(char *full_path);
-/* os_get_win32_process_list: Get list of win32 processes
+/* os_get_process_list: Get list of processes
*/
-void *os_get_win32_process_list();
+void *os_get_process_list();
/* is_process: Check is a process is running.
*/
@@ -117,6 +117,8 @@
void check_rc_trojans(char *basedir, FILE *fp);
+void check_rc_unixaudit(FILE *fp, void *p_list);
+
void check_rc_winaudit(FILE *fp, void *p_list);
void check_rc_winmalware(FILE *fp, void *p_list);
@@ -150,12 +152,12 @@
char total_ports_tcp[65535 +1];
-/* Win32 process struct */
-typedef struct _Win32Proc_Info
+/* Process struct */
+typedef struct _Proc_Info
{
char *p_name;
char *p_path;
-}Win32Proc_Info;
+}Proc_Info;
#endif
Index: run_rk_check.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/run_rk_check.c,v
diff -u -r1.32 -r1.33
--- run_rk_check.c 21 Jul 2007 02:53:21 -0000 1.32
+++ run_rk_check.c 20 Sep 2007 04:06:00 -0000 1.33
@@ -84,6 +84,7 @@
time_t time2;
FILE *fp;
+ OSList *plist;
#ifndef WIN32
/* Hard coding basedir */
@@ -103,7 +104,6 @@
/* Basedir for Windows */
char basedir[] = "C:\\";
- OSList *win32_plist;
#endif
@@ -121,12 +121,13 @@
if(rootcheck.notify != QUEUE)
{
printf("\n");
- printf("** Starting Rootcheck v0.8 by Daniel B. Cid **\n");
+ printf("** Starting Rootcheck v0.9 by Daniel B. Cid **\n");
printf("** http://www.ossec.net/en/about.html#dev-team **\n");
printf("** http://www.ossec.net/rootcheck/ **\n\n");
printf("Be patient, it may take a few minutes to complete...\n");
printf("\n");
}
+
/* Cleaning the global variables */
rk_sys_count = 0;
@@ -134,10 +135,12 @@
rk_sys_name[rk_sys_count] = NULL;
+
/* Sending scan start message */
notify_rk(ALERT_POLICY_VIOLATION, "Starting rootcheck scan.");
+
/*** First check, look for rootkits ***/
/* Open rootkit_files and pass the pointer to check_rc_files */
if(!rootcheck.rootkit_files)
@@ -163,6 +166,7 @@
fclose(fp);
}
}
+
/*** Second check. look for trojan entries in common binaries ***/
@@ -193,10 +197,11 @@
}
+
#ifdef WIN32
/*** Getting process list ***/
- win32_plist = os_get_win32_process_list();
+ plist = os_get_process_list();
/*** Windows audit check ***/
@@ -214,7 +219,7 @@
}
else
{
- check_rc_winaudit(fp, win32_plist);
+ check_rc_winaudit(fp, plist);
fclose(fp);
}
}
@@ -234,7 +239,7 @@
}
else
{
- check_rc_winmalware(fp, win32_plist);
+ check_rc_winmalware(fp, plist);
fclose(fp);
}
}
@@ -254,15 +259,50 @@
}
else
{
- check_rc_winapps(fp, win32_plist);
+ check_rc_winapps(fp, plist);
fclose(fp);
}
}
/* Freeing process list */
- del_plist((void *)win32_plist);
+ del_plist((void *)plist);
+
+
+ /** Checks for other non Windows. **/
+ #else
+
+
+
+ /*** Unix audit check ***/
+ if(!rootcheck.unixaudit)
+ {
+ merror("%s: No unixaudit file configured.", ARGV0);
+ }
+ else
+ {
+ fp = fopen(rootcheck.unixaudit, "r");
+ if(!fp)
+ {
+ merror("%s: No unixaudit file: '%s'",ARGV0,
+ rootcheck.unixaudit);
+ }
+ else
+ {
+ /* Getting process list. */
+ plist = os_get_process_list();
+
+ /* Running unix audit. */
+ check_rc_unixaudit(fp, plist);
+
+ /* Freeing list */
+ del_plist((void *)plist);
+ fclose(fp);
+ }
+ }
+
+
#endif
Index: win-common.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/win-common.c,v
diff -u -r1.10 -r1.11
--- win-common.c 26 Jul 2007 01:32:03 -0000 1.10
+++ win-common.c 20 Sep 2007 04:06:00 -0000 1.11
@@ -413,92 +413,6 @@
}
-
-/* del_plist:. Deletes the process list
- */
-int del_plist(void *p_list_p)
-{
- OSList *p_list = (OSList *)p_list_p;
- OSListNode *l_node;
- OSListNode *p_node = NULL;
-
- if(p_list == NULL)
- {
- return(0);
- }
-
- l_node = OSList_GetFirstNode(p_list);
- while(l_node)
- {
- Win32Proc_Info *pinfo;
-
- pinfo = (Win32Proc_Info *)l_node->data;
-
- free(pinfo->p_name);
- free(pinfo->p_path);
- free(l_node->data);
-
- if(p_node)
- {
- free(p_node);
- p_node = NULL;
- }
- p_node = l_node;
-
- l_node = OSList_GetNextNode(p_list);
- }
-
- if(p_node)
- {
- free(p_node);
- p_node = NULL;
- }
-
- free(p_list);
-
- return(1);
-}
-
-
-
-/* is_process: Check is a process is running.
- */
-int is_process(char *value, void *p_list_p)
-{
- OSList *p_list = (OSList *)p_list_p;
- OSListNode *l_node;
- if(p_list == NULL)
- {
- return(0);
- }
- if(!value)
- {
- return(0);
- }
-
-
- l_node = OSList_GetFirstNode(p_list);
- while(l_node)
- {
- Win32Proc_Info *pinfo;
-
- pinfo = (Win32Proc_Info *)l_node->data;
-
- /* Checking if value matches */
- if(pt_matches(pinfo->p_path, value))
- {
- return(1);
- }
-
- l_node = OSList_GetNextNode(p_list);
- }
-
- return(0);
-
-}
-
-
-
#else /* WIN32 */
@@ -508,10 +422,6 @@
return(0);
}
int is_registry(char *entry_name, char *reg_option, char *reg_value)
-{
- return(0);
-}
-int is_process(char *value, void *p_list)
{
return(0);
}
Index: win-process.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/win-process.c,v
diff -u -r1.1 -r1.2
--- win-process.c 30 Jun 2007 21:48:14 -0000 1.1
+++ win-process.c 20 Sep 2007 04:06:00 -0000 1.2
@@ -71,8 +71,8 @@
-/* os_get_win32_process_list: Get list of win32 processes */
-void *os_get_win32_process_list()
+/* os_get_process_list: Get list of win32 processes */
+void *os_get_process_list()
{
OSList *p_list = NULL;
@@ -155,7 +155,7 @@
{
char *p_name;
char *p_path;
- Win32Proc_Info *p_info;
+ Proc_Info *p_info;
/* Setting process name */
os_strdup(p_entry.szExeFile, p_name);
@@ -187,7 +187,7 @@
CloseHandle(hmod);
}
- os_calloc(1, sizeof(Win32Proc_Info), p_info);
+ os_calloc(1, sizeof(Proc_Info), p_info);
p_info->p_name = p_name;
p_info->p_path = p_path;
OSList_AddData(p_list, p_info);
Modified files:
Makefile
Log message:
Description: Adding support for the AIX syslog header format, and fixing some compilation issues with prelude.
Reviewed by: dcid
Bug:
Index: Makefile
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/Makefile,v
diff -u -r1.9 -r1.10
--- Makefile 10 Oct 2007 23:29:32 -0000 1.9
+++ Makefile 11 Oct 2007 22:17:57 -0000 1.10
@@ -41,7 +41,7 @@
@echo "CEXTRA=-DCLIENT" >> ./Config.OS
setprelude:
- @echo "CPRELUDE=-DPRELUDE `libprelude-config --cflags` `libprelude-config --libs`" >> ./Config.OS
+ @echo "CPRELUDE=-DPRELUDE -lprelude `libprelude-config --pthread-cflags` `libprelude-config --libs`" >> ./Config.OS
setlocal:
@echo "CEXTRA=-DLOCAL" >> ./Config.OS
Modified files:
Makefile
Log message:
Description: Changing the way we compile for db support. Final fixes for prelude support. Hopefully final version before beta2.
Reviewed by: dcid
Bug:
Index: Makefile
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/Makefile,v
diff -u -r1.10 -r1.11
--- Makefile 11 Oct 2007 22:17:57 -0000 1.10
+++ Makefile 18 Oct 2007 00:06:58 -0000 1.11
@@ -9,10 +9,12 @@
@echo "\"make local\" to build the local."
@echo "\"make agent\" to build the agent."
@echo "\"make libs\" to build the libraries only."
- @echo "\"make clean\" to clean anything built"
- @echo "\"make setagent\" to set agent install"
- @echo "\"make setlocal\" to set local install"
- @echo "\"make setprelude\" to set local install"
+ @echo "\"make clean\" to clean anything built."
+ @echo "\"make setagent\" to set agent install."
+ @echo "\"make setlocal\" to set local install."
+ @echo "\"make setprelude\" to enable prelude output."
+ @echo "\"make setdb\" to enable database support."
+ @echo "\"make unsetdb\" to disable database support."
clean:
@/bin/sh ./Makeall clean
@@ -42,7 +44,11 @@
setprelude:
@echo "CPRELUDE=-DPRELUDE -lprelude `libprelude-config --pthread-cflags` `libprelude-config --libs`" >> ./Config.OS
-
+
+setdb:
+ @cd ./os_dbd; echo "CDB=`./dbmake.sh`" >> ../Config.OS;
+unsetdb:
+ @echo "CDB=" >> ./Config.OS;
setlocal:
@echo "CEXTRA=-DLOCAL" >> ./Config.OS
Modified files:
Makefile analysisd.c rules.c rules.h rules_list.c
Log message:
Description: Adding compiled rules.
Reviewed by: dcid
Bug:
Index: Makefile
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/Makefile,v
diff -u -r1.10 -r1.11
--- Makefile 15 Aug 2008 21:03:04 -0000 1.10
+++ Makefile 30 Oct 2008 14:41:52 -0000 1.11
@@ -7,7 +7,7 @@
include ../Config.Make
-LOCAL= analysisd.c stats.c rules.c rules_list.c config.c fts.c eventinfo.c eventinfo_list.c cleanevent.c active-response.c prelude.c ${OS_CONFIG}
+LOCAL= analysisd.c stats.c rules.c rules_list.c config.c fts.c eventinfo.c eventinfo_list.c cleanevent.c active-response.c prelude.c compiled_rules/*.o ${OS_CONFIG}
PLUGINS = decoders/decoders.a
ALERTS = alerts/alerts.a
@@ -17,16 +17,19 @@
logaudit:
cd ./alerts; make
cd ./decoders; make
+ cd ./compiled_rules; make;
$(CC) $(CFLAGS) ${OS_LINK} -I./ ${loga_OBJS} -o ${NAME}
logtest:
cd ./alerts; make
cd ./decoders; make logtest
+ cd ./compiled_rules; make;
$(CC) $(CFLAGS) ${OS_LINK} -DTESTRULE -I./ testrule.c ${loga_OBJS} -o ossec-logtest
clean:
cd ./alerts; make clean
cd ./decoders; make clean
+ cd ./compiled_rules; make clean
${CLEAN}
build:
Index: analysisd.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/analysisd.c,v
diff -u -r1.140 -r1.141
--- analysisd.c 20 Aug 2008 19:48:39 -0000 1.140
+++ analysisd.c 30 Oct 2008 14:41:52 -0000 1.141
@@ -1234,6 +1234,15 @@
/* Extra information from event */
if(currently_rule->alert_opts & DO_EXTRAINFO)
{
+ /* Checking compiled rule. */
+ if(currently_rule->compiled_rule)
+ {
+ if(!currently_rule->compiled_rule(lf))
+ {
+ return(NULL);
+ }
+ }
+
/* Checking if exist any user to match */
if(currently_rule->user)
Index: rules.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/rules.c,v
diff -u -r1.75 -r1.76
--- rules.c 18 Aug 2008 16:48:02 -0000 1.75
+++ rules.c 30 Oct 2008 14:41:52 -0000 1.76
@@ -17,6 +17,7 @@
#include "rules.h"
#include "config.h"
#include "eventinfo.h"
+#include "compiled_rules/compiled_rules.h"
/* Chaging path for test rule. */
@@ -97,6 +98,7 @@
char *xml_program_name = "program_name";
char *xml_status = "status";
char *xml_action = "action";
+ char *xml_compiled = "compiled_rule";
char *xml_if_sid = "if_sid";
char *xml_if_group = "if_group";
@@ -589,6 +591,33 @@
loadmemory(url,
rule_opt[k]->content);
}
+ else if(strcasecmp(rule_opt[k]->element, xml_compiled)==0)
+ {
+ int it_id = 0;
+
+ while(compiled_rules_name[it_id])
+ {
+ if(strcmp(compiled_rules_name[it_id],
+ rule_opt[k]->content) == 0)
+ break;
+ it_id++;
+ }
+
+ /* checking if the name is valid. */
+ if(!compiled_rules_name[it_id])
+ {
+ merror("%s: ERROR: Compiled rule not found: '%s'",
+ ARGV0, rule_opt[k]->content);
+ merror(INVALID_CONFIG, ARGV0,
+ rule_opt[k]->element, rule_opt[k]->content);
+ return(-1);
+
+ }
+
+ config_ruleinfo->compiled_rule = compiled_rules_list[it_id];
+ if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
+ config_ruleinfo->alert_opts |= DO_EXTRAINFO;
+ }
/* We allow these four categories so far */
else if(strcasecmp(rule_opt[k]->element, xml_category)==0)
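Review bot: The lookup `while(compiled_rules_name[it_id])` followed by `compiled_rules_list[it_id]` assumes two parallel arrays of the same length with a NULL sentinel closing the name table, and nothing here checks that; if the tables in compiled_rules.h ever drift apart the list could be indexed past its end. A comment at the loop, `/* compiled_rules_name[] and compiled_rules_list[] are parallel, NULL-terminated tables */`, pins the contract, and the unbraced `if (...) break;` should get braces like the rest of this file. The enclosing option loop starts and ends outside this hunk.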
@@ -1399,6 +1428,7 @@
ruleinfo_pt->group_search = NULL;
ruleinfo_pt->event_search = NULL;
+ ruleinfo_pt->compiled_rule = NULL;
return(ruleinfo_pt);
}
Index: rules.h
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/rules.h,v
diff -u -r1.39 -r1.40
--- rules.h 17 Jun 2008 17:03:57 -0000 1.39
+++ rules.h 30 Oct 2008 14:41:52 -0000 1.40
@@ -129,6 +129,7 @@
OSMatch *if_matched_group;
int if_matched_sid;
+ void *(*compiled_rule)(void *lf);
active_response **ar;
}RuleInfo;
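Review bot: The new member `void *(*compiled_rule)(void *lf);` carries no comment on what the callback is handed or must return, while analysisd.c treats a NULL result as "rule does not match" and rules.c forces DO_EXTRAINFO so that the call is reached at all. Add above it: `/* Optional compiled check from compiled_rules_list[]; called with the event (lf) and must return non-NULL when the rule matches. */`.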
Index: rules_list.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/rules_list.c,v
diff -u -r1.26 -r1.27
--- rules_list.c 17 Jun 2008 17:03:57 -0000 1.26
+++ rules_list.c 30 Oct 2008 14:41:52 -0000 1.27
@@ -373,6 +373,7 @@
r_node->ruleinfo->context = newrule->context;
r_node->ruleinfo->decoded_as = newrule->decoded_as;
r_node->ruleinfo->ar = newrule->ar;
+ r_node->ruleinfo->compiled_rule = newrule->compiled_rule;
return(1);
}
Modified files:
Makefile analysisd.c config.c
Added files:
picviz.c picviz.h
Log message:
Description: Adding support for picviz.
Reviewed by: dcid
Bug:
--- NEW FILE: picviz.c ---
/* @(#) $Id: picviz.c,v 1.1 2009/02/02 15:55:39 dcid Exp $ */
/* Copyright (C) 2009 Sebastien Tricaud
* Copyright (C) 2004-2009 Third Brigade, Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
* License (version 3) as published by the FSF - Free Software
* Foundation
*/
#include "shared.h"
#include "eventinfo.h"
/* Stream the picviz lines are appended to. Stays NULL until
 * OS_PicvizOpen() succeeds, which lets OS_PicvizLog() bail out early. */
static FILE *picviz_fp;

/* Rule level -> picviz line colour, four levels per band. Entry 16 is
 * the top of the table; OS_PicvizLog() handles levels above 15 itself. */
static char *ossec2picviz[] = {
    "blue",   "blue",   "blue",   "blue",     /* levels 0-3   */
    "green",  "green",  "green",  "green",    /* levels 4-7   */
    "orange", "orange", "orange", "orange",   /* levels 8-11  */
    "red",    "red",    "red",    "red",      /* levels 12-15 */
    "red",                                    /* level 16     */
};
void OS_PicvizOpen(char *socket)
{
picviz_fp = fopen(socket, "a");
if(!picviz_fp)
{
merror("%s: Unable to open picviz socket file '%s'.",
ARGV0, socket);
}
}
void OS_PicvizLog(Eventinfo *lf)
{
char *color = (lf->generated_rule->level > 15) ? "red" : ossec2picviz[lf->generated_rule->level];
char *hostname;
char *location;
char *srcip;
char *dstip;
char *srcuser;
char *dstuser;
char *prgname;
char *comment;
if(!picviz_fp)
return;
hostname = lf->hostname ? lf->hostname : "";
location = lf->location ? lf->location : "";
srcip = lf->srcip ? lf->srcip : "";
dstip = lf->dstip ? lf->dstip : "";
srcuser = lf->srcuser ? lf->srcuser : "";
dstuser = lf->dstuser ? lf->dstuser : "";
prgname = lf->program_name ? lf->program_name : "";
comment = lf->generated_rule->comment ? lf->generated_rule->comment : "";
fprintf(picviz_fp,
"time=\"%s\", host=\"%s\", file=\"%s\", sip=\"%s\", dip=\"%s\""
", srcuser=\"%s\", dstuser=\"%s\", prgnme=\"%s\", alert=\"%s\" [color=\"%s\"];\n",
lf->hour,
hostname, location, srcip, dstip, srcuser, dstuser, prgname, comment, color);
fflush(picviz_fp);
}
void OS_PicvizClose(void)
{
if(picviz_fp)
fclose(picviz_fp);
}
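Review bot: OS_PicvizLog writes hostname, location, srcip, dstip, srcuser, dstuser, program_name and the rule comment into a quoted record with plain `%s` and no escaping, so event text that contains `"` or a line break corrupts the record and lets a log line inject its own `key="value"` fields or a bogus `[color=...]` into the picviz stream; those fields come from the parsed event, so they must be sanitized before the fprintf at the end of the function. The fprintf and fflush results are also ignored, and if the configured path is a FIFO (which the `socket` naming suggests but the code does not establish) a write with no reader will raise SIGPIPE and end the daemon unless SIGPIPE is ignored elsewhere, so a failing fflush should retire the sink instead of being retried on every alert. The ossec2picviz table has 17 entries and the `> 15` guard keeps non-negative levels in range, but nothing clamps a negative `level`; I cannot confirm its range from here, so `level < 0` should be treated like the overflow case if it is possible. A replacement-based field writer keeps the format assumptions minimal:

```c
/* Emit s as a quoted picviz value; '"' and line breaks would break the
 * record format, so they are replaced rather than passed through. */
static void picviz_put_field(FILE *fp, const char *s)
{
    fputc('"', fp);
    for(; *s != '\0'; s++)
    {
        if(*s == '"' || *s == '\n' || *s == '\r')
            fputc(' ', fp);
        else
            fputc(*s, fp);
    }
    fputc('"', fp);
}

void OS_PicvizLog(Eventinfo *lf)
{
    /* … unchanged: color selection and NULL-to-"" fallbacks … */
    fprintf(picviz_fp, "time=");
    picviz_put_field(picviz_fp, lf->hour);
    fprintf(picviz_fp, ", host=");
    picviz_put_field(picviz_fp, hostname);
    /* … same pattern for file=, sip=, dip=, srcuser=, dstuser=, prgnme=, alert= … */
    fprintf(picviz_fp, " [color=\"%s\"];\n", color);
    if(fflush(picviz_fp) != 0)
    {
        /* Sink is gone (no reader / write error): stop writing rather than
         * fail, or get SIGPIPE, on every subsequent alert. */
        fclose(picviz_fp);
        picviz_fp = NULL;
    }
}
```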
--- NEW FILE: picviz.h ---
/* @(#) $Id: picviz.h,v 1.1 2009/02/02 15:55:39 dcid Exp $ */
/* Copyright (C) 2009 Sebastien Tricaud
* Copyright (C) 2004-2009 Third Brigade, Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
* License (version 3) as published by the FSF - Free Software
* Foundation
*/
#include <stdio.h>
#include "eventinfo.h"
#ifndef _PICVIZ_H_
#define _PICVIZ_H_
void OS_PicvizOpen(char *socket);
void OS_PicvizLog(Eventinfo *lf);
void OS_PicvizClose(void);
#endif /* _PICVIZ_H_ */
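Review bot: The two `#include` lines sit outside the `#ifndef _PICVIZ_H_` guard, so they are re-processed on every inclusion; move them below `#define _PICVIZ_H_`. `OS_PicvizOpen` never modifies the path it receives, so the declaration (and definition) can be `void OS_PicvizOpen(const char *socket);`, which also lets it accept a `const` config string without a cast. The guard name `_PICVIZ_H_` is in the implementation-reserved namespace (leading underscore plus uppercase); that is presumably the convention the other headers in this tree already follow, so only worth changing if they change too.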
Index: Makefile
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/Makefile,v
diff -u -r1.11 -r1.12
--- Makefile 30 Oct 2008 14:41:52 -0000 1.11
+++ Makefile 2 Feb 2009 15:55:39 -0000 1.12
@@ -7,7 +7,7 @@
include ../Config.Make
-LOCAL= analysisd.c stats.c rules.c rules_list.c config.c fts.c eventinfo.c eventinfo_list.c cleanevent.c active-response.c prelude.c compiled_rules/*.o ${OS_CONFIG}
+LOCAL= analysisd.c stats.c rules.c rules_list.c config.c fts.c eventinfo.c eventinfo_list.c cleanevent.c active-response.c picviz.c prelude.c compiled_rules/*.o ${OS_CONFIG}
PLUGINS = decoders/decoders.a
ALERTS = alerts/alerts.a
Index: analysisd.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/analysisd.c,v
diff -u -r1.141 -r1.142
--- analysisd.c 30 Oct 2008 14:41:52 -0000 1.141
+++ analysisd.c 2 Feb 2009 15:55:39 -0000 1.142
@@ -44,6 +44,8 @@
#include "eventinfo.h"
#include "analysisd.h"
+#include "picviz.h"
+
#ifdef PRELUDE
#include "prelude.h"
#endif
@@ -258,13 +260,19 @@
prelude_start(Config.prelude_profile, argc, argv);
}
#endif
+
+
+ /* Opening the Picviz socket */
+ if(Config.picviz)
+ {
+ OS_PicvizOpen(Config.picviz_socket);
+ }
/* Setting the group */
if(Privsep_SetGroup(gid) < 0)
ErrorExit(SETGID_ERROR,ARGV0,group);
-
/* Chrooting */
if(Privsep_Chroot(dir) < 0)
ErrorExit(CHROOT_ERROR,ARGV0,dir);
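Review bot: `OS_PicvizOpen(Config.picviz_socket)` is called before `Privsep_SetGroup` and `Privsep_Chroot`, so the configured path is opened (and, with `"a"` mode, created) with the daemon's startup privileges and the FILE keeps working after the chroot; that is presumably deliberate so the path need not live inside the jail, but it deserves a comment such as `/* Opened before chroot so the picviz socket can live outside the jail. */`, and the path must be an admin-owned, non-symlink location since whatever it points to is opened with those privileges. A failed open only `merror()`s while `Config.picviz` stays set, so every later alert silently skips the sink; either make the failure fatal like the setgid/chroot errors or at least clear `Config.picviz` so the degradation is explicit. If the path is a FIFO, `fopen` blocks here until a reader attaches, stalling startup before privileges are dropped. The enclosing `main()` starts outside this hunk.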
@@ -457,6 +465,10 @@
/* Going to main loop */
OS_ReadMSG(m_queue);
+ if (Config.picviz)
+ {
+ OS_PicvizClose();
+ }
exit(0);
@@ -942,6 +954,13 @@
}
#endif
+
+ /* Log to Picviz */
+ if (Config.picviz)
+ {
+ OS_PicvizLog(lf);
+ }
+
/* Execute an active response */
if(currently_rule->ar)
Index: config.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/config.c,v
diff -u -r1.29 -r1.30
--- config.c 17 Jun 2008 17:03:57 -0000 1.29
+++ config.c 2 Feb 2009 15:55:39 -0000 1.30
@@ -40,6 +40,7 @@
Config.integrity = 8;
Config.rootcheck = 8;
Config.hostinfo = 8;
+ Config.picviz = 0;
Config.prelude = 0;
Config.memorysize = 1024;
Config.mailnotify = -1;
Modified files:
config.c syscheck.h
Log message:
Description: More syscheck fixes..
Reviewed by: dcid
Bug:
Index: config.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/config.c,v
diff -u -r1.29 -r1.30
--- config.c 24 Jun 2009 18:53:09 -0000 1.29
+++ config.c 30 Jun 2009 17:08:19 -0000 1.30
@@ -37,6 +37,10 @@
#endif
+ /* Starting realtime */
+ realtime_start();
+
+
/* Reading config */
if(ReadConfig(modules, cfgfile, &syscheck, NULL) < 0)
return(OS_INVALID);
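Review bot: The result of `realtime_start()` is discarded even though syscheck.h declares it as returning `int`, and it now runs before `ReadConfig`, so realtime resources are set up whether or not the configuration ends up enabling any realtime directory. If a negative return signals failure as it does for `ReadConfig` two lines below, handle it the same way: `if(realtime_start() < 0) return(OS_INVALID);` (or log it if realtime is best-effort). Whether the call must precede config parsing because `realtime_adddir` needs it initialized first cannot be told from this hunk; a one-line comment stating that ordering constraint would save the next reader the question. The enclosing function starts outside this hunk.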
Index: syscheck.h
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/syscheckd/syscheck.h,v
diff -u -r1.15 -r1.16
--- syscheck.h 24 Jun 2009 18:53:09 -0000 1.15
+++ syscheck.h 30 Jun 2009 17:08:19 -0000 1.16
@@ -56,6 +56,9 @@
*/
void os_winreg_check();
+/* starts real time */
+int realtime_start();
+
/* Adds a directory to real time monitoring. */
int realtime_adddir(char *dir);
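Review bot: `int realtime_start();` with empty parentheses is an old-style declaration that disables argument checking at call sites, unlike the `realtime_adddir(char *dir)` prototype beside it; declare it as `int realtime_start(void);`. The comment should also state what the return value means, e.g. `/* Starts real time monitoring. Returns 0 on success, -1 on failure. */`, matching the definition, which is not part of this diff, so that callers such as the one in config.c know whether to check it.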