diff options
Diffstat (limited to 'framework/src/audit/audisp/plugins/prelude')
10 files changed, 0 insertions, 3689 deletions
diff --git a/framework/src/audit/audisp/plugins/prelude/Makefile.am b/framework/src/audit/audisp/plugins/prelude/Makefile.am deleted file mode 100644 index a70d7652..00000000 --- a/framework/src/audit/audisp/plugins/prelude/Makefile.am +++ /dev/null @@ -1,50 +0,0 @@ -# Makefile.am -- -# Copyright 2008-09,2015 Red Hat Inc., Durham, North Carolina. -# All Rights Reserved. -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# -# Authors: -# Steve Grubb <sgrubb@redhat.com> -# - -CONFIG_CLEAN_FILES = *.rej *.orig -EXTRA_DIST = au-prelude.conf audisp-prelude.conf -AUTOMAKE_OPTIONS = no-dependencies -AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/auparse -LIBS = -L${top_builddir}/auparse/.libs -lauparse -lprelude -LDADD = -lpthread $(CAPNG_LDADD) -prog_confdir = $(sysconfdir)/audisp -prog_conf = audisp-prelude.conf -plugin_confdir=$(prog_confdir)/plugins.d -plugin_conf = au-prelude.conf -sbin_PROGRAMS = audisp-prelude -noinst_HEADERS = prelude-config.h audisp-int.h -dist_man_MANS = audisp-prelude.8 audisp-prelude.conf.5 - -audisp_prelude_SOURCES = audisp-prelude.c prelude-config.c audisp-int.c -audisp_prelude_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -Wundef \ - @LIBPRELUDE_CFLAGS@ -audisp_prelude_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now @LIBPRELUDE_LDFLAGS@ - -install-data-hook: - mkdir -p -m 0750 ${DESTDIR}${plugin_confdir} - $(INSTALL_DATA) -D -m 640 ${srcdir}/$(plugin_conf) ${DESTDIR}${plugin_confdir} - $(INSTALL_DATA) -D -m 640 ${srcdir}/$(prog_conf) ${DESTDIR}${prog_confdir} - -uninstall-hook: - rm ${DESTDIR}${plugin_confdir}/$(plugin_conf) - rm ${DESTDIR}${prog_confdir}/$(prog_conf) - diff --git a/framework/src/audit/audisp/plugins/prelude/au-prelude.conf b/framework/src/audit/audisp/plugins/prelude/au-prelude.conf deleted file mode 100644 index 513fcf91..00000000 --- a/framework/src/audit/audisp/plugins/prelude/au-prelude.conf +++ /dev/null @@ -1,12 +0,0 @@ - -# This file controls the audispd data path to the audit -# based prelude IDS (Intrusion Detection System) plugin. It -# watches events and sends intersting ones to the prelude manager. - -active = no -direction = out -path = /sbin/audisp-prelude -type = always -#args = -format = string - diff --git a/framework/src/audit/audisp/plugins/prelude/audisp-int.c b/framework/src/audit/audisp/plugins/prelude/audisp-int.c deleted file mode 100644 index 54d7a3df..00000000 --- a/framework/src/audit/audisp/plugins/prelude/audisp-int.c +++ /dev/null @@ -1,114 +0,0 @@ -/* -* audisp-int.c - Minimal linked list library for integers -* Copyright (c) 2008 Red Hat Inc., Durham, North Carolina. -* All Rights Reserved. -* -* This software may be freely redistributed and/or modified under the -* terms of the GNU General Public License as published by the Free -* Software Foundation; either version 2, or (at your option) any -* later version. -* -* This program is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -* GNU General Public License for more details. -* -* You should have received a copy of the GNU General Public License -* along with this program; see the file COPYING. If not, write to the -* Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -* -* Authors: -* Steve Grubb <sgrubb@redhat.com> -*/ - -#include "config.h" -#include <stdlib.h> -#include <string.h> -#include "audisp-int.h" - -void ilist_create(ilist *l) -{ - l->head = NULL; - l->cur = NULL; - l->cnt = 0; -} - -int_node *ilist_next(ilist *l) -{ - if (l->cur == NULL) - return NULL; - l->cur = l->cur->next; - return l->cur; -} - -void ilist_append(ilist *l, int num) -{ - int_node* newnode; - - newnode = malloc(sizeof(int_node)); - - newnode->num = num; - newnode->next = NULL; - - // if we are at top, fix this up - if (l->head == NULL) - l->head = newnode; - else // Otherwise add pointer to newnode - l->cur->next = newnode; - - // make newnode current - l->cur = newnode; - l->cnt++; -} - -int ilist_find_num(ilist *l, unsigned int num) -{ - register int_node* window = l->head; - - while (window) { - if (window->num == num) { - l->cur = window; - return 1; - } - else - window = window->next; - } - return 0; -} - -void ilist_clear(ilist* l) -{ - int_node* nextnode; - register int_node* current; - - if (l == NULL) - return; - - current = l->head; - while (current) { - nextnode=current->next; - free(current); - current=nextnode; - } - l->head = NULL; - l->cur = NULL; - l->cnt = 0; -} - -int ilist_add_if_uniq(ilist *l, int num) -{ - register int_node* cur; - - cur = l->head; - while (cur) { - if (cur->num == num) - return 0; - else - cur = cur->next; - } - - /* No matches, append to the end */ - ilist_append(l, num); - return 1; -} - diff --git a/framework/src/audit/audisp/plugins/prelude/audisp-int.h b/framework/src/audit/audisp/plugins/prelude/audisp-int.h deleted file mode 100644 index b0204753..00000000 --- a/framework/src/audit/audisp/plugins/prelude/audisp-int.h +++ /dev/null @@ -1,57 +0,0 @@ -/* -* audisp-int.h - Header file for audisp-int.c -* Copyright (c) 2008 Red Hat Inc., Durham, North Carolina. -* All Rights Reserved. -* -* This software may be freely redistributed and/or modified under the -* terms of the GNU General Public License as published by the Free -* Software Foundation; either version 2, or (at your option) any -* later version. -* -* This program is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -* GNU General Public License for more details. -* -* You should have received a copy of the GNU General Public License -* along with this program; see the file COPYING. If not, write to the -* Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -* -* Authors: -* Steve Grubb <sgrubb@redhat.com> -*/ - -#ifndef AUINT_HEADER -#define AUINT_HEADER - -#include "config.h" -#include <sys/types.h> - -/* This is the node of the linked list. Number & item are the only elements - * at this time. Any data elements that are per item goes here. */ -typedef struct _int_node{ - int num; // The number - struct _int_node* next; // Next string node pointer -} int_node; - -/* This is the linked list head. Only data elements that are 1 per - * event goes here. */ -typedef struct { - int_node *head; // List head - int_node *cur; // Pointer to current node - unsigned int cnt; // How many items in this list -} ilist; - -void ilist_create(ilist *l); -static inline void ilist_first(ilist *l) { l->cur = l->head; } -int_node *ilist_next(ilist *l); -static inline int_node *ilist_get_cur(ilist *l) { return l->cur; } -void ilist_append(ilist *l, int num); -void ilist_clear(ilist* l); -int ilist_find_num(ilist *l, unsigned int num); - -/* append a number if its not already on the list */ -int ilist_add_if_uniq(ilist *l, int num); - -#endif - diff --git a/framework/src/audit/audisp/plugins/prelude/audisp-prelude.8 b/framework/src/audit/audisp/plugins/prelude/audisp-prelude.8 deleted file mode 100644 index e457407e..00000000 --- a/framework/src/audit/audisp/plugins/prelude/audisp-prelude.8 +++ /dev/null @@ -1,72 +0,0 @@ -.TH AUDISP-PRELUDE: "8" "Dec 2008" "Red Hat" "System Administration Utilities" -.SH NAME -audisp\-prelude \- plugin for IDMEF alerts -.SH SYNOPSIS -.B audisp\-prelude [ \-\-test ] -.SH DESCRIPTION -\fBaudisp\-prelude\fP is a plugin for the audit event dispatcher daemon, audispd, that uses libprelude to send IDMEF alerts for possible Intrusion Detection events. This plugin requires connecting to a prelude\-manager to record the events it sends. This plugin will analyze audit events in realtime and send detected events to the prelude\-manager for correlation, recording, and display. - -Events that are currently supported are: Logins, Forbidden Login Location, Max Concurrent Sessions, Max Login Failures, Forbidden Login Time, SE Linux AVCs, SE Linux Enforcement Changes, Abnormal Program Termination, Promiscuous Socket Changes, and watched account logins. - -.SH OPTIONS -.TP -.B \-\-test -Take input from stdin and write prelude events to stdout but does not send them to the prelude\-manager. This can be used for debugging or testing the system with suspicious log files when you do not want it to alert or react. - -.SH INSTALLATION -This sensor has to be registered with the prelude\-manager before it will work properly. If the prelude\-manager is on the same host as the sensor, you will need to open two windows to register. If not, you will have to adjust this example to fit your environment. - -In one window, type: - -.B prelude\-admin register auditd "idmef:w" localhost \-\-uid 0 \-\-gid 0 - -In another, type: - -.B prelude\-admin registration\-server prelude\-manager - -Follow the on\-screen instructions to complete the registration. - -.SH TIPS -If you are aggregating multiple machines, you should enable node information in the audit event stream. You can do this in one of two places. If you want computer node names written to disk as well as sent in the realtime event stream, edit the name_format option in /etc/audit/auditd.conf. If you only want the node names in the realtime event stream, then edit the name_format option in /etc/audisp/audispd.conf. Do not enable both as it will put 2 node fields in the event stream. - -At this point, if you want have audit: forbidden login location, max concurrent sessions, max login failures, and forbidden login time anomalies being reported, you have to setup pam modules correctly. The pam modules are respectively: pam_access, pam_limits, pam_tally2, and pam_time. Please see the respective pam module man pages for any instructions. - -For performance reasons, some audit events will not produce syscall records which contain additional information about events unless there is at least one audit rule loaded. If you do not have any additional audit rules, edit \fI/etc/audit/audit.rules\fP and add something simple that won't impact performace like this: \fB\-w /etc/shadow \-p wa\fP. This rule will watch the shadow file for writes or changes to its attributes. The additional audit information provided by having at least one rule will allow the plugin to give a more complete view of the alert it is sending. - -If you are wanting to get alerts on watched syscalls, watched files, watched execution, or something becoming executable, you need to add some keys to your audit rules. For example, if you have the following audit watch in \fI/etc/audit/audit.rules\fP: - -.B \-w /etc/shadow \-p wa - -and you want idmef alerts on this, you need to add \fB\-k ids\-file\-med\fP or something appropriate to signal to the plugin that this message is for it. The format of the key has a fixed format of keywords separated by a dash. It follows the form of -.IB ids \- type \- severity . -The \fItype\fP can be either \fBsys\fP, \fBfile\fP, \fBexec\fP, or \fBmkexe\fP depending on whether you want the event to be considered a watched_syscall, watched_file, watched_exec, or watched_mk_exe respectively. The \fIseverity\fP can be either \fBinfo\fP, \fBlow\fP, \fBmed\fP, or \fBhi\fP depending on how urgent you would like it to be. - -.SH EXAMPLE RULES -To alert on any use of the personality syscall: -.br -.B \-a always,exit \-S personality \-k ids\-sys\-med - -To alert on a user failing to access the shadow file: -.br -.B \-a always,exit \-F path=/etc/shadow \-F perms=wa \-F success=0 \-k ids\-file\-med - -To alert on the execution of a program: -.br -.B \-w /bin/ping \-p x \-k ids\-exe\-info - -To alert on users making exe's in their home dir (takes 2 rules): -.br -.B \-a always,exit \-S fchmodat \-F dir=/home \-F a2&0111 \-F filetype=file \-k ids\-mkexe\-hi -.br -.B \-a always,exit \-S fchmod,chmod \-F dir=/home \-F a1&0111 \-F filetype=file \-k ids\-mkexe\-hi - -.SH FILES -/etc/audisp/plugins.d/au\-prelude.conf, /etc/audit/auditd.conf, /etc/audisp/audispd.conf, /etc/audisp/audisp\-prelude.conf -.SH "SEE ALSO" -.BR audispd (8), -.BR prelude\-manager (1), -.BR auditd.conf (8), -.BR audispd.conf (8), -.BR audisp\-prelude.conf (5). -.SH AUTHOR -Steve Grubb diff --git a/framework/src/audit/audisp/plugins/prelude/audisp-prelude.c b/framework/src/audit/audisp/plugins/prelude/audisp-prelude.c deleted file mode 100644 index f3dc65a0..00000000 --- a/framework/src/audit/audisp/plugins/prelude/audisp-prelude.c +++ /dev/null @@ -1,2250 +0,0 @@ -/* audisp-prelude.c -- - * Copyright 2008-09,2011-12 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - * - * Authors: - * Steve Grubb <sgrubb@redhat.com> - * - */ - -#include <stdio.h> -#include <stdlib.h> -#include <signal.h> -#include <syslog.h> -#include <string.h> -#include <ctype.h> -#include <pwd.h> -#include <sys/stat.h> -#include <sys/select.h> -#include <errno.h> -#include <libprelude/prelude.h> -#include <libprelude/idmef-message-print.h> -#ifdef HAVE_LIBCAP_NG -#include <cap-ng.h> -#endif -#include "libaudit.h" -#include "auparse.h" -#include "prelude-config.h" - -#define CONFIG_FILE "/etc/audisp/audisp-prelude.conf" -#define ANALYZER_MODEL "auditd" -#define ANALYZER_CLASS "HIDS" -#define ANALYZER_MANUFACTURER "Red Hat, http://people.redhat.com/sgrubb/audit/" -#define PRELUDE_FAIL_CHECK if (ret < 0) goto err; - -typedef enum { AS_LOGIN, AS_MAX_LOGIN_FAIL, AS_MAX_LOGIN_SESS, AS_ABEND, - AS_PROM, AS_MAC_STAT, AS_LOGIN_LOCATION, AS_LOGIN_TIME, AS_MAC, - AS_AUTH, AS_WATCHED_LOGIN, AS_WATCHED_FILE, AS_WATCHED_EXEC, AS_MK_EXE, - AS_MMAP0, AS_WATCHED_SYSCALL, AS_TTY, AS_TOTAL } as_description_t; -const char *assessment_description[AS_TOTAL] = { - "A user has attempted to login", - "The maximum allowed login failures for this account has been reached. This could be an attempt to gain access to the account by someone other than the real account holder.", - "The maximum allowed concurrent logins for this account has been reached.", - "An application terminated abnormally. An attacker may be trying to exploit a weakness in the program.", - "A program has opened or closed a promiscuous socket. If this is not expected, it could be an attacker trying to sniff traffic.", - "A program has changed SE Linux policy enforcement. If this is not