Modified files:
Makefile syscheck_control.c
Added files:
rootcheck_control.c
Log message:
Description: Adding rootcheck_control script to manage the policy/auditing db.
Reviewed by: dcid
Bug:
--- NEW FILE: rootcheck_control.c ---
/* @(#) $Id: rootcheck_control.c,v 1.1 2008/08/22 12:24:09 dcid Exp $ */
/* Copyright (C) 2008 Third Brigade, Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
* License (version 3) as published by the FSF - Free Software
* Foundation
*/
#include "addagent/manage_agents.h"
#include "sec.h"
#undef ARGV0
#define ARGV0 "rootcheck_control"
/** help **/
/*
 * Prints the usage text for this tool to stdout and terminates the
 * process with exit status 1.  Never returns.
 */
void helpmsg()
{
    static const char *const usage_lines[] = {
        "Available options:\n",
        "\t-h This help message.\n",
        "\t-l List available (active or not) agents.\n",
        "\t-lc List only active agents.\n",
        "\t-u <id> Updates (clear) the database for the agent.\n",
        "\t-u all Updates (clear) the database for all agents.\n",
        "\t-i <id> Prints database for the agent.\n",
        "\t-r Used with -i, prints all the resolved issues.\n",
        "\t-q Used with -i, prints all the outstanding issues.\n",
        "\t-s Changes the output to CSV (comma delimited).\n",
    };
    size_t k;

    /* Banner carries the program name; the option lines are fixed text. */
    printf("\nOSSEC HIDS %s: Manages the policy and auditing database.\n",
           ARGV0);
    for (k = 0; k < sizeof(usage_lines) / sizeof(usage_lines[0]); k++) {
        fputs(usage_lines[k], stdout);
    }

    exit(1);
}
/** main **/
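/*
 * Empties the rootcheck database of every agent and of the server.
 *
 * Every entry of ROOTCHECK_DIR (other than "." and "..") is truncated by
 * reopening it for writing; entries whose name starts with '.' are
 * removed as well.  A failed open is ignored.  Exits through ErrorExit()
 * if the directory cannot be opened.
 */
static void clear_all_rootcheck_dbs(void)
{
    DIR *sys_dir;
    struct dirent *entry;

    sys_dir = opendir(ROOTCHECK_DIR);
    if (!sys_dir) {
        ErrorExit("%s: Unable to open: '%s'", ARGV0, ROOTCHECK_DIR);
    }

    while ((entry = readdir(sys_dir)) != NULL) {
        FILE *fp;
        char full_path[OS_MAXSTR + 1];

        /* Do not even attempt to delete . and .. :) */
        if ((strcmp(entry->d_name, ".") == 0) ||
            (strcmp(entry->d_name, "..") == 0)) {
            continue;
        }

        snprintf(full_path, OS_MAXSTR, "%s/%s", ROOTCHECK_DIR,
                 entry->d_name);

        /* Truncate in place; an entry that cannot be opened is skipped. */
        fp = fopen(full_path, "w");
        if (fp) {
            fclose(fp);
        }

        /* Hidden entries are removed rather than merely emptied. */
        if (entry->d_name[0] == '.') {
            unlink(full_path);
        }
    }

    closedir(sys_dir);
}

/*
 * Empties and then removes the server's own rootcheck database
 * (ROOTCHECK_DIR/rootcheck).  Failures of the open or the unlink are
 * ignored, as in the per-agent paths.
 */
static void clear_local_rootcheck_db(void)
{
    char final_dir[1024];
    FILE *fp;

    snprintf(final_dir, sizeof(final_dir), "/%s/rootcheck", ROOTCHECK_DIR);

    fp = fopen(final_dir, "w");
    if (fp) {
        fclose(fp);
    }
    unlink(final_dir);
}

/*
 * Empties the rootcheck database of one remote agent.
 *
 * agent_id is looked up in the key store; an unknown id prints a message
 * and ends in helpmsg(), which exits.  The deletion itself is delegated
 * to delete_rootcheck() with the agent's name and ip.
 */
static void clear_agent_rootcheck_db(char *agent_id)
{
    int i;
    keystore keys;

    OS_ReadKeys(&keys);
    i = OS_IsAllowedID(&keys, agent_id);
    if (i < 0) {
        printf("\n** Invalid agent id '%s'.\n", agent_id);
        helpmsg();
    }

    /* Deleting the agent's rootcheck db. */
    delete_rootcheck(keys.keyentries[i]->name,
                     keys.keyentries[i]->ip->ip, 0);
}

/*
 * Prints the policy/auditing (rootcheck) events of one agent.
 *
 * "000" or "local" selects the server itself; any other id is validated
 * against the key store (an unknown id prints a message and exits via
 * helpmsg()).  resolved_only is the value chosen by -r (1) / -q (2), 0
 * when neither was given; csv_output suppresses the header line and is
 * passed on to print_rootcheck().  shost is the server hostname shown in
 * the local header.
 */
static void print_agent_rootcheck(char *agent_id, int resolved_only,
                                  int csv_output, const char *shost)
{
    int i;
    char final_ip[128 + 1];
    char final_mask[128 + 1];
    keystore keys;

    if ((strcmp(agent_id, "000") == 0) ||
        (strcmp(agent_id, "local") == 0)) {
        if (!csv_output) {
            printf("\nPolicy and auditing events for local system '%s - %s':\n",
                   shost, "127.0.0.1");
        }
        print_rootcheck(NULL, NULL, NULL, resolved_only, csv_output);
        return;
    }

    OS_ReadKeys(&keys);
    i = OS_IsAllowedID(&keys, agent_id);
    if (i < 0) {
        printf("\n** Invalid agent id '%s'.\n", agent_id);
        helpmsg();
    }

    /*
     * Build "ip/mask" for the entry that was actually requested (index i);
     * the original indexed entry 0 here, so every agent showed the first
     * key's address.
     */
    final_ip[128] = '\0';
    final_mask[128] = '\0';
    getNetmask(keys.keyentries[i]->ip->netmask, final_mask, 128);
    snprintf(final_ip, 128, "%s%s", keys.keyentries[i]->ip->ip, final_mask);

    if (!csv_output) {
        printf("\nPolicy and auditing events for agent "
               "'%s (%s) - %s':\n",
               keys.keyentries[i]->name, keys.keyentries[i]->id,
               final_ip);
    }

    print_rootcheck(keys.keyentries[i]->name,
                    keys.keyentries[i]->ip->ip, NULL,
                    resolved_only, csv_output);
}

/*
 * rootcheck_control entry point.
 *
 * Parses the options documented in helpmsg(), drops to the unprivileged
 * user/group inside the chroot, then performs exactly one action:
 * list agents (-l / -lc), clear a rootcheck database (-u <id>|all|000),
 * or print one (-i <id>, optionally -r / -q, -s for CSV).  Every action
 * exits directly; reaching the end of main() means no action was chosen.
 */
int main(int argc, char **argv)
{
    char *dir = DEFAULTDIR;
    char *group = GROUPGLOBAL;
    char *user = USER;
    char *agent_id = NULL;
    int gid = 0;
    int uid = 0;
    int c = 0, info_agent = 0, update_rootcheck = 0, list_agents = 0;
    int resolved_only = 0, active_only = 0, csv_output = 0;
    char shost[512];

    /* Setting the name */
    OS_SetName(ARGV0);

    /* user arguments */
    if (argc < 2) {
        helpmsg();
    }

    while ((c = getopt(argc, argv, "VhqrDdlcsu:i:")) != -1) {
        switch (c) {
        case 'V':
            print_version();
            break;
        case 'h':
            helpmsg();
            break;
        case 'D':
            nowDebug();
            break;
        case 'l':
            list_agents++;
            break;
        case 's':
            csv_output = 1;
            /* break was missing here, so -s also implied -c. */
            break;
        case 'c':
            active_only++;
            break;
        case 'r':
            resolved_only = 1;
            break;
        case 'q':
            resolved_only = 2;
            break;
        case 'i':
            info_agent++;
            if (!optarg) {
                merror("%s: -i needs an argument", ARGV0);
                helpmsg();
            }
            agent_id = optarg;
            break;
        case 'u':
            if (!optarg) {
                merror("%s: -u needs an argument", ARGV0);
                helpmsg();
            }
            agent_id = optarg;
            update_rootcheck = 1;
            break;
        default:
            helpmsg();
            break;
        }
    }

    /*
     * Privilege drop, in this order: resolve both ids, set the group,
     * chroot, then set the user.  A missing user used to go unnoticed
     * until Privsep_SetUser(); it is now reported together with the group.
     */
    gid = Privsep_GetGroup(group);
    uid = Privsep_GetUser(user);
    if (gid < 0 || uid < 0) {
        ErrorExit(USER_ERROR, ARGV0, user, group);
    }

    /* Setting the group */
    if (Privsep_SetGroup(gid) < 0) {
        ErrorExit(SETGID_ERROR, ARGV0, group);
    }

    /* Chrooting to the default directory */
    if (Privsep_Chroot(dir) < 0) {
        ErrorExit(CHROOT_ERROR, ARGV0, dir);
    }

    /* Inside chroot now */
    nowChroot();

    /* Setting the user */
    if (Privsep_SetUser(uid) < 0) {
        ErrorExit(SETUID_ERROR, ARGV0, user);
    }

    /*
     * Server hostname for the listings.  On failure fall back to
     * "localhost" and carry on; the original returned 0 right after the
     * fallback, which silently skipped the requested action.
     */
    memset(shost, '\0', sizeof(shost));
    if (gethostname(shost, sizeof(shost) - 1) != 0) {
        snprintf(shost, sizeof(shost), "%s", "localhost");
    }

    /* Listing available agents. */
    if (list_agents) {
        if (!csv_output) {
            printf("\nOSSEC HIDS %s. List of available agents:",
                   ARGV0);
            printf("\n ID: 000, Name: %s (server), IP: 127.0.0.1, "
                   "Active/Local\n", shost);
        } else {
            printf("000,%s (server),127.0.0.1,Active/Local,\n", shost);
        }

        print_agents(1, active_only, csv_output);
        printf("\n");
        exit(0);
    }

    /* Update rootcheck database. */
    if (update_rootcheck) {
        if (strcmp(agent_id, "all") == 0) {
            clear_all_rootcheck_dbs();
        } else if ((strcmp(agent_id, "000") == 0) ||
                   (strcmp(agent_id, "local") == 0)) {
            clear_local_rootcheck_db();
        } else {
            clear_agent_rootcheck_db(agent_id);
        }

        printf("\n** Policy and auditing database updated.\n\n");
        exit(0);
    }

    /* Printing information from an agent. */
    if (info_agent) {
        print_agent_rootcheck(agent_id, resolved_only, csv_output, shost);
        exit(0);
    }

    printf("\n** Invalid argument combination.\n");
    helpmsg();

    return 0;
}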
/* EOF */
Index: Makefile
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/util/Makefile,v
diff -u -r1.12 -r1.13
--- Makefile 15 Aug 2008 21:03:08 -0000 1.12
+++ Makefile 22 Aug 2008 12:24:09 -0000 1.13
@@ -16,7 +16,8 @@
$(CC) $(CFLAGS) ${OS_LINK} list_agents.c $(OBJS) -o list_agents
$(CC) $(CFLAGS) ${OS_LINK} ${SUP} agent_control.c $(OBJS) -o agent_control
$(CC) $(CFLAGS) ${OS_LINK} ${SUP} syscheck_control.c $(OBJS) -o syscheck_control
+ $(CC) $(CFLAGS) ${OS_LINK} ${SUP} rootcheck_control.c $(OBJS) -o rootcheck_control
clean:
- $(CLEAN) syscheck_update clear_stats list_agents agent_control
+ $(CLEAN) syscheck_update clear_stats list_agents agent_control syscheck_control rootcheck_control
build:
- cp -pr syscheck_update clear_stats list_agents syscheck_control agent_control ${PT}../bin
+ cp -pr syscheck_update clear_stats list_agents syscheck_control rootcheck_control agent_control ${PT}../bin
Index: syscheck_control.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/util/syscheck_control.c,v
diff -u -r1.1 -r1.2
--- syscheck_control.c 7 Aug 2008 16:34:13 -0000 1.1
+++ syscheck_control.c 22 Aug 2008 12:24:09 -0000 1.2
@@ -269,7 +269,10 @@
{
fclose(fp);
}
- /* unlink(final_dir); */
+ unlink(final_dir);
+
+ printf("\n** Integrity check database updated.\n\n");
+ exit(0);
}
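Review bot: The newly enabled `unlink(final_dir);` has its return value ignored, so when the removal fails the lines added right after it still print "Integrity check database updated." and exit with status 0. The enclosing block starts outside this hunk, but the `fopen(final_dir, "w")`/`fclose` pair just above it is now only useful as a fallback when the unlink fails, which is worth stating in a comment such as `/* truncate first so the db is empty even if unlink() fails */`. I would report the failure rather than hide it: `if(unlink(final_dir) != 0 && errno != ENOENT)` followed by `merror("%s: Unable to remove '%s'", ARGV0, final_dir);` (merror and ARGV0 as used in the sibling utilities on this page).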
/* Database from remote agents. */
@@ -290,6 +293,9 @@
/* Deleting syscheck */
delete_syscheck(keys.keyentries[i]->name,
keys.keyentries[i]->ip->ip, 0);
+
+ printf("\n** Integrity check database updated.\n\n");
+ exit(0);
}
}
Modified files:
Makefile
Log message:
Description: Adding ossec-logtest to the default build.
Reviewed by: dcid
Bug:
Index: Makefile
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/Makefile,v
diff -u -r1.12 -r1.13
--- Makefile 2 Feb 2009 15:55:39 -0000 1.12
+++ Makefile 7 Apr 2009 18:20:00 -0000 1.13
@@ -19,9 +19,9 @@
cd ./decoders; make
cd ./compiled_rules; make;
$(CC) $(CFLAGS) ${OS_LINK} -I./ ${loga_OBJS} -o ${NAME}
+ make logtest
logtest:
- cd ./alerts; make
cd ./decoders; make logtest
cd ./compiled_rules; make;
$(CC) $(CFLAGS) ${OS_LINK} -DTESTRULE -I./ testrule.c ${loga_OBJS} -o ossec-logtest
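Review bot: The added `make logtest` line invokes the recursive make directly instead of `$(MAKE)`, so the parent's command-line overrides and jobserver flags are not propagated to the sub-make. The neighbouring `cd ./decoders; make` lines follow the same pattern, so this is consistent with the file as it stands; if it is ever cleaned up, `$(MAKE) logtest` is the form GNU make documents for this.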
@@ -34,3 +34,4 @@
build:
${BUILD}
+ cp -pr ossec-logtest ${PT}../bin
Modified files:
agent_control.c syscheck_control.c
Log message:
Description: Adding option to restart agent remotely and adding agentless to syscheck_control
Reviewed by: dcid
Bug:
Index: agent_control.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/util/agent_control.c,v
diff -u -r1.9 -r1.10
--- agent_control.c 25 Sep 2008 13:22:41 -0000 1.9
+++ agent_control.c 3 Jun 2009 18:09:55 -0000 1.10
@@ -27,6 +27,7 @@
printf("\t-l List available (active or not) agents.\n");
printf("\t-lc List active agents.\n");
printf("\t-i <id> Extracts information from an agent.\n");
+ printf("\t-R <id> Restarts agent.\n");
printf("\t-r -a Runs the integrity/rootkit checking on all agents now.\n");
printf("\t-r -u <id> Runs the integrity/rootkit checking on one agent now.\n\n");
printf("\t-b <ip> Blocks the specified ip address.\n");
@@ -52,7 +53,7 @@
int uid = 0;
int c = 0, restart_syscheck = 0, restart_all_agents = 0, list_agents = 0;
int info_agent = 0, agt_id = 0, active_only = 0, csv_output = 0;
- int list_responses = 0, end_time = 0;
+ int list_responses = 0, end_time = 0, restart_agent = 0;
char shost[512];
@@ -71,7 +72,7 @@
}
- while((c = getopt(argc, argv, "VehdlLcsaru:i:b:f:")) != -1)
+ while((c = getopt(argc, argv, "VehdlLcsaru:i:b:f:R:")) != -1)
{
switch(c){
case 'V':
@@ -127,6 +128,14 @@
}
ar = optarg;
break;
+ case 'R':
+ if(!optarg)
+ {
+ merror("%s: -R needs an argument",ARGV0);
+ helpmsg();
+ }
+ agent_id = optarg;
+ restart_agent = 1;
case 'a':
restart_all_agents = 1;
break;
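Review bot: The new `case 'R':` ends with `restart_agent = 1;` and no `break;`, so control falls through into `case 'a':` and `-R <id>` also sets `restart_all_agents = 1`. Whichever branch handles restart_all_agents runs before the new restart block in the last hunk of this file (that block is only reached after earlier `exit(0)` calls are not taken), so a single-agent restart would presumably trigger the all-agents action as well. Add `break;` after `restart_agent = 1;`. The `if(!optarg)` guard is unreachable because getopt returns '?' for a missing argument of `R:`, but that matches the existing cases and is harmless.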
@@ -219,6 +228,10 @@
continue;
*r_timeout = '\0';
+ if(strcmp(r_name, "restart-ossec0") == 0)
+ {
+ continue;
+ }
printf("\n Response name: %s, command: %s", r_name, r_cmd);
}
@@ -454,6 +467,33 @@
exit(0);
}
+
+ if(restart_agent && agent_id)
+ {
+ /* Connecting to remoted. */
+ debug1("%s: DEBUG: Connecting to remoted...", ARGV0);
+ arq = connect_to_remoted();
+ if(arq < 0)
+ {
+ printf("\n** Unable to connect to remoted.\n");
+ exit(1);
+ }
+ debug1("%s: DEBUG: Connected...", ARGV0);
+
+
+ if(send_msg_to_agent(arq, "restart-ossec0", agent_id, "null") == 0)
+ {
+ printf("\nOSSEC HIDS %s: Restarting agent: %s\n",
+ ARGV0, agent_id);
+ }
+ else
+ {
+ printf("\n** Unable to restart agent: %s\n", agent_id);
+ exit(1);
+ }
+
+ exit(0);
+ }
/* running active response on the specified agent id. */
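Review bot: The agent id given to `-R` reaches `send_msg_to_agent(arq, "restart-ossec0", agent_id, "null")` without any check that it names a known agent; the `-i` path in the sibling utilities on this page validates ids with `OS_IsAllowedID()` before using them, and doing the same here (before connecting to remoted) would turn a typo into a clear "Invalid agent id" instead of a message sent to nothing. The literal `"restart-ossec0"` now appears both here and in the response-listing filter of the earlier hunk; a single `#define` for the command name would keep the two in step. The `arq` descriptor is not closed on either path, which is tolerable only because both end in `exit()`.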
Index: syscheck_control.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/util/syscheck_control.c,v
diff -u -r1.2 -r1.3
--- syscheck_control.c 22 Aug 2008 12:24:09 -0000 1.2
+++ syscheck_control.c 3 Jun 2009 18:09:55 -0000 1.3
@@ -324,6 +324,16 @@
NULL, fname, 0, 0,
csv_output, zero_counter);
}
+ else if(strchr(agent_id, '@'))
+ {
+ if(fname)
+ {
+ printf("Detailed information for entries matching: '%s'\n",
+ fname);
+ }
+ print_syscheck(agent_id, NULL, fname, registry_only, 0,
+ csv_output, zero_counter);
+ }
else
{
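Review bot: The new `else if(strchr(agent_id, '@'))` branch passes the raw `agent_id` to `print_syscheck()` as its first argument, while the `else` branch below it (outside this hunk) appears to resolve ids through the key store first, as the sibling utility on this page does. A single '@' anywhere in the argument is a weak test for "agentless entry"; if print_syscheck builds a file path from that argument, as the `(agent_id, NULL, fname, …)` call suggests, the value should at least be rejected when it contains a '/' or ".." before it is used, and ideally matched against the configured agentless hosts. A short comment on the branch stating what form an agentless id takes would also help the next reader.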
Modified files:
agent_control.c clear_stats.c list_agents.c rootcheck_control.c
syscheck_control.c syscheck_update.c
Log message:
Description: Changing copyrights to Trend Micro
Reviewed by: dcid
Bug:
Index: agent_control.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/util/agent_control.c,v
diff -u -r1.10 -r1.11
--- agent_control.c 3 Jun 2009 18:09:55 -0000 1.10
+++ agent_control.c 24 Jun 2009 18:53:09 -0000 1.11
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: clear_stats.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/util/clear_stats.c,v
diff -u -r1.5 -r1.6
--- clear_stats.c 17 Jun 2008 17:04:09 -0000 1.5
+++ clear_stats.c 24 Jun 2009 18:53:09 -0000 1.6
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: list_agents.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/util/list_agents.c,v
diff -u -r1.6 -r1.7
--- list_agents.c 17 Jun 2008 17:04:09 -0000 1.6
+++ list_agents.c 24 Jun 2009 18:53:09 -0000 1.7
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2005,2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: rootcheck_control.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/util/rootcheck_control.c,v
diff -u -r1.4 -r1.5
--- rootcheck_control.c 20 Feb 2009 15:22:31 -0000 1.4
+++ rootcheck_control.c 24 Jun 2009 18:53:09 -0000 1.5
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: syscheck_control.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/util/syscheck_control.c,v
diff -u -r1.3 -r1.4
--- syscheck_control.c 3 Jun 2009 18:09:55 -0000 1.3
+++ syscheck_control.c 24 Jun 2009 18:53:09 -0000 1.4
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: syscheck_update.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/util/syscheck_update.c,v
diff -u -r1.15 -r1.16
--- syscheck_update.c 17 Jun 2008 17:04:09 -0000 1.15
+++ syscheck_update.c 24 Jun 2009 18:53:10 -0000 1.16
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2005,2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.