From 523acdb84746549fbaa603bf062b351bffce750e Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Tue, 19 Dec 2017 10:58:00 -0500
Subject: [PATCH 01/89] Add USE_LIBSODIUM to the Makefile
---
 src/Makefile | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/Makefile b/src/Makefile
index d55b0728d..1069fb610 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -22,6 +22,7 @@ USE_PRELUDE?=no
 USE_ZEROMQ?=no
 USE_GEOIP?=no
 USE_INOTIFY=no
+USE_LIBSODIUM=no
 ifneq (${TARGET},winagent)
 USE_OPENSSL?=auto
@@ -203,6 +204,10 @@ ifneq (,$(filter ${USE_GEOIP},auto yes y Y 1))
 OSSEC_LDFLAGS+=-lGeoIP
 endif # USE_GEOIP
+ifneq (,$(filter ${USE_LIBSODIUM},auto yes y Y 1))
+ DEFINES+=-DLIBSODIUM_ENABLED
+ OSSEC_LDFLAGS+=-lsodum
+endif # USE_LIBSODIUM
 MI :=
 PI :=
@@ -541,6 +546,7 @@ settings:
 @echo " USE_PRELUDE: ${USE_PRELUDE}"
 @echo " USE_OPENSSL: ${USE_OPENSSL}"
 @echo " USE_INOTIFY: ${USE_INOTIFY}"
+ @echo " USE_LIBSODIUM: ${USE_LIBSODIUM}"
 @echo "Mysql settings:"
 @echo " includes: ${MI}"
 @echo " libs: ${ML}"
From e1468ea398ffe811016a050d6a292b995ab65f9a Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Tue, 19 Dec 2017 11:21:19 -0500
Subject: [PATCH 02/89] Start to add options for allowing different FIM hashes to be used.
---
 src/config/syscheck-config.c | 17 +++++++++++++++++
 src/config/syscheck-config.h | 4 ++++
 2 files changed, 21 insertions(+)
diff --git a/src/config/syscheck-config.c b/src/config/syscheck-config.c
index 423b443fa..fe668d9d9 100644
--- a/src/config/syscheck-config.c
+++ b/src/config/syscheck-config.c
@@ -160,6 +160,7 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs
 const char *xml_check_sum = "check_sum";
 const char *xml_check_sha1sum = "check_sha1sum";
 const char *xml_check_md5sum = "check_md5sum";
+ const char *xml_check_sha256sum = "check_sha256sum";
 const char *xml_check_size = "check_size";
 const char *xml_check_owner = "check_owner";
 const char *xml_check_group = "check_group";
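Review bot: `USE_LIBSODIUM=no` in the first hunk is a plain assignment while the neighbouring `USE_PRELUDE?=no`, `USE_ZEROMQ?=no` and `USE_GEOIP?=no` use `?=`, so a value exported in the build environment is silently discarded and only a command-line `make USE_LIBSODIUM=yes` enables the feature. Using `USE_LIBSODIUM?=no` keeps it consistent with those options, and the `$(filter ...)` test in the second hunk already accepts the same `auto yes y Y 1` spellings.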
@@ -458,6 +459,7 @@ int Read_Syscheck(XML_NODE node, void *configp, __attribute__((unused)) void *ma
 const char *xml_prefilter_cmd = "prefilter_cmd";
 const char *xml_skip_nfs = "skip_nfs";
 const char *xml_nodiff = "nodiff";
+ const char *xml_algorithms = "algorithms";
 /* Configuration example
 /etc,/usr/bin
@@ -542,6 +544,21 @@ int Read_Syscheck(XML_NODE node, void *configp, __attribute__((unused)) void *ma
 }
 }
+ /* Set the algoritms to be used */
+ else if(strcmp(node[i]->element, xml_algorithms) == 0) {
+ char alg[25];
+ strncpy(alg, node[i]->content, 24);
+ char *p, *tokens[3];
+ int i = 0;
+ char *last;
+ for ((p = strtok_r(alg, ",", &last)); p; (p = strtok_r(NULL, ",", &last))) {
+ if(i < 2) {
+ tokens[i++] = p;
+ }
+ syscheck->alg[i] = p;
+ }
+ }
+ /* Get if disabled */
 else if (strcmp(node[i]->element, xml_disabled) == 0) {
 if (strcmp(node[i]->content, "yes") == 0) {
diff --git a/src/config/syscheck-config.h b/src/config/syscheck-config.h
index c82d0a2b0..0dc8da6d9 100644
--- a/src/config/syscheck-config.h
+++ b/src/config/syscheck-config.h
@@ -23,6 +23,7 @@
 #define CHECK_SHA1SUM 0000040
 #define CHECK_REALTIME 0000100
 #define CHECK_SEECHANGES 0000200
+#define CHECK_SHA256 0000400
 #include
@@ -50,6 +51,9 @@ typedef struct _config {
 int *opts; /* attributes set in the tag element */
+ char *algorithms; /* Algorithms to use for FIM */
+ char **alg;
+ char *remote_db;
 char *db;
From 201bc616ad7f4622c0040b189e9651f71f84143b Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Tue, 19 Dec 2017 11:40:20 -0500
Subject: [PATCH 03/89] Don't allow sha256 in non-sodium builds.
---
 src/config/syscheck-config.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/config/syscheck-config.c b/src/config/syscheck-config.c
index fe668d9d9..dea6da387 100644
--- a/src/config/syscheck-config.c
+++ b/src/config/syscheck-config.c
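Review bot: The `algorithms` parser in the second hunk stores pointers into the stack array `alg` in `syscheck->alg`, so every entry dangles as soon as the `else if` block ends, and `syscheck->alg` itself is never allocated (the syscheck-config.h hunk of this patch only declares it as `char **alg`), so the first `syscheck->alg[i] = p` writes through an uninitialised pointer. `strncpy(alg, node[i]->content, 24)` also leaves `alg` unterminated when the content is 24 bytes or longer, the inner `int i = 0` shadows the `node[i]` loop index, the list is never NULL-terminated although later patches in the series walk it with `while(alg[al])`, a third and any further token all land in index 2, and `tokens` is written but never read. I would copy the content with `strdup`, allocate a NULL-terminated array of bounded size, and reject more than three names instead of silently overwriting. Read_Syscheck continues outside the hunk, and the `algorithms` field added to the struct in the header hunk is not used anywhere in this patch.
```c
    /* Set the algorithms to be used: up to three comma-separated names, NULL-terminated */
    else if (strcmp(node[i]->element, xml_algorithms) == 0) {
        enum { MAX_ALG = 3 };
        char *alg_copy = strdup(node[i]->content);   /* tokens must outlive this block */
        if (alg_copy == NULL) {
            merror("%s: ERROR: Memory error while reading algorithms", __local_name);
            return (OS_INVALID);
        }
        syscheck->alg = calloc(MAX_ALG + 1, sizeof(char *));
        if (syscheck->alg == NULL) {
            free(alg_copy);
            merror("%s: ERROR: Memory error while reading algorithms", __local_name);
            return (OS_INVALID);
        }
        char *last = NULL;
        int n_alg = 0;
        for (char *p = strtok_r(alg_copy, ",", &last); p != NULL; p = strtok_r(NULL, ",", &last)) {
            if (n_alg >= MAX_ALG) {
                merror("%s: ERROR: Too many algorithms in '%s'", __local_name, node[i]->content);
                free(syscheck->alg);
                syscheck->alg = NULL;
                free(alg_copy);
                return (OS_INVALID);
            }
            syscheck->alg[n_alg++] = p;
        }
        syscheck->alg[n_alg] = NULL;   /* alg_copy is kept on purpose: the entries point into it */
    }
```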
@@ -555,6 +555,12 @@ int Read_Syscheck(XML_NODE node, void *configp, __attribute__((unused)) void *ma
 if(i < 2) {
 tokens[i++] = p;
 }
+#ifndef LIBSODIUM_ENABLED
+ if((strncmp(p, "sha256", 6)) == 0) {
+ merror("sha256 requires libsodium support.");
+ return(OS_INVALID); // XXX What error here?
+ }
+#endif
 syscheck->alg[i] = p;
 }
 }
From 1fa3d1e25701f4b4dfe03bb8dbc67b6ec065bf96 Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Tue, 19 Dec 2017 14:10:55 -0500
Subject: [PATCH 04/89] Silence a clang warning.
---
 src/headers/file_op.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/headers/file_op.h b/src/headers/file_op.h
index 9fb9e8022..739ae48a2 100644
--- a/src/headers/file_op.h
+++ b/src/headers/file_op.h
@@ -25,7 +25,7 @@ int IsDir(const char *file) __attribute__((nonnull));
 int CreatePID(const char *name, int pid) __attribute__((nonnull));
-char *GetRandomNoise();
+char *GetRandomNoise(void);
 int DeletePID(const char *name) __attribute__((nonnull));
From 26c27e1df919cc1b12ef0322a354da2af7b7c519 Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Tue, 19 Dec 2017 14:13:38 -0500
Subject: [PATCH 05/89] Make sure msg is initialized.
---
 src/monitord/sendcustomemail.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/monitord/sendcustomemail.c b/src/monitord/sendcustomemail.c
index e7e9b5adf..c53a1abac 100644
--- a/src/monitord/sendcustomemail.c
+++ b/src/monitord/sendcustomemail.c
@@ -50,7 +50,7 @@ int OS_SendCustomEmail2(char **to, char *subject, char *smtpserver, char *from,
 {
 FILE *sendmail = NULL;
 int socket = -1, i = 0;
- char *msg;
+ char *msg = NULL;
 char snd_msg[128];
 char buffer[2049];
From a5452f951ad68a061fd79301b530cec9d37dcb58 Mon Sep 17 00:00:00 2001
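Review bot: The new `#ifndef LIBSODIUM_ENABLED` guard compares with `strncmp(p, "sha256", 6)`, which is case-sensitive and prefix-only, whereas the hashing code added later in this series accepts both `sha256` and `SHA256`, so a configuration spelling it `SHA256` slips past this check in a non-libsodium build and is then silently downgraded. A full, case-insensitive comparison such as `if (strcasecmp(p, "sha256") == 0) {` keeps the two in step; `strcasecmp` is POSIX, which the file already relies on for `strtok_r`. Returning `OS_INVALID` here also leaves the partially filled `syscheck->alg` behind, but Read_Syscheck's cleanup path lies outside the hunk.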
From: ddpbsd
Date: Mon, 15 Jan 2018 15:58:13 -0500
Subject: [PATCH 06/89] Try to use libsodium to allow us to check sha256 hashes.
It will switch from running OS_md5_sha1_File to OS_algorithm_File The output will be different. Enable with LIBSODIUM_ENABLED=y !! Incomplete and untested !!
---
 src/os_crypto/md5_sha1/algorithms.c | 159 +++++++++++++++++++++++++++
 src/os_crypto/md5_sha1/md5_sha1_op.h | 10 ++
 src/syscheckd/run_check.c | 18 +++
 3 files changed, 187 insertions(+)
 create mode 100644 src/os_crypto/md5_sha1/algorithms.c
diff --git a/src/os_crypto/md5_sha1/algorithms.c b/src/os_crypto/md5_sha1/algorithms.c
new file mode 100644
index 000000000..efb1636a3
--- /dev/null
+++ b/src/os_crypto/md5_sha1/algorithms.c
@@ -0,0 +1,159 @@ +/* Copyright (C) 2009 Trend Micro Inc. + * All right reserved. + * + * This program is a free software; you can redistribute it + * and/or modify it under the terms of the GNU General Public + * License (version 2) as published by the FSF - Free Software + * Foundation + */ + +#include +#include + +#include + +#include "md5_sha1_op.h" +#include "../md5/md5.h" +#include "../sha1/sha.h" +#include "headers/defs.h" +#include "headers/debug_op.h" + + +int OS_algorithms_File(const char *fname, const char *prefilter_cmd, alg_output file_output, int mode, syscheck_config syscheck) +{ + size_t n; + FILE *fp; + unsigned char buf[2048 + 2]; + unsigned char sha1_digest[SHA_DIGEST_LENGTH]; + unsigned char md5_digest[16]; + + int c_sha1 = 0, c_md5 = 0, c_sha256 = 0, al = 0; + while(syscheck->alg[al]) { + if((strncmp(syscheck->alg[al], "md5", 3) == 0 || strncmp(syscheck->alg[al], + "MD5", 3) == 0)) { + c_md5 = 1; + } else if((strncmp(syscheck->alg[al], "sha1", 4) == 0 || strncmp(syscheck->alg[al], + "SHA1", 4) == 0)) { + c_sha1 = 1; + } else if((strncmp(syscheck->alg[al], "sha256", 6) == 0 || strncmp(syscheck->alg[al], + "SHA256", 6) == 0)) { +#ifdef LIBSODIUM_ENABLED + c_sha256 = 1; +#else + merror("syscheck: Not compiled with libsodium support, enabling sha1"); + c_sha1 = 1; +#endif + } + al++; + } + +#ifdef LIBSODIUM_ENABLED + if(c_sha1 == 1 && c_sha256 == 1) { + merror("syscheckd: sha1 and sha256 enabled, disabling sha1."); + c_sha1 = 0; + } +#endif + + + SHA_CTX sha1_ctx; + MD5_CTX md5_ctx; + +#ifdef LIBSODIUM_ENABLED + unsigned char sha256_digest[crypto_hash_sha256_BYTES]; + if(sodium_init() < 0) { + merror("Hash failed: (%d) %s", errno, strerror(errno)); + exit(errno); // XXX - doesn't seem right + } + crypto_hash_sha256_state sha256_state; + crypto_hash_sha256_init(&state); + file_output->sha256output[0] = '\0'; +#endif + + /* Clear the memory */ + file_output->md5output[0] = '\0'; + file_output->sha1output[0] = '\0'; + buf[2048 + 1] = '\0'; + + /* Use 
prefilter_cmd if set */ + if (prefilter_cmd == NULL) { + fp = fopen(fname, mode == OS_BINARY ? "rb" : "r"); + if (!fp) { + return (-1); + } + } else { + char cmd[OS_MAXSTR]; + size_t target_length = strlen(prefilter_cmd) + 1 + strlen(fname); + int res = snprintf(cmd, sizeof(cmd), "%s %s", prefilter_cmd, fname); + if (res < 0 || (unsigned int)res != target_length) { + return (-1); + } + fp = popen(cmd, "r"); + if (!fp) { + return (-1); + } + } + + /* Initialize both hashes */ + if(c_md5 > 0) { + MD5Init(&md5_ctx); + } + if(c_sha1 > 0) { + SHA1_Init(&sha1_ctx); + } + + /* Update for each one */ + while ((n = fread(buf, 1, 2048, fp)) > 0) { + buf[n] = '\0'; + if(c_sha1 > 0) { + SHA1_Update(&sha1_ctx, buf, n); + } + if(c_md5 > 0) { + MD5Update(&md5_ctx, buf, (unsigned)n); + } +#ifdef LIBSODIUM_ENABLED + if(c_sha256 > 0) { + crypto_hash_sha256_update(&sha256_state, buf, n); + } +#endif + } + + if(c_sha1 > 0) { + SHA1_Final(&(sha1_digest[0]), &sha1_ctx); + } + if(c_md5 > 0) { + MD5Final(md5_digest, &md5_ctx); + } +#ifdef LIBSODIUM_ENABLED + if(c_sha256 > 0) { + crypto_hash_sha256_final(&sha256_state, sha256_digest); + } +#endif + + /* Set output for MD5 */ + for (n = 0; n < 16; n++) { + snprintf(md5output, 3, "%02x", md5_digest[n]); + md5output += 2; + } + + /* Set output for SHA-1 */ + for (n = 0; n < SHA_DIGEST_LENGTH; n++) { + snprintf(sha1output, 3, "%02x", sha1_digest[n]); + sha1output += 2; + } + +#ifdef LIBSODIUM_ENABLED + for (n = 0; n < crypto_hash_sha256_BYTES; n++) { + snprintf(sha256output, 3, "%02x", sha256_digest[n]); + sha256output += 2; + } +#endif + + /* Close it */ + if (prefilter_cmd == NULL) { + fclose(fp); + } else { + pclose(fp); + } + + return (0); +} diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.h b/src/os_crypto/md5_sha1/md5_sha1_op.h index 81c113224..c55f91673 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.h +++ b/src/os_crypto/md5_sha1/md5_sha1_op.h 
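Review bot: `exit(errno)` after a failed `sodium_init()` terminates the whole daemon from inside a per-file hashing helper, and `sodium_init()` does not report its failure through `errno` as far as its documented interface goes, so the exit status is whatever an earlier call left behind; the helper should `return (-1)` like the `fopen`/`popen` failures a few lines below and let `c_read_file` mark the sums as `xxx`. Calling `sodium_init()` for every hashed file is also unnecessary work; it belongs once in syscheckd start-up. These lines are carried unchanged into md5_sha1_op.c by a later patch in this series, where the same note applies.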
@@ -17,3 +17,13 @@ int OS_MD5_SHA1_File(const char *fname, const char *prefilter_cmd, os_md5 md5out
 #endif
+#ifdef LIBSODIUM_ENABLED
+
+struct alg_output {
+ os_md5 md5output;
+ os_sha1 sha1output;
+ char sha256output[crypto_hash_sha256_BYTES];
+};
+int OS_algorithms_File(const char *fname, const char *prefilter_cmd, alg_output file_output, int mode);
+#endif
+
diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c
index 6a9804da5..6819dbc7e 100644
--- a/src/syscheckd/run_check.c
+++ b/src/syscheckd/run_check.c
@@ -13,6 +13,10 @@
 #include
 #endif
+#ifdef LIBSODIUM_ENABLED
+#include
+#endif
+
 #include "shared.h"
 #include "syscheck.h"
 #include "os_crypto/md5/md5_op.h"
@@ -309,7 +313,14 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum)
 struct stat statbuf;
 os_md5 mf_sum;
 os_sha1 sf_sum;
+#ifdef LIBSODIUM_ENABLED
+ alg_output file_sums;
+ /* Clean sums */
+ strncpy(file_sums.md5output, "xxx", 4);
+ strncpy(file_sums.sha1output, "xxx", 4);
+ strncpy(file_sums.sha256output, "xxx", 4);
+#endif
 /* Clean sums */
 strncpy(mf_sum, "xxx", 4);
 strncpy(sf_sum, "xxx", 4);
@@ -372,6 +383,13 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum)
 {
 if (sha1sum || md5sum) {
 /* Generate checksums of the file */
+#ifdef LIBSODIUM_ENABLED
+ if (OS_algorithms_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) {
+ strncpy(file_sums.md5output, "xxx", 4);
+ strncpy(file_sums.sha1output, "xxx", 4);
+ strncpy(file_sums.sha256output, "xxx", 4);
+ }
+#endif
 if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) {
 strncpy(sf_sum, "xxx", 4);
 strncpy(mf_sum, "xxx", 4);
From 882058b7cc9a88094a1560b7652dbebcd882c4bb Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Wed, 17 Jan 2018 09:10:35 -0500
Subject: [PATCH 07/89] Fix a typo
---
 src/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Makefile b/src/Makefile
index 7eb1405e4..75c39af32 100644
--- a/src/Makefile
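Review bot: `char sha256output[crypto_hash_sha256_BYTES]` in `struct alg_output` is sized for the 32-byte raw digest, but the function fills it with the hex encoding (two characters per byte plus a terminator), so the member needs `crypto_hash_sha256_BYTES * 2 + 1` bytes and as declared the hex loop writes past its end into whatever follows in the struct. The sibling members `os_md5` and `os_sha1` are typedefs already sized for hex text (the later `strnlen(..., 33)` and `strnlen(..., 65)` bounds show this), so `typedef char os_sha256[65];` declared next to them and used here would keep the struct consistent. The later header hunks in this series (the rename to `hash_output` and the `OS_Hash_File` prototype) carry the same undersized member.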
+++ b/src/Makefile
@@ -212,7 +212,7 @@ endif # USE_GEOIP
 ifneq (,$(filter ${USE_LIBSODIUM},auto yes y Y 1))
 DEFINES+=-DLIBSODIUM_ENABLED
- OSSEC_LDFLAGS+=-lsodum
+ OSSEC_LDFLAGS+=-lsodium
 endif # USE_LIBSODIUM
 MI :=
@@ -1007,7 +1007,7 @@ syscheck_o := $(syscheck_c:.c=.o)
 syscheckd/%.o: syscheckd/%.c
 ${OSSEC_CC} ${OSSEC_CFLAGS} -DARGV0=\"ossec-syscheckd\" -c $^ -o $@
-ossec-syscheckd: ${syscheck_o} rootcheck.a ${ossec_libs} ${ZLIB_LIB}
+ossec-syscheckd: ${syscheck_o} rootcheck.a os_crypto.a ${ossec_libs} ${ZLIB_LIB}
 ${OSSEC_CCBIN} ${OSSEC_CFLAGS} ${ZLIB_INCLUDE} $^ ${OSSEC_LDFLAGS} -o $@
 #### Monitor #######
From 09b44cea8fd3550c219a6acfcac960b7234a2eb7 Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Wed, 17 Jan 2018 09:15:45 -0500
Subject: [PATCH 08/89] xml_check_sha256sum is not used
---
 src/config/syscheck-config.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/config/syscheck-config.c b/src/config/syscheck-config.c
index dea6da387..e662a1dcf 100644
--- a/src/config/syscheck-config.c
+++ b/src/config/syscheck-config.c
@@ -160,7 +160,7 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs
 const char *xml_check_sum = "check_sum";
 const char *xml_check_sha1sum = "check_sha1sum";
 const char *xml_check_md5sum = "check_md5sum";
- const char *xml_check_sha256sum = "check_sha256sum";
+ //const char *xml_check_sha256sum = "check_sha256sum";
 const char *xml_check_size = "check_size";
 const char *xml_check_owner = "check_owner";
 const char *xml_check_group = "check_group";
From fbcd1260d301c5a448fd459401dcb88ae42375fe Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Wed, 17 Jan 2018 09:16:13 -0500
Subject: [PATCH 09/89] randombytes -> OS_randombytes. There is a randombytes() in libsodium as well
---
 src/headers/randombytes.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/headers/randombytes.h b/src/headers/randombytes.h
index 9c69de3f5..b14c5cfb8 100644
--- a/src/headers/randombytes.h
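Review bot: Commenting out `xml_check_sha256sum` in read_attr leaves dead code behind: if the attribute is not handled yet, delete the line and reintroduce it together with its handler, otherwise the `CHECK_SHA256` bit added to syscheck-config.h earlier in this series has no way to be set from a `check_sha256sum` attribute. Either way `//const char *xml_check_sha256sum = "check_sha256sum";` should not remain in the source.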
+++ b/src/headers/randombytes.h
@@ -1,7 +1,7 @@
 #ifndef __RANDOMBYTES_H
 #define __RANDOMBYTES_H
-void randombytes(void *ptr, size_t length);
+void OS_randombytes(void *ptr, size_t length);
 void srandom_init(void);
 #endif
From 7e9152668d7dd1732a042d4c434a46b0501eef5d Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Wed, 17 Jan 2018 09:17:11 -0500
Subject: [PATCH 10/89] Fix-up the sha256 stuff. It compiles. Testing will begin shortly.
---
 src/os_crypto/md5_sha1/md5_sha1_op.c | 154 +++++++++++++++++++++++++++
 src/os_crypto/md5_sha1/md5_sha1_op.h | 3 +-
 src/syscheckd/run_check.c | 4 +-
 3 files changed, 158 insertions(+), 3 deletions(-)
diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c
index dd367c7a0..3d9edfcce 100644
--- a/src/os_crypto/md5_sha1/md5_sha1_op.c
+++ b/src/os_crypto/md5_sha1/md5_sha1_op.c
@@ -9,6 +9,11 @@
 #include
 #include
+#include
+
+#ifdef LIBSODIUM_ENABLED
+#include
+#endif
 #include "md5_sha1_op.h"
 #include "../md5/md5.h"
@@ -86,3 +91,152 @@ int OS_MD5_SHA1_File(const char *fname, const char *prefilter_cmd, os_md5 md5out
 return (0);
 }
+
+
+int OS_algorithms_File(const char *fname, const char *prefilter_cmd, struct alg_output file_output, int mode, char **alg)
+{
+ size_t n;
+ FILE *fp;
+ unsigned char buf[2048 + 2];
+ unsigned char sha1_digest[SHA_DIGEST_LENGTH];
+ unsigned char md5_digest[16];
+
+ int c_sha1 = 0, c_md5 = 0, c_sha256 = 0, al = 0;
+ while(alg[al]) {
+ if((strncmp(alg[al], "md5", 3) == 0 || strncmp(alg[al],
+ "MD5", 3) == 0)) {
+ c_md5 = 1;
+ } else if((strncmp(alg[al], "sha1", 4) == 0 || strncmp(alg[al],
+ "SHA1", 4) == 0)) {
+ c_sha1 = 1;
+ } else if((strncmp(alg[al], "sha256", 6) == 0 || strncmp(alg[al],
+ "SHA256", 6) == 0)) {
+#ifdef LIBSODIUM_ENABLED
+ c_sha256 = 1;
+#else
+ //merror("syscheck: Not compiled with libsodium support, enabling sha1");
+ c_sha1 = 1;
+#endif
+ }
+ al++;
+ }
+
+#ifdef LIBSODIUM_ENABLED
+ if(c_sha1 == 1 && c_sha256 == 1) {
+ //merror("syscheckd: sha1 and sha256 enabled, disabling sha1.");
+ c_sha1 = 0;
+ }
+#endif
+
+
+ SHA_CTX sha1_ctx;
+ MD5_CTX md5_ctx;
+
+#ifdef LIBSODIUM_ENABLED
+ unsigned char sha256_digest[crypto_hash_sha256_BYTES];
+ if(sodium_init() < 0) {
+ //merror("Hash failed: (%d) %s", errno, strerror(errno));
+ exit(errno); // XXX - doesn't seem right
+ }
+ crypto_hash_sha256_state sha256_state;
+ crypto_hash_sha256_init(&sha256_state);
+ file_output.sha256output[0] = '\0';
+#endif
+
+ /* Clear the memory */
+ file_output.md5output[0] = '\0';
+ file_output.sha1output[0] = '\0';
+ buf[2048 + 1] = '\0';
+
+ /* Use prefilter_cmd if set */
+ if (prefilter_cmd == NULL) {
+ fp = fopen(fname, mode == OS_BINARY ? "rb" : "r");
+ if (!fp) {
+ return (-1);
+ }
+ } else {
+ char cmd[OS_MAXSTR];
+ size_t target_length = strlen(prefilter_cmd) + 1 + strlen(fname);
+ int res = snprintf(cmd, sizeof(cmd), "%s %s", prefilter_cmd, fname);
+ if (res < 0 || (unsigned int)res != target_length) {
+ return (-1);
+ }
+ fp = popen(cmd, "r");
+ if (!fp) {
+ return (-1);
+ }
+ }
+
+ /* Initialize both hashes */
+ if(c_md5 > 0) {
+ MD5Init(&md5_ctx);
+ }
+ if(c_sha1 > 0) {
+ SHA1_Init(&sha1_ctx);
+ }
+
+ /* Update for each one */
+ while ((n = fread(buf, 1, 2048, fp)) > 0) {
+ buf[n] = '\0';
+ if(c_sha1 > 0) {
+ SHA1_Update(&sha1_ctx, buf, n);
+ }
+ if(c_md5 > 0) {
+ MD5Update(&md5_ctx, buf, (unsigned)n);
+ }
+#ifdef LIBSODIUM_ENABLED
+ if(c_sha256 > 0) {
+ crypto_hash_sha256_update(&sha256_state, buf, n);
+ }
+#endif
+ }
+
+ if(c_sha1 > 0) {
+ SHA1_Final(&(sha1_digest[0]), &sha1_ctx);
+ }
+ if(c_md5 > 0) {
+ MD5Final(md5_digest, &md5_ctx);
+ }
+#ifdef LIBSODIUM_ENABLED
+ if(c_sha256 > 0) {
+ crypto_hash_sha256_final(&sha256_state, sha256_digest);
+ }
+#endif
+
+ /* Set output for MD5 */
+ for (n = 0; n < 16; n++) {
+ if(n == 0) {
+ snprintf(file_output.md5output, 3, "%02x", md5_digest[n]);
+ } else {
+ snprintf(file_output.md5output, strnlen(file_output.md5output, 33) + 3, "%s%02x", file_output.md5output, md5_digest[n]);
+ }
+ }
+
+ /* Set output for SHA-1 */
+ for (n = 0; n < SHA_DIGEST_LENGTH; n++) {
+ if(n == 0) {
+ snprintf(file_output.sha1output, 3, "%02x", sha1_digest[n]);
+ } else {
+ snprintf(file_output.sha1output, strnlen(file_output.sha1output, 65) + 3, "%s%02x", file_output.sha1output, sha1_digest[n]);
+ }
+ }
+
+#ifdef LIBSODIUM_ENABLED
+ for (n = 0; n < crypto_hash_sha256_BYTES; n++) {
+ if(n == 0) {
+ snprintf(file_output.sha256output, 3, "%02x", sha256_digest[n]);
+ } else {
+ snprintf(file_output.sha256output, strnlen(file_output.sha256output, 66) + 3, "%s%02x", file_output.sha256output, sha256_digest[n]);
+ }
+ }
+#endif
+
+ /* Close it */
+ if (prefilter_cmd == NULL) {
+ fclose(fp);
+ } else {
+ pclose(fp);
+ }
+
+ return (0);
+}
diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.h b/src/os_crypto/md5_sha1/md5_sha1_op.h
index c55f91673..43408f4f7 100644
--- a/src/os_crypto/md5_sha1/md5_sha1_op.h
+++ b/src/os_crypto/md5_sha1/md5_sha1_op.h
@@ -10,6 +10,7 @@
 #ifndef __MD5SHA1_OP_H
 #define __MD5SHA1_OP_H
+#include
 #include "../md5/md5_op.h"
 #include "../sha1/sha1_op.h"
@@ -24,6 +25,6 @@ struct alg_output {
 os_sha1 sha1output;
 char sha256output[crypto_hash_sha256_BYTES];
 };
-int OS_algorithms_File(const char *fname, const char *prefilter_cmd, alg_output file_output, int mode);
+int OS_algorithms_File(const char *fname, const char *prefilter_cmd, struct alg_output file_output, int mode, char **alg);
 #endif
diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c
index 6819dbc7e..cb2b92f80 100644
--- a/src/syscheckd/run_check.c
+++ b/src/syscheckd/run_check.c
@@ -314,7 +314,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum)
 os_md5 mf_sum;
 os_sha1 sf_sum;
 #ifdef LIBSODIUM_ENABLED
- alg_output file_sums;
+ struct alg_output file_sums;
 /* Clean sums */
 strncpy(file_sums.md5output, "xxx", 4);
@@ -384,7 +384,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum)
 if (sha1sum || md5sum) {
 /* Generate checksums of the file */
 #ifdef LIBSODIUM_ENABLED
- if (OS_algorithms_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) {
+ if (OS_algorithms_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.alg) < 0) {
 strncpy(file_sums.md5output, "xxx", 4);
 strncpy(file_sums.sha1output, "xxx", 4);
 strncpy(file_sums.sha256output, "xxx", 4);
From a556191b0ca8d076021d05696509cf5dd42479c5 Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Wed, 17 Jan 2018 09:17:55 -0500
Subject: [PATCH 11/89] Merged into md5_sha1_op.c.
---
 src/os_crypto/md5_sha1/algorithms.c | 159 ----------------------------
 1 file changed, 159 deletions(-)
 delete mode 100644 src/os_crypto/md5_sha1/algorithms.c
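Review bot: `OS_algorithms_File` takes `struct alg_output file_output` by value, so every `file_output.md5output`/`sha1output`/`sha256output` write in this hunk lands in a local copy and the caller's `file_sums` in the run_check.c hunk of this patch still holds `xxx` after a successful call; the parameter needs to be `struct alg_output *file_output` and the call site `&file_sums`. The three hex-encoding loops also grow each string by `snprintf`-ing the buffer into itself with `"%s%02x"`, which is undefined behaviour for overlapping source and destination; writing each byte at `output + 2 * n` with a 3-byte bound, as the algorithms.c version earlier in this series did, avoids both the overlap and the repeated `strnlen`. The sha256 loop additionally writes 65 bytes into a 32-byte member (raised on the header hunk that declared it), and the `exit(errno)` after `sodium_init()` was raised on the patch that introduced algorithms.c.
```c
int OS_algorithms_File(const char *fname, const char *prefilter_cmd, struct alg_output *file_output, int mode, char **alg)
{
    /* … unchanged: algorithm selection, context set-up, file read and finalisation,
     *   with file_output->md5output / sha1output / sha256output replacing file_output.xxx … */

    /* Set output for MD5: two hex digits per byte, each written at its own offset */
    for (n = 0; n < 16; n++) {
        snprintf(file_output->md5output + 2 * n, 3, "%02x", md5_digest[n]);
    }

    /* Set output for SHA-1 */
    for (n = 0; n < SHA_DIGEST_LENGTH; n++) {
        snprintf(file_output->sha1output + 2 * n, 3, "%02x", sha1_digest[n]);
    }

#ifdef LIBSODIUM_ENABLED
    /* Requires sha256output to hold crypto_hash_sha256_BYTES * 2 + 1 bytes */
    for (n = 0; n < crypto_hash_sha256_BYTES; n++) {
        snprintf(file_output->sha256output + 2 * n, 3, "%02x", sha256_digest[n]);
    }
#endif

    /* … unchanged: fclose/pclose and return … */
}
```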
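Review bot: The `#include` added at the top of md5_sha1_op.h sits outside any `#ifdef LIBSODIUM_ENABLED` guard; the header name was lost in this rendering, but `crypto_hash_sha256_BYTES` below it needs `sodium.h`, and if that is what it pulls in, every translation unit including md5_sha1_op.h now needs the libsodium headers even when the Makefile was run with `USE_LIBSODIUM=no`. Moving the include inside the existing `#ifdef LIBSODIUM_ENABLED` block next to `struct alg_output` keeps non-libsodium builds free of that dependency.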
diff --git a/src/os_crypto/md5_sha1/algorithms.c b/src/os_crypto/md5_sha1/algorithms.c
deleted file mode 100644
index efb1636a3..000000000
--- a/src/os_crypto/md5_sha1/algorithms.c
+++ /dev/null
@@ -1,159 +0,0 @@ -/* Copyright (C) 2009 Trend Micro Inc. - * All right reserved. - * - * This program is a free software; you can redistribute it - * and/or modify it under the terms of the GNU General Public - * License (version 2) as published by the FSF - Free Software - * Foundation - */ - -#include -#include - -#include - -#include "md5_sha1_op.h" -#include "../md5/md5.h" -#include "../sha1/sha.h" -#include "headers/defs.h" -#include "headers/debug_op.h" - - -int OS_algorithms_File(const char *fname, const char *prefilter_cmd, alg_output file_output, int mode, syscheck_config syscheck) -{ - size_t n; - FILE *fp; - unsigned char buf[2048 + 2]; - unsigned char sha1_digest[SHA_DIGEST_LENGTH]; - unsigned char md5_digest[16]; - - int c_sha1 = 0, c_md5 = 0, c_sha256 = 0, al = 0; - while(syscheck->alg[al]) { - if((strncmp(syscheck->alg[al], "md5", 3) == 0 || strncmp(syscheck->alg[al], - "MD5", 3) == 0)) { - c_md5 = 1; - } else if((strncmp(syscheck->alg[al], "sha1", 4) == 0 || strncmp(syscheck->alg[al], - "SHA1", 4) == 0)) { - c_sha1 = 1; - } else if((strncmp(syscheck->alg[al], "sha256", 6) == 0 || strncmp(syscheck->alg[al], - "SHA256", 6) == 0)) { -#ifdef LIBSODIUM_ENABLED - c_sha256 = 1; -#else - merror("syscheck: Not compiled with libsodium support, enabling sha1"); - c_sha1 = 1; -#endif - } - al++; - } - -#ifdef LIBSODIUM_ENABLED - if(c_sha1 == 1 && c_sha256 == 1) { - merror("syscheckd: sha1 and sha256 enabled, disabling sha1."); - c_sha1 = 0; - } -#endif - - - SHA_CTX sha1_ctx; - MD5_CTX md5_ctx; - -#ifdef LIBSODIUM_ENABLED - unsigned char sha256_digest[crypto_hash_sha256_BYTES]; - if(sodium_init() < 0) { - merror("Hash failed: (%d) %s", errno, strerror(errno)); - exit(errno); // XXX - doesn't seem right - } - crypto_hash_sha256_state sha256_state; - crypto_hash_sha256_init(&state); - file_output->sha256output[0] = '\0'; -#endif - - /* Clear the memory */ - file_output->md5output[0] = '\0'; - file_output->sha1output[0] = '\0'; - buf[2048 + 1] = '\0'; - - /* Use 
prefilter_cmd if set */ - if (prefilter_cmd == NULL) { - fp = fopen(fname, mode == OS_BINARY ? "rb" : "r"); - if (!fp) { - return (-1); - } - } else { - char cmd[OS_MAXSTR]; - size_t target_length = strlen(prefilter_cmd) + 1 + strlen(fname); - int res = snprintf(cmd, sizeof(cmd), "%s %s", prefilter_cmd, fname); - if (res < 0 || (unsigned int)res != target_length) { - return (-1); - } - fp = popen(cmd, "r"); - if (!fp) { - return (-1); - } - } - - /* Initialize both hashes */ - if(c_md5 > 0) { - MD5Init(&md5_ctx); - } - if(c_sha1 > 0) { - SHA1_Init(&sha1_ctx); - } - - /* Update for each one */ - while ((n = fread(buf, 1, 2048, fp)) > 0) { - buf[n] = '\0'; - if(c_sha1 > 0) { - SHA1_Update(&sha1_ctx, buf, n); - } - if(c_md5 > 0) { - MD5Update(&md5_ctx, buf, (unsigned)n); - } -#ifdef LIBSODIUM_ENABLED - if(c_sha256 > 0) { - crypto_hash_sha256_update(&sha256_state, buf, n); - } -#endif - } - - if(c_sha1 > 0) { - SHA1_Final(&(sha1_digest[0]), &sha1_ctx); - } - if(c_md5 > 0) { - MD5Final(md5_digest, &md5_ctx); - } -#ifdef LIBSODIUM_ENABLED - if(c_sha256 > 0) { - crypto_hash_sha256_final(&sha256_state, sha256_digest); - } -#endif - - /* Set output for MD5 */ - for (n = 0; n < 16; n++) { - snprintf(md5output, 3, "%02x", md5_digest[n]); - md5output += 2; - } - - /* Set output for SHA-1 */ - for (n = 0; n < SHA_DIGEST_LENGTH; n++) { - snprintf(sha1output, 3, "%02x", sha1_digest[n]); - sha1output += 2; - } - -#ifdef LIBSODIUM_ENABLED - for (n = 0; n < crypto_hash_sha256_BYTES; n++) { - snprintf(sha256output, 3, "%02x", sha256_digest[n]); - sha256output += 2; - } -#endif - - /* Close it */ - if (prefilter_cmd == NULL) { - fclose(fp); - } else { - pclose(fp); - } - - return (0); -} From bd9fa4de8692e68ebfed2d968db3fa4b896a139a Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 17 Jan 2018 09:18:22 -0500 Subject: [PATCH 12/89] randombytes() -> OS_randombytes(). libsodium has a randombytes() too --- src/shared/randombytes.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/src/shared/randombytes.c b/src/shared/randombytes.c
index 0dc4a22b5..a7c7850c3 100644
--- a/src/shared/randombytes.c
+++ b/src/shared/randombytes.c
@@ -9,7 +9,7 @@
 #include "shared.h"
-void randombytes(void *ptr, size_t length)
+void OS_randombytes(void *ptr, size_t length)
 {
 char failed = 0;
@@ -37,7 +37,7 @@ void randombytes(void *ptr, size_t length)
 #endif
 if (failed) {
- ErrorExit("%s: ERROR: randombytes failed for all possible methods for accessing random data", __local_name);
+ ErrorExit("%s: ERROR: OS_randombytes failed for all possible methods for accessing random data", __local_name);
 }
 }
@@ -48,7 +48,7 @@ void srandom_init(void)
 srandomdev();
 #else
 unsigned int seed;
- randombytes(&seed, sizeof seed);
+ OS_randombytes(&seed, sizeof seed);
 srandom(seed);
 #endif /* !__OpenBSD__ */
 #endif /* !WIN32 */
From fb1ac4917f1724758ab7bd5907e85c425238e769 Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Sat, 10 Feb 2018 22:20:38 -0500
Subject: [PATCH 13/89] Add some more libsodium bits.
---
 src/syscheckd/run_check.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c
index cb2b92f80..249f4c161 100644
--- a/src/syscheckd/run_check.c
+++ b/src/syscheckd/run_check.c
@@ -389,11 +389,12 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum)
 strncpy(file_sums.sha1output, "xxx", 4);
 strncpy(file_sums.sha256output, "xxx", 4);
 }
-#endif
+#else
 if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) {
 strncpy(sf_sum, "xxx", 4);
 strncpy(mf_sum, "xxx", 4);
 }
+#endif
 }
 }
 #ifndef WIN32
@@ -404,10 +405,18 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum)
 if (S_ISREG(statbuf_lnk.st_mode)) {
 if (sha1sum || md5sum) {
 /* Generate checksums of the file */
+#ifdef LIBSODIUM_ENABLED
+ if (OS_algorithms_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.alg) < 0) {
+ strncpy(file_sums.md5output, "xxx", 4);
+ strncpy(file_sums.sha1output, "xxx", 4);
+ strncpy(file_sums.sha256output, "xxx", 4);
+ }
+#else
 if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) {
 strncpy(sf_sum, "xxx", 4);
 strncpy(mf_sum, "xxx", 4);
 }
+#endif
 }
 }
 }
From 765b4994ca38db8c0e02951f2957f25e2a8f4fd2 Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Wed, 14 Feb 2018 11:13:49 -0500
Subject: [PATCH 14/89] alg_output -> hash_output
---
 src/os_crypto/md5_sha1/md5_sha1_op.c | 2 +-
 src/os_crypto/md5_sha1/md5_sha1_op.h | 4 ++--
 src/syscheckd/run_check.c | 14 +++++++++++++-
 3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c
index 3d9edfcce..162553b71 100644
--- a/src/os_crypto/md5_sha1/md5_sha1_op.c
+++ b/src/os_crypto/md5_sha1/md5_sha1_op.c
@@ -93,7 +93,7 @@ int OS_MD5_SHA1_File(const char *fname, const char *prefilter_cmd, os_md5 md5out
 }
-int OS_algorithms_File(const char *fname, const char *prefilter_cmd, struct alg_output file_output, int mode, char **alg)
+int OS_algorithms_File(const char *fname, const char *prefilter_cmd, struct hash_output file_output, int mode, char **alg)
 {
 size_t n;
 FILE *fp;
diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.h b/src/os_crypto/md5_sha1/md5_sha1_op.h
index 43408f4f7..4496aa88e 100644
--- a/src/os_crypto/md5_sha1/md5_sha1_op.h
+++ b/src/os_crypto/md5_sha1/md5_sha1_op.h
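Review bot: With `OS_MD5_SHA1_File` moved under `#else` in both run_check.c hunks of this patch, a libsodium build never fills `mf_sum`/`sf_sum`, yet `newsum` is still formatted from those two buffers further down in c_read_file (outside these hunks; the next patch in the series wraps that `snprintf` in `#ifdef LIBSODIUM_ENABLED` but both branches keep reading `mf_sum`/`sf_sum`), so every file's checksum line reports `xxx` for md5 and sha1 and the sha256 computed into `file_sums` is never emitted. The libsodium branch should format from `file_sums.md5output`, `file_sums.sha1output` and `file_sums.sha256output`, and since that adds a field to the `size:perm:uid:gid:md5:sha1` record, whatever parses `newsum` downstream presumably has to learn the longer format at the same time.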
@@ -20,11 +20,11 @@ int OS_MD5_SHA1_File(const char *fname, const char *prefilter_cmd, os_md5 md5out
 #ifdef LIBSODIUM_ENABLED
-struct alg_output {
+struct hash_output {
 os_md5 md5output;
 os_sha1 sha1output;
 char sha256output[crypto_hash_sha256_BYTES];
 };
-int OS_algorithms_File(const char *fname, const char *prefilter_cmd, struct alg_output file_output, int mode, char **alg);
+int OS_algorithms_File(const char *fname, const char *prefilter_cmd, struct hash_output file_output, int mode, char **alg);
 #endif
diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c
index 249f4c161..4befd7d36 100644
--- a/src/syscheckd/run_check.c
+++ b/src/syscheckd/run_check.c
@@ -314,7 +314,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum)
 os_md5 mf_sum;
 os_sha1 sf_sum;
 #ifdef LIBSODIUM_ENABLED
- struct alg_output file_sums;
+ struct hash_output file_sums;
 /* Clean sums */
 strncpy(file_sums.md5output, "xxx", 4);
@@ -425,6 +425,9 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum)
 newsum[0] = '\0';
 newsum[255] = '\0';
+#ifdef LIBSODIUM_ENABLED
+
+ if(
 snprintf(newsum, 255, "%ld:%d:%d:%d:%s:%s",
 size == 0 ? 0 : (long)statbuf.st_size,
 perm == 0 ? 0 : (int)statbuf.st_mode,
@@ -432,6 +435,15 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum)
 group == 0 ? 0 : (int)statbuf.st_gid,
 md5sum == 0 ? "xxx" : mf_sum,
 sha1sum == 0 ? "xxx" : sf_sum);
+#else
+ snprintf(newsum, 255, "%ld:%d:%d:%d:%s:%s",
+ size == 0 ? 0 : (long)statbuf.st_size,
+ perm == 0 ? 0 : (int)statbuf.st_mode,
+ owner == 0 ? 0 : (int)statbuf.st_uid,
+ group == 0 ? 0 : (int)statbuf.st_gid,
+ md5sum == 0 ? "xxx" : mf_sum,
+ sha1sum == 0 ? "xxx" : sf_sum);
+#endif
 return (0);
 }
From 9b339f8eb103604c3ccd5c7efadb503a24e334aa Mon Sep 17 00:00:00 2001
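Review bot: The `#ifdef LIBSODIUM_ENABLED` branch added around the `snprintf(newsum, ...)` in the last run_check.c hunk opens with a bare `if(` that nothing in either hunk closes (the hunk counts show it as an added line, and the `#else` copy has no matching construct), so as committed the libsodium build of c_read_file does not compile; the commit title only mentions the `alg_output` to `hash_output` rename. Once that is repaired, both branches of the conditional are still character-for-character the same `snprintf` from `mf_sum`/`sf_sum`, which is the placeholder-output problem already raised on the previous patch. c_read_file's remainder lies outside the hunk.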
From: ddpbsd
Date: Wed, 14 Feb 2018 11:18:56 -0500
Subject: [PATCH 15/89] OS_algorithms_File -> OS_Hash_File
---
 src/os_crypto/md5_sha1/md5_sha1_op.c | 5 +++--
 src/os_crypto/md5_sha1/md5_sha1_op.h | 2 +-
 src/syscheckd/run_check.c | 4 ++--
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c
index 162553b71..f0237b283 100644
--- a/src/os_crypto/md5_sha1/md5_sha1_op.c
+++ b/src/os_crypto/md5_sha1/md5_sha1_op.c
@@ -93,7 +93,7 @@ int OS_MD5_SHA1_File(const char *fname, const char *prefilter_cmd, os_md5 md5out
 }
-int OS_algorithms_File(const char *fname, const char *prefilter_cmd, struct hash_output file_output, int mode, char **alg)
+int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_output file_output, int mode, char **alg)
 {
 size_t n;
 FILE *fp;
@@ -133,6 +133,7 @@ int OS_algorithms_File(const char *fname, const char *prefilter_cmd, struct hash
 MD5_CTX md5_ctx;
 #ifdef LIBSODIUM_ENABLED
+ // Initialize libsodium and clear the sha256output
 unsigned char sha256_digest[crypto_hash_sha256_BYTES];
 if(sodium_init() < 0) {
 //merror("Hash failed: (%d) %s", errno, strerror(errno));
@@ -175,7 +176,7 @@ int OS_algorithms_File(const char *fname, const char *prefilter_cmd, struct hash
 SHA1_Init(&sha1_ctx);
 }
- /* Update for each one */
+ /* Update for each hash */
 while ((n = fread(buf, 1, 2048, fp)) > 0) {
 buf[n] = '\0';
 if(c_sha1 > 0) {
diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.h b/src/os_crypto/md5_sha1/md5_sha1_op.h
index 4496aa88e..fcc2c3ae9 100644
--- a/src/os_crypto/md5_sha1/md5_sha1_op.h
+++ b/src/os_crypto/md5_sha1/md5_sha1_op.h
@@ -25,6 +25,6 @@ struct hash_output { os_sha1 sha1output; char sha256output[crypto_hash_sha256_BYTES]; }; -int OS_algorithms_File(const char *fname, const char *prefilter_cmd, struct hash_output file_output, int mode, char **alg); +int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_output file_output, int mode, char **alg); #endif diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index 4befd7d36..5b1c67494 100644 --- a/src/syscheckd/run_check.c +++ b/src/syscheckd/run_check.c @@ -384,7 +384,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) if (sha1sum || md5sum) { /* Generate checksums of the file */ #ifdef LIBSODIUM_ENABLED - if (OS_algorithms_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.alg) < 0) { + if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.alg) < 0) { strncpy(file_sums.md5output, "xxx", 4); strncpy(file_sums.sha1output, "xxx", 4); strncpy(file_sums.sha256output, "xxx", 4); @@ -406,7 +406,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) if (sha1sum || md5sum) { /* Generate checksums of the file */ #ifdef LIBSODIUM_ENABLED - if (OS_algorithms_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.alg) < 0) { + if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.alg) < 0) { strncpy(file_sums.md5output, "xxx", 4); strncpy(file_sums.sha1output, "xxx", 4); strncpy(file_sums.sha256output, "xxx", 4); From a9785135713b60d66298791b0f1ab9575355a590 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 14 Feb 2018 11:21:49 -0500 Subject: [PATCH 16/89] Make sure we don't set the output for a hash if we aren't checking that hash. --- src/os_crypto/md5_sha1/md5_sha1_op.c | 38 +++++++++++++++++----------- 1 file changed, 23 insertions(+), 15 deletions(-) 
diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c
index f0237b283..51821223f 100644
--- a/src/os_crypto/md5_sha1/md5_sha1_op.c
+++ b/src/os_crypto/md5_sha1/md5_sha1_op.c
@@ -205,29 +205,36 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu #endif /* Set output for MD5 */ - for (n = 0; n < 16; n++) { - if(n == 0) { - snprintf(file_output.md5output, 3, "%02x", md5_digest[n]); - } else { - snprintf(file_output.md5output, strnlen(file_output.md5output, 33) + 3, "%s%02x", file_output.md5output, md5_digest[n]); + if(c_md5 > 0) { + for (n = 0; n < 16; n++) { + if(n == 0) { + snprintf(file_output.md5output, 3, "%02x", md5_digest[n]); + } else { + snprintf(file_output.md5output, strnlen(file_output.md5output, 33) + 3, "%s%02x", file_output.md5output, md5_digest[n]); + } } } /* Set output for SHA-1 */ - for (n = 0; n < SHA_DIGEST_LENGTH; n++) { - if(n == 0) { - snprintf(file_output.sha1output, 3, "%02x", sha1_digest[n]); - } else { - snprintf(file_output.sha1output, strnlen(file_output.sha1output, 65) + 3, "%s%02x", file_output.sha1output, sha1_digest[n]); + if(c_sha1 > 0) { + for (n = 0; n < SHA_DIGEST_LENGTH; n++) { + if(n == 0) { + snprintf(file_output.sha1output, 3, "%02x", sha1_digest[n]); + } else { + snprintf(file_output.sha1output, strnlen(file_output.sha1output, 65) + 3, "%s%02x", file_output.sha1output, sha1_digest[n]); + } } } #ifdef LIBSODIUM_ENABLED - for (n = 0; n < crypto_hash_sha256_BYTES; n++) { - if(n == 0) { - snprintf(file_output.sha256output, 3, "%02x", sha256_digest[n]); - } else { - snprintf(file_output.sha256output, strnlen(file_output.sha256output, 66) + 3, "%s%02x", file_output.sha256output, sha256_digest[n]); + /* Set output for SHA256 */ + if(c_sha256 > 0) { + for (n = 0; n < crypto_hash_sha256_BYTES; n++) { + if(n == 0) { + snprintf(file_output.sha256output, 3, "%02x", sha256_digest[n]); + } else { + snprintf(file_output.sha256output, strnlen(file_output.sha256output, 66) + 3, "%s%02x", file_output.sha256output, sha256_digest[n]); + } } } #endif @@ -241,3 +248,4 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu return (0); } + 
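Review bot: Each of the three output loops still appends with `snprintf(buf, strnlen(buf, N) + 3, "%s%02x", buf, digest[n])`, passing the destination as a `%s` source; C11 7.21.6.5 leaves copying between overlapping objects undefined, and the pattern is quadratic for no gain. Writing each byte at its fixed offset avoids both and removes the `n == 0` special case: `snprintf(file_output.md5output + 2 * n, 3, "%02x", md5_digest[n]);` (likewise with `sha1_digest` and `sha256_digest`). For the SHA-256 loop the cap of 66 only makes sense if `sha256output` holds at least 65 bytes, whereas the header on this page declares it as `crypto_hash_sha256_BYTES` (32), so that loop overruns the field regardless of this change. OS_Hash_File's body starts outside the hunk.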
From b728cf5454146932bfe5f2b0b4672fe522da7e8c Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 14 Feb 2018 13:38:30 -0500 Subject: [PATCH 17/89] sprintf->snprintf --- src/analysisd/decoders/syscheck.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c index f63b3fb42..2f45df968 100644 --- a/src/analysisd/decoders/syscheck.c +++ b/src/analysisd/decoders/syscheck.c @@ -686,7 +686,7 @@ int DecodeSyscheck(Eventinfo *lf) return(0); } debug1("%s: Checking MD5 '%s' in %s", ARGV0, p, Config.md5_whitelist); - sprintf(stmt, "select md5sum from files where md5sum = \"%s\"", p); + snprintf(stmt, OS_MAXSTR, "select md5sum from files where md5sum = \"%s\"", p); error = sqlite3_prepare_v2(conn, stmt, 1000, &res, &tail); if (error == SQLITE_OK) { while (sqlite3_step(res) == SQLITE_ROW) { From da38953232cc1c1191fe6fe0ab91b6794425df6e Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Thu, 15 Feb 2018 08:50:29 -0500 Subject: [PATCH 18/89] Don't run the check if the md5 is 'xxx' --- src/analysisd/decoders/syscheck.c | 37 ++++++++++++++++++------------- 1 file changed, 21 insertions(+), 16 deletions(-) diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c index 2f45df968..537b5896e 100644 --- a/src/analysisd/decoders/syscheck.c +++ b/src/analysisd/decoders/syscheck.c 
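Review bot: `snprintf` bounds the write, but the query is still assembled from the decoded hash by string formatting; `validate_md5(p)` a few lines earlier is the only thing keeping `p` out of the SQL grammar, so the lookup should bind the value instead: `sqlite3_prepare_v2(conn, "select md5sum from files where md5sum = ?", -1, &res, &tail);` followed by `sqlite3_bind_text(res, 1, p, -1, SQLITE_STATIC);`. That also removes the dependence on `stmt`'s size and on the fixed `1000` byte length handed to prepare, which only reads the first 1000 bytes of the statement. DecodeSyscheck's body lies outside this hunk.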
@@ -681,25 +681,30 @@ int DecodeSyscheck(Eventinfo *lf) if (Config.md5_whitelist) { extern sqlite3 *conn; if ((p = extract_token(c_sum, ":", 4))) { - if (!validate_md5(p)) { /* Never trust input from other origin */ - merror("%s: Not a valid MD5 hash: '%s'", ARGV0, p); - return(0); - } - debug1("%s: Checking MD5 '%s' in %s", ARGV0, p, Config.md5_whitelist); - snprintf(stmt, OS_MAXSTR, "select md5sum from files where md5sum = \"%s\"", p); - error = sqlite3_prepare_v2(conn, stmt, 1000, &res, &tail); - if (error == SQLITE_OK) { - while (sqlite3_step(res) == SQLITE_ROW) { - rec_count++; - } - if (rec_count) { - sqlite3_finalize(res); - //sqlite3_close(conn); - merror(MD5_NOT_CHECKED, ARGV0, p); + if((stenlen(p, "xxx", 3)) != 0) { + if (!validate_md5(p)) { /* Never trust input from other origin */ + merror("%s: Not a valid MD5 hash: '%s'", ARGV0, p); return(0); } + debug1("%s: Checking MD5 '%s' in %s", ARGV0, p, Config.md5_whitelist); + if((snprintf(stmt, OS_MAXSTR, "select md5sum from files where md5sum = \"%s\"", p)) < 0) { + merror("ERROR: snprintf failed for md5sum: %s", p); + } + stmt[OS_MAXSTR] = '\0'; + error = sqlite3_prepare_v2(conn, stmt, 1000, &res, &tail); + if (error == SQLITE_OK) { + while (sqlite3_step(res) == SQLITE_ROW) { + rec_count++; + } + if (rec_count) { + sqlite3_finalize(res); + //sqlite3_close(conn); + merror(MD5_NOT_CHECKED, ARGV0, p); + return(0); + } + } + sqlite3_finalize(res); } - sqlite3_finalize(res); } } From 3dbaf31fcf56f5e6e6e26316d004103f13e915d8 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Thu, 15 Feb 2018 09:07:20 -0500 Subject: [PATCH 19/89] Not sure what I was thinking, but correct a stupid typo. --- src/analysisd/decoders/syscheck.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c index 537b5896e..1955b1d91 100644 --- a/src/analysisd/decoders/syscheck.c +++ b/src/analysisd/decoders/syscheck.c 
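Review bot: The new `snprintf` check only catches a negative return and then continues into `sqlite3_prepare_v2` with whatever is in `stmt`; a return of `OS_MAXSTR` or more means truncation and must be treated as an error too. `stmt[OS_MAXSTR] = '\0';` writes one byte past the buffer if `stmt` was declared with `OS_MAXSTR` elements (its declaration is outside the hunk — confirm), and `snprintf` already terminates the string, so the line is either redundant or an overflow. Suggested: `int len = snprintf(stmt, OS_MAXSTR, "select md5sum from files where md5sum = \"%s\"", p);` then `if (len < 0 || len >= OS_MAXSTR) { merror("ERROR: snprintf failed for md5sum: %s", p); return(0); }` and drop the manual terminator. DecodeSyscheck's body continues outside the hunk.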
@@ -681,7 +681,7 @@ int DecodeSyscheck(Eventinfo *lf) if (Config.md5_whitelist) { extern sqlite3 *conn; if ((p = extract_token(c_sum, ":", 4))) { - if((stenlen(p, "xxx", 3)) != 0) { + if((strncmp(p, "xxx", 3)) != 0) { if (!validate_md5(p)) { /* Never trust input from other origin */ merror("%s: Not a valid MD5 hash: '%s'", ARGV0, p); return(0); From c75e25589467fcf169af11c943bb46b0809dd750 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Thu, 15 Feb 2018 09:08:42 -0500 Subject: [PATCH 20/89] Go about this in a slightly different way. --- src/config/syscheck-config.c | 16 +++++++++++++++- src/config/syscheck-config.h | 3 ++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/src/config/syscheck-config.c b/src/config/syscheck-config.c index e662a1dcf..9c4b9ad4c 100644 --- a/src/config/syscheck-config.c +++ b/src/config/syscheck-config.c @@ -555,13 +555,27 @@ int Read_Syscheck(XML_NODE node, void *configp, __attribute__((unused)) void *ma if(i < 2) { tokens[i++] = p; } + if(!p) { + merror("NOT p!"); + } + + /* remove spaces */ + if(*p == ' ') { + p++; + } #ifndef LIBSODIUM_ENABLED if((strncmp(p, "sha256", 6)) == 0) { merror("sha256 requires libsodium support."); return(OS_INVALID); // XXX What error here? } #endif - syscheck->alg[i] = p; + if(i == 1) { + syscheck->hash1_alg = p; + } else if(i == 2) { + syscheck->hash2_alg = p; + } else { + merror("XXX oops. %s", p); + } } } diff --git a/src/config/syscheck-config.h b/src/config/syscheck-config.h index 0dc8da6d9..858dfeb92 100644 --- a/src/config/syscheck-config.h +++ b/src/config/syscheck-config.h @@ -52,7 +52,8 @@ typedef struct _config { int *opts; /* attributes set in the tag element */ char *algorithms; /* Algorithms to use for FIM */ - char **alg; + char *hash1_alg; + char *hash2_alg; char *remote_db; char *db; From 98b4e6450c5dcb17de9f9a1ae69896b6948c3c75 Mon Sep 17 00:00:00 2001 
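Review bot: `syscheck->hash1_alg = p` / `hash2_alg = p` in the `-555` hunk store pointers into the token buffer being walked by `strtok_r`; judging from the lines patch 24 later deletes on this page, that buffer is the function-local `char alg[25]`, so the config struct would hold dangling pointers once `Read_Syscheck` returns — `strdup(p)` (with a matching free) is needed if this code is kept. `if(!p)` can never fire inside a loop whose condition is `p`, and `merror("XXX oops. %s", p)` is leftover debugging. The inner `int i` also shadows the `node[i]` loop index, so `i == 1`/`i == 2` here count tokens, not nodes, which is easy to misread. Read_Syscheck's body starts outside the hunk.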
From: ddpbsd Date: Thu, 15 Feb 2018 09:10:11 -0500 Subject: [PATCH 21/89] Closer to supporting sha256 --- src/os_crypto/md5_sha1/md5_sha1_op.c | 57 +++++++++++----------------- src/os_crypto/md5_sha1/md5_sha1_op.h | 5 ++- 2 files changed, 27 insertions(+), 35 deletions(-) diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c index 51821223f..1f184e277 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.c +++ b/src/os_crypto/md5_sha1/md5_sha1_op.c @@ -92,8 +92,8 @@ int OS_MD5_SHA1_File(const char *fname, const char *prefilter_cmd, os_md5 md5out return (0); } - -int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_output file_output, int mode, char **alg) +#ifdef LIBSODIUM_ENABLED +int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_output file_output, int mode, char *hash1_alg, char *hash2_alg) { size_t n; FILE *fp; 
@@ -102,38 +102,30 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu unsigned char md5_digest[16]; int c_sha1 = 0, c_md5 = 0, c_sha256 = 0, al = 0; - while(alg[al]) { - if((strncmp(alg[al], "md5", 3) == 0 || strncmp(alg[al], - "MD5", 3) == 0)) { - c_md5 = 1; - } else if((strncmp(alg[al], "sha1", 4) == 0 || strncmp(alg[al], - "SHA1", 4) == 0)) { - c_sha1 = 1; - } else if((strncmp(alg[al], "sha256", 6) == 0 || strncmp(alg[al], - "SHA256", 6) == 0)) { -#ifdef LIBSODIUM_ENABLED - c_sha256 = 1; -#else - //merror("syscheck: Not compiled with libsodium support, enabling sha1"); - c_sha1 = 1; -#endif - } - al++; + if((strncmp(hash1_alg, "md5", 3) == 0 || strncmp(hash1_alg, + "MD5", 3) == 0)) { + c_md5 = 1; + file_output.md5output[0] = '\0'; + } else if((strncmp(hash2_alg, "sha1", 4) == 0 || strncmp(hash2_alg, + "SHA1", 4) == 0)) { + c_sha1 = 1; + file_output.sha1output[0] = '\0'; + } else if((strncmp(hash2_alg, "sha256", 6) == 0 || strncmp(hash2_alg, + "SHA256", 6) == 0)) { + c_sha256 = 1; + file_output.sha256output[0] = '\0'; } -#ifdef LIBSODIUM_ENABLED if(c_sha1 == 1 && c_sha256 == 1) { //merror("syscheckd: sha1 and sha256 enabled, disabling sha1."); c_sha1 = 0; } -#endif SHA_CTX sha1_ctx; MD5_CTX md5_ctx; -#ifdef LIBSODIUM_ENABLED - // Initialize libsodium and clear the sha256output + /* Initialize libsodium */ unsigned char sha256_digest[crypto_hash_sha256_BYTES]; if(sodium_init() < 0) { //merror("Hash failed: (%d) %s", errno, strerror(errno)); @@ -141,12 +133,7 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu } crypto_hash_sha256_state sha256_state; crypto_hash_sha256_init(&sha256_state); - file_output.sha256output[0] = '\0'; -#endif - /* Clear the memory */ - file_output.md5output[0] = '\0'; - file_output.sha1output[0] = '\0'; buf[2048 + 1] = '\0'; /* Use prefilter_cmd if set */ 
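Review bot: The selection chain is `if (hash1_alg is md5) ... else if (hash2_alg is sha1) ... else if (hash2_alg is sha256)`, so in the expected configuration where hash1 is md5, `hash2_alg` is never examined and neither SHA-1 nor SHA-256 is ever enabled; the second branch has to be a separate `if`, not an `else if`. Both comparisons also dereference `hash1_alg`/`hash2_alg` without a NULL check, and nothing on this page assigns them unless an `<algorithms>` element is present, so an agent without that element would crash here. Suggest `if (hash2_alg != NULL && (strncmp(hash2_alg, "sha1", 4) == 0 || strncmp(hash2_alg, "SHA1", 4) == 0)) {` with the same guard on `hash1_alg`. `sodium_init()` is still invoked per file; it is safe to call repeatedly, but it belongs in daemon start-up.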
@@ -171,9 +158,13 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu /* Initialize both hashes */ if(c_md5 > 0) { MD5Init(&md5_ctx); + snprintf(file_output.hash1, 4, "MD5="); + file_output.hash1[4] = '\0'; } if(c_sha1 > 0) { SHA1_Init(&sha1_ctx); + snprintf(file_output.hash2, 5, "SHA1="); + file_output.hash2[5] = '\0'; } /* Update for each hash */ @@ -185,11 +176,9 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu if(c_md5 > 0) { MD5Update(&md5_ctx, buf, (unsigned)n); } -#ifdef LIBSODIUM_ENABLED if(c_sha256 > 0) { crypto_hash_sha256_update(&sha256_state, buf, n); } -#endif } if(c_sha1 > 0) { @@ -198,11 +187,9 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu if(c_md5 > 0) { MD5Final(md5_digest, &md5_ctx); } -#ifdef LIBSODIUM_ENABLED if(c_sha256 > 0) { crypto_hash_sha256_final(&sha256_state, sha256_digest); } -#endif /* Set output for MD5 */ if(c_md5 > 0) { @@ -212,6 +199,7 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu } else { snprintf(file_output.md5output, strnlen(file_output.md5output, 33) + 3, "%s%02x", file_output.md5output, md5_digest[n]); } + snprintf(file_output.hash1, strnlen(file_output.hash1, 37) + 3, "%s%02x", file_output.hash1, md5_digest[n]); } } @@ -223,10 +211,10 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu } else { snprintf(file_output.sha1output, strnlen(file_output.sha1output, 65) + 3, "%s%02x", file_output.sha1output, sha1_digest[n]); } + snprintf(file_output.hash2, strnlen(file_output.hash2, 65) + 3, "%s%02x", file_output.hash2, sha1_digest[n]); } } -#ifdef LIBSODIUM_ENABLED /* Set output for SHA256 */ if(c_sha256 > 0) { for (n = 0; n < crypto_hash_sha256_BYTES; n++) { 
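Review bot: `snprintf(file_output.hash1, 4, "MD5=")` can write at most three characters plus the terminator, so `hash1` becomes `"MD5"` and the later append yields `MD5<hex>` without the `=`; `snprintf(file_output.hash2, 5, "SHA1=")` truncates the same way. The following `hash1[4] = '\0'` / `hash2[5] = '\0'` then only touch a byte already past the terminator. Use the field size: `snprintf(file_output.hash1, sizeof file_output.hash1, "MD5=");` and drop the manual terminator; the same two lines survive unchanged into patch 24's hunk later on this page. The appends in the `-212` and `-223` hunks caps of 37 and 65 are enough for a prefixed MD5 and SHA-1, but hold only if the prefix is actually complete.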
@@ -235,9 +223,9 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu } else { snprintf(file_output.sha256output, strnlen(file_output.sha256output, 66) + 3, "%s%02x", file_output.sha256output, sha256_digest[n]); } + snprintf(file_output.hash2, strnlen(file_output.hash2, 66) + 3, "%s%02x", file_output.hash2, sha256_digest[n]); } } -#endif /* Close it */ if (prefilter_cmd == NULL) { @@ -248,4 +236,5 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu return (0); } +#endif // LIBSODIUM_ENABLED diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.h b/src/os_crypto/md5_sha1/md5_sha1_op.h index fcc2c3ae9..8baba9fd5 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.h +++ b/src/os_crypto/md5_sha1/md5_sha1_op.h @@ -24,7 +24,10 @@ struct hash_output { os_md5 md5output; os_sha1 sha1output; char sha256output[crypto_hash_sha256_BYTES]; + char hash1[523]; + char hash2[523]; }; -int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_output file_output, int mode, char **alg); + +int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_output file_output, int mode, char *hash1_alg, char *hash2_alg); #endif From 54cdbd44b649c11e2a37f61fdc102a747f50ca0e Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Thu, 15 Feb 2018 09:11:29 -0500 Subject: [PATCH 22/89] The basic idea is to have hash1 and hash2. Then the hash strings will be prepended with the hash type followed by an '='. This will cause changes in analysisd, I think. It will have to handle the different hash strings and types. I can probably either change to a generic signature for "HASH changed," and maybe add the hash type into a field in the alert (like src_ip). Or continue with the way rules are currently written and add rules for the new hash types. --- src/syscheckd/run_check.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) 
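Review bot: The SHA-256 append writes into `hash2` without ever initialising it: unlike the MD5/SHA-1 branches nothing stores a `SHA256=` prefix, so the digest is appended to whatever the caller left in the field (run_check.c on this page preloads `"xxx"`), and if a prefix is added the cap of 66 in `strnlen(file_output.hash2, 66) + 3` is below the 71 bytes `SHA256=` plus 64 hex characters need, so the tail would be silently dropped. In the header, `hash1[523]` and `hash2[523]` are unexplained magic sizes while `sha256output[crypto_hash_sha256_BYTES]` is still 32 bytes for a 64-character hex string. Suggest one named size, e.g. `enum { HASH_STR_MAX = 7 + 2 * crypto_hash_sha256_BYTES + 1 };`, `char sha256output[2 * crypto_hash_sha256_BYTES + 1];`, and a `snprintf(file_output.hash2, sizeof file_output.hash2, "SHA256=");` next to the `crypto_hash_sha256_init` call.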
diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index 5b1c67494..982c1cd9b 100644 --- a/src/syscheckd/run_check.c +++ b/src/syscheckd/run_check.c @@ -313,6 +313,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) struct stat statbuf; os_md5 mf_sum; os_sha1 sf_sum; + #ifdef LIBSODIUM_ENABLED struct hash_output file_sums; @@ -320,7 +321,10 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) strncpy(file_sums.md5output, "xxx", 4); strncpy(file_sums.sha1output, "xxx", 4); strncpy(file_sums.sha256output, "xxx", 4); + strncpy(file_sums.hash1, "xxx", 4); + strncpy(file_sums.hash2, "xxx", 4); #endif + /* Clean sums */ strncpy(mf_sum, "xxx", 4); strncpy(sf_sum, "xxx", 4); @@ -343,6 +347,11 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) } /* Get the old sum values */ +#ifdef DEBUG + if(oldsum) { + merror("XXX oldsum: %s", oldsum); + } +#endif /* size */ if (oldsum[0] == '+') { @@ -384,10 +393,15 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) if (sha1sum || md5sum) { /* Generate checksums of the file */ #ifdef LIBSODIUM_ENABLED - if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.alg) < 0) { + if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.hash1_alg, syscheck.hash2_alg) < 0) { strncpy(file_sums.md5output, "xxx", 4); strncpy(file_sums.sha1output, "xxx", 4); strncpy(file_sums.sha256output, "xxx", 4); + strncpy(file_sums.hash1, "xxx", 4); + strncpy(file_sums.hash2, "xxx", 4); + } else { + merror("XXX hash1: %s", file_sums.hash1); + merror("XXX hash2: %s", file_sums.hash2); } #else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { 
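Review bot: The new `else` branch in the `-384` hunk logs `merror("XXX hash1: %s", ...)` for every file that hashes successfully, which floods the error log on each scan and is clearly leftover debugging; it should go, or at most become a `debug1` under `#ifdef DEBUG` like the `oldsum` dump added in the `-343` hunk. Because `file_sums` is still passed to `OS_Hash_File` by value in this patch, the values logged here are the `"xxx"` sentinels preloaded above, not digests. c_read_file's body extends beyond the hunk on both sides.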
@@ -406,10 +420,12 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) if (sha1sum || md5sum) { /* Generate checksums of the file */ #ifdef LIBSODIUM_ENABLED - if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.alg) < 0) { + if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.hash1_alg, syscheck.hash2_alg) < 0) { strncpy(file_sums.md5output, "xxx", 4); strncpy(file_sums.sha1output, "xxx", 4); strncpy(file_sums.sha256output, "xxx", 4); + strncpy(file_sums.hash1, "xxx", 4); + strncpy(file_sums.hash2, "xxx", 4); } #else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { @@ -425,9 +441,8 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) newsum[0] = '\0'; newsum[255] = '\0'; -#ifdef LIBSODIUM_ENABLED - if( +#ifdef LIBSODIUM_ENABLED snprintf(newsum, 255, "%ld:%d:%d:%d:%s:%s", size == 0 ? 0 : (long)statbuf.st_size, perm == 0 ? 0 : (int)statbuf.st_mode, From 1134eaa1012f3a1e368e6c269739794b3e90444c Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Tue, 6 Mar 2018 14:53:40 -0500 Subject: [PATCH 23/89] Add some more libsodium bits to create_db.c. --- src/config/syscheck-config.c | 1 + src/config/syscheck-config.h | 2 +- src/syscheckd/create_db.c | 59 ++++++++++++++++++++++++++++++------ 3 files changed, 51 insertions(+), 11 deletions(-) diff --git a/src/config/syscheck-config.c b/src/config/syscheck-config.c index 9c4b9ad4c..267bdf1d4 100644 --- a/src/config/syscheck-config.c +++ b/src/config/syscheck-config.c @@ -226,6 +226,7 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs if (strcmp(*values, "yes") == 0) { opts |= CHECK_MD5SUM; opts |= CHECK_SHA1SUM; + opts |= CHECK_SHA256SUM; opts |= CHECK_PERM; opts |= CHECK_SIZE; opts |= CHECK_OWNER; diff --git a/src/config/syscheck-config.h b/src/config/syscheck-config.h index 858dfeb92..e8fbb951f 100644 --- a/src/config/syscheck-config.h 
+++ b/src/config/syscheck-config.h @@ -23,7 +23,7 @@ #define CHECK_SHA1SUM 0000040 #define CHECK_REALTIME 0000100 #define CHECK_SEECHANGES 0000200 -#define CHECK_SHA256 0000400 +#define CHECK_SHA256SUM 0000400 #include diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index 20d6c914e..c7db44d10 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c @@ -60,16 +60,16 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) #endif { if(errno == ENOTDIR){ - /*Deletion message sending*/ - char alert_msg[PATH_MAX+4]; - alert_msg[PATH_MAX + 3] = '\0'; - snprintf(alert_msg, PATH_MAX + 4, "-1 %s", file_name); - send_syscheck_msg(alert_msg); - return (0); - }else{ - merror("%s: Error accessing '%s'.", ARGV0, file_name); - return (-1); - } + /*Deletion message sending*/ + char alert_msg[PATH_MAX+4]; + alert_msg[PATH_MAX + 3] = '\0'; + snprintf(alert_msg, PATH_MAX + 4, "-1 %s", file_name); + send_syscheck_msg(alert_msg); + return (0); + }else{ + merror("%s: Error accessing '%s'.", ARGV0, file_name); + return (-1); + } } if (S_ISDIR(statbuf.st_mode)) { 
@@ -114,20 +114,49 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) strncpy(sf_sum3, "xxx", 4); /* Generate checksums */ +#ifdef LIBSODIUM_ENABLED + /* Prep file_sums */ + struct hash_output file_sums; + strncpy(file_sums.md5output, "xxx", 4); + strncpy(file_sums.sha1output, "xxx", 4); + strncpy(file_sums.sha256output, "xxx", 4); + strncpy(file_sums.hash1, "xxx", 4); + strncpy(file_sums.hash2, "xxx", 4); + + if ((opts & CHECK_MD5SUM) || (opts & CHECK_SHA1SUM) || (opts & CHECK_SHA256SUM)) { +#else if ((opts & CHECK_MD5SUM) || (opts & CHECK_SHA1SUM)) { +#endif //LIBSODIUM_ENABLED /* If it is a link, check if dest is valid */ #ifndef WIN32 + + /* XXX This is all weird */ if (S_ISLNK(statbuf.st_mode)) { struct stat statbuf_lnk; if (stat(file_name, &statbuf_lnk) == 0) { if (S_ISREG(statbuf_lnk.st_mode)) { +#ifdef LIBSODIUM_ENABLED + if(OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.hash1_alg, syscheck.hash2_alg) < 0) { + strncpy(file_sums.md5output, "xxx", 4); + strncpy(file_sums.sha1output, "xxx", 4); + strncpy(file_sums.sha256output, "xxx", 4); + strncpy(file_sums.hash1, "xxx", 4); + strncpy(file_sums.hash2, "xxx", 4); + } + +#else //LIBSODIUM_ENABLED if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { strncpy(mf_sum, "xxx", 4); strncpy(sf_sum, "xxx", 4); } +#endif //LIBSODIUM_ENABLED } } +#ifdef LIBSODIUM_ENABLED + } else if(OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.hash1_alg, syscheck.hash2_alg) < 0) +#else //LIBSODIUM_ENABLED } else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) +#endif //LIBSODIUM_ENABLED #else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) #endif 
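Review bot: The `#ifdef LIBSODIUM_ENABLED` / `#ifndef WIN32` nesting now opens an `if` in one preprocessor branch and its `else if` in another (`} else if(OS_Hash_File(...) < 0)` versus `} else if (OS_MD5_SHA1_File(...) < 0)`), which is hard to read and easy to break; the `/* XXX This is all weird */` marker suggests the author agrees. A small `static int hash_file(const char *file_name, ...)` in create_db.c that hides the two back ends behind one call would let this block keep its original shape with a single conditional at the top. With `file_sums` passed by value, the `OS_Hash_File` results here are also not visible to this function until patch 24 changes the signature. read_file's body lies outside the hunk.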
@@ -173,8 +202,13 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) opts & CHECK_PERM ? (int)statbuf.st_mode : 0, opts & CHECK_OWNER ? (int)statbuf.st_uid : 0, opts & CHECK_GROUP ? (int)statbuf.st_gid : 0, +#ifdef LIBSODIUM_ENABLED + opts & CHECK_MD5SUM ? file_sums.md5output : "xxx", + opts & CHECK_SHA256SUM ? file_sums.sha256output : "xxx"); +#else //LIBSODIUM_ENABLED opts & CHECK_MD5SUM ? mf_sum : "xxx", opts & CHECK_SHA1SUM ? sf_sum : "xxx"); +#endif //LIBSODIUM_ENABLED if (OSHash_Add(syscheck.fp, file_name, strdup(alert_msg)) <= 0) { merror("%s: ERROR: Unable to add file to db: %s", ARGV0, file_name); @@ -188,8 +222,13 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) opts & CHECK_PERM ? (int)statbuf.st_mode : 0, opts & CHECK_OWNER ? (int)statbuf.st_uid : 0, opts & CHECK_GROUP ? (int)statbuf.st_gid : 0, +#ifdef LIBSODIUM_ENABLED + opts & CHECK_MD5SUM ? file_sums.md5output : "xxx", + opts & CHECK_SHA256SUM ? file_sums.sha256output : "xxx", +#else //LIBSODIUM_ENABLED opts & CHECK_MD5SUM ? mf_sum : "xxx", opts & CHECK_SHA1SUM ? sf_sum : "xxx", +#endif //LIBSODIUM_ENABLED file_name); send_syscheck_msg(alert_msg); } else { From 9b1b3ebb9d69b0267ad79b921497bc3ba9ca8d53 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Tue, 6 Mar 2018 22:19:27 -0500 Subject: [PATCH 24/89] I think sha256 is working. lots of devug left in, need to free file_sums or change how it's being handled plenty of other cleanups available. sleep now. code later --- src/Makefile | 2 +- src/config/syscheck-config.c | 72 ++++++++----------- src/os_crypto/md5_sha1/md5_sha1_op.c | 102 ++++++--------------------- src/os_crypto/md5_sha1/md5_sha1_op.h | 3 +- src/syscheckd/create_db.c | 63 ++++++++++++----- src/syscheckd/run_check.c | 43 +++++------ 6 files changed, 123 insertions(+), 162 deletions(-) diff --git a/src/Makefile b/src/Makefile index 75c39af32..92a721726 100644 --- a/src/Makefile +++ b/src/Makefile 
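Review bot: In libsodium builds the alert string now places `file_sums.sha256output` in the slot every consumer reads as the SHA-1 field (the analysisd decoder shown earlier on this page extracts the MD5 with `extract_token(c_sum, ":", 4)` and presumably the next token as SHA-1), so a manager that has not been updated would treat a 64-character SHA-256 hex string as a SHA-1, and the configured SHA-1 check silently stops being reported. Either keep the SHA-1 field and append SHA-256 as a new trailing field, or tag the values the way the `hash1`/`hash2` fields were designed to (`MD5=…`, `SHA256=…`) so the decoder can tell them apart. Both the `-173` and `-188` hunks have the same layout; read_file's body continues outside them.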
@@ -120,7 +120,7 @@ OSSEC_CFLAGS=${CFLAGS} ANALYSISD_FLAGS="-lsqlite3" ifdef DEBUG - OSSEC_CFLAGS+=-g + OSSEC_CFLAGS+=-ggdb else OSSEC_CFLAGS+=-O2 endif #DEBUG diff --git a/src/config/syscheck-config.c b/src/config/syscheck-config.c index 267bdf1d4..0e326cf6f 100644 --- a/src/config/syscheck-config.c +++ b/src/config/syscheck-config.c @@ -160,7 +160,7 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs const char *xml_check_sum = "check_sum"; const char *xml_check_sha1sum = "check_sha1sum"; const char *xml_check_md5sum = "check_md5sum"; - //const char *xml_check_sha256sum = "check_sha256sum"; + const char *xml_check_sha256sum = "check_sha256sum"; const char *xml_check_size = "check_size"; const char *xml_check_owner = "check_owner"; const char *xml_check_group = "check_group"; @@ -224,16 +224,24 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs /* Check all */ if (strcmp(*attrs, xml_check_all) == 0) { if (strcmp(*values, "yes") == 0) { - opts |= CHECK_MD5SUM; - opts |= CHECK_SHA1SUM; +#ifdef LIBSODIUM_ENABLED opts |= CHECK_SHA256SUM; +#else //LIBSODIUM_ENABLED + opts |= CHECK_SHA1SUM; +#endif //LIBSODIUM_ENABLED + opts |= CHECK_MD5SUM; opts |= CHECK_PERM; opts |= CHECK_SIZE; opts |= CHECK_OWNER; opts |= CHECK_GROUP; } else if (strcmp(*values, "no") == 0) { +#ifdef LIBSODIUM_ENABLED + opts &= ~ ( CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_PERM + | CHECK_SIZE | CHECK_OWNER | CHECK_GROUP | CHECK_SHA256SUM ); +#else //LIBSODIUM_ENABLED opts &= ~ ( CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_PERM | CHECK_SIZE | CHECK_OWNER | CHECK_GROUP ); +#endif //LIBSODIUM_ENABLED } else { merror(SK_INV_OPT, __local_name, *values, *attrs); ret = 0; 
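Review bot: `check_all="yes"` under LIBSODIUM_ENABLED now sets CHECK_SHA256SUM instead of CHECK_SHA1SUM in the `-224` hunk, so a libsodium build silently stops computing SHA-1 for every directory configured with `check_all`, while the `"no"` branch on the same setting still clears both bits. If the intent is SHA-256 in addition to SHA-1, keep `opts |= CHECK_SHA1SUM;` outside the `#ifdef` and add the SHA-256 bit inside it; if SHA-1 is meant to be replaced, that is a wire-format change for the manager and should be stated in the commit message. read_attr's body starts outside the hunk.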
@@ -277,6 +285,20 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs goto out_free; } } +#ifdef LIBSODIUM_ENABLED + else if(strncmp(*attrs, xml_check_sha256sum, 15) == 0) { + if(strncmp(*values, "yes", 3) ==0) { + opts |= CHECK_SHA256SUM; + merror("ZZZ sha256 set"); + } else if(strncmp(*values, "no", 2) == 0) { + opts &= ~ CHECK_SHA256SUM; + } else { + merror(SK_INV_OPT, __local_name, *values, *attrs); + ret = 0; + goto out_free; + } + } +#endif //LIBSODIUM_ENABLED /* Check permission */ else if (strcmp(*attrs, xml_check_perm) == 0) { if (strcmp(*values, "yes") == 0) { @@ -460,7 +482,6 @@ int Read_Syscheck(XML_NODE node, void *configp, __attribute__((unused)) void *ma const char *xml_prefilter_cmd = "prefilter_cmd"; const char *xml_skip_nfs = "skip_nfs"; const char *xml_nodiff = "nodiff"; - const char *xml_algorithms = "algorithms"; /* Configuration example /etc,/usr/bin @@ -545,41 +566,6 @@ int Read_Syscheck(XML_NODE node, void *configp, __attribute__((unused)) void *ma } } - /* Set the algoritms to be used */ - else if(strcmp(node[i]->element, xml_algorithms) == 0) { - char alg[25]; - strncpy(alg, node[i]->content, 24); - char *p, *tokens[3]; - int i = 0; - char *last; - for ((p = strtok_r(alg, ",", &last)); p; (p = strtok_r(NULL, ",", &last))) { - if(i < 2) { - tokens[i++] = p; - } - if(!p) { - merror("NOT p!"); - } - - /* remove spaces */ - if(*p == ' ') { - p++; - } -#ifndef LIBSODIUM_ENABLED - if((strncmp(p, "sha256", 6)) == 0) { - merror("sha256 requires libsodium support."); - return(OS_INVALID); // XXX What error here? - } -#endif - if(i == 1) { - syscheck->hash1_alg = p; - } else if(i == 2) { - syscheck->hash2_alg = p; - } else { - merror("XXX oops. %s", p); - } - } - } - /* Get if disabled */ else if (strcmp(node[i]->element, xml_disabled) == 0) { if (strcmp(node[i]->content, "yes") == 0) { 
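Review bot: `merror("ZZZ sha256 set")` in the new `check_sha256sum` branch fires for every directory that enables the option and is leftover debugging; drop it. The branch also compares with `strncmp(*attrs, xml_check_sha256sum, 15)` and `strncmp(*values, "yes", 3)` where every sibling branch uses `strcmp`, so a value such as `yesterday` is accepted as `yes`; `strcmp(*attrs, xml_check_sha256sum) == 0` and `strcmp(*values, "yes") == 0` keep it consistent. Removing the `<algorithms>` parser in the `-545` hunk leaves `hash1_alg`/`hash2_alg` in the config struct unset, which is fine for the new no-argument `OS_Hash_File`, but the fields should go too unless the syscheck-config.h hunk of this patch (not on this page) already drops them.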
@@ -862,10 +848,13 @@ char *syscheck_opts2str(char *buf, int buflen, int opts) { CHECK_SIZE, CHECK_OWNER, CHECK_GROUP, - CHECK_MD5SUM, + CHECK_MD5SUM, CHECK_SHA1SUM, CHECK_REALTIME, CHECK_SEECHANGES, +#ifdef LIBSODIUM_ENABLED + CHECK_SHA256SUM, +#endif 0 }; char *check_strings[] = { @@ -873,7 +862,8 @@ char *syscheck_opts2str(char *buf, int buflen, int opts) { "size", "owner", "group", - "md5sum", + "md5sum", + "sha256sum", "sha1sum", "realtime", "report_changes", diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c index 1f184e277..b8ddf963f 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.c +++ b/src/os_crypto/md5_sha1/md5_sha1_op.c 
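Review bot: `check_strings[]` gains `"sha256sum"` unconditionally between `"md5sum"` and `"sha1sum"`, but `CHECK_SHA256SUM` is appended to the flag table only under `#ifdef LIBSODIUM_ENABLED` and at the end of that table; if the two arrays are walked in parallel (the function body is outside the hunk — confirm), every label from `"sha1sum"` onward is shifted by one and the realtime/report_changes flags print under the wrong name. Put the flag and its label at the same index and under the same conditional, e.g. `#ifdef LIBSODIUM_ENABLED` / `"sha256sum",` / `#endif` at the position matching the flag.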
@@ -93,42 +93,19 @@ int OS_MD5_SHA1_File(const char *fname, const char *prefilter_cmd, os_md5 md5out } #ifdef LIBSODIUM_ENABLED -int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_output file_output, int mode, char *hash1_alg, char *hash2_alg) +int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_output *file_output, int mode) { + size_t n; FILE *fp; unsigned char buf[2048 + 2]; - unsigned char sha1_digest[SHA_DIGEST_LENGTH]; unsigned char md5_digest[16]; - int c_sha1 = 0, c_md5 = 0, c_sha256 = 0, al = 0; - if((strncmp(hash1_alg, "md5", 3) == 0 || strncmp(hash1_alg, - "MD5", 3) == 0)) { - c_md5 = 1; - file_output.md5output[0] = '\0'; - } else if((strncmp(hash2_alg, "sha1", 4) == 0 || strncmp(hash2_alg, - "SHA1", 4) == 0)) { - c_sha1 = 1; - file_output.sha1output[0] = '\0'; - } else if((strncmp(hash2_alg, "sha256", 6) == 0 || strncmp(hash2_alg, - "SHA256", 6) == 0)) { - c_sha256 = 1; - file_output.sha256output[0] = '\0'; - } - - if(c_sha1 == 1 && c_sha256 == 1) { - //merror("syscheckd: sha1 and sha256 enabled, disabling sha1."); - c_sha1 = 0; - } - - - SHA_CTX sha1_ctx; MD5_CTX md5_ctx; /* Initialize libsodium */ unsigned char sha256_digest[crypto_hash_sha256_BYTES]; if(sodium_init() < 0) { - //merror("Hash failed: (%d) %s", errno, strerror(errno)); exit(errno); // XXX - doesn't seem right } crypto_hash_sha256_state sha256_state; 
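Review bot: `exit(errno)` when `sodium_init()` fails terminates the whole daemon from inside a per-file hashing routine, and `sodium_init()` is not documented to set `errno`, so the exit status is whatever an earlier call left behind; the `// XXX - doesn't seem right` comment agrees. Return `-1` instead — both callers on this page already reset their sums to `"xxx"` on a negative return — and initialise libsodium once at start-up rather than on every file. With the selection flags gone the routine now always computes MD5 and SHA-256, so the `CHECK_SHA1SUM` path is unreachable in libsodium builds and should be documented as such on the prototype. The hunk continues at `-156` below.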
@@ -156,75 +133,38 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu } /* Initialize both hashes */ - if(c_md5 > 0) { - MD5Init(&md5_ctx); - snprintf(file_output.hash1, 4, "MD5="); - file_output.hash1[4] = '\0'; - } - if(c_sha1 > 0) { - SHA1_Init(&sha1_ctx); - snprintf(file_output.hash2, 5, "SHA1="); - file_output.hash2[5] = '\0'; - } + MD5Init(&md5_ctx); + snprintf(file_output->hash1, 4, "MD5="); + file_output->hash1[4] = '\0'; /* Update for each hash */ while ((n = fread(buf, 1, 2048, fp)) > 0) { buf[n] = '\0'; - if(c_sha1 > 0) { - SHA1_Update(&sha1_ctx, buf, n); - } - if(c_md5 > 0) { - MD5Update(&md5_ctx, buf, (unsigned)n); - } - if(c_sha256 > 0) { - crypto_hash_sha256_update(&sha256_state, buf, n); - } + MD5Update(&md5_ctx, buf, (unsigned)n); + crypto_hash_sha256_update(&sha256_state, buf, n); } - if(c_sha1 > 0) { - SHA1_Final(&(sha1_digest[0]), &sha1_ctx); - } - if(c_md5 > 0) { - MD5Final(md5_digest, &md5_ctx); - } - if(c_sha256 > 0) { - crypto_hash_sha256_final(&sha256_state, sha256_digest); - } + MD5Final(md5_digest, &md5_ctx); + crypto_hash_sha256_final(&sha256_state, sha256_digest); /* Set output for MD5 */ - if(c_md5 > 0) { - for (n = 0; n < 16; n++) { - if(n == 0) { - snprintf(file_output.md5output, 3, "%02x", md5_digest[n]); - } else { - snprintf(file_output.md5output, strnlen(file_output.md5output, 33) + 3, "%s%02x", file_output.md5output, md5_digest[n]); - } - snprintf(file_output.hash1, strnlen(file_output.hash1, 37) + 3, "%s%02x", file_output.hash1, md5_digest[n]); - } - } - - /* Set output for SHA-1 */ - if(c_sha1 > 0) { - for (n = 0; n < SHA_DIGEST_LENGTH; n++) { - if(n == 0) { - snprintf(file_output.sha1output, 3, "%02x", sha1_digest[n]); - } else { - snprintf(file_output.sha1output, strnlen(file_output.sha1output, 65) + 3, "%s%02x", file_output.sha1output, sha1_digest[n]); - } - snprintf(file_output.hash2, strnlen(file_output.hash2, 65) + 3, "%s%02x", file_output.hash2, sha1_digest[n]); + for (n = 0; n < 16; 
n++) { + if(n == 0) { + snprintf(file_output->md5output, 3, "%02x", md5_digest[n]); + } else { + snprintf(file_output->md5output, strnlen(file_output->md5output, 33) + 3, "%s%02x", file_output->md5output, md5_digest[n]); } + snprintf(file_output->hash1, strnlen(file_output->hash1, 37) + 3, "%s%02x", file_output->hash1, md5_digest[n]); } /* Set output for SHA256 */ - if(c_sha256 > 0) { - for (n = 0; n < crypto_hash_sha256_BYTES; n++) { - if(n == 0) { - snprintf(file_output.sha256output, 3, "%02x", sha256_digest[n]); - } else { - snprintf(file_output.sha256output, strnlen(file_output.sha256output, 66) + 3, "%s%02x", file_output.sha256output, sha256_digest[n]); - } - snprintf(file_output.hash2, strnlen(file_output.hash2, 66) + 3, "%s%02x", file_output.hash2, sha256_digest[n]); + for (n = 0; n < crypto_hash_sha256_BYTES; n++) { + if(n == 0) { + snprintf(file_output->sha256output, 3, "%02x", sha256_digest[n]); + } else { + snprintf(file_output->sha256output, strnlen(file_output->sha256output, 66) + 3, "%s%02x", file_output->sha256output, sha256_digest[n]); } + snprintf(file_output->hash2, strnlen(file_output->hash2, 66) + 3, "%s%02x", file_output->hash2, sha256_digest[n]); } /* Close it */ diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.h b/src/os_crypto/md5_sha1/md5_sha1_op.h index 8baba9fd5..489a0450e 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.h +++ b/src/os_crypto/md5_sha1/md5_sha1_op.h @@ -22,12 +22,11 @@ int OS_MD5_SHA1_File(const char *fname, const char *prefilter_cmd, os_md5 md5out struct hash_output { os_md5 md5output; - os_sha1 sha1output; char sha256output[crypto_hash_sha256_BYTES]; char hash1[523]; char hash2[523]; }; -int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_output file_output, int mode, char *hash1_alg, char *hash2_alg); +int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_output *file_output, int mode); #endif 
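Review bot: The hex-formatting loops in this hunk pass the destination buffer back in as the `%s` source (`snprintf(file_output->md5output, strnlen(...) + 3, "%s%02x", file_output->md5output, md5_digest[n])`), which is undefined behaviour in C99 7.19.6.5 (overlapping source and destination) and works only by accident of the libc; the same pattern is used for sha256output, hash1 and hash2. The `MD5=` prefix is also truncated: `snprintf(file_output->hash1, 4, "MD5=")` has room for three characters plus NUL, so hash1 starts with "MD5" and the digest follows with no '='. Writing each byte at its own offset and then composing the prefixed string with one bounded snprintf removes both problems; the sha256 loop additionally needs sha256output sized for 64 hex characters plus a terminator, which the struct in this commit's header hunk does not provide. The enclosing function starts in the previous hunk.
```c
/* … unchanged: MD5Init / sha256 state init, read loop, MD5Final / crypto_hash_sha256_final … */

/* Format each digest byte at its own offset; never hand the destination back in as a "%s" source. */
for (n = 0; n < 16; n++) {
    snprintf(file_output->md5output + 2 * n, 3, "%02x", md5_digest[n]);
}
snprintf(file_output->hash1, sizeof(file_output->hash1), "MD5=%s", file_output->md5output);

for (n = 0; n < crypto_hash_sha256_BYTES; n++) {
    snprintf(file_output->sha256output + 2 * n, 3, "%02x", sha256_digest[n]);
}
snprintf(file_output->hash2, sizeof(file_output->hash2), "SHA256=%s", file_output->sha256output);
/* … unchanged: fclose / return … */
```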
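Review bot: `char sha256output[crypto_hash_sha256_BYTES];` in struct hash_output is 32 bytes, but OS_Hash_File stores the digest as 64 hex characters plus a NUL in it, so every hashed file overruns the field by 33 bytes into hash1; hash1 is written afterwards, which is why the corruption is not visible in the logs. Size the field for its text form, `char sha256output[crypto_hash_sha256_BYTES * 2 + 1]; /* hex digest + NUL */`, which presumably mirrors how os_md5 is already defined. A one-line comment on hash1/hash2 saying what consumes the "MD5="/"SHA256=" strings would also help, since nothing in this series reads them except debug output.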
diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index c7db44d10..8008e545c 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c @@ -64,6 +64,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) char alert_msg[PATH_MAX+4]; alert_msg[PATH_MAX + 3] = '\0'; snprintf(alert_msg, PATH_MAX + 4, "-1 %s", file_name); + merror("ZZZ1 Sending: %s", alert_msg); send_syscheck_msg(alert_msg); return (0); }else{ @@ -116,12 +117,22 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) /* Generate checksums */ #ifdef LIBSODIUM_ENABLED /* Prep file_sums */ - struct hash_output file_sums; - strncpy(file_sums.md5output, "xxx", 4); - strncpy(file_sums.sha1output, "xxx", 4); - strncpy(file_sums.sha256output, "xxx", 4); - strncpy(file_sums.hash1, "xxx", 4); - strncpy(file_sums.hash2, "xxx", 4); + struct hash_output *file_sums; + file_sums = malloc(sizeof(struct hash_output)); + if(file_sums == NULL) { + merror("file_sums malloc failed: %s", strerror(errno)); + } + strncpy(file_sums->md5output, "xxx", 4); + strncpy(file_sums->sha256output, "xxx", 4); + strncpy(file_sums->hash1, "xxx", 4); + strncpy(file_sums->hash2, "xxx", 4); + + int xxx = OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY); + if(xxx < 0) { + merror("xxx that sucks"); + } else { + merror("xxx file_sums->md5output: %s", file_sums->md5output); + } if ((opts & CHECK_MD5SUM) || (opts & CHECK_SHA1SUM) || (opts & CHECK_SHA256SUM)) { #else 
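Review bot: The malloc() failure branch in the second hunk logs and then falls straight into `strncpy(file_sums->md5output, "xxx", 4)`, a guaranteed NULL dereference on the one path that was meant to be handled; return as the earlier error path in this function does: `if (file_sums == NULL) { merror("file_sums malloc failed: %s", strerror(errno)); return (0); }`. I also see no free() of file_sums anywhere in read_file in this series (the later free() calls go into c_read_file only), so unless it is released past the end of this hunk every file in the initial scan leaks one struct hash_output in a libsodium build; an automatic `struct hash_output file_sums;` as before, or a single free at the end of the function, avoids that. The unconditional OS_Hash_File call with the `xxx that sucks` message hashes every file a second time and reads as leftover debugging. read_file continues outside this hunk.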
@@ -136,12 +147,13 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) if (stat(file_name, &statbuf_lnk) == 0) { if (S_ISREG(statbuf_lnk.st_mode)) { #ifdef LIBSODIUM_ENABLED - if(OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.hash1_alg, syscheck.hash2_alg) < 0) { - strncpy(file_sums.md5output, "xxx", 4); - strncpy(file_sums.sha1output, "xxx", 4); - strncpy(file_sums.sha256output, "xxx", 4); - strncpy(file_sums.hash1, "xxx", 4); - strncpy(file_sums.hash2, "xxx", 4); + merror("UUU1 OS_Hash_File: %s", file_name); + if(OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { + merror("AAA1"); + strncpy(file_sums->md5output, "xxx", 4); + strncpy(file_sums->sha256output, "xxx", 4); + strncpy(file_sums->hash1, "xxx", 4); + strncpy(file_sums->hash2, "xxx", 4); } #else //LIBSODIUM_ENABLED @@ -153,7 +165,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) } } #ifdef LIBSODIUM_ENABLED - } else if(OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.hash1_alg, syscheck.hash2_alg) < 0) + } else if(OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) #else //LIBSODIUM_ENABLED } else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) #endif //LIBSODIUM_ENABLED @@ -203,8 +215,8 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) opts & CHECK_OWNER ? (int)statbuf.st_uid : 0, opts & CHECK_GROUP ? (int)statbuf.st_gid : 0, #ifdef LIBSODIUM_ENABLED - opts & CHECK_MD5SUM ? file_sums.md5output : "xxx", - opts & CHECK_SHA256SUM ? file_sums.sha256output : "xxx"); + opts & CHECK_MD5SUM ? file_sums->md5output : "xxx", + opts & CHECK_SHA256SUM ? file_sums->sha256output : "xxx"); #else //LIBSODIUM_ENABLED opts & CHECK_MD5SUM ? mf_sum : "xxx", opts & CHECK_SHA1SUM ? sf_sum : "xxx"); 
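Review bot: `merror("UUU1 OS_Hash_File: %s", file_name);` and `merror("AAA1");` in the first hunk run unconditionally for every symlinked entry on every scan, so they reach the production log at error severity and carry no actionable information; they look like leftover debugging. Drop the first, and make the failure message useful, e.g. `merror("%s: ERROR: Unable to hash file: %s", ARGV0, file_name);` (or debug2() under `#ifdef DEBUG` if it is only for development). read_file starts and ends outside these hunks.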
@@ -217,19 +229,35 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) /* Send the new checksum to the analysis server */ alert_msg[916] = '\0'; + if(opts & CHECK_MD5SUM) { + merror("HHH MD5"); + } else { + merror("HHH NO MD5"); + } +#ifdef LIBSODIUM_ENABLED + if(opts & CHECK_SHA256SUM) { + merror("HHH SHA256"); + } else { + merror("HHH NO SHA256"); + } + merror("UUU file_sums->md5output: %s", file_sums->md5output); +#endif + + snprintf(alert_msg, 916, "%ld:%d:%d:%d:%s:%s %s", opts & CHECK_SIZE ? (long)statbuf.st_size : 0, opts & CHECK_PERM ? (int)statbuf.st_mode : 0, opts & CHECK_OWNER ? (int)statbuf.st_uid : 0, opts & CHECK_GROUP ? (int)statbuf.st_gid : 0, #ifdef LIBSODIUM_ENABLED - opts & CHECK_MD5SUM ? file_sums.md5output : "xxx", - opts & CHECK_SHA256SUM ? file_sums.sha256output : "xxx", + opts & CHECK_MD5SUM ? file_sums->md5output : "xxx", + opts & CHECK_SHA256SUM ? file_sums->sha256output : "xxx", #else //LIBSODIUM_ENABLED opts & CHECK_MD5SUM ? mf_sum : "xxx", opts & CHECK_SHA1SUM ? sf_sum : "xxx", #endif //LIBSODIUM_ENABLED file_name); + merror("ZZZ2 Sending: %s", alert_msg); send_syscheck_msg(alert_msg); } else { char alert_msg[OS_MAXSTR + 1]; @@ -265,6 +293,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) snprintf(alert_msg, 916, "%s %s", c_sum, file_name); } #endif + merror("YYY3 sending: %s", alert_msg); send_syscheck_msg(alert_msg); } } diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index 982c1cd9b..2b0a8c041 100644 --- a/src/syscheckd/run_check.c +++ b/src/syscheckd/run_check.c @@ -260,6 +260,7 @@ void start_daemon() } /* Send database completed message */ + merror("ZZZ4 Sending db complete"); send_syscheck_msg(HC_SK_DB_COMPLETED); debug2("%s: DEBUG: Sending database completed message.", ARGV0); 
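Review bot: In the libsodium branch of the message built here, `opts & CHECK_SHA256SUM ? file_sums->sha256output : "xxx"` lands in the sixth `%s` of the unchanged `%ld:%d:%d:%d:%s:%s %s` format, the field the server-side decoder treats as the sha1sum, and nothing on the wire says which algorithm it carries; an analysis server built without libsodium will store and report a 64-character SHA-256 under a sha1sum label, and vice versa. If the format cannot grow a field, record the coupling next to the snprintf: `/* field 6 is SHA-1, or SHA-256 in libsodium builds; agent and server must be built alike */`. The `HHH`/`UUU`/`ZZZ2` merror calls log every file at error severity and should not survive the series. read_file continues outside this hunk.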
@@ -315,14 +316,17 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) os_sha1 sf_sum; #ifdef LIBSODIUM_ENABLED - struct hash_output file_sums; + struct hash_output *file_sums; + file_sums = malloc(sizeof(struct hash_output)); + if(file_sums == NULL) { + merror("run_check file_sums malloc failed: %s", strerror(errno)); + } /* Clean sums */ - strncpy(file_sums.md5output, "xxx", 4); - strncpy(file_sums.sha1output, "xxx", 4); - strncpy(file_sums.sha256output, "xxx", 4); - strncpy(file_sums.hash1, "xxx", 4); - strncpy(file_sums.hash2, "xxx", 4); + strncpy(file_sums->md5output, "xxx", 4); + strncpy(file_sums->sha256output, "xxx", 4); + strncpy(file_sums->hash1, "xxx", 4); + strncpy(file_sums->hash2, "xxx", 4); #endif /* Clean sums */ @@ -341,6 +345,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) alert_msg[PATH_MAX + 3] = '\0'; snprintf(alert_msg, PATH_MAX + 4, "-1 %s", file_name); + merror("ZZZ5 Sending: %s", alert_msg); send_syscheck_msg(alert_msg); return (-1); 
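Review bot: Like its twin in create_db.c, the malloc() check in c_read_file logs and continues, so a failed allocation is followed by `strncpy(file_sums->md5output, "xxx", 4)` through a NULL pointer; bail out instead: `if (file_sums == NULL) { merror("run_check file_sums malloc failed: %s", strerror(errno)); return (-1); }`. The `return (-1)` after the "-1 %s" message in the second hunk also leaves file_sums allocated (a later commit in the series adds a free there). Since the struct is roughly 1 KB and strictly local to this call, an automatic `struct hash_output file_sums;` as before avoids both issues; if the move to the heap is about stack size, say so in a comment so it is not undone. c_read_file continues outside these hunks.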
@@ -393,15 +398,14 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) if (sha1sum || md5sum) { /* Generate checksums of the file */ #ifdef LIBSODIUM_ENABLED - if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.hash1_alg, syscheck.hash2_alg) < 0) { - strncpy(file_sums.md5output, "xxx", 4); - strncpy(file_sums.sha1output, "xxx", 4); - strncpy(file_sums.sha256output, "xxx", 4); - strncpy(file_sums.hash1, "xxx", 4); - strncpy(file_sums.hash2, "xxx", 4); + if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { + strncpy(file_sums->md5output, "xxx", 4); + strncpy(file_sums->sha256output, "xxx", 4); + strncpy(file_sums->hash1, "xxx", 4); + strncpy(file_sums->hash2, "xxx", 4); } else { - merror("XXX hash1: %s", file_sums.hash1); - merror("XXX hash2: %s", file_sums.hash2); + merror("XXX hash1: %s", file_sums->hash1); + merror("XXX hash2: %s", file_sums->hash2); } #else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { @@ -420,12 +424,11 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) if (sha1sum || md5sum) { /* Generate checksums of the file */ #ifdef LIBSODIUM_ENABLED - if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY, syscheck.hash1_alg, syscheck.hash2_alg) < 0) { - strncpy(file_sums.md5output, "xxx", 4); - strncpy(file_sums.sha1output, "xxx", 4); - strncpy(file_sums.sha256output, "xxx", 4); - strncpy(file_sums.hash1, "xxx", 4); - strncpy(file_sums.hash2, "xxx", 4); + if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { + strncpy(file_sums->md5output, "xxx", 4); + strncpy(file_sums->sha256output, "xxx", 4); + strncpy(file_sums->hash1, "xxx", 4); + strncpy(file_sums->hash2, "xxx", 4); } #else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { From e7e4b1aaf4ec45edb8f56b07ba7587f33df8b032 Mon Sep 17 00:00:00 2001 
From: ddpbsd Date: Wed, 7 Mar 2018 08:26:18 -0500 Subject: [PATCH 25/89] Remove some debugging printfs --- src/syscheckd/create_db.c | 26 -------------------------- src/syscheckd/run_check.c | 13 ++----------- 2 files changed, 2 insertions(+), 37 deletions(-) diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index 8008e545c..71e70eec2 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c @@ -64,7 +64,6 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) char alert_msg[PATH_MAX+4]; alert_msg[PATH_MAX + 3] = '\0'; snprintf(alert_msg, PATH_MAX + 4, "-1 %s", file_name); - merror("ZZZ1 Sending: %s", alert_msg); send_syscheck_msg(alert_msg); return (0); }else{ @@ -127,13 +126,6 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) strncpy(file_sums->hash1, "xxx", 4); strncpy(file_sums->hash2, "xxx", 4); - int xxx = OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY); - if(xxx < 0) { - merror("xxx that sucks"); - } else { - merror("xxx file_sums->md5output: %s", file_sums->md5output); - } - if ((opts & CHECK_MD5SUM) || (opts & CHECK_SHA1SUM) || (opts & CHECK_SHA256SUM)) { #else if ((opts & CHECK_MD5SUM) || (opts & CHECK_SHA1SUM)) { @@ -147,7 +139,6 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) if (stat(file_name, &statbuf_lnk) == 0) { if (S_ISREG(statbuf_lnk.st_mode)) { #ifdef LIBSODIUM_ENABLED - merror("UUU1 OS_Hash_File: %s", file_name); if(OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { merror("AAA1"); strncpy(file_sums->md5output, "xxx", 4); 
@@ -229,21 +220,6 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) /* Send the new checksum to the analysis server */ alert_msg[916] = '\0'; - if(opts & CHECK_MD5SUM) { - merror("HHH MD5"); - } else { - merror("HHH NO MD5"); - } -#ifdef LIBSODIUM_ENABLED - if(opts & CHECK_SHA256SUM) { - merror("HHH SHA256"); - } else { - merror("HHH NO SHA256"); - } - merror("UUU file_sums->md5output: %s", file_sums->md5output); -#endif - - snprintf(alert_msg, 916, "%ld:%d:%d:%d:%s:%s %s", opts & CHECK_SIZE ? (long)statbuf.st_size : 0, opts & CHECK_PERM ? (int)statbuf.st_mode : 0, @@ -257,7 +233,6 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) opts & CHECK_SHA1SUM ? sf_sum : "xxx", #endif //LIBSODIUM_ENABLED file_name); - merror("ZZZ2 Sending: %s", alert_msg); send_syscheck_msg(alert_msg); } else { char alert_msg[OS_MAXSTR + 1]; @@ -293,7 +268,6 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) snprintf(alert_msg, 916, "%s %s", c_sum, file_name); } #endif - merror("YYY3 sending: %s", alert_msg); send_syscheck_msg(alert_msg); } } diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index 2b0a8c041..a73dc31de 100644 --- a/src/syscheckd/run_check.c +++ b/src/syscheckd/run_check.c @@ -260,7 +260,6 @@ void start_daemon() } /* Send database completed message */ - merror("ZZZ4 Sending db complete"); send_syscheck_msg(HC_SK_DB_COMPLETED); debug2("%s: DEBUG: Sending database completed message.", ARGV0); @@ -345,19 +344,13 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) alert_msg[PATH_MAX + 3] = '\0'; snprintf(alert_msg, PATH_MAX + 4, "-1 %s", file_name); - merror("ZZZ5 Sending: %s", alert_msg); send_syscheck_msg(alert_msg); + free(file_sums); return (-1); } /* Get the old sum values */ -#ifdef DEBUG - if(oldsum) { - merror("XXX oldsum: %s", oldsum); - } -#endif - /* size */ if (oldsum[0] == '+') { size = 1; 
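Review bot: `free(file_sums);` added before `return (-1)` in the run_check.c hunk sits outside `#ifdef LIBSODIUM_ENABLED`, but file_sums is only declared inside that conditional, so the default non-libsodium build no longer compiles; the free needs the same guard, `#ifdef LIBSODIUM_ENABLED` / `free(file_sums);` / `#endif`, which the next commit in the series adds. With two exit paths now releasing the struct, a single `out:` cleanup label would keep them from diverging again. c_read_file continues outside this hunk.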
@@ -403,9 +396,6 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) strncpy(file_sums->sha256output, "xxx", 4); strncpy(file_sums->hash1, "xxx", 4); strncpy(file_sums->hash2, "xxx", 4); - } else { - merror("XXX hash1: %s", file_sums->hash1); - merror("XXX hash2: %s", file_sums->hash2); } #else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { @@ -463,6 +453,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) sha1sum == 0 ? "xxx" : sf_sum); #endif + free(file_sums); return (0); } From 2dfc8d6eb6f21c08743b841460b00a2fcd061c91 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Sun, 11 Mar 2018 12:02:07 -0400 Subject: [PATCH 26/89] Make this actually compile. --- src/syscheckd/run_check.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index a73dc31de..0e80f33ba 100644 --- a/src/syscheckd/run_check.c +++ b/src/syscheckd/run_check.c @@ -345,8 +345,9 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) alert_msg[PATH_MAX + 3] = '\0'; snprintf(alert_msg, PATH_MAX + 4, "-1 %s", file_name); send_syscheck_msg(alert_msg); - +#ifdef LIBSODIUM_ENABLED free(file_sums); +#endif return (-1); } @@ -453,7 +454,9 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) sha1sum == 0 ? "xxx" : sf_sum); #endif +#ifdef LIBSODIUM_ENABLED free(file_sums); +#endif return (0); } From 4910ca6133aef26be7518d967f8a7a701f6a566b Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Tue, 13 Mar 2018 08:08:54 -0400 Subject: [PATCH 27/89] sqlite --- src/analysisd/decoders/syscheck.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c index f02bb822d..520de7c6f 100644 --- a/src/analysisd/decoders/syscheck.c +++ b/src/analysisd/decoders/syscheck.c 
@@ -621,9 +621,9 @@ int DecodeSyscheck(Eventinfo *lf) const char *c_sum; char *f_name; +#ifdef SQLITE_ENABLED char *p; char stmt[OS_MAXSTR + 1]; -#ifdef SQLITE_ENABLED sqlite3_stmt *res; #endif int error = 0; From 80a960a037c911bd89219703472c777b28777f6e Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Tue, 13 Mar 2018 10:04:45 -0400 Subject: [PATCH 28/89] Add some explicit nul terminators Add some debug messages --- src/config/syscheck-config.c | 24 ++++++++++++++++++++++-- src/syscheckd/create_db.c | 14 ++++++++++++++ 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/src/config/syscheck-config.c b/src/config/syscheck-config.c index 0e326cf6f..1d8932268 100644 --- a/src/config/syscheck-config.c +++ b/src/config/syscheck-config.c @@ -220,6 +220,12 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs attrs = g_attrs; values = g_values; +#ifdef LIBSODIUM_ENABLED +#ifdef DEBUG + merror("DEBUG: libsodium enabled"); +#endif //DEBUG +#endif //LIBSODIUM_ENABLED + while (*attrs && *values) { /* Check all */ if (strcmp(*attrs, xml_check_all) == 0) { @@ -252,9 +258,17 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs else if (strcmp(*attrs, xml_check_sum) == 0) { if (strcmp(*values, "yes") == 0) { opts |= CHECK_MD5SUM; +#ifdef LIBSODIUM_ENABLED + opts |= CHECK_SHA256SUM; +#else //LIBSODIUM_ENABLED opts |= CHECK_SHA1SUM; +#endif //LIBSODIUM_ENABLED } else if (strcmp(*values, "no") == 0) { +#ifdef LIBSODIUM_ENABLED + opts &= ~ ( CHECK_MD5SUM | CHECK_SHA256SUM ); +#else //LIBSODIUM_ENALBED opts &= ~ ( CHECK_MD5SUM | CHECK_SHA1SUM ); +#endif } else { merror(SK_INV_OPT, __local_name, *values, *attrs); ret = 0; @@ -510,6 +524,7 @@ int Read_Syscheck(XML_NODE node, void *configp, __attribute__((unused)) void *ma ExpandEnvironmentStrings(node[i]->content, dirs, sizeof(dirs) - 1); #else strncpy(dirs, node[i]->content, sizeof(dirs) - 1); + dirs[sizeof(dirs) - 1] = '\0'; #endif if (!read_attr(syscheck, 
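Review bot: In the check_sum hunk, `check_sum="yes"` now selects MD5 plus SHA-256 in a libsodium build and MD5 plus SHA-1 otherwise, so one ossec.conf yields different databases and different alert fields depending on how the agent was compiled; that is a defensible design, but it deserves a comment at the `#ifdef`: `/* libsodium builds substitute SHA-256 for SHA-1; the message field is shared */`. The `#else //LIBSODIUM_ENALBED` comment misspells the macro and the matching `#endif` has no tag, which makes the nested conditionals in read_attr harder to follow. The `merror("DEBUG: libsodium enabled")` in the first hunk fires for every directory entry at error severity even though it is guarded by DEBUG; debug2() is the existing convention for that. read_attr starts and ends outside these hunks.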
@@ -808,12 +823,14 @@ int Read_Syscheck(XML_NODE node, void *configp, __attribute__((unused)) void *ma ExpandEnvironmentStrings(node[i]->content, cmd, sizeof(cmd) - 1); #else strncpy(cmd, node[i]->content, sizeof(cmd) - 1); + cmd[sizeof(cmd) - 1] = '\0'; #endif if (strlen(cmd) > 0) { char statcmd[OS_MAXSTR]; char *ix; strncpy(statcmd, cmd, sizeof(statcmd) - 1); + statcmd[sizeof(statcmd) - 1] = '\0'; if (NULL != (ix = strchr(statcmd, ' '))) { *ix = '\0'; } @@ -821,6 +838,7 @@ int Read_Syscheck(XML_NODE node, void *configp, __attribute__((unused)) void *ma /* More checks needed (perms, owner, etc.) */ os_calloc(1, strlen(cmd) + 1, syscheck->prefilter_cmd); strncpy(syscheck->prefilter_cmd, cmd, strlen(cmd)); + syscheck->prefilter_cmd[sizeof(syscheck->prefilter_cmd) - 1] = '\0'; } else { merror(XML_VALUEERR, __local_name, node[i]->element, node[i]->content); return (OS_INVALID); @@ -854,7 +872,7 @@ char *syscheck_opts2str(char *buf, int buflen, int opts) { CHECK_SEECHANGES, #ifdef LIBSODIUM_ENABLED CHECK_SHA256SUM, -#endif +#endif //LIBSODIUM_ENABLED 0 }; char *check_strings[] = { @@ -863,10 +881,12 @@ char *syscheck_opts2str(char *buf, int buflen, int opts) { "owner", "group", "md5sum", - "sha256sum", "sha1sum", "realtime", "report_changes", +#ifdef LIBSODIUM_ENABLED + "sha256sum", +#endif //LIBSODIUM_ENABLED NULL }; diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index 71e70eec2..35798dded 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c @@ -234,6 +234,13 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) #endif //LIBSODIUM_ENABLED file_name); send_syscheck_msg(alert_msg); +#ifdef LIBSODIUM_ENABLED +#ifdef DEBUG + if(file_sums->hash1) { + merror("DEBUG: file_sums->hash1: %s", file_sums->hash1); + } +#endif //DEBUG +#endif //LIBSODIUM_ENABLED } else { char alert_msg[OS_MAXSTR + 1]; char c_sum[256 + 2]; 
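Review bot: `syscheck->prefilter_cmd[sizeof(syscheck->prefilter_cmd) - 1] = '\0';` is wrong: prefilter_cmd is a pointer (it is filled by os_calloc), so sizeof yields the pointer size and the line stores a NUL at index 7 of a buffer that is strlen(cmd)+1 bytes long — an out-of-bounds write for prefilter commands shorter than seven characters and a silent truncation of any longer command to its first seven bytes. The buffer comes from os_calloc, so it is already zero-filled and the preceding strncpy leaves it terminated; delete the line, or terminate at the real length, `syscheck->prefilter_cmd[strlen(cmd)] = '\0';`. The two other terminators added in this hunk (cmd and statcmd) are on real arrays and are correct.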
@@ -269,6 +276,13 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) } #endif send_syscheck_msg(alert_msg); +#ifdef LIBSODIUM_ENABLED +#ifdef DEBUG + if(file_sums->hash1) { + merror("DEBUG: file_sums->hash1: %s", file_sums->hash1); + } +#endif //DEBUG +#endif //LIBSODIUM_ENABLED } } From d0b0050f28217c63f8ae3d6a26685cd3c340ea40 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 14 Mar 2018 17:45:33 -0400 Subject: [PATCH 29/89] More sha256 work. Still lots of debug stuff. --- src/analysisd/decoders/syscheck.c | 5 +++ src/config/syscheck-config.c | 7 ++-- src/os_crypto/md5_sha1/md5_sha1_op.c | 2 ++ src/syscheckd/create_db.c | 53 ++++++++++++++++++++++------ src/syscheckd/run_check.c | 6 ++-- 5 files changed, 57 insertions(+), 16 deletions(-) diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c index 520de7c6f..42714c076 100644 --- a/src/analysisd/decoders/syscheck.c +++ b/src/analysisd/decoders/syscheck.c @@ -539,8 +539,13 @@ static int DB_Search(const char *f_name, const char *c_sum, Eventinfo *lf) if (!newsha1 || !oldsha1 || strcmp(newsha1, oldsha1) == 0) { sdb.sha1[0] = '\0'; } else { +#ifdef LIBSODIUM_ENABLED + snprintf(sdb.sha1, OS_FLSIZE, "Old sha256sum was: '%s'\n" + "New sha256sum is : '%s'\n", +#else //LIBSODIUM_ENABLED snprintf(sdb.sha1, OS_FLSIZE, "Old sha1sum was: '%s'\n" "New sha1sum is : '%s'\n", +#endif //LIBSODIUM_ENABLED oldsha1, newsha1); os_strdup(oldsha1, lf->sha1_before); os_strdup(newsha1, lf->sha1_after); diff --git a/src/config/syscheck-config.c b/src/config/syscheck-config.c index 1d8932268..3cf522bea 100644 --- a/src/config/syscheck-config.c +++ b/src/config/syscheck-config.c 
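Review bot: The `Old sha256sum was:` wording in DB_Search is selected by the server's own LIBSODIUM_ENABLED rather than by anything in the event, while the agent picks the algorithm by its build, so a server built differently from the agent labels a SHA-1 as SHA-256 or the reverse; lf->sha1_before/lf->sha1_after keep the old name regardless. The field width distinguishes them (40 hex characters for SHA-1, 64 for SHA-256), so until the message carries an explicit algorithm marker the label could be chosen by `strlen(newsha1) == 64` instead of a compile-time switch. At minimum, a comment at the `#ifdef` should state that agent and server must be built with the same option. DB_Search starts and ends outside this hunk.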
@@ -230,9 +230,7 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs /* Check all */ if (strcmp(*attrs, xml_check_all) == 0) { if (strcmp(*values, "yes") == 0) { -#ifdef LIBSODIUM_ENABLED - opts |= CHECK_SHA256SUM; -#else //LIBSODIUM_ENABLED +#ifndef LIBSODIUM_ENABLED opts |= CHECK_SHA1SUM; #endif //LIBSODIUM_ENABLED opts |= CHECK_MD5SUM; @@ -240,6 +238,9 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs opts |= CHECK_SIZE; opts |= CHECK_OWNER; opts |= CHECK_GROUP; +#ifdef LIBSODIUM_ENABLED + opts |= CHECK_SHA256SUM; +#endif //LIBSODIUM_ENABLED } else if (strcmp(*values, "no") == 0) { #ifdef LIBSODIUM_ENABLED opts &= ~ ( CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_PERM diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c index b8ddf963f..22191b9a9 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.c +++ b/src/os_crypto/md5_sha1/md5_sha1_op.c @@ -136,6 +136,8 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu MD5Init(&md5_ctx); snprintf(file_output->hash1, 4, "MD5="); file_output->hash1[4] = '\0'; + snprintf(file_output->hash2, 7, "SHA256="); + file_output->hash2[7] = '\0'; /* Update for each hash */ while ((n = fread(buf, 1, 2048, fp)) > 0) { diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index 35798dded..ec3161fbc 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c @@ -98,9 +98,9 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) /* No S_ISLNK on Windows */ #ifdef WIN32 if (S_ISREG(statbuf.st_mode)) -#else +#else //WIN32 if (S_ISREG(statbuf.st_mode) || S_ISLNK(statbuf.st_mode)) -#endif +#endif //WIN32 { os_md5 mf_sum; os_sha1 sf_sum; 
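Review bot: `snprintf(file_output->hash2, 7, "SHA256=");` in the md5_sha1_op.c hunk writes six characters plus a NUL, so hash2 begins with "SHA256" and the hex digest is appended with no '=', exactly as the `MD5=` line above it (size 4) yields "MD5"; the following `file_output->hash2[7] = '\0'` then only re-terminates one byte further on. Use the buffer's real size and let snprintf terminate: `snprintf(file_output->hash2, sizeof(file_output->hash2), "SHA256=");` with the manual terminator removed. The check_all hunk in syscheck-config.c now sets CHECK_SHA256SUM without CHECK_SHA1SUM in a libsodium build, which is consistent with the check_sum change but is worth one comment at the `#ifndef`.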
@@ -135,11 +135,24 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) /* XXX This is all weird */ if (S_ISLNK(statbuf.st_mode)) { + merror("QQQ1: link: %s", file_name); + + /* Get the file the link points to */ + char new_file_name[255]; + ssize_t rlret = readlink(file_name, new_file_name, 254); + if(rlret < 0) { + merror("Cannot find the file: %s", strerror(errno)); + } else { + new_file_name[sizeof(new_file_name) - 1] = '\0'; + merror("QQQ3: new_file_name: %s", new_file_name); + } + struct stat statbuf_lnk; - if (stat(file_name, &statbuf_lnk) == 0) { + if (stat(new_file_name, &statbuf_lnk) == 0) { if (S_ISREG(statbuf_lnk.st_mode)) { + merror("QQQ2: not link: %s", file_name); #ifdef LIBSODIUM_ENABLED - if(OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { + if(OS_Hash_File(new_file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { merror("AAA1"); strncpy(file_sums->md5output, "xxx", 4); strncpy(file_sums->sha256output, "xxx", 4); @@ -148,7 +161,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) } #else //LIBSODIUM_ENABLED - if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { + if (OS_MD5_SHA1_File(new_file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { strncpy(mf_sum, "xxx", 4); strncpy(sf_sum, "xxx", 4); } @@ -164,6 +177,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) #endif { + merror("AAA2"); strncpy(mf_sum, "xxx", 4); strncpy(sf_sum, "xxx", 4); } 
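Review bot: The readlink() handling in the first hunk is unsafe: readlink() does not NUL-terminate and the code terminates at `new_file_name[sizeof(new_file_name) - 1]` instead of at the returned length, so everything between the target and index 254 is uninitialised stack and the following stat()/hash run on a garbage-suffixed path; when readlink() fails, new_file_name is never written but is still passed to stat(). A relative link target is also resolved against the daemon's working directory rather than the link's directory. The minimal fix is `new_file_name[rlret] = '\0';` in the success branch and falling back to file_name (or returning) when rlret < 0; realpath(3) would cover the relative case as well, and this is presumably why the next commit marks the block "not working". Hashing the target rather than the link also means a monitored symlink can be repointed outside the watched tree, which deserves a comment whichever way it is decided. read_file continues outside these hunks.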
@@ -194,6 +208,16 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) } #endif + if(opts & CHECK_MD5SUM) { + merror("BBB1: MD5"); + } else { + merror("BBB1: NO MD5"); + } + if(opts & CHECK_SHA256SUM) { + merror("BBB1: SHA256"); + } else { + merror("BBB1: NO SHA256"); + } snprintf(alert_msg, 916, "%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s", opts & CHECK_SIZE ? '+' : '-', opts & CHECK_PERM ? '+' : '-', @@ -213,6 +237,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) opts & CHECK_SHA1SUM ? sf_sum : "xxx"); #endif //LIBSODIUM_ENABLED + if (OSHash_Add(syscheck.fp, file_name, strdup(alert_msg)) <= 0) { merror("%s: ERROR: Unable to add file to db: %s", ARGV0, file_name); } @@ -220,6 +245,16 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) /* Send the new checksum to the analysis server */ alert_msg[916] = '\0'; + if(opts & CHECK_MD5SUM) { + merror("BBB2: MD5"); + } else { + merror("BBB2: NO MD5"); + } + if(opts & CHECK_SHA256SUM) { + merror("BBB2: SHA256"); + } else { + merror("BBB2: NO SHA256"); + } snprintf(alert_msg, 916, "%ld:%d:%d:%d:%s:%s %s", opts & CHECK_SIZE ? (long)statbuf.st_size : 0, opts & CHECK_PERM ? (int)statbuf.st_mode : 0, @@ -236,9 +271,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) send_syscheck_msg(alert_msg); #ifdef LIBSODIUM_ENABLED #ifdef DEBUG - if(file_sums->hash1) { - merror("DEBUG: file_sums->hash1: %s", file_sums->hash1); - } + merror("DEBUG1: file_sums->hash1: %s", file_sums->hash1); #endif //DEBUG #endif //LIBSODIUM_ENABLED } else { @@ -277,11 +310,9 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) #endif send_syscheck_msg(alert_msg); #ifdef LIBSODIUM_ENABLED -#ifdef DEBUG if(file_sums->hash1) { - merror("DEBUG: file_sums->hash1: %s", file_sums->hash1); + merror("DEBUG2: file_sums->hash1: %s", file_sums->hash1); } -#endif //DEBUG #endif //LIBSODIUM_ENABLED } } 
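Review bot: The last hunk removes the `#ifdef DEBUG` guard around `merror("DEBUG2: file_sums->hash1: %s", file_sums->hash1);`, so every file processed in a libsodium build now logs its MD5 at error severity unconditionally, and `if(file_sums->hash1)` tests the address of an array member, which is always true. Restore the guard or drop the message; if it stays, `debug2("%s: DEBUG: hash1: %s", ARGV0, file_sums->hash1);` without the check matches the file's existing convention. The `BBB1`/`BBB2` blocks in the earlier hunks are the same kind of leftover. read_file starts and ends outside these hunks.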
diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index 0e80f33ba..4679fd505 100644 --- a/src/syscheckd/run_check.c +++ b/src/syscheckd/run_check.c @@ -393,6 +393,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) /* Generate checksums of the file */ #ifdef LIBSODIUM_ENABLED if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { + merror("AAA3"); strncpy(file_sums->md5output, "xxx", 4); strncpy(file_sums->sha256output, "xxx", 4); strncpy(file_sums->hash1, "xxx", 4); @@ -416,6 +417,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) /* Generate checksums of the file */ #ifdef LIBSODIUM_ENABLED if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { + merror("AAA4"); strncpy(file_sums->md5output, "xxx", 4); strncpy(file_sums->sha256output, "xxx", 4); strncpy(file_sums->hash1, "xxx", 4); @@ -442,8 +444,8 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) perm == 0 ? 0 : (int)statbuf.st_mode, owner == 0 ? 0 : (int)statbuf.st_uid, group == 0 ? 0 : (int)statbuf.st_gid, - md5sum == 0 ? "xxx" : mf_sum, - sha1sum == 0 ? "xxx" : sf_sum); + file_sums->md5output, + file_sums->sha256output); #else snprintf(newsum, 255, "%ld:%d:%d:%d:%s:%s", size == 0 ? 0 : (long)statbuf.st_size, From 69945bd52f8e5e28e532444774539a9e3e8e7f0f Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 14 Mar 2018 18:46:41 -0400 Subject: [PATCH 30/89] Remove some debugging. --- src/syscheckd/create_db.c | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index ec3161fbc..f0dbdd0d0 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c 
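Review bot: In the newsum snprintf of the last hunk the libsodium branch now writes `file_sums->md5output` and `file_sums->sha256output` unconditionally, dropping the `md5sum == 0 ? "xxx"` / `sha1sum == 0 ? "xxx"` gating that the #else branch keeps. When the stored sum has a hash disabled ("xxx" in that field) the new sum carries a real digest, so the comparison against oldsum that follows — outside this hunk, presumably a string compare — would report every such file as changed on every scan. Keep the gating: `md5sum == 0 ? "xxx" : file_sums->md5output, sha1sum == 0 ? "xxx" : file_sums->sha256output);`. Since sha1sum is the flag parsed from the old sum's sixth field, which in a libsodium build now holds SHA-256, a rename or a comment at its declaration would avoid confusion. c_read_file continues outside this hunk.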
@@ -135,25 +135,24 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) /* XXX This is all weird */ if (S_ISLNK(statbuf.st_mode)) { - merror("QQQ1: link: %s", file_name); /* Get the file the link points to */ + /* XXX not working char new_file_name[255]; ssize_t rlret = readlink(file_name, new_file_name, 254); if(rlret < 0) { merror("Cannot find the file: %s", strerror(errno)); } else { new_file_name[sizeof(new_file_name) - 1] = '\0'; - merror("QQQ3: new_file_name: %s", new_file_name); } + */ struct stat statbuf_lnk; - if (stat(new_file_name, &statbuf_lnk) == 0) { + //if (stat(new_file_name, &statbuf_lnk) == 0) { + if (stat(file_name, &statbuf_lnk) == 0) { if (S_ISREG(statbuf_lnk.st_mode)) { - merror("QQQ2: not link: %s", file_name); #ifdef LIBSODIUM_ENABLED - if(OS_Hash_File(new_file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { - merror("AAA1"); + if(OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { strncpy(file_sums->md5output, "xxx", 4); strncpy(file_sums->sha256output, "xxx", 4); strncpy(file_sums->hash1, "xxx", 4); @@ -161,7 +160,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) } #else //LIBSODIUM_ENABLED - if (OS_MD5_SHA1_File(new_file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { + if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { strncpy(mf_sum, "xxx", 4); strncpy(sf_sum, "xxx", 4); } @@ -177,7 +176,6 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) #endif { - merror("AAA2"); strncpy(mf_sum, "xxx", 4); strncpy(sf_sum, "xxx", 4); } 
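Review bot: The readlink block is kept as a `/* XXX not working ... */` comment plus a commented-out `//if (stat(new_file_name, &statbuf_lnk) == 0) {` line; dead code in comments goes stale and buries the `/* XXX This is all weird */` note above it. Remove it (git keeps the history) and state the intent in one line, e.g. `/* Symlinks are stat()ed and hashed through their target; resolving the target path is left for later. */`. The reason it did not work is that the previous commit terminated at index 254 instead of at readlink()'s return value, which is worth recording if the attempt is revisited. read_file continues outside these hunks.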
@@ -269,11 +267,6 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) #endif //LIBSODIUM_ENABLED file_name); send_syscheck_msg(alert_msg); -#ifdef LIBSODIUM_ENABLED -#ifdef DEBUG - merror("DEBUG1: file_sums->hash1: %s", file_sums->hash1); -#endif //DEBUG -#endif //LIBSODIUM_ENABLED } else { char alert_msg[OS_MAXSTR + 1]; char c_sum[256 + 2]; @@ -309,11 +302,6 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) } #endif send_syscheck_msg(alert_msg); -#ifdef LIBSODIUM_ENABLED - if(file_sums->hash1) { - merror("DEBUG2: file_sums->hash1: %s", file_sums->hash1); - } -#endif //LIBSODIUM_ENABLED } } From de708344b0d71c6d4e93d163700b67e250589938 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 14 Mar 2018 18:48:19 -0400 Subject: [PATCH 31/89] Get rid of some debug stuff. --- .gitignore | 1 + src/Makefile | 1 + src/config/syscheck-config.c | 1 - 3 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 7f577fc92..bf117285c 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,7 @@ .DS_Store *.dll *.exe +*.core # Auto generated build files src/LOCATION diff --git a/src/Makefile b/src/Makefile index b37120ee0..bc116b7f7 100644 --- a/src/Makefile +++ b/src/Makefile @@ -24,6 +24,7 @@ USE_PRELUDE?=no USE_ZEROMQ?=no USE_GEOIP?=no USE_INOTIFY=no +USE_SQLITE=no USE_LIBSODIUM=no ifneq (${TARGET},winagent) diff --git a/src/config/syscheck-config.c b/src/config/syscheck-config.c index 3cf522bea..68676746e 100644 --- a/src/config/syscheck-config.c +++ b/src/config/syscheck-config.c @@ -304,7 +304,6 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs else if(strncmp(*attrs, xml_check_sha256sum, 15) == 0) { if(strncmp(*values, "yes", 3) ==0) { opts |= CHECK_SHA256SUM; - merror("ZZZ sha256 set"); } else if(strncmp(*values, "no", 2) == 0) { opts &= ~ CHECK_SHA256SUM; } else { From 17470fd42dfc3ea0a30d72c9f4066e18a9ac318f Mon Sep 17 00:00:00 2001 
From: ddpbsd Date: Wed, 14 Mar 2018 18:53:53 -0400 Subject: [PATCH 32/89] More debugging --- src/syscheckd/create_db.c | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index f0dbdd0d0..f013bee08 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c @@ -206,16 +206,6 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) } #endif - if(opts & CHECK_MD5SUM) { - merror("BBB1: MD5"); - } else { - merror("BBB1: NO MD5"); - } - if(opts & CHECK_SHA256SUM) { - merror("BBB1: SHA256"); - } else { - merror("BBB1: NO SHA256"); - } snprintf(alert_msg, 916, "%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s", opts & CHECK_SIZE ? '+' : '-', opts & CHECK_PERM ? '+' : '-', @@ -243,16 +233,6 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) /* Send the new checksum to the analysis server */ alert_msg[916] = '\0'; - if(opts & CHECK_MD5SUM) { - merror("BBB2: MD5"); - } else { - merror("BBB2: NO MD5"); - } - if(opts & CHECK_SHA256SUM) { - merror("BBB2: SHA256"); - } else { - merror("BBB2: NO SHA256"); - } snprintf(alert_msg, 916, "%ld:%d:%d:%d:%s:%s %s", opts & CHECK_SIZE ? (long)statbuf.st_size : 0, opts & CHECK_PERM ? (int)statbuf.st_mode : 0, From 2d488e10feb7eb81d3fae8b445571e81e8b2bdf6 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Thu, 15 Mar 2018 07:54:50 -0400 Subject: [PATCH 33/89] Correctly deal with these variables. --- src/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Makefile b/src/Makefile index bc116b7f7..837375c15 100644 --- a/src/Makefile +++ b/src/Makefile @@ -24,8 +24,8 @@ USE_PRELUDE?=no USE_ZEROMQ?=no USE_GEOIP?=no USE_INOTIFY=no -USE_SQLITE=no -USE_LIBSODIUM=no +USE_SQLITE?=no +USE_LIBSODIUM?=no ifneq (${TARGET},winagent) USE_OPENSSL?=auto From 6fe831ad33e3a0e4c543444f357ab4cfefdfba8f Mon Sep 17 00:00:00 2001 
From: ddpbsd Date: Thu, 15 Mar 2018 07:57:11 -0400 Subject: [PATCH 34/89] Oops, I prefer -ggdb to -g, so I often change it and switch back before pushing. This one snuck through --- src/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Makefile b/src/Makefile index 837375c15..0d497437d 100644 --- a/src/Makefile +++ b/src/Makefile @@ -121,7 +121,7 @@ OSSEC_CFLAGS=${CFLAGS} #ANALYSISD_FLAGS="-lsqlite3" ifdef DEBUG - OSSEC_CFLAGS+=-ggdb + OSSEC_CFLAGS+=-g else OSSEC_CFLAGS+=-O2 endif #DEBUG From 40815a305508c15265fc5aeba117e5e6d4314994 Mon Sep 17 00:00:00 2001 From: ddp Date: Thu, 15 Mar 2018 13:08:21 -0400 Subject: [PATCH 35/89] Linux didn't like writing a variable to itself with snprintf, so complicate this a bit to make it work. --- src/os_crypto/md5_sha1/md5_sha1_op.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c index 22191b9a9..a81e10e52 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.c +++ b/src/os_crypto/md5_sha1/md5_sha1_op.c 
@@ -150,21 +150,28 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu crypto_hash_sha256_final(&sha256_state, sha256_digest); /* Set output for MD5 */ + char md5tmp[3], sha256tmp[3]; + for (n = 0; n < 16; n++) { if(n == 0) { snprintf(file_output->md5output, 3, "%02x", md5_digest[n]); } else { - snprintf(file_output->md5output, strnlen(file_output->md5output, 33) + 3, "%s%02x", file_output->md5output, md5_digest[n]); + snprintf(md5tmp, 3, "%02x", md5_digest[n]); + strncat(file_output->md5output, md5tmp, sizeof(file_output->md5output) - 1 - strlen(file_output->md5output)); } snprintf(file_output->hash1, strnlen(file_output->hash1, 37) + 3, "%s%02x", file_output->hash1, md5_digest[n]); } + /* Set output for SHA256 */ for (n = 0; n < crypto_hash_sha256_BYTES; n++) { if(n == 0) { snprintf(file_output->sha256output, 3, "%02x", sha256_digest[n]); } else { - snprintf(file_output->sha256output, strnlen(file_output->sha256output, 66) + 3, "%s%02x", file_output->sha256output, sha256_digest[n]); + //snprintf(file_output->sha256output, strnlen(file_output->sha256output, 66) + 3, "%s%02x", file_output->sha256output, sha256_digest[n]); + sha256tmp[0] = '\0'; + snprintf(sha256tmp, 3, "%02x", sha256_digest[n]); + strncat(file_output->sha256output, sha256tmp, sizeof(file_output->sha256output) - 1 - strlen(file_output->md5output)); } snprintf(file_output->hash2, strnlen(file_output->hash2, 66) + 3, "%s%02x", file_output->hash2, sha256_digest[n]); } From 8e5401cd41d5cd64eb636aacd52f815cb63b9ea9 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Thu, 15 Mar 2018 13:22:33 -0400 Subject: [PATCH 36/89] Spacing --- src/config/syscheck-config.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/config/syscheck-config.c b/src/config/syscheck-config.c index 68676746e..3cebafa8f 100644 --- a/src/config/syscheck-config.c +++ b/src/config/syscheck-config.c 
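Review bot: The `strncat` bound for `sha256output` subtracts `strlen(file_output->md5output)` instead of the sha256 string's own length (copy/paste; PATCH 49 later in this series corrects it), but the sizing underneath is what needs fixing: the field is declared `char sha256output[crypto_hash_sha256_BYTES]` in md5_sha1_op.h (32 bytes, visible as context in PATCH 52 and PATCH 58), whereas the hex form of a 32-byte digest needs 2*32+1 = 65. The `sizeof - 1 - strlen` bound keeps strncat in bounds, so this is not an overflow, but it silently stops after 31 hex digits and the stored "SHA-256" is a truncated digest that will never match what another tool reports for the same file; the `strnlen(..., 66)` in the removed line shows the 65-character capacity that was assumed. Declare it `char sha256output[crypto_hash_sha256_BYTES * 2 + 1];` and the whole loop collapses to `snprintf(file_output->sha256output + 2 * n, 3, "%02x", sha256_digest[n]);` with no first-iteration special case, no strncat and no `sha256tmp[0] = '\0'`. The `hash1`/`hash2` lines still pass the destination buffer as the `%s` source of the same snprintf, which is undefined for overlapping objects (removed in PATCH 38 and PATCH 50). OS_Hash_File() continues outside the hunk.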
@@ -866,7 +866,7 @@ char *syscheck_opts2str(char *buf, int buflen, int opts) { CHECK_SIZE, CHECK_OWNER, CHECK_GROUP, - CHECK_MD5SUM, + CHECK_MD5SUM, CHECK_SHA1SUM, CHECK_REALTIME, CHECK_SEECHANGES, @@ -880,7 +880,7 @@ char *syscheck_opts2str(char *buf, int buflen, int opts) { "size", "owner", "group", - "md5sum", + "md5sum", "sha1sum", "realtime", "report_changes", From 241817ef23701007ccdbd79aeb1aec75576eb78e Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Thu, 15 Mar 2018 13:45:24 -0400 Subject: [PATCH 37/89] Make sure sodium.h isn't added if we're not in LIBSODIUM_ENABLED --- src/os_crypto/md5_sha1/md5_sha1_op.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.h b/src/os_crypto/md5_sha1/md5_sha1_op.h index 489a0450e..c43fef9f8 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.h +++ b/src/os_crypto/md5_sha1/md5_sha1_op.h @@ -10,7 +10,10 @@ #ifndef __MD5SHA1_OP_H #define __MD5SHA1_OP_H +#ifdef LIBSODIUM_ENABLED #include +#endif //LIBSODIUM_ENABLED + #include "../md5/md5_op.h" #include "../sha1/sha1_op.h" From c323f46cc7253a8444cb0d255387564f714ac480 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Thu, 15 Mar 2018 13:51:35 -0400 Subject: [PATCH 38/89] Disable these for now. The idea isn't fully fleshed out yet. --- src/os_crypto/md5_sha1/md5_sha1_op.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c index a81e10e52..441c537de 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.c +++ b/src/os_crypto/md5_sha1/md5_sha1_op.c 
@@ -159,7 +159,7 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu snprintf(md5tmp, 3, "%02x", md5_digest[n]); strncat(file_output->md5output, md5tmp, sizeof(file_output->md5output) - 1 - strlen(file_output->md5output)); } - snprintf(file_output->hash1, strnlen(file_output->hash1, 37) + 3, "%s%02x", file_output->hash1, md5_digest[n]); + //snprintf(file_output->hash1, strnlen(file_output->hash1, 37) + 3, "%s%02x", file_output->hash1, md5_digest[n]); } @@ -173,7 +173,7 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu snprintf(sha256tmp, 3, "%02x", sha256_digest[n]); strncat(file_output->sha256output, sha256tmp, sizeof(file_output->sha256output) - 1 - strlen(file_output->md5output)); } - snprintf(file_output->hash2, strnlen(file_output->hash2, 66) + 3, "%s%02x", file_output->hash2, sha256_digest[n]); + //snprintf(file_output->hash2, strnlen(file_output->hash2, 66) + 3, "%s%02x", file_output->hash2, sha256_digest[n]); } /* Close it */ From d1ca9f392e26887f9de7841fb4fc6d053d7d301d Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Fri, 23 Mar 2018 07:10:28 -0400 Subject: [PATCH 39/89] Try to do tests for libsodium and sqlite --- .travis.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index bbba33010..3bbf013b8 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,6 +15,7 @@ env: - DB=none OSSEC_TYPE=server GEOIP=no - DB=none OSSEC_TYPE=server PRELUDE=yes ZEROMQ=yes - DB=none OSSEC_TYPE=server ZLIB_SYSTEM=yes LUA_ENABLE=no +- DB=none OSSEC_TYPE=server USE_SQLITE=yes USE_LIBSODIUM=yes - DB=none OSSEC_TYPE=local GEOIP=no - DB=none OSSEC_TYPE=hybrid GEOIP=no - DB=none OSSEC_TYPE=agent GEOIP=no 
@@ -48,7 +49,8 @@ before_script: && ./configure && make all -j && sudo make install ); fi - if [[ "${OSSEC_TYPE}" == "winagent" ]]; then ( sudo apt-get install aptitude && sudo aptitude -y install mingw-w64 nsis ); fi -- if [[ "${OSSEC_TYPE}" == "server" ]]; then ( sudo apt-get install libsqlite3-dev sqlite3 ); fi +- if [[ "${USE_SQLITE}" == "yes" ]]; then ( sudo apt-get install libsqlite3-dev sqlite3 ); fi +- if [[ "${USE_LIBSODIUM}" == "yes" ]]; then ( sudo apt-get install libsodium-dev libsodium ); fi - if [[ "${OSSEC_TYPE}" == "test" ]]; then ( sudo apt-get update && sudo apt-get install check valgrind ); fi From 54b5df19b19f835e994986201f0fcda8cb039777 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 11 Apr 2018 08:08:49 -0400 Subject: [PATCH 40/89] CID 166736: Ignoring number of bytes read CID 166735: String not null terminated --- src/shared/file_op.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/shared/file_op.c b/src/shared/file_op.c index 7ac264810..b4e85ea2e 100644 --- a/src/shared/file_op.c +++ b/src/shared/file_op.c @@ -366,6 +366,7 @@ char *GetRandomNoise() { FILE *fp; char buf[2048 + 1]; + int frr = 0; /* Reading urandom */ fp = fopen("/dev/urandom", "r"); @@ -374,8 +375,18 @@ char *GetRandomNoise() return(NULL); } + frr = fread(buf, 1, 2048, fp); + if(frr == 0) { + if(errno == EOVERFLOW) { + merror("ERROR: GetRandomNoise() fread() overflow."); // XXX + return(NULL); + } else { + merror("ERROR: GetRandomNoise() fread() returned 0."); + return(NULL); + } + } + buf[2048] = '\0'; - fread(buf, 1, 2048, fp); return(strdup(buf)); } From 1df3fb79bd6141a068866d62d5c021004cede775 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 11 Apr 2018 08:10:03 -0400 Subject: [PATCH 41/89] CID 153424: Buffer not null terminated --- src/analysisd/decoders/syscheck.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c index 0333b8daa..ddda970d8 100644 
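Review bot: A short read is accepted silently: `frr` is only compared with 0, while `buf[2048] = '\0'` terminates at the end of the buffer whatever fread() returned, so `strdup(buf)` can read bytes fread() never wrote; terminate at the read length with `buf[frr] = '\0';` (and declare `frr` as `size_t` to match fread()). `errno == EOVERFLOW` after fread() is not a reliable test — fread() signals failure through `ferror(fp)`, and errno is only whatever the underlying read() happened to leave — so branch on `ferror(fp)` instead. Because the result is returned as a C string, the noise is also cut at the first zero byte read from /dev/urandom, so callers get far fewer than 2048 bytes on average and occasionally an empty string; that is the existing contract, but it deserves a comment on the function. The new error paths return without fclose(fp); PATCH 45 and PATCH 51 later in this series add those. GetRandomNoise() spans both hunks and the lines between them are outside the view.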
--- a/src/analysisd/decoders/syscheck.c +++ b/src/analysisd/decoders/syscheck.c @@ -491,7 +491,9 @@ static int DB_Search(const char *f_name, const char *c_sum, Eventinfo *lf) char npstr[10]; strncpy(opstr, agent_file_perm(c_oldperm), sizeof(opstr)); + opstr[9] = '\0'; strncpy(npstr, agent_file_perm(c_newperm), sizeof(npstr)); + npstr[9] = '\0'; snprintf(sdb.perm, OS_FLSIZE, "Permissions changed from " "'%9.9s' to '%9.9s'\n", opstr, npstr); From 01a28e7ae75be9d557b921412574488dc8e8fc18 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 11 Apr 2018 08:30:52 -0400 Subject: [PATCH 42/89] CID 28500: Resource leak --- src/analysisd/rules.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/analysisd/rules.c b/src/analysisd/rules.c index 27d0023b1..e06d8bf66 100644 --- a/src/analysisd/rules.c +++ b/src/analysisd/rules.c @@ -183,6 +183,7 @@ int Rules_OP_ReadRules(const char *rulefile) merror("rules_op: Invalid root element \"%s\"." "Only \"group\" is allowed", node[i]->element); OS_ClearXML(&xml); + free(node); return (-1); } if ((!node[i]->attributes) || (!node[i]->values) || @@ -192,11 +193,13 @@ int Rules_OP_ReadRules(const char *rulefile) merror("rules_op: Invalid root element '%s'." "Only the group name is allowed", node[i]->element); OS_ClearXML(&xml); + free(node); return (-1); } } else { merror(XML_READ_ERROR, ARGV0); OS_ClearXML(&xml); + free(node); return (-1); } i++; From 53c586c9a80426e305fa2e270714782983745db2 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 11 Apr 2018 08:33:12 -0400 Subject: [PATCH 43/89] CID 28511: Resource leak --- src/shared/report_op.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/shared/report_op.c b/src/shared/report_op.c index fa0f93aae..973d8d6f5 100644 --- a/src/shared/report_op.c +++ b/src/shared/report_op.c @@ -533,6 +533,7 @@ void os_ReportdStart(report_filter *r_filter) al_data); } } + free(mgroup); } /* Add to the location top filter */ From a451d8e9b87183ad54ae90852237f4aab53a1c26 Mon Sep 17 00:00:00 2001 
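Review bot: `opstr[9] = '\0';` and `npstr[9] = '\0';` hard-code the array length a second time; `opstr[sizeof(opstr) - 1] = '\0';` keeps the two in step, or drop the strncpy/terminate pair for `snprintf(opstr, sizeof(opstr), "%s", agent_file_perm(c_oldperm));`, which always terminates. The `'%9.9s'` precision in the following snprintf already bounds the read, so the termination is defence in depth rather than a live overflow. DB_Search() begins and ends outside the hunk.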
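Review bot: `free(node)` releases only the pointer array; if `node` comes from the XML helper that allocates each element (the normal path in this codebase appears to release it with OS_ClearNode(), which frees the elements before the array — not visible in the hunk, so worth confirming), the three new lines still leak every element and its strings. Three identical `OS_ClearXML(&xml); free(node); return (-1);` sequences also argue for a single cleanup label reached by `goto fail;`, so the next error path cannot forget one of the steps. Rules_OP_ReadRules() begins and ends outside the hunk.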
From: ddpbsd Date: Tue, 17 Apr 2018 14:22:36 -0400 Subject: [PATCH 44/89] spaces -> tabs --- src/analysisd/decoders/syscheck.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c index ddda970d8..8c85e3be1 100644 --- a/src/analysisd/decoders/syscheck.c +++ b/src/analysisd/decoders/syscheck.c @@ -491,9 +491,9 @@ static int DB_Search(const char *f_name, const char *c_sum, Eventinfo *lf) char npstr[10]; strncpy(opstr, agent_file_perm(c_oldperm), sizeof(opstr)); - opstr[9] = '\0'; + opstr[9] = '\0'; strncpy(npstr, agent_file_perm(c_newperm), sizeof(npstr)); - npstr[9] = '\0'; + npstr[9] = '\0'; snprintf(sdb.perm, OS_FLSIZE, "Permissions changed from " "'%9.9s' to '%9.9s'\n", opstr, npstr); From 4f044a3e670512e08212d1b7eab26049bcea0200 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Mon, 30 Apr 2018 11:28:09 -0400 Subject: [PATCH 45/89] Close fp before leaving GetRandomNoise() Spotted by Codacy --- src/shared/file_op.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/shared/file_op.c b/src/shared/file_op.c index b4e85ea2e..1ecb42a34 100644 --- a/src/shared/file_op.c +++ b/src/shared/file_op.c @@ -379,6 +379,7 @@ char *GetRandomNoise() if(frr == 0) { if(errno == EOVERFLOW) { merror("ERROR: GetRandomNoise() fread() overflow."); // XXX + fclose(fp); return(NULL); } else { merror("ERROR: GetRandomNoise() fread() returned 0."); @@ -387,6 +388,7 @@ char *GetRandomNoise() } buf[2048] = '\0'; + fclose(fp); return(strdup(buf)); } From e16624bb5fa6d10f5bc9b4008abc95b11ab8ce85 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Mon, 30 Apr 2018 11:30:50 -0400 Subject: [PATCH 46/89] Clarify calculation precedence for '&' and '?'. From codacy. More to come if this seems to work. --- src/syscheckd/create_db.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index f013bee08..29d243e89 100644 --- a/src/syscheckd/create_db.c 
+++ b/src/syscheckd/create_db.c @@ -218,11 +218,11 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) opts & CHECK_OWNER ? (int)statbuf.st_uid : 0, opts & CHECK_GROUP ? (int)statbuf.st_gid : 0, #ifdef LIBSODIUM_ENABLED - opts & CHECK_MD5SUM ? file_sums->md5output : "xxx", - opts & CHECK_SHA256SUM ? file_sums->sha256output : "xxx"); + (opts & CHECK_MD5SUM) ? file_sums->md5output : "xxx", + (opts & CHECK_SHA256SUM) ? file_sums->sha256output : "xxx"); #else //LIBSODIUM_ENABLED - opts & CHECK_MD5SUM ? mf_sum : "xxx", - opts & CHECK_SHA1SUM ? sf_sum : "xxx"); + (opts & CHECK_MD5SUM) ? mf_sum : "xxx", + (opts & CHECK_SHA1SUM) ? sf_sum : "xxx"); #endif //LIBSODIUM_ENABLED From e98f71c1ca185a95a85bc1aec9807e18b49acc6a Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Mon, 30 Apr 2018 14:40:18 -0400 Subject: [PATCH 47/89] The rest of the "Clarify calculation precedence for '&' and '?'" commit. From codacy. --- src/syscheckd/create_db.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index 29d243e89..55cb7b8d1 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c 
@@ -207,16 +207,16 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) #endif snprintf(alert_msg, 916, "%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s", - opts & CHECK_SIZE ? '+' : '-', - opts & CHECK_PERM ? '+' : '-', - opts & CHECK_OWNER ? '+' : '-', - opts & CHECK_GROUP ? '+' : '-', - opts & CHECK_MD5SUM ? '+' : '-', + (opts & CHECK_SIZE) ? '+' : '-', + (opts & CHECK_PERM) ? '+' : '-', + (opts & CHECK_OWNER) ? '+' : '-', + (opts & CHECK_GROUP) ? '+' : '-', + (opts & CHECK_MD5SUM) ? '+' : '-', sha1s, - opts & CHECK_SIZE ? (long)statbuf.st_size : 0, - opts & CHECK_PERM ? (int)statbuf.st_mode : 0, - opts & CHECK_OWNER ? (int)statbuf.st_uid : 0, - opts & CHECK_GROUP ? (int)statbuf.st_gid : 0, + (opts & CHECK_SIZE) ? (long)statbuf.st_size : 0, + (opts & CHECK_PERM) ? (int)statbuf.st_mode : 0, + (opts & CHECK_OWNER) ? (int)statbuf.st_uid : 0, + (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, #ifdef LIBSODIUM_ENABLED (opts & CHECK_MD5SUM) ? file_sums->md5output : "xxx", (opts & CHECK_SHA256SUM) ? file_sums->sha256output : "xxx"); 
@@ -234,16 +234,16 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) alert_msg[916] = '\0'; snprintf(alert_msg, 916, "%ld:%d:%d:%d:%s:%s %s", - opts & CHECK_SIZE ? (long)statbuf.st_size : 0, - opts & CHECK_PERM ? (int)statbuf.st_mode : 0, - opts & CHECK_OWNER ? (int)statbuf.st_uid : 0, - opts & CHECK_GROUP ? (int)statbuf.st_gid : 0, + (opts & CHECK_SIZE) ? (long)statbuf.st_size : 0, + (opts & CHECK_PERM) ? (int)statbuf.st_mode : 0, + (opts & CHECK_OWNER) ? (int)statbuf.st_uid : 0, + (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, #ifdef LIBSODIUM_ENABLED - opts & CHECK_MD5SUM ? file_sums->md5output : "xxx", - opts & CHECK_SHA256SUM ? file_sums->sha256output : "xxx", + (opts & CHECK_MD5SUM) ? file_sums->md5output : "xxx", + (opts & CHECK_SHA256SUM) ? file_sums->sha256output : "xxx", #else //LIBSODIUM_ENABLED - opts & CHECK_MD5SUM ? mf_sum : "xxx", - opts & CHECK_SHA1SUM ? sf_sum : "xxx", + (opts & CHECK_MD5SUM) ? mf_sum : "xxx", + (opts & CHECK_SHA1SUM) ? sf_sum : "xxx", #endif //LIBSODIUM_ENABLED file_name); send_syscheck_msg(alert_msg); From 02ff1ba1deaa97506b73805b0b2dddd210d8cb62 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Tue, 1 May 2018 09:48:13 -0400 Subject: [PATCH 48/89] No libsodium-dev or libsodium in Trusty? There's a ppa for that! --- .travis.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 3bbf013b8..5be2d1c5a 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -50,7 +50,9 @@ before_script: ); fi - if [[ "${OSSEC_TYPE}" == "winagent" ]]; then ( sudo apt-get install aptitude && sudo aptitude -y install mingw-w64 nsis ); fi - if [[ "${USE_SQLITE}" == "yes" ]]; then ( sudo apt-get install libsqlite3-dev sqlite3 ); fi -- if [[ "${USE_LIBSODIUM}" == "yes" ]]; then ( sudo apt-get install libsodium-dev libsodium ); fi +- if [[ "${USE_LIBSODIUM}" == "yes" ]]; then ( sudo add-apt-repository ppa:chris-lea/libsodium + && sudo apt-get install libsodium-dev libsodium + ); fi - if [[ "${OSSEC_TYPE}" == "test" ]]; then ( sudo apt-get update && sudo apt-get install check valgrind ); fi From 274b56b7c3ad10e5501cb712fbf98a5a27812b08 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Fri, 25 May 2018 09:13:51 -0400 Subject: [PATCH 49/89] md5->sha256 --- src/os_crypto/md5_sha1/md5_sha1_op.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c index 441c537de..d44437e79 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.c +++ b/src/os_crypto/md5_sha1/md5_sha1_op.c @@ -171,7 +171,7 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu //snprintf(file_output->sha256output, strnlen(file_output->sha256output, 66) + 3, "%s%02x", file_output->sha256output, sha256_digest[n]); sha256tmp[0] = '\0'; snprintf(sha256tmp, 3, "%02x", sha256_digest[n]); - strncat(file_output->sha256output, sha256tmp, sizeof(file_output->sha256output) - 1 - strlen(file_output->md5output)); + strncat(file_output->sha256output, sha256tmp, sizeof(file_output->sha256output) - 1 - strlen(file_output->sha256output)); } //snprintf(file_output->hash2, strnlen(file_output->hash2, 66) + 3, "%s%02x", file_output->hash2, sha256_digest[n]); } From 7990e9ee0945290e39fbcc9c1939774f19ad515d Mon Sep 17 00:00:00 2001 
From: ddpbsd Date: Fri, 25 May 2018 09:14:40 -0400 Subject: [PATCH 50/89] Get rid of hash1 and hash2. Bad idea. --- src/os_crypto/md5_sha1/md5_sha1_op.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c index d44437e79..5434d7783 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.c +++ b/src/os_crypto/md5_sha1/md5_sha1_op.c @@ -134,10 +134,6 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu /* Initialize both hashes */ MD5Init(&md5_ctx); - snprintf(file_output->hash1, 4, "MD5="); - file_output->hash1[4] = '\0'; - snprintf(file_output->hash2, 7, "SHA256="); - file_output->hash2[7] = '\0'; /* Update for each hash */ while ((n = fread(buf, 1, 2048, fp)) > 0) { @@ -159,7 +155,6 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu snprintf(md5tmp, 3, "%02x", md5_digest[n]); strncat(file_output->md5output, md5tmp, sizeof(file_output->md5output) - 1 - strlen(file_output->md5output)); } - //snprintf(file_output->hash1, strnlen(file_output->hash1, 37) + 3, "%s%02x", file_output->hash1, md5_digest[n]); } @@ -173,7 +168,6 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu snprintf(sha256tmp, 3, "%02x", sha256_digest[n]); strncat(file_output->sha256output, sha256tmp, sizeof(file_output->sha256output) - 1 - strlen(file_output->sha256output)); } - //snprintf(file_output->hash2, strnlen(file_output->hash2, 66) + 3, "%s%02x", file_output->hash2, sha256_digest[n]); } /* Close it */ From 7a9f8a87a521e94f60564f248ed66f0b026bd9b2 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 30 May 2018 13:07:23 -0400 Subject: [PATCH 51/89] From codacy --- src/shared/file_op.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/shared/file_op.c b/src/shared/file_op.c index 1ecb42a34..6242fa8c0 100644 --- a/src/shared/file_op.c +++ b/src/shared/file_op.c 
@@ -383,6 +383,7 @@ char *GetRandomNoise() return(NULL); } else { merror("ERROR: GetRandomNoise() fread() returned 0."); + fclose(fp); return(NULL); } } From fc54a34e249e75e132ec3125309692b9e82d2f2a Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Thu, 31 May 2018 09:53:14 -0400 Subject: [PATCH 52/89] Get rid of hash1, hash2. Introduce the blake2b hash output --- src/os_crypto/md5_sha1/md5_sha1_op.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.h b/src/os_crypto/md5_sha1/md5_sha1_op.h index c43fef9f8..fabca7a4b 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.h +++ b/src/os_crypto/md5_sha1/md5_sha1_op.h @@ -25,9 +25,9 @@ int OS_MD5_SHA1_File(const char *fname, const char *prefilter_cmd, os_md5 md5out struct hash_output { os_md5 md5output; + os_sha1 sha1output; + char blake2boutput[crypto_generichash_BYTES]; char sha256output[crypto_hash_sha256_BYTES]; - char hash1[523]; - char hash2[523]; }; int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_output *file_output, int mode); From cd7831cbc393f1e01b644ca3fa5caf25d57c2904 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Tue, 5 Jun 2018 16:54:36 -0400 Subject: [PATCH 53/89] Adjust --- src/os_crypto/md5_sha1/md5_sha1_op.h | 2 +- src/syscheckd/run_check.c | 6 ------ 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.h b/src/os_crypto/md5_sha1/md5_sha1_op.h index fabca7a4b..6344ec034 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.h +++ b/src/os_crypto/md5_sha1/md5_sha1_op.h @@ -26,7 +26,7 @@ int OS_MD5_SHA1_File(const char *fname, const char *prefilter_cmd, os_md5 md5out struct hash_output { os_md5 md5output; os_sha1 sha1output; - char blake2boutput[crypto_generichash_BYTES]; + char blake2boutput[130]; char sha256output[crypto_hash_sha256_BYTES]; }; diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index a76a51300..3a9b73cec 100644 --- a/src/syscheckd/run_check.c 
+++ b/src/syscheckd/run_check.c @@ -328,8 +328,6 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) /* Clean sums */ strncpy(file_sums->md5output, "xxx", 4); strncpy(file_sums->sha256output, "xxx", 4); - strncpy(file_sums->hash1, "xxx", 4); - strncpy(file_sums->hash2, "xxx", 4); #endif /* Clean sums */ @@ -400,8 +398,6 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) merror("AAA3"); strncpy(file_sums->md5output, "xxx", 4); strncpy(file_sums->sha256output, "xxx", 4); - strncpy(file_sums->hash1, "xxx", 4); - strncpy(file_sums->hash2, "xxx", 4); } #else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { @@ -424,8 +420,6 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) merror("AAA4"); strncpy(file_sums->md5output, "xxx", 4); strncpy(file_sums->sha256output, "xxx", 4); - strncpy(file_sums->hash1, "xxx", 4); - strncpy(file_sums->hash2, "xxx", 4); } #else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { From 6dfc1113c22ba6937f7361495507342d8e31e658 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 6 Jun 2018 07:49:48 -0400 Subject: [PATCH 54/89] Force add the libsodium repository --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 5be2d1c5a..f09d744ea 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -50,7 +50,7 @@ before_script: ); fi - if [[ "${OSSEC_TYPE}" == "winagent" ]]; then ( sudo apt-get install aptitude && sudo aptitude -y install mingw-w64 nsis ); fi - if [[ "${USE_SQLITE}" == "yes" ]]; then ( sudo apt-get install libsqlite3-dev sqlite3 ); fi -- if [[ "${USE_LIBSODIUM}" == "yes" ]]; then ( sudo add-apt-repository ppa:chris-lea/libsodium +- if [[ "${USE_LIBSODIUM}" == "yes" ]]; then ( sudo add-apt-repository -y ppa:chris-lea/libsodium && sudo apt-get install libsodium-dev libsodium ); fi - if [[ "${OSSEC_TYPE}" == "test" ]]; then ( sudo apt-get update && sudo apt-get install check valgrind ); fi From 827a62ae8636029d838a6e92a2ae492a2e818b54 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 6 Jun 2018 08:39:01 -0400 Subject: [PATCH 55/89] I'll get this right eventually. --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index f09d744ea..f5d2b95b9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -50,7 +50,7 @@ before_script: ); fi - if [[ "${OSSEC_TYPE}" == "winagent" ]]; then ( sudo apt-get install aptitude && sudo aptitude -y install mingw-w64 nsis ); fi - if [[ "${USE_SQLITE}" == "yes" ]]; then ( sudo apt-get install libsqlite3-dev sqlite3 ); fi -- if [[ "${USE_LIBSODIUM}" == "yes" ]]; then ( sudo add-apt-repository -y ppa:chris-lea/libsodium +- if [[ "${USE_LIBSODIUM}" == "yes" ]]; then ( sudo add-apt-repository -y ppa:chris-lea/libsodium && sudo apt-get update && sudo apt-get install libsodium-dev libsodium ); fi - if [[ "${OSSEC_TYPE}" == "test" ]]; then ( sudo apt-get update && sudo apt-get install check valgrind ); fi From a157c31fe436b0ab83e89a52132a77cc0dfb26e8 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 6 Jun 2018 08:52:55 -0400 Subject: [PATCH 56/89] Try this again. --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index f5d2b95b9..cb7feb3ef 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -51,7 +51,7 @@ before_script: - if [[ "${OSSEC_TYPE}" == "winagent" ]]; then ( sudo apt-get install aptitude && sudo aptitude -y install mingw-w64 nsis ); fi - if [[ "${USE_SQLITE}" == "yes" ]]; then ( sudo apt-get install libsqlite3-dev sqlite3 ); fi - if [[ "${USE_LIBSODIUM}" == "yes" ]]; then ( sudo add-apt-repository -y ppa:chris-lea/libsodium && sudo apt-get update - && sudo apt-get install libsodium-dev libsodium + && sudo apt-get install libsodium-dev libsodium13 ); fi - if [[ "${OSSEC_TYPE}" == "test" ]]; then ( sudo apt-get update && sudo apt-get install check valgrind ); fi From db2c5b76e10a7353d391326970aaa421cf5b84ac Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 6 Jun 2018 15:01:54 -0400 Subject: [PATCH 57/89] Makes testing easier --- src/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Makefile b/src/Makefile index 2e8ccd2bd..518abea9a 100644 --- a/src/Makefile +++ b/src/Makefile @@ -25,7 +25,7 @@ USE_ZEROMQ?=no USE_GEOIP?=no USE_INOTIFY=no USE_SQLITE?=no -USE_LIBSODIUM?=no +USE_LIBSODIUM?=yes ifneq (${TARGET},winagent) USE_OPENSSL?=auto From e8d7873953c6f435bc7e78446ff3257bd585dff0 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Fri, 8 Jun 2018 07:55:00 -0400 Subject: [PATCH 58/89] Don't mention blake2b in case libsodium changes their generic algorithm. Make room for the libsodium generic hash algorithm. Make it easier to see which hashes will be checked. --- src/os_crypto/md5_sha1/md5_sha1_op.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.h b/src/os_crypto/md5_sha1/md5_sha1_op.h index 6344ec034..7eb8de891 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.h +++ b/src/os_crypto/md5_sha1/md5_sha1_op.h 
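Review bot: `USE_LIBSODIUM?=yes` turns an experimental option into the default for every plain `make`, so a build host without libsodium now fails to build and every agent built with default settings switches to the LIBSODIUM_ENABLED code paths, whose checksum output differs from the non-sodium branch (see the run_check.c and create_db.c hunks earlier in the series). "Makes testing easier" is better served by the CI environment, where PATCH 39 already sets `USE_LIBSODIUM=yes` in .travis.yml, or by `make USE_LIBSODIUM=yes` on the command line; keep `USE_LIBSODIUM?=no` here until the feature is meant to be on for everyone.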
@@ -24,9 +24,16 @@ int OS_MD5_SHA1_File(const char *fname, const char *prefilter_cmd, os_md5 md5out #ifdef LIBSODIUM_ENABLED struct hash_output { + // What are we looking for? + int check_md5; + int check_sha1; + int check_sha256; + int check_generic; + + // Here's where we put it. os_md5 md5output; os_sha1 sha1output; - char blake2boutput[130]; + char genericoutput[130]; char sha256output[crypto_hash_sha256_BYTES]; }; From b2923f65c4b0b92971f99946eb6fab939af06561 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Fri, 8 Jun 2018 11:46:14 -0400 Subject: [PATCH 59/89] Add libsodium's generichash (blake2b right now) --- src/config/syscheck-config.h | 1 + src/os_crypto/md5_sha1/md5_sha1_op.c | 111 ++++++++++++++++++++------- src/syscheckd/create_db.c | 71 +++++++++++++++-- 3 files changed, 147 insertions(+), 36 deletions(-) diff --git a/src/config/syscheck-config.h b/src/config/syscheck-config.h index e8fbb951f..3d84a2577 100644 --- a/src/config/syscheck-config.h +++ b/src/config/syscheck-config.h @@ -24,6 +24,7 @@ #define CHECK_REALTIME 0000100 #define CHECK_SEECHANGES 0000200 #define CHECK_SHA256SUM 0000400 +#define CHECK_GENERIC 0001000 #include diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c index 5434d7783..e7ae89e6d 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.c +++ b/src/os_crypto/md5_sha1/md5_sha1_op.c 
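Review bot: The two new comments (`// What are we looking for?` and `// Here's where we put it.`) do not say who sets the `check_*` fields or what the output fields hold, and this struct is the contract between the syscheckd callers and OS_Hash_File(), so spell it out: `/* Inputs: set by the caller before OS_Hash_File(); non-zero selects that algorithm. */` above the four ints and `/* Outputs: NUL-terminated lowercase hex strings, written only for the selected algorithms. */` above the buffers. The "written only for the selected algorithms" part matches what PATCH 59's OS_Hash_File() does for the first digest byte; whether unselected fields are cleared or left untouched is not visible, so confirm before committing that wording. A sizing comment on `genericoutput[130]` (a 64-byte digest in hex plus NUL) would also make the mismatch with the 32-byte `sha256output` obvious (raised on PATCH 35).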
@@ -100,16 +100,37 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu FILE *fp; unsigned char buf[2048 + 2]; unsigned char md5_digest[16]; + unsigned char sha1_digest[SHA_DIGEST_LENGTH]; + unsigned char generic_digest[crypto_generichash_BYTES_MAX]; + unsigned char sha256_digest[crypto_hash_sha256_BYTES]; + /* Declare and init the hashes */ MD5_CTX md5_ctx; + if(file_output->check_md5) { + MD5Init(&md5_ctx); + } - /* Initialize libsodium */ - unsigned char sha256_digest[crypto_hash_sha256_BYTES]; - if(sodium_init() < 0) { - exit(errno); // XXX - doesn't seem right + SHA_CTX sha1_ctx; + if(file_output->check_sha1) { + SHA1_Init(&sha1_ctx); } + crypto_hash_sha256_state sha256_state; - crypto_hash_sha256_init(&sha256_state); + crypto_generichash_state generic_state; + + /* Initialize libsodium */ + if((file_output->check_sha256 > 0) || (file_output->check_generic) > 0) { + if(sodium_init() < 0) { + exit(errno); // XXX - doesn't seem right + } + } + if(file_output->check_sha256) { + crypto_hash_sha256_init(&sha256_state); + } + + if(file_output->check_generic) { + crypto_generichash_init(&generic_state, NULL, 0, sizeof(generic_digest)); + } buf[2048 + 1] = '\0'; 
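Review bot: A sodium_init() failure in the new initialisation block still calls exit(errno), which terminates the whole syscheck process from inside a hashing helper, and sodium_init() is not documented to set errno, so the exit status is whatever an earlier call left behind. The callers visible on this page treat a negative return from OS_Hash_File as "could not hash" and substitute "xxx", so returning is enough: `if (sodium_init() < 0) { return -1; }` (as far as these hunks show, fp is opened after this point, so nothing needs releasing). Minor: `(file_output->check_generic) > 0` parenthesises the field rather than the comparison; `if (file_output->check_sha256 || file_output->check_generic)` reads cleaner. OS_Hash_File starts and ends outside the hunk.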
@@ -132,44 +153,78 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu } } - /* Initialize both hashes */ - MD5Init(&md5_ctx); - /* Update for each hash */ while ((n = fread(buf, 1, 2048, fp)) > 0) { buf[n] = '\0'; - MD5Update(&md5_ctx, buf, (unsigned)n); - crypto_hash_sha256_update(&sha256_state, buf, n); + if(file_output->check_md5) { + MD5Update(&md5_ctx, buf, (unsigned)n); + } + if(file_output->check_sha256) { + crypto_hash_sha256_update(&sha256_state, buf, n); + } + if(file_output->check_sha1) { + SHA1_Update(&sha1_ctx, buf, n); + } + if(file_output->check_generic) { + crypto_generichash_update(&generic_state, buf, n); + } } - MD5Final(md5_digest, &md5_ctx); - crypto_hash_sha256_final(&sha256_state, sha256_digest); + if(file_output->check_md5) { + MD5Final(md5_digest, &md5_ctx); + } + if(file_output->check_sha256) { + crypto_hash_sha256_final(&sha256_state, sha256_digest); + } + if(file_output->check_sha1) { + SHA1_Final(&(sha1_digest[0]), &sha1_ctx); + } + if(file_output->check_generic) { + crypto_generichash_final(&generic_state, generic_digest, crypto_generichash_BYTES_MAX); + } /* Set output for MD5 */ - char md5tmp[3], sha256tmp[3]; + char hashtmp[3]; for (n = 0; n < 16; n++) { if(n == 0) { - snprintf(file_output->md5output, 3, "%02x", md5_digest[n]); + if(file_output->check_md5) { + snprintf(file_output->md5output, 3, "%02x", md5_digest[n]); + } + if(file_output->check_sha256) { + snprintf(file_output->sha256output, 3, "%02x", sha256_digest[n]); + } + if(file_output->check_sha1) { + snprintf(file_output->sha1output, 3, "%02x", sha1_digest[n]); + } + if(file_output->check_generic) { + snprintf(file_output->genericoutput, 3, "%02x", generic_digest[n]); + } } else { - snprintf(md5tmp, 3, "%02x", md5_digest[n]); - strncat(file_output->md5output, md5tmp, sizeof(file_output->md5output) - 1 - strlen(file_output->md5output)); + if(file_output->check_md5) { + hashtmp[0] = '\0'; + snprintf(hashtmp, 3, "%02x", md5_digest[n]); + 
strncat(file_output->md5output, hashtmp, sizeof(file_output->md5output) - 1 - strlen(file_output->md5output)); + } + if(file_output->check_sha256) { + hashtmp[0] = '\0'; + snprintf(hashtmp, 3, "%02x", sha256_digest[n]); + strncat(file_output->sha256output, hashtmp, sizeof(file_output->sha256output) - 1 - strlen(file_output->sha256output)); + } + if(file_output->check_sha256) { + hashtmp[0] = '\0'; + snprintf(hashtmp, 3, "%02x", sha1_digest[n]); + strncat(file_output->sha1output, hashtmp, sizeof(file_output->sha1output) - 1 - strlen(file_output->sha1output)); + } + if(file_output->check_generic) { + hashtmp[0] = '\0'; + snprintf(hashtmp, 3, "%02x", generic_digest[n]); + strncat(file_output->genericoutput, hashtmp, sizeof(file_output->genericoutput) - 1 - strlen(file_output->genericoutput)); + } } } - /* Set output for SHA256 */ - for (n = 0; n < crypto_hash_sha256_BYTES; n++) { - if(n == 0) { - snprintf(file_output->sha256output, 3, "%02x", sha256_digest[n]); - } else { - //snprintf(file_output->sha256output, strnlen(file_output->sha256output, 66) + 3, "%s%02x", file_output->sha256output, sha256_digest[n]); - sha256tmp[0] = '\0'; - snprintf(sha256tmp, 3, "%02x", sha256_digest[n]); - strncat(file_output->sha256output, sha256tmp, sizeof(file_output->sha256output) - 1 - strlen(file_output->sha256output)); - } - } - /* Close it */ if (prefilter_cmd == NULL) { fclose(fp); diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index c8c6a67d3..bee6cdb4a 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c 
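Review bot: In the hex-rendering loop the sha1 block of the else branch is guarded by `file_output->check_sha256` instead of `check_sha1`, and all four digests are iterated with `n < 16`, so sha1 (20 bytes), sha256 (32) and the generic digest (64) are emitted as 32 hex characters while the struct and the commit message promise full-length hashes. Each digest needs its own bound (`SHA_DIGEST_LENGTH`, `crypto_hash_sha256_BYTES`, `crypto_generichash_BYTES_MAX`) and its own check flag; the -186 hunk of patch 65 further down restructures this into per-digest loops but keeps 16 for sha1. The enclosing OS_Hash_File starts and ends outside the hunk.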
@@ -127,8 +127,22 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) } strncpy(file_sums->md5output, "xxx", 4); strncpy(file_sums->sha256output, "xxx", 4); - strncpy(file_sums->hash1, "xxx", 4); - strncpy(file_sums->hash2, "xxx", 4); + strncpy(file_sums->sha1output, "xxx", 4); + strncpy(file_sums->genericoutput, "xxx", 4); + + /* set the checks */ + if(opts & CHECK_MD5SUM) { + file_sums->check_md5 = 1; + } + if(opts & CHECK_SHA1SUM) { + file_sums->check_sha1 = 1; + } + if(opts & CHECK_SHA256SUM) { + file_sums->check_sha256 = 1; + } + if(opts & CHECK_GENERIC) { + file_sums->check_generic = 1; + } if ((opts & CHECK_MD5SUM) || (opts & CHECK_SHA1SUM) || (opts & CHECK_SHA256SUM)) { #else @@ -159,8 +173,6 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) if(OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { strncpy(file_sums->md5output, "xxx", 4); strncpy(file_sums->sha256output, "xxx", 4); - strncpy(file_sums->hash1, "xxx", 4); - strncpy(file_sums->hash2, "xxx", 4); } #else //LIBSODIUM_ENABLED 
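Review bot: The new check_* assignments in read_file are not matched by the gating condition immediately below them, `if ((opts & CHECK_MD5SUM) || (opts & CHECK_SHA1SUM) || (opts & CHECK_SHA256SUM))`, which still omits CHECK_GENERIC, so a directory configured with only check_genericsum sets check_generic = 1 but never reaches OS_Hash_File; add `|| (opts & CHECK_GENERIC)` there. The flags are only ever set to 1 here, so if file_sums is not freshly zeroed by its allocator (not visible in this hunk) stale flags from a previous file would carry over; assigning `file_sums->check_md5 = (opts & CHECK_MD5SUM) != 0;` and likewise for the other three is safe either way. read_file continues outside the hunk.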
@@ -210,7 +222,48 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) } #endif +#ifdef LIBSODIUM_ENABLED + char new_hashes[512], new_hashes_tmp[512]; + int hashc = 0; + if(opts & CHECK_SHA256SUM) { + snprintf(new_hashes, 511, "%s", file_sums->sha256output); + hashc++; + } + if((opts & CHECK_SHA1SUM) && hashc < 2) { + if(hashc > 0) { + snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->sha1output); + strncpy(new_hashes, new_hashes_tmp, 511); + hashc++; + } else if(hashc == 0) { + snprintf(new_hashes, 511, "%s", file_sums->sha1output); + hashc++; + } + } + if((opts & CHECK_MD5SUM) && hashc < 2) { + if(hashc > 0) { + snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->md5output); + strncpy(new_hashes, new_hashes_tmp, 511); + hashc++; + } else if(hashc == 0) { + snprintf(new_hashes, 511, "%s", file_sums->md5output); + hashc++; + } + } + if(hashc < 2) { + if(hashc == 0) { + strncpy(new_hashes, "xxx:xxx", 8); + } else if (hashc == 1) { + snprintf(new_hashes_tmp, 511, "%s:xxx", new_hashes); + strncpy(new_hashes, new_hashes_tmp, 511); + } + } + + + + snprintf(alert_msg, 916, "%c%c%c%c%c%c%ld:%d:%d:%d:%s", +#else // LIBSODIUM_ENABLED snprintf(alert_msg, 916, "%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s", +#endif // LIBSODIUM_ENABLED (opts & CHECK_SIZE) ? '+' : '-', (opts & CHECK_PERM) ? '+' : '-', (opts & CHECK_OWNER) ? '+' : '-', @@ -222,8 +275,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) (opts & CHECK_OWNER) ? (int)statbuf.st_uid : 0, (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, #ifdef LIBSODIUM_ENABLED - (opts & CHECK_MD5SUM) ? file_sums->md5output : "xxx", - (opts & CHECK_SHA256SUM) ? file_sums->sha256output : "xxx"); + new_hashes); #else //LIBSODIUM_ENABLED (opts & CHECK_MD5SUM) ? mf_sum : "xxx", (opts & CHECK_SHA1SUM) ? sf_sum : "xxx"); 
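Review bot: The new_hashes string built in this hunk carries at most two of the configured digests, chosen by the fixed order sha256, sha1, md5, and the `%c` flag positions in the alert format still describe CHECK_MD5SUM and sha1s, so the receiving side has no signal which algorithm produced each hex field and a third configured algorithm is silently dropped by the `hashc < 2` cap. If the wire format is being changed anyway, tag each field with its algorithm (for example `sha256=<hex>:sha1=<hex>`) or emit every configured digest rather than relying on hex length to tell them apart. The same assembly is repeated in the -238 hunk below and again in run_check.c in patch 62; a single helper that renders the digests for a given opts mask would keep the copies from drifting. `strncpy(new_hashes, "xxx:xxx", 8)` happens to copy the terminator, but `snprintf(new_hashes, sizeof new_hashes, "xxx:xxx")` says what it means.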
@@ -238,14 +290,17 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) alert_msg[916] = '\0'; #ifndef WIN32 +#ifdef LIBSODIUM_ENABLED + snprintf(alert_msg, 916, "%ld:%d:%d:%d:%s %s", +#else // LIBSODIUM_ENABLED snprintf(alert_msg, 916, "%ld:%d:%d:%d:%s:%s %s", +#endif (opts & CHECK_SIZE) ? (long)statbuf.st_size : 0, (opts & CHECK_PERM) ? (int)statbuf.st_mode : 0, (opts & CHECK_OWNER) ? (int)statbuf.st_uid : 0, (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, #ifdef LIBSODIUM_ENABLED - (opts & CHECK_MD5SUM) ? file_sums->md5output : "xxx", - (opts & CHECK_SHA256SUM) ? file_sums->sha256output : "xxx", + new_hashes, #else //LIBSODIUM_ENABLED (opts & CHECK_MD5SUM) ? mf_sum : "xxx", (opts & CHECK_SHA1SUM) ? sf_sum : "xxx", From bb3a7e72c1ce3352221d19804f9fdc9ff8981918 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Sat, 9 Jun 2018 12:46:48 -0400 Subject: [PATCH 60/89] Start to add blake2b --- src/config/syscheck-config.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/src/config/syscheck-config.c b/src/config/syscheck-config.c index 3cebafa8f..57a291ca9 100644 --- a/src/config/syscheck-config.c +++ b/src/config/syscheck-config.c @@ -161,6 +161,7 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs const char *xml_check_sha1sum = "check_sha1sum"; const char *xml_check_md5sum = "check_md5sum"; const char *xml_check_sha256sum = "check_sha256sum"; + const char *xml_check_genericsum = "check_genericsum"; const char *xml_check_size = "check_size"; const char *xml_check_owner = "check_owner"; const char *xml_check_group = "check_group"; 
@@ -232,19 +233,20 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs if (strcmp(*values, "yes") == 0) { #ifndef LIBSODIUM_ENABLED opts |= CHECK_SHA1SUM; -#endif //LIBSODIUM_ENABLED opts |= CHECK_MD5SUM; +#endif //LIBSODIUM_ENABLED opts |= CHECK_PERM; opts |= CHECK_SIZE; opts |= CHECK_OWNER; opts |= CHECK_GROUP; #ifdef LIBSODIUM_ENABLED opts |= CHECK_SHA256SUM; + opts |= CHECK_GENERIC; #endif //LIBSODIUM_ENABLED } else if (strcmp(*values, "no") == 0) { #ifdef LIBSODIUM_ENABLED opts &= ~ ( CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_PERM - | CHECK_SIZE | CHECK_OWNER | CHECK_GROUP | CHECK_SHA256SUM ); + | CHECK_SIZE | CHECK_OWNER | CHECK_GROUP | CHECK_SHA256SUM | CHECK_GENERIC ); #else //LIBSODIUM_ENABLED opts &= ~ ( CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_PERM | CHECK_SIZE | CHECK_OWNER | CHECK_GROUP ); @@ -258,15 +260,18 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs /* Check sum */ else if (strcmp(*attrs, xml_check_sum) == 0) { if (strcmp(*values, "yes") == 0) { +#ifndef LIBSODIUM_ENALBED opts |= CHECK_MD5SUM; +#endif // LIBSODIUM_ENABLED #ifdef LIBSODIUM_ENABLED opts |= CHECK_SHA256SUM; + opts |= CHECK_GENERIC; #else //LIBSODIUM_ENABLED opts |= CHECK_SHA1SUM; #endif //LIBSODIUM_ENABLED } else if (strcmp(*values, "no") == 0) { #ifdef LIBSODIUM_ENABLED - opts &= ~ ( CHECK_MD5SUM | CHECK_SHA256SUM ); + opts &= ~ ( CHECK_GENERIC | CHECK_SHA256SUM ); #else //LIBSODIUM_ENALBED opts &= ~ ( CHECK_MD5SUM | CHECK_SHA1SUM ); #endif @@ -302,7 +307,7 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs } #ifdef LIBSODIUM_ENABLED else if(strncmp(*attrs, xml_check_sha256sum, 15) == 0) { - if(strncmp(*values, "yes", 3) ==0) { + if(strncmp(*values, "yes", 3) == 0) { opts |= CHECK_SHA256SUM; } else if(strncmp(*values, "no", 2) == 0) { opts &= ~ CHECK_SHA256SUM; 
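Review bot: The guard added around `opts |= CHECK_MD5SUM;` in the check_sum branch tests `LIBSODIUM_ENALBED` (transposed letters), a macro nothing defines, so MD5 is enabled for check_sum="yes" in every build while the "no" branch in libsodium builds clears only `CHECK_GENERIC | CHECK_SHA256SUM`; a "no" following a "yes" would leave CHECK_MD5SUM set. Spell it `LIBSODIUM_ENABLED` (the -260 hunk of patch 66 further down removes the block entirely) and make the "no" mask clear exactly the bits the "yes" branch sets. The check_all hunk above has the mirror-image asymmetry: with libsodium it no longer sets MD5/SHA1 but its "no" mask still lists them, which is harmless but deserves a one-line comment stating which bits each build is allowed to set.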
@@ -312,6 +317,17 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs goto out_free; } } + else if(strncmp(*attrs, xml_check_genericsum, 16) == 0) { + if(strncmp(*values, "yes", 3) == 0) { + opts |= CHECK_GENERIC; + } else if(strncmp(*values, "no", 2) == 0) { + opts &= ~ CHECK_GENERIC; + } else { + merror(SK_INV_OPT, __local_name, *values, *attrs); + ret = 0; + goto out_free; + } + } #endif //LIBSODIUM_ENABLED /* Check permission */ else if (strcmp(*attrs, xml_check_perm) == 0) { From 51f61eebf5f324301f12e521672cf018a8c64dd1 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Sat, 9 Jun 2018 12:47:35 -0400 Subject: [PATCH 61/89] Make opts available everywhere. --- src/syscheckd/syscheck.c | 2 ++ src/syscheckd/syscheck.h | 2 ++ 2 files changed, 4 insertions(+) diff --git a/src/syscheckd/syscheck.c b/src/syscheckd/syscheck.c index 6c07aaa0e..2f070c6b8 100644 --- a/src/syscheckd/syscheck.c +++ b/src/syscheckd/syscheck.c @@ -105,6 +105,8 @@ int Start_win32_Syscheck() merror("%s: WARN: Syscheck disabled.", ARGV0); } + extern int syscheck_opts = syscheck.opts; + /* Rootcheck config */ if (rootcheck_init(0) == 0) { syscheck.rootcheck = 1; diff --git a/src/syscheckd/syscheck.h b/src/syscheckd/syscheck.h index b40882ff0..8aeb816c8 100644 --- a/src/syscheckd/syscheck.h +++ b/src/syscheckd/syscheck.h @@ -57,5 +57,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) __attri int send_syscheck_msg(const char *msg) __attribute__((nonnull)); int send_rootcheck_msg(const char *msg) __attribute__((nonnull)); +int syscheck_opts; + #endif From 1edbff1e18af9bf5e2b06b140aa4d236cd7ea713 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Sat, 9 Jun 2018 12:48:34 -0400 Subject: [PATCH 62/89] Start to make sure this reports everything properly. --- src/syscheckd/run_check.c | 54 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 50 insertions(+), 4 deletions(-) 
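Review bot: The check_genericsum branch compares the value with `strncmp(*values, "yes", 3)` and `strncmp(*values, "no", 2)`, so any value beginning with those letters is accepted, whereas check_all and check_sum in the same function use `strcmp` against the exact word. Use `strcmp(*values, "yes") == 0` here (and in the sha256 branch just above it) so a typo such as `yess` reaches the SK_INV_OPT error path instead of silently enabling the check.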
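Review bot: `extern int syscheck_opts = syscheck.opts;` declares an extern with an initializer at block scope, which C does not allow, and the syscheck.h hunk adds `int syscheck_opts;` as a tentative definition that every translation unit including the header will emit, which fails to link under -fno-common (the GCC 10+ default). Keep `extern int syscheck_opts;` in the header and define the object once in syscheck.c. The assignment sits inside Start_win32_Syscheck per the hunk header; unless the POSIX start-up path does the same (not visible here), non-Windows agents leave syscheck_opts at zero and c_read_file will compute no digests. Also confirm the type: if syscheck.opts is the per-directory option array of the config struct rather than a single int, this assignment converts a pointer to an int and discards the per-directory information.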
diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index 3a9b73cec..c93985c64 100644 --- a/src/syscheckd/run_check.c +++ b/src/syscheckd/run_check.c @@ -317,6 +317,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) struct stat statbuf; os_md5 mf_sum; os_sha1 sf_sum; + extern int syscheck_opts; #ifdef LIBSODIUM_ENABLED struct hash_output *file_sums; @@ -328,7 +329,23 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) /* Clean sums */ strncpy(file_sums->md5output, "xxx", 4); strncpy(file_sums->sha256output, "xxx", 4); -#endif + strncpy(file_sums->sha1output, "xxx", 4); + strncpy(file_sums->genericoutput, "xxx", 4); + /* set the checks */ + if(syscheck_opts & CHECK_MD5SUM) { + file_sums->check_md5 = 1; + } + if(syscheck_opts & CHECK_SHA1SUM) { + file_sums->check_sha1 = 1; + } + if(syscheck_opts & CHECK_SHA256SUM) { + file_sums->check_sha256 = 1; + } + if(syscheck_opts & CHECK_GENERIC) { + file_sums->check_generic = 1; + } + +#endif // LIBSODIUM_ENABLED /* Clean sums */ strncpy(mf_sum, "xxx", 4); 
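Review bot: c_read_file now decides which digests to compute from the single global syscheck_opts, while read_file in create_db.c uses the per-directory `opts` passed to it; when directories are configured with different check sets, the baseline stored at database creation and the sums recomputed here can disagree, which surfaces as spurious or missed change alerts. Passing the directory's opts into c_read_file (or looking it up from the file's directory entry) keeps both paths consistent. The block-scope `extern int syscheck_opts;` duplicates the declaration the header is meant to provide. c_read_file continues outside the hunk.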
@@ -437,13 +454,42 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) newsum[255] = '\0'; #ifdef LIBSODIUM_ENABLED - snprintf(newsum, 255, "%ld:%d:%d:%d:%s:%s", + char new_hashes[512], new_hashes_tmp[512]; + int hashc = 0; + if(syscheck_opts & CHECK_SHA256SUM) { + snprintf(new_hashes, 511, "%s", file_sums->sha256output); + hashc++; + } + if((syscheck_opts & CHECK_SHA1SUM) && hashc < 2) { + if(hashc > 0) { + snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->sha1output); + strncpy(new_hashes, new_hashes_tmp, 511); + hashc++; + } else if(hashc == 0) { snprintf(new_hashes, 511, "%s", file_sums->sha1output); + hashc++; + } + } + if((syscheck_opts & CHECK_MD5SUM) && hashc < 2) { + if(hashc > 0) { snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->md5output); + strncpy(new_hashes, new_hashes_tmp, 511); + hashc++; + } else if(hashc == 0) { + snprintf(new_hashes, 511, "%s", file_sums->md5output); hashc++; + } + } + if(hashc < 2) { + if(hashc == 0) { + strncpy(new_hashes, "xxx:xxx", 8); + } else if (hashc == 1) { snprintf(new_hashes_tmp, 511, "%s:xxx", new_hashes); + strncpy(new_hashes, new_hashes_tmp, 511); + } } + + snprintf(newsum, 255, "%ld:%d:%d:%d:%s", size == 0 ? 0 : (long)statbuf.st_size, perm == 0 ? 0 : (int)statbuf.st_mode, owner == 0 ? 0 : (int)statbuf.st_uid, group == 0 ? 0 : (int)statbuf.st_gid, - file_sums->md5output, - file_sums->sha256output); + new_hashes); #else //LIBSODIUM_ENABLED #ifndef WIN32 snprintf(newsum, 255, "%ld:%d:%d:%d:%s:%s", From 028ac284898e94272c8a8414b0550a32b591adfd Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Fri, 22 Jun 2018 07:54:19 -0400 Subject: [PATCH 63/89] Caused a crash in reportd --- src/shared/report_op.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/shared/report_op.c b/src/shared/report_op.c index 973d8d6f5..efaddb2f1 100644 --- a/src/shared/report_op.c +++ b/src/shared/report_op.c 
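Review bot: The new_hashes assembly added to c_read_file is a line-for-line copy of the block in create_db.c's read_file (the -210 hunk of patch 59), and the two already diverge on this page: patch 67 later adds a CHECK_GENERIC branch to the create_db.c copy only. Move the assembly into one helper, e.g. `static void hashes_to_str(char *dst, size_t dstlen, int opts, const struct hash_output *sums)` placed next to OS_Hash_File, and call it from both sites so the baseline and the re-check always serialise the same fields. newsum is written with a 255 limit; two hex digests plus the size/perm/uid/gid prefix fit, but a comment stating the maximum length of new_hashes (up to 193 characters once the 64-byte generic digest is included) against that limit would make the bound checkable.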
@@ -533,7 +533,7 @@ void os_ReportdStart(report_filter *r_filter)
 al_data);
 }
 }
- free(mgroup);
+ //free(mgroup);
 }
 
 /* Add to the location top filter */
From 992f532e1cb33fabdbec8c59b8cacdbb781de100 Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Fri, 22 Jun 2018 07:55:25 -0400
Subject: [PATCH 64/89] I need these right now

---
 src/Makefile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/Makefile b/src/Makefile
index 518abea9a..99d298edd 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -27,6 +27,8 @@ USE_INOTIFY=no
 USE_SQLITE?=no
 USE_LIBSODIUM?=yes
 
+DEBUG?=yes
+
 ifneq (${TARGET},winagent)
 USE_OPENSSL?=auto
 else
@@ -121,7 +123,7 @@ OSSEC_CFLAGS=${CFLAGS}
 #ANALYSISD_FLAGS="-lsqlite3"
 
 ifdef DEBUG
- OSSEC_CFLAGS+=-g
+ OSSEC_CFLAGS+=-ggdb
 else
 OSSEC_CFLAGS+=-O2
 endif #DEBUG
From fdadbef3f61dfd0e7ff5fcb2832ff68a42fd14e9 Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Fri, 22 Jun 2018 09:54:58 -0400
Subject: [PATCH 65/89] Looks like I was previously truncating the SHA256 and GENERIC hash outputs, oops. Make sure to traverse the entire hash to translate from unsigned char to signed char.

---
 src/os_crypto/md5_sha1/md5_sha1_op.c | 54 ++++++++++++++++------------
 1 file changed, 32 insertions(+), 22 deletions(-)

diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c
index e7ae89e6d..38b869d3c 100644
--- a/src/os_crypto/md5_sha1/md5_sha1_op.c
+++ b/src/os_crypto/md5_sha1/md5_sha1_op.c
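Review bot: Commenting out `free(mgroup)` removes the crash symptom but not its cause: a free that crashes points to mgroup being released twice or used after release elsewhere in os_ReportdStart, and the commented line now leaks the allocation on every report. Track down the other owner of mgroup and fix the ownership there, then restore the free; if the pointer is deliberately kept alive for later use, say so in a comment rather than leaving dead code. os_ReportdStart's body lies mostly outside the hunk.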
@@ -186,43 +186,53 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu /* Set output for MD5 */ char hashtmp[3]; - for (n = 0; n < 16; n++) { - if(n == 0) { - if(file_output->check_md5) { + if(file_output->check_md5) { + for (n = 0; n < 16; n++) { + if(n == 0) { snprintf(file_output->md5output, 3, "%02x", md5_digest[n]); - } - if(file_output->check_sha256) { - snprintf(file_output->sha256output, 3, "%02x", sha256_digest[n]); - } - if(file_output->check_sha1) { - snprintf(file_output->sha1output, 3, "%02x", sha1_digest[n]); - } - if(file_output->check_generic) { - snprintf(file_output->genericoutput, 3, "%02x", generic_digest[n]); - } - } else { - if(file_output->check_md5) { + } else { hashtmp[0] = '\0'; snprintf(hashtmp, 3, "%02x", md5_digest[n]); strncat(file_output->md5output, hashtmp, sizeof(file_output->md5output) - 1 - strlen(file_output->md5output)); } - if(file_output->check_sha256) { - hashtmp[0] = '\0'; - snprintf(hashtmp, 3, "%02x", sha256_digest[n]); - strncat(file_output->sha256output, hashtmp, sizeof(file_output->sha256output) - 1 - strlen(file_output->sha256output)); - } - if(file_output->check_sha256) { + } + } + if(file_output->check_sha1) { + for (n = 0; n < 16; n++) { + if(n == 0) { + snprintf(file_output->sha1output, 3, "%02x", sha1_digest[n]); + } else { hashtmp[0] = '\0'; snprintf(hashtmp, 3, "%02x", sha1_digest[n]); strncat(file_output->sha1output, hashtmp, sizeof(file_output->sha1output) - 1 - strlen(file_output->sha1output)); } - if(file_output->check_generic) { + } + } + if(file_output->check_generic) { + for (n = 0; n < crypto_generichash_BYTES_MAX; ++n) { + if(n == 0) { + snprintf(file_output->genericoutput, 3, "%02x", generic_digest[n]); + } else { hashtmp[0] = '\0'; snprintf(hashtmp, 3, "%02x", generic_digest[n]); strncat(file_output->genericoutput, hashtmp, sizeof(file_output->genericoutput) - 1 - strlen(file_output->genericoutput)); } } } + if(file_output->check_sha256) { + for (n = 0; n < 
crypto_hash_sha256_BYTES; ++n) { + if(n == 0) { + snprintf(file_output->sha256output, 3, "%02x", sha256_digest[n]); + } else { + hashtmp[0] = '\0'; + snprintf(hashtmp, 3, "%02x", sha256_digest[n]); + strncat(file_output->sha256output, hashtmp, sizeof(file_output->sha256output) - 1 - strlen(file_output->genericoutput)); + } + } + } + + + /* Close it */ From b3088db5eedeabb8cf897722c909973ad57e1af5 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Fri, 22 Jun 2018 09:56:55 -0400 Subject: [PATCH 66/89] Generichash wasn't named in the log output. simplify some of the ifdefs. --- src/config/syscheck-config.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/src/config/syscheck-config.c b/src/config/syscheck-config.c index 57a291ca9..ee1dfceed 100644 --- a/src/config/syscheck-config.c +++ b/src/config/syscheck-config.c @@ -231,17 +231,20 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs /* Check all */ if (strcmp(*attrs, xml_check_all) == 0) { if (strcmp(*values, "yes") == 0) { -#ifndef LIBSODIUM_ENABLED - opts |= CHECK_SHA1SUM; - opts |= CHECK_MD5SUM; -#endif //LIBSODIUM_ENABLED +#ifdef LIBSODIUM_ENABLED opts |= CHECK_PERM; opts |= CHECK_SIZE; opts |= CHECK_OWNER; opts |= CHECK_GROUP; -#ifdef LIBSODIUM_ENABLED opts |= CHECK_SHA256SUM; opts |= CHECK_GENERIC; +#else //LIBSODIUM_ENABLED + opts |= CHECK_SHA1SUM; + opts |= CHECK_MD5SUM; + opts |= CHECK_PERM; + opts |= CHECK_SIZE; + opts |= CHECK_OWNER; + opts |= CHECK_GROUP; #endif //LIBSODIUM_ENABLED } else if (strcmp(*values, "no") == 0) { #ifdef LIBSODIUM_ENABLED 
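Review bot: The restructured rendering still truncates two of the four digests: the sha1 loop runs `n < 16` although sha1_digest is declared with SHA_DIGEST_LENGTH (20) bytes, and the sha256 strncat bounds itself with `strlen(file_output->genericoutput)` instead of sha256output (corrected in the -226 hunk further down), while sha256output itself is only crypto_hash_sha256_BYTES bytes, so that bounded strncat stops at 31 hex characters whatever the loop does. Four copies of the same snprintf/strncat loop differing only in a bound and a field name are where these slips come from; one helper taking the digest length and the destination size removes the per-copy constants. The enclosing OS_Hash_File starts and ends outside the hunk.
```c
/* Render `len` digest bytes as lowercase hex into dst; dstlen counts the terminator. */
static void digest_to_hex(char *dst, size_t dstlen, const unsigned char *digest, size_t len)
{
    size_t pos = 0;
    if (dstlen == 0) {
        return;
    }
    dst[0] = '\0';
    for (size_t i = 0; i < len && pos + 2 < dstlen; i++) {
        pos += (size_t)snprintf(dst + pos, dstlen - pos, "%02x", digest[i]);
    }
}

/* … unchanged: reading the file and finalising the digests … */
if (file_output->check_md5) {
    digest_to_hex(file_output->md5output, sizeof(file_output->md5output), md5_digest, 16);
}
if (file_output->check_sha1) {
    digest_to_hex(file_output->sha1output, sizeof(file_output->sha1output), sha1_digest, SHA_DIGEST_LENGTH);
}
if (file_output->check_generic) {
    digest_to_hex(file_output->genericoutput, sizeof(file_output->genericoutput), generic_digest, crypto_generichash_BYTES_MAX);
}
if (file_output->check_sha256) {
    digest_to_hex(file_output->sha256output, sizeof(file_output->sha256output), sha256_digest, crypto_hash_sha256_BYTES);
}
```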
@@ -260,15 +263,14 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs /* Check sum */ else if (strcmp(*attrs, xml_check_sum) == 0) { if (strcmp(*values, "yes") == 0) { -#ifndef LIBSODIUM_ENALBED - opts |= CHECK_MD5SUM; -#endif // LIBSODIUM_ENABLED #ifdef LIBSODIUM_ENABLED opts |= CHECK_SHA256SUM; opts |= CHECK_GENERIC; #else //LIBSODIUM_ENABLED + opts |= CHECK_MD5SUM; opts |= CHECK_SHA1SUM; #endif //LIBSODIUM_ENABLED + } else if (strcmp(*values, "no") == 0) { #ifdef LIBSODIUM_ENABLED opts &= ~ ( CHECK_GENERIC | CHECK_SHA256SUM ); @@ -888,6 +890,7 @@ char *syscheck_opts2str(char *buf, int buflen, int opts) { CHECK_SEECHANGES, #ifdef LIBSODIUM_ENABLED CHECK_SHA256SUM, + CHECK_GENERIC, #endif //LIBSODIUM_ENABLED 0 }; @@ -902,6 +905,7 @@ char *syscheck_opts2str(char *buf, int buflen, int opts) { "report_changes", #ifdef LIBSODIUM_ENABLED "sha256sum", + "genericsum", #endif //LIBSODIUM_ENABLED NULL }; From 50aa92393aca5df993a23244e8e1924f886f8037 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Fri, 22 Jun 2018 09:58:52 -0400 Subject: [PATCH 67/89] Make sure the generic hash is written to new_hashes. LOTS of debugging stuff that will be removed shortly. --- src/syscheckd/create_db.c | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index bee6cdb4a..f71d7cd50 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c 
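Review bot: check_all="yes" now yields a different option set depending on the build flag: with LIBSODIUM_ENABLED it enables sha256 and the generic hash but no longer MD5 or SHA1, so the same ossec.conf produces different alert fields (and different syscheck_opts2str output) on two agents built differently, and any server-side decoder or rule keyed on the md5:sha1 fields silently stops matching for libsodium agents. That is a behaviour change that deserves a comment at the `#ifdef` stating that libsodium builds replace rather than extend the legacy digests, plus a line in the release notes. The PERM/SIZE/OWNER/GROUP assignments duplicated in both branches could sit outside the `#ifdef`, leaving only the digest bits inside it.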
@@ -171,12 +171,14 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) if (S_ISREG(statbuf_lnk.st_mode)) { #ifdef LIBSODIUM_ENABLED if(OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { + merror("AAA1"); strncpy(file_sums->md5output, "xxx", 4); strncpy(file_sums->sha256output, "xxx", 4); - } + } else { merror("XXX %s", file_sums->sha256output); } #else //LIBSODIUM_ENABLED if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { + merror("BBB1"); strncpy(mf_sum, "xxx", 4); strncpy(sf_sum, "xxx", 4); } @@ -192,9 +194,10 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) #endif { + merror("AAA2"); strncpy(mf_sum, "xxx", 4); strncpy(sf_sum, "xxx", 4); - } + } else { merror("XXX2 %s", file_sums->sha256output); } if (opts & CHECK_SEECHANGES) { sha1s = 's'; 
@@ -226,33 +229,52 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) char new_hashes[512], new_hashes_tmp[512]; int hashc = 0; if(opts & CHECK_SHA256SUM) { + merror("CCC CHECK_SHA256: %s", file_sums->sha256output); snprintf(new_hashes, 511, "%s", file_sums->sha256output); hashc++; } if((opts & CHECK_SHA1SUM) && hashc < 2) { if(hashc > 0) { + merror("CCC CHECK_SHA1 1"); snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->sha1output); strncpy(new_hashes, new_hashes_tmp, 511); hashc++; } else if(hashc == 0) { + merror("CCC CHECK_SHA1 2"); snprintf(new_hashes, 511, "%s", file_sums->sha1output); hashc++; } } if((opts & CHECK_MD5SUM) && hashc < 2) { if(hashc > 0) { + merror("CCC CHECK_MD5 1"); snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->md5output); strncpy(new_hashes, new_hashes_tmp, 511); hashc++; } else if(hashc == 0) { + merror("CCC CHECK_MD5 2"); snprintf(new_hashes, 511, "%s", file_sums->md5output); hashc++; } } + if((opts & CHECK_GENERIC) && hashc < 2) { + if(hashc > 0) { + merror("CCC CHECK_GENERIC 1: %s", file_sums->genericoutput); + snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->genericoutput); + strncpy(new_hashes, new_hashes_tmp, 511); + hashc++; + } else if(hashc == 0) { + merror("CCC CHECK_GENERIC 2"); + snprintf(new_hashes, 511, "%s", file_sums->genericoutput); + hashc++; + } + } if(hashc < 2) { if(hashc == 0) { + merror("CCC1"); strncpy(new_hashes, "xxx:xxx", 8); } else if (hashc == 1) { + merror("CCC2"); snprintf(new_hashes_tmp, 511, "%s:xxx", new_hashes); strncpy(new_hashes, new_hashes_tmp, 511); } @@ -350,7 +372,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) opts & CHECK_SHA1SUM ? sf_sum : "xxx", file_name); free(st_uid); -#endif +#endif // WIN32 send_syscheck_msg(alert_msg); } else { char alert_msg[OS_MAXSTR + 1]; From 4347d845152ccb9c00d0b59e43731ad9303d9b47 Mon Sep 17 00:00:00 2001 
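Review bot: The CHECK_GENERIC branch added to the new_hashes assembly here has no counterpart in run_check.c's c_read_file (the -437 hunk of patch 62 above), so when the generic digest is among the first two configured algorithms the baseline stored by read_file and the string rebuilt at check time differ and every file is reported as changed. Either add the same branch there or, better, share one helper between the two call sites. The merror calls are debugging output the commit message already says will be removed; note that they log file hashes at error level, so they must not survive into a release.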
From: ddpbsd Date: Fri, 22 Jun 2018 10:17:40 -0400 Subject: [PATCH 68/89] Remove my debug stuff. --- src/Makefile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/Makefile b/src/Makefile index 99d298edd..ddb78b4b8 100644 --- a/src/Makefile +++ b/src/Makefile @@ -25,9 +25,7 @@ USE_ZEROMQ?=no USE_GEOIP?=no USE_INOTIFY=no USE_SQLITE?=no -USE_LIBSODIUM?=yes - -DEBUG?=yes +USE_LIBSODIUM?=no ifneq (${TARGET},winagent) USE_OPENSSL?=auto From 3a230d7b3b01383225b3357584a7c81e7e762eb2 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Fri, 22 Jun 2018 10:44:31 -0400 Subject: [PATCH 69/89] Remove some debugging stuff. --- src/syscheckd/create_db.c | 16 ++-------------- src/syscheckd/run_check.c | 2 -- 2 files changed, 2 insertions(+), 16 deletions(-) diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index f71d7cd50..de487dac4 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c @@ -171,14 +171,12 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) if (S_ISREG(statbuf_lnk.st_mode)) { #ifdef LIBSODIUM_ENABLED if(OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { - merror("AAA1"); strncpy(file_sums->md5output, "xxx", 4); strncpy(file_sums->sha256output, "xxx", 4); - } else { merror("XXX %s", file_sums->sha256output); } + } #else //LIBSODIUM_ENABLED if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { - merror("BBB1"); strncpy(mf_sum, "xxx", 4); strncpy(sf_sum, "xxx", 4); } @@ -194,10 +192,9 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) #endif { - merror("AAA2"); strncpy(mf_sum, "xxx", 4); strncpy(sf_sum, "xxx", 4); - } else { merror("XXX2 %s", file_sums->sha256output); } + } if (opts & CHECK_SEECHANGES) { sha1s = 's'; 
@@ -229,52 +226,43 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) char new_hashes[512], new_hashes_tmp[512]; int hashc = 0; if(opts & CHECK_SHA256SUM) { - merror("CCC CHECK_SHA256: %s", file_sums->sha256output); snprintf(new_hashes, 511, "%s", file_sums->sha256output); hashc++; } if((opts & CHECK_SHA1SUM) && hashc < 2) { if(hashc > 0) { - merror("CCC CHECK_SHA1 1"); snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->sha1output); strncpy(new_hashes, new_hashes_tmp, 511); hashc++; } else if(hashc == 0) { - merror("CCC CHECK_SHA1 2"); snprintf(new_hashes, 511, "%s", file_sums->sha1output); hashc++; } } if((opts & CHECK_MD5SUM) && hashc < 2) { if(hashc > 0) { - merror("CCC CHECK_MD5 1"); snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->md5output); strncpy(new_hashes, new_hashes_tmp, 511); hashc++; } else if(hashc == 0) { - merror("CCC CHECK_MD5 2"); snprintf(new_hashes, 511, "%s", file_sums->md5output); hashc++; } } if((opts & CHECK_GENERIC) && hashc < 2) { if(hashc > 0) { - merror("CCC CHECK_GENERIC 1: %s", file_sums->genericoutput); snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->genericoutput); strncpy(new_hashes, new_hashes_tmp, 511); hashc++; } else if(hashc == 0) { - merror("CCC CHECK_GENERIC 2"); snprintf(new_hashes, 511, "%s", file_sums->genericoutput); hashc++; } } if(hashc < 2) { if(hashc == 0) { - merror("CCC1"); strncpy(new_hashes, "xxx:xxx", 8); } else if (hashc == 1) { - merror("CCC2"); snprintf(new_hashes_tmp, 511, "%s:xxx", new_hashes); strncpy(new_hashes, new_hashes_tmp, 511); } diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index c93985c64..cc1196c5d 100644 --- a/src/syscheckd/run_check.c +++ b/src/syscheckd/run_check.c 
@@ -412,7 +412,6 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum)
 /* Generate checksums of the file */
 #ifdef LIBSODIUM_ENABLED
 if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) {
- merror("AAA3");
 strncpy(file_sums->md5output, "xxx", 4);
 strncpy(file_sums->sha256output, "xxx", 4);
 }
@@ -434,7 +433,6 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum)
 /* Generate checksums of the file */
 #ifdef LIBSODIUM_ENABLED
 if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) {
- merror("AAA4");
 strncpy(file_sums->md5output, "xxx", 4);
 strncpy(file_sums->sha256output, "xxx", 4);
 }
From a36f047432d7067694c42aa9af553235c34053ee Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Fri, 22 Jun 2018 11:14:16 -0400
Subject: [PATCH 70/89] This doesn't have to be extern here

---
 src/syscheckd/syscheck.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/syscheckd/syscheck.c b/src/syscheckd/syscheck.c
index 2f070c6b8..607c9d79b 100644
--- a/src/syscheckd/syscheck.c
+++ b/src/syscheckd/syscheck.c
@@ -105,7 +105,7 @@ int Start_win32_Syscheck()
 merror("%s: WARN: Syscheck disabled.", ARGV0);
 }
 
- extern int syscheck_opts = syscheck.opts;
+ syscheck_opts = syscheck.opts;
 
 /* Rootcheck config */
 if (rootcheck_init(0) == 0) {
From e63681a6a5dcd290d01014668feb02af8cd695a9 Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Wed, 27 Jun 2018 13:36:43 -0400
Subject: [PATCH 71/89] The variable should be sha256 not generic.

---
 src/os_crypto/md5_sha1/md5_sha1_op.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c
index 38b869d3c..75e13d85e 100644
--- a/src/os_crypto/md5_sha1/md5_sha1_op.c
+++ b/src/os_crypto/md5_sha1/md5_sha1_op.c
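Review bot: `syscheck_opts = syscheck.opts;` fixes the invalid extern-with-initializer but keeps the two problems around it: the assignment is inside Start_win32_Syscheck per the hunk header, so unless the non-Windows start-up path does the same (not visible here) syscheck_opts stays zero on POSIX agents and c_read_file computes no digests, and if syscheck.opts is the per-directory option array of the config struct rather than a single int, this stores a pointer in an int. Pass the directory's opts down to c_read_file instead of going through a global, or at minimum add `/* mirrored for c_read_file(); the POSIX start-up path must set this too */` and confirm the type.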
@@ -226,7 +226,7 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu } else { hashtmp[0] = '\0'; snprintf(hashtmp, 3, "%02x", sha256_digest[n]); - strncat(file_output->sha256output, hashtmp, sizeof(file_output->sha256output) - 1 - strlen(file_output->genericoutput)); + strncat(file_output->sha256output, hashtmp, sizeof(file_output->sha256output) - 1 - strlen(file_output->sha256output)); } } } From ae89927015dccdfe0c5e627cd41065ae0bc47a4a Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Thu, 28 Jun 2018 14:12:34 -0400 Subject: [PATCH 72/89] Increase the alert_msg size from 916 to 2048 in some places. The instances that are MAC_PATH stayed the same. --- src/syscheckd/create_db.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index de487dac4..8586275a8 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c @@ -17,6 +17,9 @@ #include #endif +/* Make this big enough for most things. Might adjust later */ +#define ALERT_MSG_LEN 2048 + /* Prototypes */ static int read_file(const char *dir_name, int opts, OSMatch *restriction) __attribute__((nonnull(1))); static int read_dir(const char *dir_name, int opts, OSMatch *restriction) __attribute__((nonnull(1))); @@ -209,8 +212,8 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) buf = (char *) OSHash_Get(syscheck.fp, file_name); if (!buf) { - char alert_msg[916 + 1]; /* to accommodate a long */ - alert_msg[916] = '\0'; + char alert_msg[ALERT_MSG_LEN]; + alert_msg[ALERT_MSG_LEN - 1] = '\0'; #ifndef WIN32 if (opts & CHECK_SEECHANGES) { 
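Review bot: The strlen argument now matches the destination, but the sha256 rendering is still cut short because sha256output is declared as `char sha256output[crypto_hash_sha256_BYTES]` in md5_sha1_op.h (the struct hunk of patch 58 above): 32 bytes hold 31 hex characters plus the terminator, not the 64 this loop tries to append. Widen the field to `crypto_hash_sha256_BYTES * 2 + 1` so the `sizeof(...) - 1 - strlen(...)` bound stops truncating. The enclosing OS_Hash_File lies outside the hunk.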
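Review bot: Every snprintf in patch 72 passes `(ALERT_MSG_LEN - 1)` as the size and the buffer is pre-terminated at `alert_msg[ALERT_MSG_LEN - 1]`, which gives up a byte for no reason: snprintf always terminates within the size it is given, so `snprintf(alert_msg, sizeof alert_msg, ...)` is the idiom and the explicit terminator store can go. The same applies to the -270, -297 and -351 hunks of this patch below. A one-line comment next to ALERT_MSG_LEN naming the worst case it must hold (two hex digests of up to 193 characters combined, the stat fields and the file path) would justify the 2048 better than "big enough for most things".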
@@ -270,9 +273,9 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) - snprintf(alert_msg, 916, "%c%c%c%c%c%c%ld:%d:%d:%d:%s", + snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%c%c%c%c%c%c%ld:%d:%d:%d:%s", #else // LIBSODIUM_ENABLED - snprintf(alert_msg, 916, "%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s", + snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s", #endif // LIBSODIUM_ENABLED (opts & CHECK_SIZE) ? '+' : '-', (opts & CHECK_PERM) ? '+' : '-', @@ -297,13 +300,13 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) } /* Send the new checksum to the analysis server */ - alert_msg[916] = '\0'; + alert_msg[ALERT_MSG_LEN - 1] = '\0'; #ifndef WIN32 #ifdef LIBSODIUM_ENABLED - snprintf(alert_msg, 916, "%ld:%d:%d:%d:%s %s", + snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%ld:%d:%d:%d:%s %s", #else // LIBSODIUM_ENABLED - snprintf(alert_msg, 916, "%ld:%d:%d:%d:%s:%s %s", + snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%ld:%d:%d:%d:%s:%s %s", #endif (opts & CHECK_SIZE) ? (long)statbuf.st_size : 0, (opts & CHECK_PERM) ? (int)statbuf.st_mode : 0, @@ -351,7 +354,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) LocalFree(szSID); CloseHandle(hFile); - snprintf(alert_msg, 916, "%ld:%d:%s:%d:%s:%s %s", + snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%ld:%d:%s:%d:%s:%s %s", opts & CHECK_SIZE ? (long)statbuf.st_size : 0, opts & CHECK_PERM ? (int)statbuf.st_mode : 0, (opts & CHECK_OWNER) ? st_uid : "0", From 6835e83bf635fe489d6ba115c92a7d9dcabd9a14 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Thu, 12 Jul 2018 09:50:00 -0400 Subject: [PATCH 73/89] Try to push the correct sums to run_check. --- src/syscheckd/create_db.c | 33 ++++++++++++++--------- src/syscheckd/run_check.c | 55 +++++++++++++++++++++++++++------------ 2 files changed, 58 insertions(+), 30 deletions(-) diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index 8586275a8..a7f776e5b 100644 --- a/src/syscheckd/create_db.c 
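Review bot: Passing `(ALERT_MSG_LEN - 1)` as the snprintf() size in each of these calls gives away a byte for no reason — snprintf() always NUL-terminates within the size it is given, so `sizeof(alert_msg)` is the idiomatic bound and the explicit `alert_msg[ALERT_MSG_LEN - 1] = '\0';` above becomes unnecessary. More relevant to FIM correctness, none of the calls checks for truncation: the trailing `%s` in the `"... %s"` formats is the file path, and a path that pushes the message past 2048 bytes reaches the manager with a silently clipped name. Consider `int len = snprintf(alert_msg, sizeof(alert_msg), ...); if (len < 0 || (size_t)len >= sizeof(alert_msg)) merror("%s: ERROR: alert for '%s' truncated", ARGV0, file_name);` before the message is stored or sent. read_file continues outside these hunks.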
+++ b/src/syscheckd/create_db.c @@ -270,13 +270,10 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) strncpy(new_hashes, new_hashes_tmp, 511); } } - +merror("XXX new_hashes(create_db): %s", new_hashes); snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%c%c%c%c%c%c%ld:%d:%d:%d:%s", -#else // LIBSODIUM_ENABLED - snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s", -#endif // LIBSODIUM_ENABLED (opts & CHECK_SIZE) ? '+' : '-', (opts & CHECK_PERM) ? '+' : '-', (opts & CHECK_OWNER) ? '+' : '-', @@ -287,12 +284,21 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) (opts & CHECK_PERM) ? (int)statbuf.st_mode : 0, (opts & CHECK_OWNER) ? (int)statbuf.st_uid : 0, (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, -#ifdef LIBSODIUM_ENABLED new_hashes); -#else //LIBSODIUM_ENABLED +#endif // LIBSODIUM_ENABLED + snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s", + (opts & CHECK_SIZE) ? '+' : '-', + (opts & CHECK_PERM) ? '+' : '-', + (opts & CHECK_OWNER) ? '+' : '-', + (opts & CHECK_GROUP) ? '+' : '-', + (opts & CHECK_MD5SUM) ? '+' : '-', + sha1s, + (opts & CHECK_SIZE) ? (long)statbuf.st_size : 0, + (opts & CHECK_PERM) ? (int)statbuf.st_mode : 0, + (opts & CHECK_OWNER) ? (int)statbuf.st_uid : 0, + (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, (opts & CHECK_MD5SUM) ? mf_sum : "xxx", (opts & CHECK_SHA1SUM) ? sf_sum : "xxx"); -#endif //LIBSODIUM_ENABLED if (OSHash_Add(syscheck.fp, file_name, strdup(alert_msg)) <= 0) { 
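Review bot: The `#else` branch is removed but the second snprintf() that used to live in it now follows the `#endif`, so in a LIBSODIUM_ENABLED build alert_msg is built from `new_hashes` and then immediately overwritten by the `%s:%s` variant that uses `mf_sum`/`sf_sum`. Judging from the sibling code in run_check.c on this page, those two arrays are only filled by OS_MD5_SHA1_File() in the non-sodium branch, so a sodium build would store uninitialized stack bytes in the FIM database entry added by the `OSHash_Add(..., strdup(alert_msg))` just below — undefined behaviour, and a path for stack contents to reach the manager. Keep the second snprintf() on the non-sodium side: change the added `#endif // LIBSODIUM_ENABLED` back to `#else // LIBSODIUM_ENABLED` and close with `#endif` after the `(opts & CHECK_SHA1SUM) ? sf_sum : "xxx");` line. The same pattern appears in the next hunk of this commit (the send_syscheck_msg message), and the `merror("XXX new_hashes(create_db): ...")` debug line should not ship. read_file starts and ends outside this hunk.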
@@ -305,19 +311,20 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) #ifndef WIN32 #ifdef LIBSODIUM_ENABLED snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%ld:%d:%d:%d:%s %s", -#else // LIBSODIUM_ENABLED - snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%ld:%d:%d:%d:%s:%s %s", -#endif (opts & CHECK_SIZE) ? (long)statbuf.st_size : 0, (opts & CHECK_PERM) ? (int)statbuf.st_mode : 0, (opts & CHECK_OWNER) ? (int)statbuf.st_uid : 0, (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, -#ifdef LIBSODIUM_ENABLED new_hashes, -#else //LIBSODIUM_ENABLED + file_name); +#endif // LIBSODIUM_ENABLED + snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%ld:%d:%d:%d:%s:%s %s", + (opts & CHECK_SIZE) ? (long)statbuf.st_size : 0, + (opts & CHECK_PERM) ? (int)statbuf.st_mode : 0, + (opts & CHECK_OWNER) ? (int)statbuf.st_uid : 0, + (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, (opts & CHECK_MD5SUM) ? mf_sum : "xxx", (opts & CHECK_SHA1SUM) ? sf_sum : "xxx", -#endif //LIBSODIUM_ENABLED file_name); #else diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index cc1196c5d..4c4252644 100644 --- a/src/syscheckd/run_check.c +++ b/src/syscheckd/run_check.c @@ -317,11 +317,13 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) struct stat statbuf; os_md5 mf_sum; os_sha1 sf_sum; - extern int syscheck_opts; #ifdef LIBSODIUM_ENABLED + extern int syscheck_opts; + struct hash_output *file_sums; - file_sums = malloc(sizeof(struct hash_output)); + //file_sums = malloc(sizeof(struct hash_output)); + file_sums = calloc(1, sizeof(file_sums)); if(file_sums == NULL) { merror("run_check file_sums malloc failed: %s", strerror(errno)); } 
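Review bot: `file_sums = calloc(1, sizeof(file_sums));` allocates the size of a pointer, not of `struct hash_output` — the commented-out malloc() line directly above it had the right operand. Every later store through `file_sums->md5output`, `->sha256output` and the `check_*` fields then writes past an 8-byte heap block, a heap overflow on every file c_read_file() examines, and the NULL check that follows only logs before those same dereferences happen. Use `file_sums = calloc(1, sizeof(*file_sums));` and bail out on failure, e.g. `if (file_sums == NULL) { merror("run_check file_sums malloc failed: %s", strerror(errno)); return (-1); }` — the realtime caller on this page treats `< 0` as "already alerted", so pick the return value that matches that contract. c_read_file continues outside this hunk.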
@@ -334,15 +336,23 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) /* set the checks */ if(syscheck_opts & CHECK_MD5SUM) { file_sums->check_md5 = 1; +merror("XXX check_md5"); } if(syscheck_opts & CHECK_SHA1SUM) { file_sums->check_sha1 = 1; +merror("XXX check_sha1"); } if(syscheck_opts & CHECK_SHA256SUM) { file_sums->check_sha256 = 1; +merror("XXX check_sha256"); } if(syscheck_opts & CHECK_GENERIC) { file_sums->check_generic = 1; +merror("XXX check_generic"); + } + + if(file_sums->check_md5 != 1 && file_sums->check_sha1 != 1 && file_sums->check_sha256 != 1 && file_sums->check_generic != 1) { + merror("XXX DOES NOT COMPUTER!"); } #endif // LIBSODIUM_ENABLED @@ -454,11 +464,20 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) #ifdef LIBSODIUM_ENABLED char new_hashes[512], new_hashes_tmp[512]; int hashc = 0; - if(syscheck_opts & CHECK_SHA256SUM) { + if(file_sums->check_sha256 > 0) { snprintf(new_hashes, 511, "%s", file_sums->sha256output); hashc++; } - if((syscheck_opts & CHECK_SHA1SUM) && hashc < 2) { + if(file_sums->check_generic > 0) { + if(hashc > 0) { + snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->genericoutput); + hashc++; + } else if(hashc == 0) { + snprintf(new_hashes, 511, "%s", file_sums->genericoutput); + hashc++; + } + } + if(file_sums->check_sha1 > 0 && hashc < 2) { if(hashc > 0) { snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->sha1output); strncpy(new_hashes, new_hashes_tmp, 511); 
@@ -467,20 +486,22 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) hashc++; } } - if((syscheck_opts & CHECK_MD5SUM) && hashc < 2) { - if(hashc > 0) { snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->md5output); - strncpy(new_hashes, new_hashes_tmp, 511); - hashc++; - } else if(hashc == 0) { - snprintf(new_hashes, 511, "%s", file_sums->md5output); hashc++; - } + if(file_sums->check_md5 > 0 && hashc < 2) { + if(hashc > 0) { snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->md5output); + strncpy(new_hashes, new_hashes_tmp, 511); + hashc++; + } else if(hashc == 0) { + snprintf(new_hashes, 511, "%s", file_sums->md5output); hashc++; } - if(hashc < 2) { - if(hashc == 0) { - strncpy(new_hashes, "xxx:xxx", 8); - } else if (hashc == 1) { snprintf(new_hashes_tmp, 511, "%s:xxx", new_hashes); - strncpy(new_hashes, new_hashes_tmp, 511); - } } + } + if(hashc < 2) { + if(hashc == 0) { + strncpy(new_hashes, "xxx:xxx", 8); + } else if (hashc == 1) { snprintf(new_hashes_tmp, 511, "%s:xxx", new_hashes); + strncpy(new_hashes, new_hashes_tmp, 511); + } } + +merror("XXX new_hashes: %s\n", new_hashes); snprintf(newsum, 255, "%ld:%d:%d:%d:%s", size == 0 ? 0 : (long)statbuf.st_size, From a5244f9e9be7d580a47d0e06543f236c1b719f00 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Thu, 12 Jul 2018 10:17:58 -0400 Subject: [PATCH 74/89] Add some more debugging. Get rid of a free that was apparently not ok. --- src/syscheckd/create_db.c | 1 + src/syscheckd/run_check.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index a7f776e5b..8e7980d3a 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c 
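Review bot: `snprintf(newsum, 255, "%ld:%d:%d:%d:%s", ...)` writes the combined hash string into the caller's 256-byte `c_sum` (the realtime caller on this page sets `c_sum[255] = '\0'`), while `new_hashes` is a 512-byte buffer: the SHA-256 plus blake2b combination alone is 64 + 1 + 128 hex characters (the generic loop in md5_sha1_op.c emits two characters per byte up to crypto_generichash_BYTES_MAX, 64 in libsodium), which leaves very little headroom for the size/mode/uid/gid prefix before the checksum is silently cut and stops matching anything. Check the return value of that snprintf() and treat `>= 255` as an error rather than a valid checksum, or widen `newsum` together with its callers. The `merror("XXX new_hashes: %s\n", new_hashes);` debug line logs every file's digests at error level and should go before merge. c_read_file continues outside this hunk.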
@@ -285,6 +285,7 @@ merror("XXX new_hashes(create_db): %s", new_hashes); (opts & CHECK_OWNER) ? (int)statbuf.st_uid : 0, (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, new_hashes); +merror("YYY alert_msg: %s\n", alert_msg); #endif // LIBSODIUM_ENABLED snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s", (opts & CHECK_SIZE) ? '+' : '-', diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index 4c4252644..59d425632 100644 --- a/src/syscheckd/run_check.c +++ b/src/syscheckd/run_check.c @@ -564,8 +564,10 @@ merror("XXX new_hashes: %s\n", new_hashes); #endif //WIN32 #endif //LIBSODIUM_ENABLED +/* #ifdef LIBSODIUM_ENABLED free(file_sums); #endif +*/ return (0); } From 16effe52efa6b25bb7d843a5c94fe5411c97b735 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Thu, 12 Jul 2018 12:09:54 -0400 Subject: [PATCH 75/89] Instead of passing syscheck_opts around (which I didn't do correctly) pass the opts in the function. --- src/syscheckd/create_db.c | 8 ++++++-- src/syscheckd/run_check.c | 18 ++++++++---------- src/syscheckd/run_realtime.c | 2 +- src/syscheckd/syscheck.h | 2 +- 4 files changed, 16 insertions(+), 14 deletions(-) diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index 8e7980d3a..40fc17923 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c 
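Review bot: Commenting out `free(file_sums)` turns every call of c_read_file() into a leak of one `struct hash_output` — this function runs once per file on each scan and on each realtime event, so the daemon's heap grows without bound. The free was most likely "not ok" because the previous commit allocated the object with `calloc(1, sizeof(file_sums))`, the size of a pointer, so the writes into it corrupted heap metadata and the allocator faulted on release; the fix is to size the allocation correctly, not to stop freeing. Restore `free(file_sums);` and make sure every early `return` in the function also releases it, or funnel them through a single exit label. c_read_file starts outside this hunk.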
@@ -136,18 +136,22 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) /* set the checks */ if(opts & CHECK_MD5SUM) { file_sums->check_md5 = 1; + verbose("QQQ CHECK_MD5"); } if(opts & CHECK_SHA1SUM) { file_sums->check_sha1 = 1; + verbose("QQQ CHECK_SHA1"); } if(opts & CHECK_SHA256SUM) { file_sums->check_sha256 = 1; + verbose("QQQ CHECK_SHA256"); } if(opts & CHECK_GENERIC) { file_sums->check_generic = 1; + verbose("QQQ CHECK_GENERIC"); } - if ((opts & CHECK_MD5SUM) || (opts & CHECK_SHA1SUM) || (opts & CHECK_SHA256SUM)) { + if ((opts & CHECK_MD5SUM) || (opts & CHECK_SHA1SUM) || (opts & CHECK_SHA256SUM) || (opts & CHECK_GENERIC)) { #else if ((opts & CHECK_MD5SUM) || (opts & CHECK_SHA1SUM)) { #endif //LIBSODIUM_ENABLED @@ -383,7 +387,7 @@ merror("YYY alert_msg: %s\n", alert_msg); alert_msg[OS_MAXSTR] = '\0'; /* If it returns < 0, we have already alerted */ - if (c_read_file(file_name, buf, c_sum) < 0) { + if (c_read_file(file_name, buf, c_sum, opts) < 0) { return (0); } diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index 59d425632..6b127e20b 100644 --- a/src/syscheckd/run_check.c +++ b/src/syscheckd/run_check.c @@ -310,7 +310,7 @@ void start_daemon() } /* Read file information and return a pointer to the checksum */ -int c_read_file(const char *file_name, const char *oldsum, char *newsum) +int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sysopts) { int size = 0, perm = 0, owner = 0, group = 0, md5sum = 0, sha1sum = 0; int return_error = 0; @@ -319,11 +319,8 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) os_sha1 sf_sum; #ifdef LIBSODIUM_ENABLED - extern int syscheck_opts; - struct hash_output *file_sums; - //file_sums = malloc(sizeof(struct hash_output)); - file_sums = calloc(1, sizeof(file_sums)); + file_sums = malloc(sizeof(struct hash_output)); if(file_sums == NULL) { merror("run_check file_sums malloc failed: %s", strerror(errno)); } 
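Review bot: Switching back to `malloc(sizeof(struct hash_output))` fixes the size but drops the zeroing, and the `check_md5`/`check_sha1`/`check_sha256`/`check_generic` fields are only ever set to 1 in the `if(sysopts & ...)` blocks that follow, never cleared — so with malloc() they are indeterminate and the later `file_sums->check_sha256 > 0` style tests read uninitialized memory, hashing with whatever happens to be on the heap. Use `file_sums = calloc(1, sizeof(*file_sums));` and make the NULL check actually stop, e.g. `if (file_sums == NULL) { merror("run_check file_sums malloc failed: %s", strerror(errno)); return (-1); }`, since the code after the check dereferences `file_sums` unconditionally. Note also that this hunk deletes the `struct hash_output *file_sums;` declaration while keeping the assignment, which cannot compile until the following commit on this page re-adds it. c_read_file continues outside this hunk.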
@@ -334,19 +331,20 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum) strncpy(file_sums->sha1output, "xxx", 4); strncpy(file_sums->genericoutput, "xxx", 4); /* set the checks */ - if(syscheck_opts & CHECK_MD5SUM) { + if(sysopts & CHECK_MD5SUM) { file_sums->check_md5 = 1; merror("XXX check_md5"); } - if(syscheck_opts & CHECK_SHA1SUM) { + if(sysopts & CHECK_SHA1SUM) { file_sums->check_sha1 = 1; merror("XXX check_sha1"); } - if(syscheck_opts & CHECK_SHA256SUM) { + if(sysopts & CHECK_SHA256SUM) { file_sums->check_sha256 = 1; merror("XXX check_sha256"); - } - if(syscheck_opts & CHECK_GENERIC) { + } else { merror("XXX NOPE256\n"); } + + if(sysopts & CHECK_GENERIC) { file_sums->check_generic = 1; merror("XXX check_generic"); } diff --git a/src/syscheckd/run_realtime.c b/src/syscheckd/run_realtime.c index ecb4f34fe..36ce809e5 100644 --- a/src/syscheckd/run_realtime.c +++ b/src/syscheckd/run_realtime.c @@ -50,7 +50,7 @@ int realtime_checksumfile(const char *file_name) c_sum[255] = '\0'; /* If it returns < 0, we have already alerted */ - if (c_read_file(file_name, buf, c_sum) < 0) { + if (c_read_file(file_name, buf, c_sum, syscheck.opts) < 0) { return (0); } diff --git a/src/syscheckd/syscheck.h b/src/syscheckd/syscheck.h index 8aeb816c8..5b094b7be 100644 --- a/src/syscheckd/syscheck.h +++ b/src/syscheckd/syscheck.h @@ -52,7 +52,7 @@ int realtime_process(void); char *seechanges_addfile(const char *filename) __attribute__((nonnull)); /* Get checksum changes */ -int c_read_file(const char *file_name, const char *oldsum, char *newsum) __attribute__((nonnull)); +int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sysopts) __attribute__((nonnull)); int send_syscheck_msg(const char *msg) __attribute__((nonnull)); int send_rootcheck_msg(const char *msg) __attribute__((nonnull)); From 72d0ffb9964963186f9d61a69f1643943554578e Mon Sep 17 00:00:00 2001 
From: ddpbsd Date: Fri, 13 Jul 2018 08:01:14 -0400 Subject: [PATCH 76/89] I forgot to copy new_hashes_tmp to new_hashes like a moron. Also remove some debugging. --- src/syscheckd/run_check.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index 6b127e20b..ffafd40b1 100644 --- a/src/syscheckd/run_check.c +++ b/src/syscheckd/run_check.c @@ -319,6 +319,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys os_sha1 sf_sum; #ifdef LIBSODIUM_ENABLED + struct hash_output *file_sums; file_sums = malloc(sizeof(struct hash_output)); if(file_sums == NULL) { @@ -333,20 +334,16 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys /* set the checks */ if(sysopts & CHECK_MD5SUM) { file_sums->check_md5 = 1; -merror("XXX check_md5"); } if(sysopts & CHECK_SHA1SUM) { file_sums->check_sha1 = 1; -merror("XXX check_sha1"); } if(sysopts & CHECK_SHA256SUM) { file_sums->check_sha256 = 1; -merror("XXX check_sha256"); - } else { merror("XXX NOPE256\n"); } + } if(sysopts & CHECK_GENERIC) { file_sums->check_generic = 1; -merror("XXX check_generic"); } if(file_sums->check_md5 != 1 && file_sums->check_sha1 != 1 && file_sums->check_sha256 != 1 && file_sums->check_generic != 1) { @@ -469,6 +466,7 @@ merror("XXX check_generic"); if(file_sums->check_generic > 0) { if(hashc > 0) { snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->genericoutput); + strncpy(new_hashes, new_hashes_tmp, 511); hashc++; } else if(hashc == 0) { snprintf(new_hashes, 511, "%s", file_sums->genericoutput); @@ -499,8 +497,6 @@ merror("XXX check_generic"); strncpy(new_hashes, new_hashes_tmp, 511); } } -merror("XXX new_hashes: %s\n", new_hashes); - snprintf(newsum, 255, "%ld:%d:%d:%d:%s", size == 0 ? 0 : (long)statbuf.st_size, perm == 0 ? 0 : (int)statbuf.st_mode, From 62524741b1b54febc0795ff076ac88c696cd7c19 Mon Sep 17 00:00:00 2001 
From: ddpbsd Date: Fri, 13 Jul 2018 08:01:54 -0400 Subject: [PATCH 77/89] Remove the poorly done syscheck_opts idea. I switched to passing the opts to the functions that needed it instead. Much cleaner. --- src/syscheckd/syscheck.c | 2 -- src/syscheckd/syscheck.h | 2 -- 2 files changed, 4 deletions(-) diff --git a/src/syscheckd/syscheck.c b/src/syscheckd/syscheck.c index 607c9d79b..6c07aaa0e 100644 --- a/src/syscheckd/syscheck.c +++ b/src/syscheckd/syscheck.c @@ -105,8 +105,6 @@ int Start_win32_Syscheck() merror("%s: WARN: Syscheck disabled.", ARGV0); } - syscheck_opts = syscheck.opts; - /* Rootcheck config */ if (rootcheck_init(0) == 0) { syscheck.rootcheck = 1; diff --git a/src/syscheckd/syscheck.h b/src/syscheckd/syscheck.h index 5b094b7be..2125bf4a5 100644 --- a/src/syscheckd/syscheck.h +++ b/src/syscheckd/syscheck.h @@ -57,7 +57,5 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys int send_syscheck_msg(const char *msg) __attribute__((nonnull)); int send_rootcheck_msg(const char *msg) __attribute__((nonnull)); -int syscheck_opts; - #endif From 6302c1cb12f319510e0902674d6c3f5a88a8ce87 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Fri, 13 Jul 2018 08:43:26 -0400 Subject: [PATCH 78/89] Remove more debugging stuff. --- src/syscheckd/create_db.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index 40fc17923..a92d9280a 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c 
@@ -136,19 +136,15 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) /* set the checks */ if(opts & CHECK_MD5SUM) { file_sums->check_md5 = 1; - verbose("QQQ CHECK_MD5"); } if(opts & CHECK_SHA1SUM) { file_sums->check_sha1 = 1; - verbose("QQQ CHECK_SHA1"); } if(opts & CHECK_SHA256SUM) { file_sums->check_sha256 = 1; - verbose("QQQ CHECK_SHA256"); } if(opts & CHECK_GENERIC) { file_sums->check_generic = 1; - verbose("QQQ CHECK_GENERIC"); } if ((opts & CHECK_MD5SUM) || (opts & CHECK_SHA1SUM) || (opts & CHECK_SHA256SUM) || (opts & CHECK_GENERIC)) { @@ -162,7 +158,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) if (S_ISLNK(statbuf.st_mode)) { /* Get the file the link points to */ - /* XXX not working + /* XXX not working? char new_file_name[255]; ssize_t rlret = readlink(file_name, new_file_name, 254); if(rlret < 0) { @@ -274,8 +270,6 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) strncpy(new_hashes, new_hashes_tmp, 511); } } -merror("XXX new_hashes(create_db): %s", new_hashes); - snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%c%c%c%c%c%c%ld:%d:%d:%d:%s", (opts & CHECK_SIZE) ? '+' : '-', @@ -289,7 +283,6 @@ merror("XXX new_hashes(create_db): %s", new_hashes); (opts & CHECK_OWNER) ? (int)statbuf.st_uid : 0, (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, new_hashes); -merror("YYY alert_msg: %s\n", alert_msg); #endif // LIBSODIUM_ENABLED snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s", (opts & CHECK_SIZE) ? '+' : '-', From 5d5e80679594b97270f1faf8a8412e9aca908b46 Mon Sep 17 00:00:00 2001 
From: ddpbsd Date: Thu, 19 Jul 2018 08:24:21 -0400 Subject: [PATCH 79/89] Add the hash names into the hash output so that we know what we're looking at when investigating later. I'm not sure if I should use GENERIC or BLAKE2B for the "generic" hash. It's set to GENERIC for now. Hopefully correct some ifdef/else/endif LIBSODIUM stuff. I think alert_msg was being overwritten in a few places making my actual hashes to be written as "xxx:xxx" (no value, basically) instead of the actual computed hashes. Also a bunch of debugging stuff that will be removed later. --- src/os_crypto/md5_sha1/md5_sha1_op.c | 40 +++++++++------------------- src/os_crypto/md5_sha1/md5_sha1_op.h | 8 +++--- src/syscheckd/create_db.c | 27 ++++++++++++------- src/syscheckd/run_check.c | 25 ++++++++++------- 4 files changed, 49 insertions(+), 51 deletions(-) diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c index 75e13d85e..0fdaacb9b 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.c +++ b/src/os_crypto/md5_sha1/md5_sha1_op.c 
@@ -188,46 +188,30 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu if(file_output->check_md5) { for (n = 0; n < 16; n++) { - if(n == 0) { - snprintf(file_output->md5output, 3, "%02x", md5_digest[n]); - } else { - hashtmp[0] = '\0'; - snprintf(hashtmp, 3, "%02x", md5_digest[n]); - strncat(file_output->md5output, hashtmp, sizeof(file_output->md5output) - 1 - strlen(file_output->md5output)); - } + hashtmp[0] = '\0'; + snprintf(hashtmp, 3, "%02x", md5_digest[n]); + strncat(file_output->md5output, hashtmp, sizeof(file_output->md5output) - 1 - strlen(file_output->md5output)); } } if(file_output->check_sha1) { for (n = 0; n < 16; n++) { - if(n == 0) { - snprintf(file_output->sha1output, 3, "%02x", sha1_digest[n]); - } else { - hashtmp[0] = '\0'; - snprintf(hashtmp, 3, "%02x", sha1_digest[n]); - strncat(file_output->sha1output, hashtmp, sizeof(file_output->sha1output) - 1 - strlen(file_output->sha1output)); - } + hashtmp[0] = '\0'; + snprintf(hashtmp, 3, "%02x", sha1_digest[n]); + strncat(file_output->sha1output, hashtmp, sizeof(file_output->sha1output) - 1 - strlen(file_output->sha1output)); } } if(file_output->check_generic) { for (n = 0; n < crypto_generichash_BYTES_MAX; ++n) { - if(n == 0) { - snprintf(file_output->genericoutput, 3, "%02x", generic_digest[n]); - } else { - hashtmp[0] = '\0'; - snprintf(hashtmp, 3, "%02x", generic_digest[n]); - strncat(file_output->genericoutput, hashtmp, sizeof(file_output->genericoutput) - 1 - strlen(file_output->genericoutput)); - } + hashtmp[0] = '\0'; + snprintf(hashtmp, 3, "%02x", generic_digest[n]); + strncat(file_output->genericoutput, hashtmp, sizeof(file_output->genericoutput) - 1 - strlen(file_output->genericoutput)); } } if(file_output->check_sha256) { for (n = 0; n < crypto_hash_sha256_BYTES; ++n) { - if(n == 0) { - snprintf(file_output->sha256output, 3, "%02x", sha256_digest[n]); - } else { - hashtmp[0] = '\0'; - snprintf(hashtmp, 3, "%02x", sha256_digest[n]); - 
strncat(file_output->sha256output, hashtmp, sizeof(file_output->sha256output) - 1 - strlen(file_output->sha256output)); - } + hashtmp[0] = '\0'; + snprintf(hashtmp, 3, "%02x", sha256_digest[n]); + strncat(file_output->sha256output, hashtmp, sizeof(file_output->sha256output) - 1 - strlen(file_output->sha256output)); } } diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.h b/src/os_crypto/md5_sha1/md5_sha1_op.h index 7eb8de891..41c1bb5de 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.h +++ b/src/os_crypto/md5_sha1/md5_sha1_op.h @@ -31,10 +31,10 @@ struct hash_output { int check_generic; // Here's where we put it. - os_md5 md5output; - os_sha1 sha1output; - char genericoutput[130]; - char sha256output[crypto_hash_sha256_BYTES]; + char md5output[37]; + char sha1output[70]; + char genericoutput[138]; + char sha256output[crypto_hash_sha256_BYTES + 7]; }; int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_output *file_output, int mode); diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index a92d9280a..835bf5ced 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c @@ -128,10 +128,10 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) if(file_sums == NULL) { merror("file_sums malloc failed: %s", strerror(errno)); } - strncpy(file_sums->md5output, "xxx", 4); - strncpy(file_sums->sha256output, "xxx", 4); - strncpy(file_sums->sha1output, "xxx", 4); - strncpy(file_sums->genericoutput, "xxx", 4); + strncpy(file_sums->md5output, "MD5=", 5); + strncpy(file_sums->sha256output, "SHA256=", 8); + strncpy(file_sums->sha1output, "SHA1=", 5); + strncpy(file_sums->genericoutput, "GENERIC=", 9); /* set the checks */ if(opts & CHECK_MD5SUM) { 
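Review bot: The SHA-1 loop still runs `for (n = 0; n < 16; n++)`, the MD5 digest length, so only 32 of the 40 hex characters of a SHA-1 digest are emitted and every `SHA1=` value the agent stores is a truncated digest. It should be `for (n = 0; n < 20; n++)`, assuming `sha1_digest` (declared above the hunk) holds the full 20-byte digest. The rewrite also drops the `n == 0` snprintf() that used to initialise each output buffer, so strncat() now depends on the caller having pre-filled a NUL-terminated `NAME=` prefix — the create_db.c and run_check.c hunks of this commit do that, but the contract belongs in a comment above the loops: `/* Callers must pre-set each *output buffer to its NUL-terminated "NAME=" prefix; the hex digest is appended to it. */`. OS_Hash_File starts outside this hunk.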
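Review bot: `char sha256output[crypto_hash_sha256_BYTES + 7];` is 39 bytes, but the value written into it is the 7-character `SHA256=` prefix plus 64 hex characters plus the terminator, i.e. 72 bytes; the bounded strncat() in OS_Hash_File() therefore stops after 31 hex digits and the agent reports a silently truncated SHA-256 for every file. Size it for the hex form and make the arithmetic visible: `char sha256output[7 + 2 * crypto_hash_sha256_BYTES + 1];`. The other three fields happen to fit (`md5output[37]` exactly: 4 + 32 + 1; `sha1output[70]` and `genericoutput[138]` with room to spare), but writing them as `prefix + 2 * digest_len + 1` too would stop the next resize from repeating this mistake.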
@@ -174,8 +174,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) if (S_ISREG(statbuf_lnk.st_mode)) { #ifdef LIBSODIUM_ENABLED if(OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { - strncpy(file_sums->md5output, "xxx", 4); - strncpy(file_sums->sha256output, "xxx", 4); + merror("ossec-syscheckd: ERROR: OS_Hash_File() failed (0x00)"); } #else //LIBSODIUM_ENABLED @@ -231,6 +230,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) if(opts & CHECK_SHA256SUM) { snprintf(new_hashes, 511, "%s", file_sums->sha256output); hashc++; +merror("XXX sha256! %s", new_hashes); } if((opts & CHECK_SHA1SUM) && hashc < 2) { if(hashc > 0) { @@ -241,6 +241,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) snprintf(new_hashes, 511, "%s", file_sums->sha1output); hashc++; } +merror("XXX sha1! %s", new_hashes); } if((opts & CHECK_MD5SUM) && hashc < 2) { if(hashc > 0) { @@ -251,6 +252,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) snprintf(new_hashes, 511, "%s", file_sums->md5output); hashc++; } +merror("XXX md5! %s", new_hashes); } if((opts & CHECK_GENERIC) && hashc < 2) { if(hashc > 0) { @@ -261,8 +263,10 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) snprintf(new_hashes, 511, "%s", file_sums->genericoutput); hashc++; } +merror("XXX generic! %s", new_hashes); } if(hashc < 2) { +merror("XXX uh-oh"); if(hashc == 0) { strncpy(new_hashes, "xxx:xxx", 8); } else if (hashc == 1) { 
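Review bot: The new failure branch logs `OS_Hash_File() failed (0x00)` without saying which file failed, and then falls through: `file_sums` still holds only the `MD5=`/`SHA256=` prefixes set earlier in read_file, so (judging from the code after this hunk) `new_hashes` is built from empty digests and recorded as the file's baseline. Include the path, `merror("%s: ERROR: OS_Hash_File() failed for '%s'", ARGV0, file_name);`, and decide explicitly whether an unhashable file is skipped or baselined with a distinct marker rather than an empty digest that a later successful hash will "change" from. The same message without a file name appears in the two run_check.c hunks of this commit. read_file starts and ends outside this hunk.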
@@ -283,7 +287,8 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) (opts & CHECK_OWNER) ? (int)statbuf.st_uid : 0, (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, new_hashes); -#endif // LIBSODIUM_ENABLED +merror("AAA alert_msg: %s (0x00)", alert_msg); +#else // LIBSODIUM_ENABLED XXX - is this the source of my xxxes? snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s", (opts & CHECK_SIZE) ? '+' : '-', (opts & CHECK_PERM) ? '+' : '-', @@ -297,7 +302,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, (opts & CHECK_MD5SUM) ? mf_sum : "xxx", (opts & CHECK_SHA1SUM) ? sf_sum : "xxx"); - +#endif // LIBSODIUM_ENABLED if (OSHash_Add(syscheck.fp, file_name, strdup(alert_msg)) <= 0) { merror("%s: ERROR: Unable to add file to db: %s", ARGV0, file_name); @@ -315,7 +320,8 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, new_hashes, file_name); -#endif // LIBSODIUM_ENABLED +merror("AAA alert_msg: %s (0x01)", alert_msg); +#else // LIBSODIUM_ENABLED snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%ld:%d:%d:%d:%s:%s %s", (opts & CHECK_SIZE) ? (long)statbuf.st_size : 0, (opts & CHECK_PERM) ? (int)statbuf.st_mode : 0, @@ -324,6 +330,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) (opts & CHECK_MD5SUM) ? mf_sum : "xxx", (opts & CHECK_SHA1SUM) ? sf_sum : "xxx", file_name); +#endif // LIBSODIUM_ENABLED #else HANDLE hFile = CreateFile(file_name, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); @@ -369,6 +376,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) file_name); free(st_uid); #endif // WIN32 + merror("AAA alert_msg: %s (0x02)", alert_msg); send_syscheck_msg(alert_msg); } else { char alert_msg[OS_MAXSTR + 1]; 
@@ -404,6 +412,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) snprintf(alert_msg, 916, "%s %s", c_sum, file_name); } #endif + merror("AAA alert_msg: %s (0x03)", alert_msg); send_syscheck_msg(alert_msg); } } diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index ffafd40b1..05afcd975 100644 --- a/src/syscheckd/run_check.c +++ b/src/syscheckd/run_check.c @@ -327,10 +327,10 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys } /* Clean sums */ - strncpy(file_sums->md5output, "xxx", 4); - strncpy(file_sums->sha256output, "xxx", 4); - strncpy(file_sums->sha1output, "xxx", 4); - strncpy(file_sums->genericoutput, "xxx", 4); + strncpy(file_sums->md5output, "MD5=", 5); + strncpy(file_sums->sha256output, "SHA256=", 8); + strncpy(file_sums->sha1output, "SHA1=", 5); + strncpy(file_sums->genericoutput, "GENERIC=", 9); /* set the checks */ if(sysopts & CHECK_MD5SUM) { file_sums->check_md5 = 1; @@ -417,8 +417,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys /* Generate checksums of the file */ #ifdef LIBSODIUM_ENABLED if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { - strncpy(file_sums->md5output, "xxx", 4); - strncpy(file_sums->sha256output, "xxx", 4); + merror("syscheckd: ERROR: OS_Hash_File() failed. (0x01)"); } #else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { @@ -438,8 +437,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys /* Generate checksums of the file */ #ifdef LIBSODIUM_ENABLED if (OS_Hash_File(file_name, syscheck.prefilter_cmd, file_sums, OS_BINARY) < 0) { - strncpy(file_sums->md5output, "xxx", 4); - strncpy(file_sums->sha256output, "xxx", 4); + merror("syscheckd: ERROR: OS_Hash_File() failed. (0x02)"); } #else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { 
@@ -462,6 +460,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys if(file_sums->check_sha256 > 0) { snprintf(new_hashes, 511, "%s", file_sums->sha256output); hashc++; + merror("YYY sha256! %s", new_hashes); } if(file_sums->check_generic > 0) { if(hashc > 0) { @@ -472,6 +471,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys snprintf(new_hashes, 511, "%s", file_sums->genericoutput); hashc++; } + merror("YYY generic! %s", new_hashes); } if(file_sums->check_sha1 > 0 && hashc < 2) { if(hashc > 0) { @@ -481,21 +481,26 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys } else if(hashc == 0) { snprintf(new_hashes, 511, "%s", file_sums->sha1output); hashc++; } + merror("YYY sha1! %s", new_hashes); } if(file_sums->check_md5 > 0 && hashc < 2) { - if(hashc > 0) { snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->md5output); + if(hashc > 0) { + snprintf(new_hashes_tmp, 511, "%s:%s", new_hashes, file_sums->md5output); strncpy(new_hashes, new_hashes_tmp, 511); hashc++; } else if(hashc == 0) { snprintf(new_hashes, 511, "%s", file_sums->md5output); hashc++; } + merror("YYY md5! %s", new_hashes); } if(hashc < 2) { if(hashc == 0) { strncpy(new_hashes, "xxx:xxx", 8); } else if (hashc == 1) { snprintf(new_hashes_tmp, 511, "%s:xxx", new_hashes); strncpy(new_hashes, new_hashes_tmp, 511); - } } + } + merror("YYY uh-oh! %s", new_hashes); + } snprintf(newsum, 255, "%ld:%d:%d:%d:%s", size == 0 ? 0 : (long)statbuf.st_size, From a38f439d20a9a61c7e0baa9b958df65b9a461ee5 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 25 Jul 2018 09:39:48 -0400 Subject: [PATCH 80/89] Get rid of some debugging. --- src/syscheckd/create_db.c | 9 --------- 1 file changed, 9 deletions(-) diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c index 835bf5ced..7691e804c 100644 --- a/src/syscheckd/create_db.c +++ b/src/syscheckd/create_db.c 
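Review bot: The `merror("YYY ...")` calls added here and in the two hunks above log every file's digests at error level on every check, and unlike the `XXX`/`AAA` lines in create_db.c they are not removed by the "Get rid of some debugging" commit further down this page, which only touches create_db.c — as far as the commits visible here go, they ship. Drop them, or demote them to a debug-level logger if the project has one. Also worth noting in this hunk: the `hashc < 2` padding with `strncpy(new_hashes, "xxx:xxx", 8)` / `"%s:xxx"` means a directory with a single hash enabled always reports `NAME=hex:xxx`, so the manager-side decoder must be prepared for a literal `xxx` field. c_read_file continues outside this hunk.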
@@ -230,7 +230,6 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction) if(opts & CHECK_SHA256SUM) { snprintf(new_hashes, 511, "%s", file_sums->sha256output); hashc++; -merror("XXX sha256! %s", new_hashes); } if((opts & CHECK_SHA1SUM) && hashc < 2) { if(hashc > 0) { @@ -241,7 +240,6 @@ merror("XXX sha256! %s", new_hashes); snprintf(new_hashes, 511, "%s", file_sums->sha1output); hashc++; } -merror("XXX sha1! %s", new_hashes); } if((opts & CHECK_MD5SUM) && hashc < 2) { if(hashc > 0) { @@ -252,7 +250,6 @@ merror("XXX sha1! %s", new_hashes); snprintf(new_hashes, 511, "%s", file_sums->md5output); hashc++; } -merror("XXX md5! %s", new_hashes); } if((opts & CHECK_GENERIC) && hashc < 2) { if(hashc > 0) { @@ -263,10 +260,8 @@ merror("XXX md5! %s", new_hashes); snprintf(new_hashes, 511, "%s", file_sums->genericoutput); hashc++; } -merror("XXX generic! %s", new_hashes); } if(hashc < 2) { -merror("XXX uh-oh"); if(hashc == 0) { strncpy(new_hashes, "xxx:xxx", 8); } else if (hashc == 1) { @@ -287,7 +282,6 @@ merror("XXX uh-oh"); (opts & CHECK_OWNER) ? (int)statbuf.st_uid : 0, (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, new_hashes); -merror("AAA alert_msg: %s (0x00)", alert_msg); #else // LIBSODIUM_ENABLED XXX - is this the source of my xxxes? snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s", (opts & CHECK_SIZE) ? '+' : '-', @@ -320,7 +314,6 @@ merror("AAA alert_msg: %s (0x00)", alert_msg); (opts & CHECK_GROUP) ? (int)statbuf.st_gid : 0, new_hashes, file_name); -merror("AAA alert_msg: %s (0x01)", alert_msg); #else // LIBSODIUM_ENABLED snprintf(alert_msg, (ALERT_MSG_LEN - 1), "%ld:%d:%d:%d:%s:%s %s", (opts & CHECK_SIZE) ? (long)statbuf.st_size : 0, @@ -376,7 +369,6 @@ merror("AAA alert_msg: %s (0x01)", alert_msg); file_name); free(st_uid); #endif // WIN32 - merror("AAA alert_msg: %s (0x02)", alert_msg); send_syscheck_msg(alert_msg); } else { char alert_msg[OS_MAXSTR + 1]; 
@@ -412,7 +404,6 @@ merror("AAA alert_msg: %s (0x01)", alert_msg); snprintf(alert_msg, 916, "%s %s", c_sum, file_name); } #endif - merror("AAA alert_msg: %s (0x03)", alert_msg); send_syscheck_msg(alert_msg); } } From 9b5ddc71471d80db4c7f4594459b5002131ed00b Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Tue, 16 Oct 2018 10:45:01 -0400 Subject: [PATCH 81/89] Missed a conflict. --- src/shared/file_op.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/shared/file_op.c b/src/shared/file_op.c index 027515fde..db96d13cf 100644 --- a/src/shared/file_op.c +++ b/src/shared/file_op.c @@ -396,7 +396,6 @@ char *GetRandomNoise() return(NULL); } buf[2048] = '\0'; ->>>>>>> 897c7872535b185d912ad19eca18016496150474 fclose(fp); return(strdup(buf)); } From 5b6f6735ce68848799331e8df81f7ec78bc9c06f Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Mon, 5 Nov 2018 07:38:53 -0500 Subject: [PATCH 82/89] Fix this reference. --- src/syscheckd/run_realtime.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/syscheckd/run_realtime.c b/src/syscheckd/run_realtime.c index 1b6df5839..6e4145fb2 100644 --- a/src/syscheckd/run_realtime.c +++ b/src/syscheckd/run_realtime.c @@ -50,7 +50,7 @@ int realtime_checksumfile(const char *file_name) c_sum[255] = '\0'; /* If it returns < 0, we have already alerted */ - if (c_read_file(file_name, buf, c_sum, syscheck.opts) < 0) { + if (c_read_file(file_name, buf, c_sum, syscheck.opts[0]) < 0) { return (0); } From fe1dd8f9d510389870ab25f8f82997af5c84a934 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Mon, 5 Nov 2018 09:27:36 -0500 Subject: [PATCH 83/89] Handle the different hash types better. Also try not to truncate the hashes when reporting changes. --- src/analysisd/decoders/syscheck.c | 34 +++++++++++++++++++++++++++---- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c index 127759a28..23bba3cdc 100644 --- a/src/analysisd/decoders/syscheck.c 
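Review bot: `syscheck.opts[0]` hands realtime_checksumfile the check flags of the first configured directory entry only, so a file that belongs to a later `<directories>` entry with different checks would be hashed with the wrong flag set if `opts` is a per-directory array, as the need to index it suggests. The index should then be looked up from the directory entry that matched `file_name` rather than hard-coded to 0; if 0 is deliberate for now, say so on the line, e.g. `/* TODO: use the opts index of the directory that owns file_name, not entry 0 */`. The rest of realtime_checksumfile lies outside the hunk.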
+++ b/src/analysisd/decoders/syscheck.c @@ -27,8 +27,13 @@ typedef struct __sdb { char perm[OS_FLSIZE + 1]; char owner[OS_FLSIZE + 1]; char gowner[OS_FLSIZE + 1]; +#ifdef LIBSODIUM_ENABLED + char md5[(OS_FLSIZE * 2) + 1]; + char sha1[(OS_FLSIZE * 2) + 1]; +#else //LIBSODIUM_ENABLED char md5[OS_FLSIZE + 1]; char sha1[OS_FLSIZE + 1]; +#endif char agent_cp[MAX_AGENTS + 1][1]; char *agent_ips[MAX_AGENTS + 1]; @@ -528,9 +533,22 @@ static int DB_Search(const char *f_name, const char *c_sum, Eventinfo *lf) if (!newmd5 || !oldmd5 || strcmp(newmd5, oldmd5) == 0) { sdb.md5[0] = '\0'; } else { +#ifdef LIBSODIUM_ENABLED + char *hash_type; + if(strncmp(newmd5, "GENERIC", 7) == 0) { + hash_type = "blake2b"; + } else if(strncmp(newmd5, "SHA256", 6) == 0) { + hash_type = "sha256"; + } else { + hash_type = "unknown"; + } + snprintf(sdb.md5, OS_FLSIZE * 2, "Old %s was: '%s'\n" + "New %s is: '%s'\n", hash_type, oldmd5, hash_type, newmd5); +#else //LIBSODIUM_ENABLED snprintf(sdb.md5, OS_FLSIZE, "Old md5sum was: '%s'\n" - "New md5sum is : '%s'\n", + "New md5sum is: '%s'\n", oldmd5, newmd5); +#endif //LIBSODIUM_ENABLED os_strdup(oldmd5, lf->md5_before); os_strdup(newmd5, lf->md5_after); } 
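Review bot: `hash_type` is only ever assigned string literals, so it should be declared `const char *hash_type;` (same in the sha1 block of the next hunk); writing through it would be undefined behaviour and `-Wwrite-strings` flags the current form. The label is derived from the prefix of `newmd5` alone and then applied to `oldmd5` as well, so if the stored checksum can carry a different prefix than the incoming one (after an algorithm change, say) the old value is reported under the new algorithm's name — derive the old label from `oldmd5` separately, or state in a comment that both are assumed to share a prefix. The two messages are also formatted differently: this block prints `"New %s is: '%s'\n"` while the sha1 block prints `"New %s is : '%s'\n"`, and the non-sodium branch here was just changed to drop that space, so the sha1 block should follow. The `sdb.md5` field now carries sha256/blake2b text under LIBSODIUM_ENABLED; a comment on the field, e.g. `/* first-slot hash sent by the agent; not necessarily MD5 when LIBSODIUM_ENABLED */`, would keep the name from misleading.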
@@ -540,13 +558,21 @@ static int DB_Search(const char *f_name, const char *c_sum, Eventinfo *lf) sdb.sha1[0] = '\0'; } else { #ifdef LIBSODIUM_ENABLED - snprintf(sdb.sha1, OS_FLSIZE, "Old sha256sum was: '%s'\n" - "New sha256sum is : '%s'\n", + char *hash_type; + if(strncmp(newsha1, "GENERIC", 7) == 0) { + hash_type = "blake2b"; + } else if(strncmp(newsha1, "SHA256", 6) == 0) { + hash_type = "sha256"; + } else { + hash_type = "unknown"; + } + snprintf(sdb.sha1, OS_FLSIZE * 2, "Old %s was: '%s'\n" + "New %s is : '%s'\n", hash_type, oldsha1, hash_type, newsha1); #else //LIBSODIUM_ENABLED snprintf(sdb.sha1, OS_FLSIZE, "Old sha1sum was: '%s'\n" "New sha1sum is : '%s'\n", -#endif //LIBSODIUM_ENABLED oldsha1, newsha1); +#endif //LIBSODIUM_ENABLED os_strdup(oldsha1, lf->sha1_before); os_strdup(newsha1, lf->sha1_after); } From bd5cc7827ba36c2db22d4aed458d0781bb33523c Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Mon, 5 Nov 2018 13:59:09 -0500 Subject: [PATCH 84/89] Remove some debugging --- src/syscheckd/run_check.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c index 3b1a2de93..a917116f9 100644 --- a/src/syscheckd/run_check.c +++ b/src/syscheckd/run_check.c @@ -356,7 +356,7 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys } if(file_sums->check_md5 != 1 && file_sums->check_sha1 != 1 && file_sums->check_sha256 != 1 && file_sums->check_generic != 1) { - merror("XXX DOES NOT COMPUTER!"); + merror("XXX DOES NOT COMPUTER!"); // TODO replace with real message or something respectable } #endif // LIBSODIUM_ENABLED @@ -469,7 +469,6 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys if(file_sums->check_sha256 > 0) { snprintf(new_hashes, 511, "%s", file_sums->sha256output); hashc++; - merror("YYY sha256! %s", new_hashes); } if(file_sums->check_generic > 0) { if(hashc > 0) { 
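Review bot: The `// TODO replace with real message` comment leaves the underlying gap in place: when none of `check_md5`, `check_sha1`, `check_sha256` or `check_generic` is set, c_read_file logs and then continues, and the later `if(hashc < 2)` branch (visible in the last hunk of this patch) fills `new_hashes` with `xxx:xxx`, so a misconfigured algorithm list yields placeholder checksums that are stored and compared like real ones instead of failing loudly. Returning an error here keeps the integrity database from being populated with dummy values, e.g. `merror("%s: No hash algorithm enabled for '%s'; check <algorithms>", ARGV0, file_name); return (-1);` — the caller in run_realtime.c already treats a negative return as "already alerted". The rest of c_read_file's body lies outside the hunk, so confirm no cleanup is needed before the early return.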
@@ -480,7 +479,6 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys snprintf(new_hashes, 511, "%s", file_sums->genericoutput); hashc++; } - merror("YYY generic! %s", new_hashes); } if(file_sums->check_sha1 > 0 && hashc < 2) { if(hashc > 0) { @@ -490,7 +488,6 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys } else if(hashc == 0) { snprintf(new_hashes, 511, "%s", file_sums->sha1output); hashc++; } - merror("YYY sha1! %s", new_hashes); } if(file_sums->check_md5 > 0 && hashc < 2) { if(hashc > 0) { @@ -500,7 +497,6 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys } else if(hashc == 0) { snprintf(new_hashes, 511, "%s", file_sums->md5output); hashc++; } - merror("YYY md5! %s", new_hashes); } if(hashc < 2) { if(hashc == 0) { @@ -508,7 +504,6 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum, int sys } else if (hashc == 1) { snprintf(new_hashes_tmp, 511, "%s:xxx", new_hashes); strncpy(new_hashes, new_hashes_tmp, 511); } - merror("YYY uh-oh! %s", new_hashes); } snprintf(newsum, 255, "%ld:%d:%d:%d:%s", From 136e7f38971bb13bdf80eaa71c9dcf4094269d32 Mon Sep 17 00:00:00 2001 From: ddpbsd Date: Wed, 2 Jan 2019 17:19:41 -0500 Subject: [PATCH 85/89] Update the hash sizes --- src/os_crypto/md5_sha1/md5_sha1_op.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.h b/src/os_crypto/md5_sha1/md5_sha1_op.h index 41c1bb5de..759eaf384 100644 --- a/src/os_crypto/md5_sha1/md5_sha1_op.h +++ b/src/os_crypto/md5_sha1/md5_sha1_op.h @@ -33,8 +33,8 @@ struct hash_output { // Here's where we put it. char md5output[37]; char sha1output[70]; - char genericoutput[138]; - char sha256output[crypto_hash_sha256_BYTES + 7]; + char genericoutput[256]; + char sha256output[96]; }; int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_output *file_output, int mode); 
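Review bot: `256` and `96` are magic numbers standing in for encoded digest lengths, and nothing ties them to the digests the loops in md5_sha1_op.c actually write; expressing them from the sizes the code already uses makes the invariant checkable: `char genericoutput[crypto_generichash_BYTES_MAX * 2 + 1];` and `char sha256output[crypto_hash_sha256_BYTES * 2 + 1];` (hex encoding is two characters per digest byte plus the terminator, which is what the replaced `crypto_hash_sha256_BYTES + 7` got wrong). If the buffers also carry a prefix such as `SHA256:`, add its length explicitly and document the layout in the comment above the struct. This assumes the libsodium header is visible before the struct under LIBSODIUM_ENABLED; if the non-sodium build also compiles this struct, keep numeric fallbacks under `#else` with a comment naming the digest they size.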
From 509222770d728924be65d9086b2c69a64710ffee Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Wed, 2 Jan 2019 17:23:35 -0500
Subject: [PATCH 86/89] I'm not sure why I thought strncat worked like that.
---
 src/os_crypto/md5_sha1/md5_sha1_op.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/os_crypto/md5_sha1/md5_sha1_op.c b/src/os_crypto/md5_sha1/md5_sha1_op.c
index 0fdaacb9b..17fe67a87 100644
--- a/src/os_crypto/md5_sha1/md5_sha1_op.c
+++ b/src/os_crypto/md5_sha1/md5_sha1_op.c
@@ -190,28 +190,28 @@ int OS_Hash_File(const char *fname, const char *prefilter_cmd, struct hash_outpu
 for (n = 0; n < 16; n++) {
 hashtmp[0] = '\0';
 snprintf(hashtmp, 3, "%02x", md5_digest[n]);
- strncat(file_output->md5output, hashtmp, sizeof(file_output->md5output) - 1 - strlen(file_output->md5output));
+ strncat(file_output->md5output, hashtmp, 2);
 }
 }
 if(file_output->check_sha1) {
 for (n = 0; n < 16; n++) {
 hashtmp[0] = '\0';
 snprintf(hashtmp, 3, "%02x", sha1_digest[n]);
- strncat(file_output->sha1output, hashtmp, sizeof(file_output->sha1output) - 1 - strlen(file_output->sha1output));
+ strncat(file_output->sha1output, hashtmp, 2);
 }
 }
 if(file_output->check_generic) {
 for (n = 0; n < crypto_generichash_BYTES_MAX; ++n) {
 hashtmp[0] = '\0';
 snprintf(hashtmp, 3, "%02x", generic_digest[n]);
- strncat(file_output->genericoutput, hashtmp, sizeof(file_output->genericoutput) - 1 - strlen(file_output->genericoutput));
+ strncat(file_output->genericoutput, hashtmp,2);
 }
 }
 if(file_output->check_sha256) {
 for (n = 0; n < crypto_hash_sha256_BYTES; ++n) {
 hashtmp[0] = '\0';
 snprintf(hashtmp, 3, "%02x", sha256_digest[n]);
- strncat(file_output->sha256output, hashtmp, sizeof(file_output->sha256output) - 1 - strlen(file_output->sha256output));
+ strncat(file_output->sha256output, hashtmp, 2);
 }
 }
From 86f23ff2c6a7617d7be95d399665ceeed224eb2a Mon Sep 17 00:00:00 2001
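Review bot: `strncat`'s third argument bounds the bytes read from the source, not the space left in the destination, so passing `2` removes the only destination bound these four loops had; the replaced `sizeof(dst) - 1 - strlen(dst)` form was the correct idiom and should be kept, or each pair written in place with `snprintf(dst + strlen(dst), 3, "%02x", digest[n])` once the buffer sizes are asserted. Correctness now rests entirely on each loop count matching its buffer, and the sha1 loop iterates `n < 16` although a SHA-1 digest is 20 bytes — if `sha1_digest` holds the full digest this emits a truncated 32-character value into the 70-byte `sha1output`, which weakens the integrity check and should be `n < 20` (or a named digest-length constant). A compile-time check relating each buffer to its digest, e.g. `_Static_assert(sizeof(((struct hash_output *)0)->sha256output) > crypto_hash_sha256_BYTES * 2, "sha256output too small");`, would catch future size drift. OS_Hash_File's body continues on both sides of the hunk.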
From: ddpbsd
Date: Thu, 18 Apr 2019 19:19:11 -0400
Subject: [PATCH 87/89] Make sure we can handle md5 and sha1 in libsodium mode too.
---
 src/analysisd/decoders/syscheck.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c
index 23bba3cdc..21fa765e5 100644
--- a/src/analysisd/decoders/syscheck.c
+++ b/src/analysisd/decoders/syscheck.c
@@ -535,10 +535,14 @@ static int DB_Search(const char *f_name, const char *c_sum, Eventinfo *lf)
 } else {
 #ifdef LIBSODIUM_ENABLED
 char *hash_type;
- if(strncmp(newmd5, "GENERIC", 7) == 0) {
+ if (strncmp(newmd5, "GENERIC", 7) == 0) {
 hash_type = "blake2b";
- } else if(strncmp(newmd5, "SHA256", 6) == 0) {
+ } else if (strncmp(newmd5, "SHA256", 6) == 0) {
 hash_type = "sha256";
+ } else if (strncmp(newmd5, "MD5", 3) == 0) {
+ hash_type = "md5";
+ } else if (strncmp(newmd5, "SHA1", 4) == 0) {
+ hash_type = "sha1";
 } else {
 hash_type = "unknown";
 }
From 425391c06ae87218341c006c0a18a02e0903942c Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Thu, 18 Apr 2019 19:25:20 -0400
Subject: [PATCH 88/89] I'm not sure there is enough space for the blake2b hash, so default to SHA256 and MD5. SHA256 should be good enough for integrity checking for now, and MD5 can be used with services (if necessary, and sha256 isn't an option).
---
 src/config/syscheck-config.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/config/syscheck-config.c b/src/config/syscheck-config.c
index ac0557bae..a58723de1 100644
--- a/src/config/syscheck-config.c
+++ b/src/config/syscheck-config.c
@@ -238,7 +238,7 @@ static int read_attr(syscheck_config *syscheck, const char *dirs, char **g_attrs
 opts |= CHECK_OWNER;
 opts |= CHECK_GROUP;
 opts |= CHECK_SHA256SUM;
- opts |= CHECK_GENERIC;
+ opts |= CHECK_MD5SUM;
 #else //LIBSODIUM_ENABLED
 opts |= CHECK_SHA1SUM;
 opts |= CHECK_MD5SUM;
From 3082ed52fe9ae5ca25a4182d43d2c1e77e8bdb02 Mon Sep 17 00:00:00 2001
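Review bot: The md5/sha1 cases are added only to the first `hash_type` chain in DB_Search; the parallel chain in the sha1 block further down (introduced earlier in this series) still recognises only `GENERIC` and `SHA256` unless it is updated separately, so a second-slot md5 or sha1 value would be reported as `unknown` there. Extracting the chain into one helper, `static const char *hash_type_from_prefix(const char *sum)`, and calling it from both blocks would stop them drifting; `hash_type` should be `const char *` either way since it only holds literals. The enclosing DB_Search body continues outside the hunk.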
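Review bot: The reason for choosing MD5 rather than blake2b as the second default exists only in the commit message; a comment on the changed line would keep it with the code, e.g. `/* SHA256 carries the integrity check; MD5 is kept only for interoperability with services that cannot consume SHA256 */`. If the motivation is buffer space for the 128-character blake2b hex string, the `genericoutput[256]` declared in this series' header change already holds it, so the default may be worth revisiting once that is confirmed. The enclosing read_attr body continues outside the hunk.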
From: ddpbsd
Date: Mon, 29 Apr 2019 10:00:59 -0400
Subject: [PATCH 89/89] Missed a white->allow change.
---
 src/analysisd/decoders/syscheck.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c
index 0ce27abef..631a354a3 100644
--- a/src/analysisd/decoders/syscheck.c
+++ b/src/analysisd/decoders/syscheck.c
@@ -735,7 +735,7 @@ int DecodeSyscheck(Eventinfo *lf)
 merror("%s: Not a valid MD5 hash: '%s'", ARGV0, p);
 return(0);
 }
- debug1("%s: Checking MD5 '%s' in %s", ARGV0, p, Config.md5_whitelist);
+ debug1("%s: Checking MD5 '%s' in %s", ARGV0, p, Config.md5_allowlist);
 if((snprintf(stmt, OS_MAXSTR, "select md5sum from files where md5sum = \"%s\"", p)) < 0) {
 merror("ERROR: snprintf failed for md5sum: %s", p);
 }