expected, it could be an attempt to subvert the system.", - "A user attempted to login from a location that is not allowed. This could be an attempt to gain access to the account by someone other than the real account holder.", - "A user attempted to login during a time that the user should not be logging into the system. This could be an attempt to gain access to the account by someone other than the real account holder.", - "A program has tried to access something that is not allowed in the MAC policy. This could indicate an attacker trying to exploit a weakness in the program.", - "A user has attempted to use an authentication mechanism and failed. This could be an attempt to gain privileges that they are not supposed to have.", - "A user has logged in to an account that is being watched.", - "A user has attempted to access a file that is being watched.", - "A user has attempted to execute a program that is being watched.", - "A user has attempted to create an executable program", - "A program has attempted mmap a fixed memory page at an address sometimes used as part of a kernel exploit", - "A user has run a command that issued a watched syscall", - "A user has typed keystrokes on a terminal" -}; -typedef enum { M_NORMAL, M_TEST } output_t; -typedef enum { W_NO, W_FILE, W_EXEC, W_MK_EXE } watched_t; - -/* Global Data */ -static volatile int stop = 0; -static volatile int hup = 0; -static prelude_client_t *client = NULL; -static auparse_state_t *au = NULL; -static prelude_conf_t config; -static output_t mode = M_NORMAL; -static char *myhostname=NULL; - -/* Local declarations */ -static void handle_event(auparse_state_t *au, - auparse_cb_event_t cb_event_type, void *user_data); - -/* - * SIGTERM handler - */ -static void term_handler( int sig ) -{ - stop = 1; -} - -/* - * SIGHUP handler: re-read config - */ -static void hup_handler( int sig ) -{ - hup = 1; -} - -static void reload_config(void) -{ - hup = 0; -} - -static int setup_analyzer(idmef_analyzer_t *analyzer) -{ - int ret; - prelude_string_t *string; - - ret = idmef_analyzer_new_model(analyzer, &string); - PRELUDE_FAIL_CHECK; - prelude_string_set_dup(string, ANALYZER_MODEL); - - ret = idmef_analyzer_new_class(analyzer, &string); - PRELUDE_FAIL_CHECK; - prelude_string_set_dup(string, ANALYZER_CLASS); - - ret = idmef_analyzer_new_manufacturer(analyzer, &string); - PRELUDE_FAIL_CHECK; - prelude_string_set_dup(string, ANALYZER_MANUFACTURER); - - ret = idmef_analyzer_new_version(analyzer, &string); - PRELUDE_FAIL_CHECK; - prelude_string_set_dup(string, PACKAGE_VERSION); - - return 0; - - err: - syslog(LOG_ERR, "%s: IDMEF error: %s.\n", - prelude_strsource(ret), prelude_strerror(ret)); - - return -1; -} - -static int init_prelude(int argc, char *argv[]) -{ - int ret; - prelude_client_flags_t flags; - - ret = prelude_thread_init(NULL); - ret = prelude_init(&argc, argv); - if (ret < 0) { - syslog(LOG_ERR, - "Unable to initialize the Prelude library: %s.\n", - prelude_strerror(ret)); - return -1; - } - ret = prelude_client_new(&client, - config.profile ? config.profile : ANALYZER_MODEL); - if (! client) { - syslog(LOG_ERR, - "Unable to create a prelude client object: %s.\n", - prelude_strerror(ret)); - return -1; - } - ret = setup_analyzer(prelude_client_get_analyzer(client)); - if (ret < 0) { - syslog(LOG_ERR, "Unable to setup analyzer: %s\n", - prelude_strerror(ret)); - - prelude_client_destroy(client, - PRELUDE_CLIENT_EXIT_STATUS_FAILURE); - prelude_deinit(); - return -1; - } - if (mode == M_NORMAL) { - flags = prelude_client_get_flags(client); - flags |= PRELUDE_CLIENT_FLAGS_ASYNC_TIMER; - } else - flags = 0; // Debug mode - ret = prelude_client_set_flags(client, flags); - if (ret < 0) { - syslog(LOG_ERR, "Unable to set prelude client flags: %s\n", - prelude_strerror(ret)); - - prelude_client_destroy(client, - PRELUDE_CLIENT_EXIT_STATUS_FAILURE); - prelude_deinit(); - return -1; - } - ret = prelude_client_start(client); - if (ret < 0) { - syslog(LOG_ERR, "Unable to start prelude client: %s\n", - prelude_strerror(ret)); - - prelude_client_destroy(client, - PRELUDE_CLIENT_EXIT_STATUS_FAILURE); - prelude_deinit(); - return -1; - } - return 0; -} - -int main(int argc, char *argv[]) -{ - char tmp[MAX_AUDIT_MESSAGE_LENGTH+1]; - struct sigaction sa; - - if (argc > 1) { - if (argc == 2 && strcmp(argv[1], "--test") == 0) { - mode = M_TEST; - } else { - fprintf(stderr, "Usage: audisp-prelude [--test]\n"); - return 1; - } - } - - /* Register sighandlers */ - sa.sa_flags = 0; - sigemptyset(&sa.sa_mask); - /* Set handler for the ones we care about */ - sa.sa_handler = term_handler; - sigaction(SIGTERM, &sa, NULL); - sa.sa_handler = hup_handler; - sigaction(SIGHUP, &sa, NULL); - if (load_config(&config, CONFIG_FILE)) { - if (mode == M_TEST) - puts("audisp-prelude is exiting on config load error"); - return 6; - } - - /* Initialize the auparse library */ - au = auparse_init(AUSOURCE_FEED, 0); - if (au == NULL) { - syslog(LOG_ERR, - "audisp-prelude is exiting due to auparse init errors"); - free_config(&config); - return -1; - } - auparse_add_callback(au, handle_event, NULL, NULL); - if (init_prelude(argc, argv)) { - if (mode == M_TEST) - puts("audisp-prelude is exiting due to init_prelude"); - else - syslog(LOG_ERR, - "audisp-prelude is exiting due to init_prelude failure"); - free_config(&config); - auparse_destroy(au); - return -1; - } -#ifdef HAVE_LIBCAP_NG - // Drop all capabilities - capng_clear(CAPNG_SELECT_BOTH); - capng_apply(CAPNG_SELECT_BOTH); -#endif - if (mode != M_TEST) - syslog(LOG_INFO, "audisp-prelude is ready for events"); - do { - fd_set read_mask; - struct timeval tv; - int retval; - - /* Load configuration */ - if (hup) { - reload_config(); - } - do { - tv.tv_sec = 5; - tv.tv_usec = 0; - FD_ZERO(&read_mask); - FD_SET(0, &read_mask); - if (auparse_feed_has_data(au)) - retval= select(1, &read_mask, NULL, NULL, &tv); - else - retval= select(1, &read_mask, NULL, NULL, NULL); } while (retval == -1 && errno == EINTR && !hup && !stop); - - /* Now the event loop */ - if (!stop && !hup && retval > 0) { - if (fgets_unlocked(tmp, MAX_AUDIT_MESSAGE_LENGTH, - stdin)){ - auparse_feed(au, tmp, strnlen(tmp, - MAX_AUDIT_MESSAGE_LENGTH)); - } - } else if (retval == 0) - auparse_flush_feed(au); - if (feof(stdin)) - break; - } while (stop == 0); - - /* Flush any accumulated events from queue */ - auparse_flush_feed(au); - - if (stop) { - if (mode == M_TEST) - puts("audisp-prelude is exiting on stop request"); - else - syslog(LOG_INFO, - "audisp-prelude is exiting on stop request"); - } else { - if (mode == M_TEST) - puts("audisp-prelude is exiting due to end of file"); - else - syslog(LOG_INFO, - "audisp-prelude is exiting due to losing input source"); - } - - /* Cleanup subsystems */ - if (client) - prelude_client_destroy(client, - PRELUDE_CLIENT_EXIT_STATUS_SUCCESS); - prelude_deinit(); - auparse_destroy(au); - free_config(&config); - free(myhostname); - - return 0; -} - -static void print_test_message(idmef_message_t *idmef) -{ - int ret; - prelude_io_t *fd; - - ret = prelude_io_new(&fd); - if ( ret < 0 ) - return; - - prelude_io_set_file_io(fd, stdout); - idmef_message_print(idmef, fd); - - prelude_io_destroy(fd); -} - -static void send_idmef(prelude_client_t *client, idmef_message_t *idmef) -{ - if (mode == M_TEST) - print_test_message(idmef); - else - prelude_client_send_idmef(client, idmef); -} - -static int new_alert_common(auparse_state_t *au, idmef_message_t **idmef, - idmef_alert_t **alert) -{ - int ret; - idmef_time_t *dtime, *ctime; - time_t au_time; - - ret = idmef_message_new(idmef); - PRELUDE_FAIL_CHECK; - - ret = idmef_message_new_alert(*idmef, alert); - PRELUDE_FAIL_CHECK; - - idmef_alert_set_analyzer(*alert, - idmef_analyzer_ref(prelude_client_get_analyzer(client)), - IDMEF_LIST_PREPEND); - - // Put the audit time and message ID in the event - au_time = auparse_get_time(au); - ret = idmef_time_new_from_time(&dtime, &au_time); - PRELUDE_FAIL_CHECK; - idmef_alert_set_detect_time(*alert, dtime); - - // Set time this was created - ret = idmef_time_new_from_gettimeofday(&ctime); - PRELUDE_FAIL_CHECK; - idmef_alert_set_create_time(*alert, ctime); - - return 0; - err: - syslog(LOG_ERR, "%s: IDMEF error: %s.\n", - prelude_strsource(ret), prelude_strerror(ret)); - idmef_message_destroy(*idmef); - return -1; -} - -static int get_loginuid(auparse_state_t *au) -{ - int uid; - const char *auid; - - auparse_first_field(au); - auid = auparse_find_field(au, "auid"); - if (auid) - uid = auparse_get_field_int(au); - else - uid = -1; - return uid; -} - -static int get_new_gid(auparse_state_t *au) -{ - int gid; - const char *ngid; - - auparse_first_field(au); - ngid = auparse_find_field(au, "new_gid"); - if (ngid) - gid = auparse_get_field_int(au); - else - gid = -1; - return gid; -} - -/* - * This function seeks to the specified record returning its type on succees - */ -static int goto_record_type(auparse_state_t *au, int type) -{ - int cur_type; - - auparse_first_record(au); - do { - cur_type = auparse_get_type(au); - if (cur_type == type) { - auparse_first_field(au); - return type; // Normal exit - } - } while (auparse_next_record(au) > 0); - - return -1; -} - -static int get_loginuid_info(auparse_state_t *au, idmef_user_id_t *user_id) -{ - int ret, type, is_num = 0; - const char *auid; - - type = auparse_get_type(au); - auparse_first_field(au); - auid = auparse_find_field(au, "acct"); - if (auid == NULL) { - is_num = 1; - goto_record_type(au, type); - auid = auparse_find_field(au, "sauid"); - if (auid == NULL) { - goto_record_type(au, type); - if (type == AUDIT_USER_LOGIN) { - // login programs write auid at second uid - auparse_find_field(au, "uid"); - auparse_next_field(au); - auid = auparse_find_field(au, "uid"); - } else { - auid = auparse_find_field(au, "auid"); - } - } - } - if (auid) { - prelude_string_t *str; - ret = prelude_string_new(&str); - PRELUDE_FAIL_CHECK; - - if (is_num) { - int uid = auparse_get_field_int(au); - idmef_user_id_set_number(user_id, uid); - } else { - struct passwd *pw; - pw = getpwnam(auid); - if (pw) - idmef_user_id_set_number(user_id, pw->pw_uid); - } - - auid = auparse_interpret_field(au); - ret = prelude_string_set_ref(str, auid); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_name(user_id, str); - } - return 0; - - err: - return -1; -} - -static int get_tty_info(auparse_state_t *au, idmef_user_id_t *user_id) -{ - int ret, type; - const char *tty; - - type = auparse_get_type(au); - auparse_first_field(au); - tty = auparse_find_field(au, "terminal"); - if (tty == NULL) { - goto_record_type(au, type); - tty = auparse_find_field(au, "tty"); - } - if (tty) { - prelude_string_t *str; - - ret = prelude_string_new(&str); - PRELUDE_FAIL_CHECK; - - ret = prelude_string_set_ref(str, tty); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_tty(user_id, str); - } - return 0; - err: - return -1; -} - -static int is_ipv4(const char *addr) -{ - int i = 0; - while (addr[i]) { - if ((addr[i] != '.') && !isdigit(addr[i])) - return 0; - i++; - } - return 1; -} - -static int is_ipv6(const char *addr) -{ - int i = 0; - while (addr[i]) { - if ((addr[i] != '.') && addr[i] != ':' && !isdigit(addr[i])) - return 0; - i++; - } - return 1; -} - -static int fill_in_node(idmef_node_t *node, const char *addr) -{ - int ret; - prelude_string_t *str; - - /* Setup the address string */ - ret = prelude_string_new(&str); - PRELUDE_FAIL_CHECK; - ret = prelude_string_set_ref(str, addr); - PRELUDE_FAIL_CHECK; - - /* Now figure out the kind of address */ - if (is_ipv4(addr)) { - idmef_address_t *my_addr; - ret = idmef_address_new(&my_addr); - PRELUDE_FAIL_CHECK; - idmef_address_set_category(my_addr, - IDMEF_ADDRESS_CATEGORY_IPV4_ADDR); - idmef_address_set_address(my_addr, str); - idmef_node_set_address(node, my_addr, 0); - } else if (is_ipv6(addr)){ - idmef_address_t *my_addr; - ret = idmef_address_new(&my_addr); - PRELUDE_FAIL_CHECK; - idmef_address_set_category(my_addr, - IDMEF_ADDRESS_CATEGORY_IPV6_ADDR); - idmef_address_set_address(my_addr, str); - idmef_node_set_address(node, my_addr, 0); - } else { /* Just a host name */ - idmef_node_set_name(node, str); - } - - return 0; - err: - return -1; -} - -static int get_rhost_info(auparse_state_t *au, idmef_source_t *source) -{ - int ret; - idmef_node_t *node; - const char *hostname; - - auparse_first_field(au); - hostname = auparse_find_field(au, "hostname"); - if (hostname) { - if (strcmp(hostname, "?") == 0) { - auparse_next_field(au); - hostname = auparse_get_field_str(au); - } - } else { /* Some AVCs have the remote addr */ - auparse_first_field(au); - hostname = auparse_find_field(au, "laddr"); - } - - if (hostname) { - ret = idmef_source_new_node(source, &node); - PRELUDE_FAIL_CHECK; - idmef_node_set_category(node, IDMEF_NODE_CATEGORY_UNKNOWN); - - ret = fill_in_node(node, hostname); - PRELUDE_FAIL_CHECK; - } - - return 0; - err: - return -1; -} - -static int do_node_common(auparse_state_t *au, idmef_node_t *node) -{ - int ret; - const char *name; - - auparse_first_field(au); - name = auparse_find_field(au, "node"); - if (name == NULL) { - if (myhostname == NULL) { - char tmp_name[255]; - if (gethostname(tmp_name, sizeof(tmp_name)) == 0) - myhostname = strdup(tmp_name); - } - name = myhostname; - idmef_node_set_category(node, IDMEF_NODE_CATEGORY_HOSTS); - } else - idmef_node_set_category(node, IDMEF_NODE_CATEGORY_UNKNOWN); - - if (name) { - ret = fill_in_node(node, name); - PRELUDE_FAIL_CHECK; - } else - goto err; - - return 0; - err: - return -1; -} - -static int get_node_info(auparse_state_t *au, idmef_source_t *source, - idmef_target_t *target) -{ - int ret; - idmef_node_t *node; - - if (source) { - ret = idmef_source_new_node(source, &node); - PRELUDE_FAIL_CHECK; - - ret = do_node_common(au, node); - PRELUDE_FAIL_CHECK; - } - - if (target) { - ret = idmef_target_new_node(target, &node); - PRELUDE_FAIL_CHECK; - - ret = do_node_common(au, node); - PRELUDE_FAIL_CHECK; - } - - return 0; - err: - return -1; -} - -static int get_login_exe_info(auparse_state_t *au, idmef_target_t *target) -{ - int ret, type; - idmef_process_t *process; - const char *exe, *pid; - - ret = idmef_target_new_process(target, &process); - PRELUDE_FAIL_CHECK; - - type = auparse_get_type(au); - auparse_first_field(au); - pid = auparse_find_field(au, "pid"); - if (pid) - idmef_process_set_pid(process, auparse_get_field_int(au)); - - goto_record_type(au, type); - exe = auparse_find_field(au, "exe"); - if (exe) { - char *base; - prelude_string_t *str, *name_str; - ret = prelude_string_new(&str); - PRELUDE_FAIL_CHECK; - - exe = auparse_interpret_field(au); - ret = prelude_string_set_ref(str, exe); - PRELUDE_FAIL_CHECK; - idmef_process_set_path(process, str); - - /* Set process name, login events do not have comm fields */ - base = basename(exe); - ret = prelude_string_new(&name_str); - PRELUDE_FAIL_CHECK; - ret = prelude_string_set_dup(name_str, base); - PRELUDE_FAIL_CHECK; - idmef_process_set_name(process, name_str); - } - - return 0; - err: - return -1; -} - -static int get_target_group_info(auparse_state_t *au, idmef_user_t *tuser) -{ - int ret; - const char *ngid; - - auparse_first_field(au); - ngid = auparse_find_field(au, "new_gid"); - if (ngid) { - int gid; - idmef_user_id_t *user_id; - prelude_string_t *str; - - ret = idmef_user_new_user_id(tuser, &user_id, 0); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_GROUP_PRIVS); - - ret = prelude_string_new(&str); - PRELUDE_FAIL_CHECK; - - gid = auparse_get_field_int(au); - if (gid >= 0) - idmef_user_id_set_number(user_id, gid); - - ngid = auparse_interpret_field(au); - ret = prelude_string_set_ref(str, ngid); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_name(user_id, str); - } - - return 0; - err: - return -1; -} - -static int get_comm_info(auparse_state_t *au, idmef_source_t *source, - idmef_target_t *target) -{ - int ret, type, need_comm = 1; - idmef_process_t *process; - const char *exe, *pid; - - if (source) - ret = idmef_source_new_process(source, &process); - else if (target) - ret = idmef_target_new_process(target, &process); - else - return -1; - PRELUDE_FAIL_CHECK; - - type = auparse_get_type(au); - auparse_first_field(au); - pid = auparse_find_field(au, "pid"); - if (pid) - idmef_process_set_pid(process, auparse_get_field_int(au)); - - goto_record_type(au, type); - auparse_first_field(au); - exe = auparse_find_field(au, "comm"); - if (exe) { - prelude_string_t *str; - ret = prelude_string_new(&str); - PRELUDE_FAIL_CHECK; - - exe = auparse_interpret_field(au); - ret = prelude_string_set_ref(str, exe); - PRELUDE_FAIL_CHECK; - idmef_process_set_name(process, str); - need_comm = 0; - } - - goto_record_type(au, type); - exe = auparse_find_field(au, "exe"); - if (exe) { - prelude_string_t *str; - ret = prelude_string_new(&str); - PRELUDE_FAIL_CHECK; - - exe = auparse_interpret_field(au); - ret = prelude_string_set_ref(str, exe); - PRELUDE_FAIL_CHECK; - idmef_process_set_path(process, str); - - /* Set the process name if not set already */ - if (need_comm) { - prelude_string_t *name_str; - - char *base = basename(exe); - ret = prelude_string_new(&name_str); - PRELUDE_FAIL_CHECK; - ret = prelude_string_set_dup(name_str, base); - idmef_process_set_name(process, name_str); - } - } - - return 0; - err: - return -1; -} - -/* - * Fill in a file record for idmef. Note that we always get the - * full path name unless we have an AVC. - */ -static int get_file_info(auparse_state_t *au, idmef_target_t *target, int full) -{ - int ret; - idmef_file_t *file; - const char *name; - char path[PATH_MAX+1]; - - ret = idmef_target_new_file(target, &file, 0); - PRELUDE_FAIL_CHECK; - - *path = 0; - if (full) { - const char *cwd; - auparse_first_field(au); - cwd = auparse_find_field(au, "cwd"); - if (cwd) { - if ((cwd = auparse_interpret_field(au))) - strcat(path, cwd); - } - // Loop across all PATH records in the event - goto_record_type(au, AUDIT_PATH); - name = NULL; - do { // Make sure that we have an actual file record - if (auparse_find_field(au, "mode")) { - int m = auparse_get_field_int(au); - if (S_ISREG(m)) { - // Now back up and get file name - auparse_first_field(au); - name = auparse_find_field(au, "name"); - break; - } - } - } while (auparse_next_record(au) > 0 && - auparse_get_type(au) == AUDIT_PATH); - } else { - // SE Linux AVC - int type = auparse_get_type(au); - auparse_first_field(au); - name = auparse_find_field(au, "path"); - if (name == NULL) { - goto_record_type(au, type); - name = auparse_find_field(au, "name"); - } - } - if (name) - name = auparse_interpret_field(au); - if (name) { - if (name[0] == '/') - strcpy(path, name); - else - strcat(path, name); - } - if (path[0] != 0) { - prelude_string_t *str; - ret = prelude_string_new(&str); - PRELUDE_FAIL_CHECK; - - ret = prelude_string_set_dup(str, path); - PRELUDE_FAIL_CHECK; - if (path[0] == '/') { - char *base; - prelude_string_t *name_str; - - idmef_file_set_path(file, str); - base = basename(path); - if (base[0] == 0) - base = "/"; - ret = prelude_string_new(&name_str); - PRELUDE_FAIL_CHECK; - ret = prelude_string_set_dup(name_str, base); - PRELUDE_FAIL_CHECK; - idmef_file_set_name(file, name_str); - } else - idmef_file_set_name(file, str); - } - idmef_file_set_category(file, IDMEF_FILE_CATEGORY_CURRENT); - - return 0; - err: - return -1; -} - -static int add_additional_data(idmef_alert_t *alert, const char *title, - const char *text) -{ - int ret; - idmef_additional_data_t *data; - prelude_string_t *str; - - ret = idmef_alert_new_additional_data(alert, &data, IDMEF_LIST_APPEND); - PRELUDE_FAIL_CHECK; - - ret = idmef_additional_data_new_meaning(data, &str); - PRELUDE_FAIL_CHECK; - - prelude_string_set_dup(str, title); - idmef_additional_data_set_type(data, IDMEF_ADDITIONAL_DATA_TYPE_STRING); - idmef_additional_data_set_string_ref(data, text); - return 0; - err: - return -1; -} - -static int add_serial_number_data(auparse_state_t *au, idmef_alert_t *alert) -{ - int ret; - idmef_additional_data_t *data; - prelude_string_t *str; - unsigned long serial; - char eid[24]; - - serial = auparse_get_serial(au); - snprintf(eid, sizeof(eid), "%lu", serial); - - ret = idmef_alert_new_additional_data(alert, &data, IDMEF_LIST_APPEND); - PRELUDE_FAIL_CHECK; - - ret = idmef_additional_data_new_meaning(data, &str); - PRELUDE_FAIL_CHECK; - - prelude_string_set_dup(str, "Audit event serial #"); - idmef_additional_data_set_type(data, IDMEF_ADDITIONAL_DATA_TYPE_STRING); - idmef_additional_data_set_string_dup(data, eid); - return 0; - err: - return -1; -} - -static int add_exit_data(auparse_state_t *au, idmef_alert_t *alert) -{ - const char *e_ptr; - - if (goto_record_type(au, AUDIT_SYSCALL) == -1) - goto err; - e_ptr = auparse_find_field(au, "exit"); - if (e_ptr) { - int ret; - idmef_additional_data_t *data; - prelude_string_t *str; - char exit_code[80]; - - snprintf(exit_code, sizeof(exit_code), "%d (%s)", - auparse_get_field_int(au), - auparse_interpret_field(au)); - - ret = idmef_alert_new_additional_data(alert, - &data, IDMEF_LIST_APPEND); - PRELUDE_FAIL_CHECK; - - ret = idmef_additional_data_new_meaning(data, &str); - PRELUDE_FAIL_CHECK; - - prelude_string_set_dup(str, "Audit syscall exit