Modified files:
common.c common_rcl.c rootcheck.c
Log message:
Description: Adding support for the ESX security hardening audit.
Reviewed by: dcid
Bug:
Index: common.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/common.c,v
diff -u -r1.23 -r1.24
--- common.c 21 Jul 2008 00:59:58 -0000 1.23
+++ common.c 28 Aug 2008 12:07:35 -0000 1.24
@@ -19,10 +19,28 @@
+/** Checks if the specified string is already in the array.
+ */
+int _is_str_in_array(char **ar, char *str)
+{
+ while(*ar)
+ {
+ if(strcmp(*ar, str) == 0)
+ {
+ return(1);
+ }
+ ar++;
+ }
+ return(0);
+}
+
+
+
/** int rk_check_dir(char *dir, char *file, char *pattern)
*/
int rk_check_dir(char *dir, char *file, char *pattern)
{
+ int ret_code = 0;
char f_name[PATH_MAX +2];
struct dirent *entry;
struct stat statbuf_local;
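Review bot: `_is_str_in_array` at L16 is a file-scope identifier that begins with an underscore, a form C reserves for the implementation, and it carries neither `static` nor `const` although only this file appears to use it; `static int is_str_in_array(char **ar, const char *str)` with an `if(!ar) { return(0); }` guard before the walk would also make it safe to call before the array exists, since the rootcheck.c hunk sets `rootcheck.alert_msg` to NULL until `os_calloc` runs. The walk stops only at a NULL entry, so every appender into `rootcheck.alert_msg` has to keep the array NULL-terminated. rk_check_dir's body continues past the end of this hunk.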
@@ -58,8 +76,7 @@
{
if(rk_check_file(f_name, pattern))
{
- closedir(dp);
- return(1);
+ ret_code = 1;
}
}
}
@@ -71,8 +88,7 @@
{
if(rk_check_file(f_name, pattern))
{
- closedir(dp);
- return(1);
+ ret_code = 1;
}
}
}
@@ -81,22 +97,18 @@
/* Checking if file is a directory */
if(lstat(f_name, &statbuf_local) == 0)
{
- /* On all the systems, except darwin, the
- * link count is only increased on directories.
- */
if(S_ISDIR(statbuf_local.st_mode))
{
if(rk_check_dir(f_name, file, pattern))
{
- closedir(dp);
- return(1);
+ ret_code = 1;
}
}
}
}
closedir(dp);
- return(0);
+ return(ret_code);
}
@@ -138,9 +150,25 @@
{
if(is_file(file))
{
- snprintf(rootcheck.alert_msg, OS_SIZE_1024, " File: %s.",
+ int i = 0;
+ char _b_msg[OS_SIZE_1024 +1];
+
+ _b_msg[OS_SIZE_1024] = '\0';
+ snprintf(_b_msg, OS_SIZE_1024, " File: %s.",
file);
+ /* Already present. */
+ if(_is_str_in_array(rootcheck.alert_msg, _b_msg))
+ {
+ return(1);
+ }
+
+ while(rootcheck.alert_msg[i] && (i < 255))
+ i++;
+
+ if(!rootcheck.alert_msg[i])
+ os_strdup(_b_msg, rootcheck.alert_msg[i]);
+
return(1);
}
}
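Review bot: The append at L98–L102 can fill slot 255, the last of the 256 entries `rootcheck_init` allocates, which removes the NULL terminator that `_is_str_in_array` and the walkers in common_rcl.c depend on: the loop stops at `i == 255` without looking at that slot, and `if(!rootcheck.alert_msg[i])` then stores into it. The guard should read `if((i < 255) && !rootcheck.alert_msg[i])`, so that a 256th message is dropped instead of the terminator. The same fifteen lines are repeated in the hunks at `@@ -178,11 +206,30 @@` and `@@ -630,9 +677,26 @@`; one static helper, sketched below, removes the duplication and keeps the bound in a single place. rk_check_file's body continues outside this hunk.
```c
/* Records msg in rootcheck.alert_msg unless it is already there.
 * Slot 255 is never used, so the array always ends in a NULL entry;
 * messages beyond that limit are dropped silently. */
static void rk_add_alert_msg(char *msg)
{
    int i = 0;

    if(_is_str_in_array(rootcheck.alert_msg, msg))
    {
        return;
    }

    while(rootcheck.alert_msg[i] && (i < 255))
    {
        i++;
    }

    if((i < 255) && !rootcheck.alert_msg[i])
    {
        os_strdup(msg, rootcheck.alert_msg[i]);
    }
}

/* … in rk_check_file, replacing the inline append … */
            _b_msg[OS_SIZE_1024] = '\0';
            snprintf(_b_msg, OS_SIZE_1024, " File: %s.", file);
            rk_add_alert_msg(_b_msg);
            return(1);
```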
@@ -178,11 +206,30 @@
/* Matched */
if(pt_matches(buf, pattern))
{
+ int i = 0;
+ char _b_msg[OS_SIZE_1024 +1];
+
+
+ /* Closing the file before dealing with the alert. */
fclose(fp);
- snprintf(rootcheck.alert_msg, OS_SIZE_1024,
- " File: %s.", file);
+ /* Generating the alert itself. */
+ _b_msg[OS_SIZE_1024] = '\0';
+ snprintf(_b_msg, OS_SIZE_1024, " File: %s.",
+ file);
+ /* Already present. */
+ if(_is_str_in_array(rootcheck.alert_msg, _b_msg))
+ {
+ return(1);
+ }
+
+ while(rootcheck.alert_msg[i] && (i < 255))
+ i++;
+
+ if(!rootcheck.alert_msg[i])
+ os_strdup(_b_msg, rootcheck.alert_msg[i]);
+
return(1);
}
}
@@ -630,9 +677,26 @@
/* Checking if value matches */
if(pt_matches(pinfo->p_path, value))
{
- snprintf(rootcheck.alert_msg, OS_SIZE_1024, " Process: %s.",
+ int i = 0;
+ char _b_msg[OS_SIZE_1024 +1];
+
+ _b_msg[OS_SIZE_1024] = '\0';
+
+ snprintf(_b_msg, OS_SIZE_1024, " Process: %s.",
pinfo->p_path);
+
+ /* Already present. */
+ if(_is_str_in_array(rootcheck.alert_msg, _b_msg))
+ {
+ return(1);
+ }
+ while(rootcheck.alert_msg[i] && (i< 255))
+ i++;
+
+ if(!rootcheck.alert_msg[i])
+ os_strdup(_b_msg, rootcheck.alert_msg[i]);
+
return(1);
}
Index: common_rcl.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/common_rcl.c,v
diff -u -r1.15 -r1.16
--- common_rcl.c 10 Jul 2008 17:22:24 -0000 1.15
+++ common_rcl.c 28 Aug 2008 12:07:35 -0000 1.16
@@ -373,7 +373,6 @@
memset(root_dir, '\0', sizeof(root_dir));
memset(final_file, '\0', sizeof(final_file));
memset(ref, '\0', sizeof(ref));
- memset(rootcheck.alert_msg, '\0',OS_SIZE_1024 +1);
root_dir_len = sizeof(root_dir) -1;
@@ -687,33 +686,64 @@
/* Alerting if necessary */
if(g_found == 1)
{
+ int j = 0;
char op_msg[OS_SIZE_1024 +1];
- if(ref[0] != '\0')
- {
- snprintf(op_msg, OS_SIZE_1024, "%s %s.%s"
- " Reference: %s .",msg, name,
- rootcheck.alert_msg,
- ref);
- }
- else
+ char **p_alert_msg = rootcheck.alert_msg;
+
+ while(1)
{
- snprintf(op_msg, OS_SIZE_1024, "%s %s.%s",msg,
- name, rootcheck.alert_msg);
+ if(ref[0] != '\0')
+ {
+ snprintf(op_msg, OS_SIZE_1024, "%s %s.%s"
+ " Reference: %s .",msg, name,
+ p_alert_msg[j]?p_alert_msg[j]:"\0",
+ ref);
+ }
+ else
+ {
+ snprintf(op_msg, OS_SIZE_1024, "%s %s.%s",msg,
+ name, p_alert_msg[j]?p_alert_msg[j]:"\0");
+ }
+
+ if((type == RKCL_TYPE_DIR) || (j == 0))
+ {
+ notify_rk(ALERT_POLICY_VIOLATION, op_msg);
+ }
+
+ if(p_alert_msg[j])
+ {
+ free(p_alert_msg[j]);
+ p_alert_msg[j] = NULL;
+ j++;
+
+ if(!p_alert_msg[j])
+ break;
+ }
+ else
+ {
+ break;
+ }
}
- notify_rk(ALERT_POLICY_VIOLATION, op_msg);
}
-
- /* Checking if this entry is required for the rest of the file. */
- else if(condition & RKCL_COND_REQ)
+ else
{
- goto clean_return;
- }
-
+ int j = 0;
+ while(rootcheck.alert_msg[j])
+ {
+ free(rootcheck.alert_msg[j]);
+ rootcheck.alert_msg[j] = NULL;
+ j++;
+ }
- /* Cleaning up alert msg. */
- rootcheck.alert_msg[0] = '\0';
+ /* Checking if this entry is required for the rest of the file. */
+ if(condition & RKCL_COND_REQ)
+ {
+ goto clean_return;
+ }
+ }
+
/* Ending if we don't have anything else. */
if(!nbuf)
{
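Review bot: Both walkers in this hunk — the `j++; if(!p_alert_msg[j]) break;` at L218–L221 and the `while(rootcheck.alert_msg[j])` at L239 — advance until a NULL entry with no index bound, so they depend on the appenders in common.c never using the last of the 256 slots; bounding them here as well, e.g. `while((j < 255) && rootcheck.alert_msg[j])`, keeps a full list from reading past the array. `"\0"` at L200 and L206 is an empty string spelled awkwardly; `""` says the same thing. For types other than RKCL_TYPE_DIR only the first message is passed to `notify_rk` (L209) while the remaining entries are freed unreported; if that is intended, a one-line comment on that `if` would save the next reader the question. The enclosing function starts and ends outside this hunk.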
Index: rootcheck.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/rootcheck.c,v
diff -u -r1.30 -r1.31
--- rootcheck.c 17 Jun 2008 17:04:08 -0000 1.30
+++ rootcheck.c 28 Aug 2008 12:07:35 -0000 1.31
@@ -64,6 +64,7 @@
int rootcheck_init(int test_config)
{
+ int c;
#endif
@@ -87,8 +88,19 @@
rootcheck.scanall = 0;
rootcheck.readall = 0;
rootcheck.disabled = 0;
+ rootcheck.alert_msg = NULL;
rootcheck.time = ROOTCHECK_WAIT;
+
+ /* We store up to 255 alerts in there. */
+ os_calloc(256, sizeof(char *), rootcheck.alert_msg);
+ c = 0;
+ while(c <= 255)
+ {
+ rootcheck.alert_msg[c] = NULL;
+ c++;
+ }
+
#ifndef OSSECHIDS
rootcheck.notify = SYSLOG;
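Review bot: The limits 256 and 255 here, in the three appenders in common.c and in the walkers in common_rcl.c are separate magic numbers that have to agree; one named constant in rootcheck.h next to the `alert_msg` field (say `#define RK_ALERT_MSG_MAX 255`, name proposed) would tie them together, with the comment at L275 extended to say that one extra slot stays NULL as the terminator. The type of `rootcheck.alert_msg` changes from a character buffer to `char **` in this commit, yet rootcheck.h is not in the modified-files list at L2, so either the header changed in a separate commit or this one does not build as listed. The explicit NULL loop after `os_calloc` is defensible if os_calloc wraps calloc, because all-bits-zero is not guaranteed to be a null pointer, but that reason belongs in the comment rather than leaving the loop looking redundant. The `int c;` added in the previous hunk sits inside a preprocessor branch (`#endif` follows at L267); presumably the other branch already declares `c`, which is worth confirming.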
Modified files:
check_open_ports.c check_rc_dev.c check_rc_files.c check_rc_if.c
check_rc_pids.c check_rc_policy.c check_rc_ports.c
check_rc_readproc.c check_rc_sys.c check_rc_trojans.c common.c
common_rcl.c config.c rootcheck-config.c rootcheck.c rootcheck.h
run_rk_check.c unix-process.c win-common.c win-process.c
Log message:
Description: Changing copyrights to Trend Micro
Reviewed by: dcid
Bug:
Index: check_open_ports.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/check_open_ports.c,v
diff -u -r1.7 -r1.8
--- check_open_ports.c 17 Jun 2008 17:04:08 -0000 1.7
+++ check_open_ports.c 24 Jun 2009 18:53:07 -0000 1.8
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: check_rc_dev.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/check_rc_dev.c,v
diff -u -r1.23 -r1.24
--- check_rc_dev.c 21 May 2009 14:09:48 -0000 1.23
+++ check_rc_dev.c 24 Jun 2009 18:53:07 -0000 1.24
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: check_rc_files.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/check_rc_files.c,v
diff -u -r1.11 -r1.12
--- check_rc_files.c 17 Jun 2008 17:04:08 -0000 1.11
+++ check_rc_files.c 24 Jun 2009 18:53:07 -0000 1.12
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: check_rc_if.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/check_rc_if.c,v
diff -u -r1.9 -r1.10
--- check_rc_if.c 17 Jun 2008 17:04:08 -0000 1.9
+++ check_rc_if.c 24 Jun 2009 18:53:07 -0000 1.10
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: check_rc_pids.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/check_rc_pids.c,v
diff -u -r1.28 -r1.29
--- check_rc_pids.c 22 Aug 2008 21:07:28 -0000 1.28
+++ check_rc_pids.c 24 Jun 2009 18:53:07 -0000 1.29
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: check_rc_policy.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/check_rc_policy.c,v
diff -u -r1.2 -r1.3
--- check_rc_policy.c 17 Jun 2008 17:04:08 -0000 1.2
+++ check_rc_policy.c 24 Jun 2009 18:53:07 -0000 1.3
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2006-2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: check_rc_ports.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/check_rc_ports.c,v
diff -u -r1.20 -r1.21
--- check_rc_ports.c 17 Jun 2008 17:04:08 -0000 1.20
+++ check_rc_ports.c 24 Jun 2009 18:53:07 -0000 1.21
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: check_rc_readproc.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/check_rc_readproc.c,v
diff -u -r1.7 -r1.8
--- check_rc_readproc.c 17 Jun 2008 17:04:08 -0000 1.7
+++ check_rc_readproc.c 24 Jun 2009 18:53:07 -0000 1.8
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: check_rc_sys.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/check_rc_sys.c,v
diff -u -r1.40 -r1.41
--- check_rc_sys.c 21 May 2009 14:09:48 -0000 1.40
+++ check_rc_sys.c 24 Jun 2009 18:53:07 -0000 1.41
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: check_rc_trojans.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/check_rc_trojans.c,v
diff -u -r1.11 -r1.12
--- check_rc_trojans.c 17 Jun 2008 17:04:08 -0000 1.11
+++ check_rc_trojans.c 24 Jun 2009 18:53:07 -0000 1.12
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2005,2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: common.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/common.c,v
diff -u -r1.24 -r1.25
--- common.c 28 Aug 2008 12:07:35 -0000 1.24
+++ common.c 24 Jun 2009 18:53:07 -0000 1.25
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2005-2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: common_rcl.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/common_rcl.c,v
diff -u -r1.16 -r1.17
--- common_rcl.c 28 Aug 2008 12:07:35 -0000 1.16
+++ common_rcl.c 24 Jun 2009 18:53:07 -0000 1.17
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2005-2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: config.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/config.c,v
diff -u -r1.17 -r1.18
--- config.c 24 Jun 2009 18:52:13 -0000 1.17
+++ config.c 24 Jun 2009 18:53:07 -0000 1.18
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: rootcheck-config.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/rootcheck-config.c,v
diff -u -r1.10 -r1.11
--- rootcheck-config.c 10 Jul 2008 17:22:24 -0000 1.10
+++ rootcheck-config.c 24 Jun 2009 18:53:07 -0000 1.11
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: rootcheck.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/rootcheck.c,v
diff -u -r1.31 -r1.32
--- rootcheck.c 28 Aug 2008 12:07:35 -0000 1.31
+++ rootcheck.c 24 Jun 2009 18:53:07 -0000 1.32
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: rootcheck.h
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/rootcheck.h,v
diff -u -r1.33 -r1.34
--- rootcheck.h 17 Jun 2008 17:04:08 -0000 1.33
+++ rootcheck.h 24 Jun 2009 18:53:07 -0000 1.34
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2005,2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: run_rk_check.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/run_rk_check.c,v
diff -u -r1.40 -r1.41
--- run_rk_check.c 21 Jul 2008 00:59:58 -0000 1.40
+++ run_rk_check.c 24 Jun 2009 18:53:07 -0000 1.41
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: unix-process.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/unix-process.c,v
diff -u -r1.4 -r1.5
--- unix-process.c 10 Jul 2008 17:22:25 -0000 1.4
+++ unix-process.c 24 Jun 2009 18:53:07 -0000 1.5
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: win-common.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/win-common.c,v
diff -u -r1.14 -r1.15
--- win-common.c 17 Jun 2008 17:04:08 -0000 1.14
+++ win-common.c 24 Jun 2009 18:53:08 -0000 1.15
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
Index: win-process.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/win-process.c,v
diff -u -r1.4 -r1.5
--- win-process.c 17 Jun 2008 17:04:08 -0000 1.4
+++ win-process.c 24 Jun 2009 18:53:08 -0000 1.5
@@ -1,6 +1,6 @@
/* @(#) $Id$ */
-/* Copyright (C) 2008 Third Brigade, Inc.
+/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it