code:"); - idmef_additional_data_set_type(data, - IDMEF_ADDITIONAL_DATA_TYPE_STRING); - idmef_additional_data_set_string_dup(data, exit_code); - } - return 0; - err: - return -1; -} - -static int add_execve_data(auparse_state_t *au, idmef_alert_t *alert) -{ - int ret, i, len = 0; - idmef_additional_data_t *data; - prelude_string_t *str; - const char *msgptr; - char msg[256], var[16]; - - if (goto_record_type(au, AUDIT_EXECVE) != AUDIT_EXECVE) - return 0; - - msg[0] = 0; - for (i=0; i<8; i++) { - snprintf(var, sizeof(var), "a%d", i); - msgptr = auparse_find_field(au, var); - if (msgptr) { - char *ptr; - int len2; - len2 = asprintf(&ptr, "%s=%s ", var, - auparse_interpret_field(au)); - if (len2 < 0) { - ptr = NULL; - } else if (len2 > 0 && (len2 + len + 1) < sizeof(msg)) { - strcat(msg, ptr); - len += len2; - } - free(ptr); - } else - break; - } - - ret = idmef_alert_new_additional_data(alert, &data, IDMEF_LIST_APPEND); - PRELUDE_FAIL_CHECK; - - ret = idmef_additional_data_new_meaning(data, &str); - PRELUDE_FAIL_CHECK; - - prelude_string_set_dup(str, "Execve args"); - idmef_additional_data_set_type(data, IDMEF_ADDITIONAL_DATA_TYPE_STRING); - idmef_additional_data_set_string_dup(data, msg); - return 0; - err: - return -1; -} - -static int set_classification(idmef_alert_t *alert, const char *text) -{ - int ret; - idmef_classification_t *classification; - prelude_string_t *str; - - ret = idmef_alert_new_classification(alert, &classification); - PRELUDE_FAIL_CHECK; - ret = prelude_string_new(&str); - PRELUDE_FAIL_CHECK; - ret = prelude_string_set_ref(str, text); - PRELUDE_FAIL_CHECK; - idmef_classification_set_text(classification, str); - - return 0; - err: - return -1; -} - -static int do_assessment(idmef_alert_t *alert, auparse_state_t *au, - idmef_impact_severity_t severity, idmef_impact_type_t type, - const char *descr) -{ - int ret; - idmef_assessment_t *assessment; - idmef_impact_t *impact; - idmef_impact_completion_t completion = IDMEF_IMPACT_COMPLETION_ERROR; - const char *result; - - auparse_first_record(au); - result = auparse_find_field(au, "res"); - if (result == NULL) { - auparse_first_record(au); - result = auparse_find_field(au, "success"); - } - if (result) { - if (strcmp(result, "yes") == 0) - completion = IDMEF_IMPACT_COMPLETION_SUCCEEDED; - else if (strcmp(result, "success") == 0) - completion = IDMEF_IMPACT_COMPLETION_SUCCEEDED; - else - completion = IDMEF_IMPACT_COMPLETION_FAILED; - } - - // Adjust the rating on AVC's based on if they succeeded or not - if (goto_record_type(au, AUDIT_AVC) == AUDIT_AVC) { - if (completion == IDMEF_IMPACT_COMPLETION_FAILED) - severity = IDMEF_IMPACT_SEVERITY_LOW; - } else if (goto_record_type(au, AUDIT_USER_AVC) == AUDIT_USER_AVC) { - if (completion == IDMEF_IMPACT_COMPLETION_FAILED) - severity = IDMEF_IMPACT_SEVERITY_LOW; - } - // If this is a segfault, they failed - if (goto_record_type(au, AUDIT_ANOM_ABEND) == AUDIT_ANOM_ABEND) - completion = IDMEF_IMPACT_COMPLETION_FAILED; - - ret = idmef_alert_new_assessment(alert, &assessment); - PRELUDE_FAIL_CHECK; - ret = idmef_assessment_new_impact(assessment, &impact); - PRELUDE_FAIL_CHECK; - idmef_impact_set_severity(impact, severity); - idmef_impact_set_type(impact, type); - if (descr) { - prelude_string_t *str; - ret = idmef_impact_new_description(impact, &str); - PRELUDE_FAIL_CHECK; - ret = prelude_string_set_ref(str, descr); - PRELUDE_FAIL_CHECK; - } - - // FIXME: I think this is wrong. sb a way to express indeterminate - if (completion != IDMEF_IMPACT_COMPLETION_ERROR) - idmef_impact_set_completion(impact, completion); - - return 0; - err: - return -1; -} - -/* - * This is for login related alerts - */ -static int login_alert(auparse_state_t *au, idmef_message_t *idmef, - idmef_alert_t *alert, const char *msg, - idmef_impact_severity_t severity, as_description_t num) -{ - int ret; - idmef_source_t *source; - idmef_target_t *target; - idmef_user_t *suser, *tuser; - idmef_user_id_t *user_id; - idmef_impact_type_t impact; - - /* Fill in information about the event's source */ - ret = idmef_alert_new_source(alert, &source, -1); - PRELUDE_FAIL_CHECK; - - ret = idmef_source_new_user(source, &suser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(suser, IDMEF_USER_CATEGORY_UNKNOWN); - - ret = get_rhost_info(au, source); - PRELUDE_FAIL_CHECK; - - /* Fill in information about the target of the event */ - ret = idmef_alert_new_target(alert, &target, -1); - PRELUDE_FAIL_CHECK; - ret = idmef_target_new_user(target, &tuser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(tuser, IDMEF_USER_CATEGORY_APPLICATION); - ret = idmef_user_new_user_id(tuser, &user_id, 0); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_TARGET_USER); - - auparse_first_record(au); - ret = get_loginuid_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_tty_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_login_exe_info(au, target); - PRELUDE_FAIL_CHECK; - - ret = get_node_info(au, NULL, target); - PRELUDE_FAIL_CHECK; - - ret = add_serial_number_data(au, alert); - PRELUDE_FAIL_CHECK; - - /* Describe event */ - ret = set_classification(alert, msg); - PRELUDE_FAIL_CHECK; - - /* Assess impact */ - if (get_loginuid(au) == 0) - impact = IDMEF_IMPACT_TYPE_ADMIN; - else - impact = IDMEF_IMPACT_TYPE_USER; - ret = do_assessment(alert, au, severity, impact, - assessment_description[num]); - PRELUDE_FAIL_CHECK; - - send_idmef(client, idmef); - idmef_message_destroy(idmef); - - return 0; - - err: - syslog(LOG_ERR, "login_alert: IDMEF error: %s.\n", - prelude_strerror(ret)); - idmef_message_destroy(idmef); - return -1; -} - -/* - * This is for SE Linux AVC related alerts - */ -static int avc_alert(auparse_state_t *au, idmef_message_t *idmef, - idmef_alert_t *alert) -{ - int ret, type; - idmef_source_t *source; - idmef_target_t *target; - idmef_user_t *suser; - idmef_user_id_t *user_id; - idmef_impact_type_t impact_type = IDMEF_IMPACT_TYPE_OTHER; - const char *seperm = NULL; - - /* Fill in information about the event's source */ - ret = idmef_alert_new_source(alert, &source, -1); - PRELUDE_FAIL_CHECK; - - if ((type = goto_record_type(au, AUDIT_SYSCALL)) == AUDIT_SYSCALL || - (type = goto_record_type(au, AUDIT_USER_AVC)) == AUDIT_USER_AVC) { - ret = idmef_source_new_user(source, &suser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(suser, IDMEF_USER_CATEGORY_APPLICATION); - ret = idmef_user_new_user_id(suser, &user_id, 0); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_type(user_id, - IDMEF_USER_ID_TYPE_ORIGINAL_USER); - ret = get_loginuid_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_tty_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_comm_info(au, source, NULL); - PRELUDE_FAIL_CHECK; - - ret = get_rhost_info(au, source); - PRELUDE_FAIL_CHECK; - } else if ((type = goto_record_type(au, AUDIT_AVC)) == AUDIT_AVC) { - ret = get_comm_info(au, source, NULL); - PRELUDE_FAIL_CHECK; - } - - /* Fill in information about the target of the event */ - ret = idmef_alert_new_target(alert, &target, -1); - PRELUDE_FAIL_CHECK; - - auparse_first_record(au); - ret = get_node_info(au, source, target); - PRELUDE_FAIL_CHECK; - - type = goto_record_type(au, AUDIT_CWD); - if (type == AUDIT_CWD) { - ret = get_file_info(au, target, 1); - PRELUDE_FAIL_CHECK; - impact_type = IDMEF_IMPACT_TYPE_FILE; - } else if ((type = goto_record_type(au, AUDIT_AVC)) == AUDIT_AVC) { - seperm = auparse_find_field(au, "seperm"); - if (auparse_find_field(au, "path")) { - ret = get_file_info(au, target, 0); - impact_type = IDMEF_IMPACT_TYPE_FILE; - } else { - goto_record_type(au, AUDIT_AVC); - if (auparse_find_field(au, "name")) { - ret = get_file_info(au, target, 0); - impact_type = IDMEF_IMPACT_TYPE_FILE; - } - } - } - - /* Add AVC info for reference */ - if ((goto_record_type(au, AUDIT_AVC) == AUDIT_AVC) || - (goto_record_type(au, AUDIT_USER_AVC) == AUDIT_USER_AVC)) { - ret = add_additional_data(alert, "AVC Text", - auparse_get_record_text(au)); - PRELUDE_FAIL_CHECK; - } - - ret = add_serial_number_data(au, alert); - PRELUDE_FAIL_CHECK; - - /* Detect mmap 0 here */ - type = AS_MAC; - if (seperm && strcmp(seperm, "mmap_zero") == 0) { - const char *tclass = auparse_find_field(au, "tclass"); - if (tclass && strcmp(tclass, "memprotect")) - type = AS_MMAP0; - } - - /* Describe event */ - if (type == AS_MAC) { - ret = set_classification(alert, "MAC Violation"); - PRELUDE_FAIL_CHECK; - - /* Assess impact */ - ret = do_assessment(alert, au, IDMEF_IMPACT_SEVERITY_MEDIUM, - impact_type, assessment_description[AS_MAC]); - } else { - ret = set_classification(alert, "MMAP Page 0"); - PRELUDE_FAIL_CHECK; - - /* Assess impact */ - ret = do_assessment(alert, au, IDMEF_IMPACT_SEVERITY_HIGH, - impact_type, assessment_description[AS_MMAP0]); - } - PRELUDE_FAIL_CHECK; - - send_idmef(client, idmef); - idmef_message_destroy(idmef); - - return 0; - - err: - syslog(LOG_ERR, "avc_alert: IDMEF error: %s.\n", - prelude_strerror(ret)); - idmef_message_destroy(idmef); - return -1; -} - -/* - * This is for Application Abnormal Termination related alerts - */ -static int app_term_alert(auparse_state_t *au, idmef_message_t *idmef, - idmef_alert_t *alert) -{ - int ret; - idmef_source_t *source; - idmef_target_t *target; - idmef_user_t *suser, *tuser; - idmef_user_id_t *user_id; - const char *sig; - - /* Fill in information about the event's source */ - ret = idmef_alert_new_source(alert, &source, -1); - PRELUDE_FAIL_CHECK; - - ret = idmef_source_new_user(source, &suser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(suser, IDMEF_USER_CATEGORY_APPLICATION); - - /* Fill in information about the target of the event */ - ret = idmef_alert_new_target(alert, &target, -1); - PRELUDE_FAIL_CHECK; - ret = idmef_target_new_user(target, &tuser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(tuser, IDMEF_USER_CATEGORY_APPLICATION); - ret = idmef_user_new_user_id(tuser, &user_id, 0); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_ORIGINAL_USER); - - auparse_first_record(au); - ret = get_loginuid_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_comm_info(au, NULL, target); - PRELUDE_FAIL_CHECK; - - ret = get_node_info(au, source, target); - PRELUDE_FAIL_CHECK; - - auparse_first_record(au); - sig = auparse_find_field(au, "sig"); - if (sig) { - sig = auparse_interpret_field(au); - ret = add_additional_data(alert, "Signal", sig); - PRELUDE_FAIL_CHECK; - } - - ret = add_serial_number_data(au, alert); - PRELUDE_FAIL_CHECK; - - /* Describe event */ - ret = set_classification(alert, "App Abnormal Termination"); - PRELUDE_FAIL_CHECK; - - /* Assess impact */ - ret = do_assessment(alert, au, IDMEF_IMPACT_SEVERITY_MEDIUM, - IDMEF_IMPACT_TYPE_OTHER, - assessment_description[AS_ABEND]); - PRELUDE_FAIL_CHECK; - - send_idmef(client, idmef); - idmef_message_destroy(idmef); - - return 0; - - err: - syslog(LOG_ERR, "term_alert: IDMEF error: %s.\n", - prelude_strerror(ret)); - idmef_message_destroy(idmef); - return -1; -} - -/* - * This is to alert that something has opened a promiscuous socket - */ -static int promiscuous_alert(auparse_state_t *au, idmef_message_t *idmef, - idmef_alert_t *alert) -{ - int ret, type, old_prom=-1, new_prom=-1; - idmef_source_t *source; - idmef_target_t *target; - idmef_user_t *suser, *tuser; - idmef_user_id_t *user_id; - const char *dev; - - /* Fill in information about the event's source */ - ret = idmef_alert_new_source(alert, &source, -1); - PRELUDE_FAIL_CHECK; - - type = goto_record_type(au, AUDIT_SYSCALL); - if (type == AUDIT_SYSCALL) { - ret = idmef_source_new_user(source, &suser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(suser, IDMEF_USER_CATEGORY_APPLICATION); - ret = idmef_user_new_user_id(suser, &user_id, 0); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_type(user_id, - IDMEF_USER_ID_TYPE_ORIGINAL_USER); - - ret = get_loginuid_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_tty_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_comm_info(au, source, NULL); - PRELUDE_FAIL_CHECK; - } - dev = auparse_find_field(au, "dev"); - if (dev) { - ret = add_additional_data(alert, "Device", dev); - PRELUDE_FAIL_CHECK; - } - - /* Fill in information about the target of the event */ - ret = idmef_alert_new_target(alert, &target, -1); - PRELUDE_FAIL_CHECK; - ret = idmef_target_new_user(target, &tuser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(tuser, IDMEF_USER_CATEGORY_OS_DEVICE); - - ret = get_node_info(au, source, target); - PRELUDE_FAIL_CHECK; - - type = goto_record_type(au, AUDIT_ANOM_PROMISCUOUS); - if (type == AUDIT_ANOM_PROMISCUOUS) { - const char *old_val, *new_val; - - auparse_first_field(au); - new_val = auparse_find_field(au, "prom"); - if (new_val) - new_prom = auparse_get_field_int(au); - old_val = auparse_find_field(au, "old_prom"); - if (old_val) - old_prom = auparse_get_field_int(au); - } - - ret = add_serial_number_data(au, alert); - PRELUDE_FAIL_CHECK; - - /* Describe event */ - if (new_prom == 256 && old_prom == 0) - ret = set_classification(alert, "Promiscuous Socket Opened"); - else if (new_prom == 0 && old_prom == 256) - ret = set_classification(alert, "Promiscuous Socket Closed"); - else - ret = set_classification(alert, "Promiscuous Socket Changed"); - PRELUDE_FAIL_CHECK; - - /* Assess impact */ - ret = do_assessment(alert, au, IDMEF_IMPACT_SEVERITY_INFO, - IDMEF_IMPACT_TYPE_RECON, - assessment_description[AS_PROM]); - PRELUDE_FAIL_CHECK; - - send_idmef(client, idmef); - idmef_message_destroy(idmef); - - return 0; - - err: - syslog(LOG_ERR, "promiscuous_alert: IDMEF error: %s.\n", - prelude_strerror(ret)); - idmef_message_destroy(idmef); - return -1; -} - -/* - * This is to alert that something has changed the selinux enforcement - */ -static int mac_status_alert(auparse_state_t *au, idmef_message_t *idmef, - idmef_alert_t *alert) -{ - int ret, type, old_enforce=-1, new_enforce=-1; - idmef_source_t *source; - idmef_target_t *target; - idmef_user_t *suser, *tuser; - idmef_user_id_t *user_id; - idmef_impact_severity_t severity; - - /* Fill in information about the event's source */ - ret = idmef_alert_new_source(alert, &source, -1); - PRELUDE_FAIL_CHECK; - - ret = idmef_source_new_user(source, &suser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(suser, IDMEF_USER_CATEGORY_APPLICATION); - ret = idmef_user_new_user_id(suser, &user_id, 0); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_ORIGINAL_USER); - - type = goto_record_type(au, AUDIT_SYSCALL); - if (type == AUDIT_SYSCALL) { - ret = get_loginuid_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_tty_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_comm_info(au, source, NULL); - PRELUDE_FAIL_CHECK; - } - - /* Fill in information about the target of the event */ - ret = idmef_alert_new_target(alert, &target, -1); - PRELUDE_FAIL_CHECK; - ret = idmef_target_new_user(target, &tuser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(tuser, IDMEF_USER_CATEGORY_OS_DEVICE); - - ret = get_node_info(au, source, target); - PRELUDE_FAIL_CHECK; - - type = goto_record_type(au, AUDIT_MAC_STATUS); - if (type == AUDIT_MAC_STATUS) { - const char *old_val, *new_val; - - auparse_first_field(au); - new_val = auparse_find_field(au, "enforcing"); - if (new_val) - new_enforce = auparse_get_field_int(au); - old_val = auparse_find_field(au, "old_enforcing"); - if (old_val) - old_enforce = auparse_get_field_int(au); - } - - ret = add_serial_number_data(au, alert); - PRELUDE_FAIL_CHECK; - - /* Describe event */ - if (new_enforce == 1 && old_enforce == 0) { - ret = set_classification(alert, "SE Linux Enforcement Enabled"); - severity = IDMEF_IMPACT_SEVERITY_LOW; - } else if (new_enforce == 0 && old_enforce == 1) { - ret = set_classification(alert,"SE Linux Enforcement Disabled"); - severity = IDMEF_IMPACT_SEVERITY_HIGH; - } else { - ret = set_classification(alert, "SE Linux Enforcement Changed"); - severity = IDMEF_IMPACT_SEVERITY_LOW; - } - PRELUDE_FAIL_CHECK; - - /* Assess impact */ - ret = do_assessment(alert, au, severity, IDMEF_IMPACT_TYPE_OTHER, - assessment_description[AS_MAC_STAT]); - PRELUDE_FAIL_CHECK; - - send_idmef(client, idmef); - idmef_message_destroy(idmef); - - return 0; - - err: - syslog(LOG_ERR, "mac_status_alert: IDMEF error: %s.\n", - prelude_strerror(ret)); - idmef_message_destroy(idmef); - return -1; -} - -/* - * This is for authentication failure alerts - */ -static int auth_failure_alert(auparse_state_t *au, idmef_message_t *idmef, - idmef_alert_t *alert, const char *msg, - idmef_impact_severity_t severity, as_description_t num) -{ - int ret, gid; - idmef_source_t *source; - idmef_target_t *target; - idmef_user_t *suser, *tuser; - idmef_user_id_t *user_id; - idmef_impact_type_t impact; - - /* Fill in information about the event's source */ - ret = idmef_alert_new_source(alert, &source, -1); - PRELUDE_FAIL_CHECK; - ret = idmef_source_new_user(source, &suser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(suser, IDMEF_USER_CATEGORY_APPLICATION); - ret = idmef_user_new_user_id(suser, &user_id, 0); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_ORIGINAL_USER); - - ret = get_loginuid_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_tty_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_comm_info(au, source, NULL); - PRELUDE_FAIL_CHECK; - - /* Fill in information about the target of the event */ - ret = idmef_alert_new_target(alert, &target, -1); - PRELUDE_FAIL_CHECK; - ret = idmef_target_new_user(target, &tuser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(tuser, IDMEF_USER_CATEGORY_APPLICATION); - - ret = get_target_group_info(au, tuser); - PRELUDE_FAIL_CHECK; - - ret = add_serial_number_data(au, alert); - PRELUDE_FAIL_CHECK; - - /* Describe event */ - ret = set_classification(alert, msg); - PRELUDE_FAIL_CHECK; - - /* Assess impact */ - gid = get_new_gid(au); - if (gid == 0 || gid == 10) { // Root or wheel - impact = IDMEF_IMPACT_TYPE_ADMIN; - severity = IDMEF_IMPACT_SEVERITY_MEDIUM; - } else - impact = IDMEF_IMPACT_TYPE_USER; - ret = do_assessment(alert, au, severity, impact, - assessment_description[num]); - PRELUDE_FAIL_CHECK; - - send_idmef(client, idmef); - idmef_message_destroy(idmef); - - return 0; - - err: - syslog(LOG_ERR, "auth_failure_alert: IDMEF error: %s.\n", - prelude_strerror(ret)); - idmef_message_destroy(idmef); - return -1; -} - -/* - * This is for watched syscall related alerts - */ -static int watched_syscall_alert(auparse_state_t *au, idmef_message_t *idmef, - idmef_alert_t *alert, idmef_impact_severity_t severity) -{ - int ret, rtype; - idmef_source_t *source; - idmef_target_t *target; - idmef_user_t *suser; - idmef_user_id_t *user_id; - idmef_impact_type_t impact; - - /* Fill in information about the event's source */ - ret = idmef_alert_new_source(alert, &source, -1); - PRELUDE_FAIL_CHECK; - - ret = idmef_source_new_user(source, &suser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(suser, IDMEF_USER_CATEGORY_APPLICATION); - ret = idmef_user_new_user_id(suser, &user_id, 0); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_ORIGINAL_USER); - ret = get_loginuid_info(au, user_id); - PRELUDE_FAIL_CHECK; - - /* We should only analyze the syscall */ - rtype = goto_record_type(au, AUDIT_SYSCALL); - ret = get_tty_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_comm_info(au, source, NULL); - PRELUDE_FAIL_CHECK; - - /* Fill in information about the target of the event */ - ret = idmef_alert_new_target(alert, &target, -1); - PRELUDE_FAIL_CHECK; - - auparse_first_record(au); - ret = get_node_info(au, source, target); - PRELUDE_FAIL_CHECK; - - rtype = goto_record_type(au, AUDIT_CWD); - if (rtype == AUDIT_CWD) { - ret = get_file_info(au, target, 1); - PRELUDE_FAIL_CHECK; - } - impact = IDMEF_IMPACT_TYPE_OTHER; - - ret = add_serial_number_data(au, alert); - PRELUDE_FAIL_CHECK; - ret = add_exit_data(au, alert); - PRELUDE_FAIL_CHECK; - - /* Describe event */ - ret = set_classification(alert, "Watched Syscall"); - PRELUDE_FAIL_CHECK; - - /* Assess impact */ - ret = do_assessment(alert, au, severity, impact, - assessment_description[AS_WATCHED_SYSCALL]); - PRELUDE_FAIL_CHECK; - - send_idmef(client, idmef); - idmef_message_destroy(idmef); - - return 0; - - err: - syslog(LOG_ERR, "watches_syscall_alert: IDMEF error: %s.\n", - prelude_strerror(ret)); - idmef_message_destroy(idmef); - return -1; -} - -/* - * This is for watched file related alerts - */ -static int watched_file_alert(auparse_state_t *au, idmef_message_t *idmef, - idmef_alert_t *alert, idmef_impact_severity_t severity) -{ - int ret, rtype; - idmef_source_t *source; - idmef_target_t *target; - idmef_user_t *suser; - idmef_user_id_t *user_id; - idmef_impact_type_t impact; - - /* Fill in information about the event's source */ - ret = idmef_alert_new_source(alert, &source, -1); - PRELUDE_FAIL_CHECK; - - ret = idmef_source_new_user(source, &suser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(suser, IDMEF_USER_CATEGORY_APPLICATION); - ret = idmef_user_new_user_id(suser, &user_id, 0); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_ORIGINAL_USER); - ret = get_loginuid_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_tty_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_comm_info(au, source, NULL); - PRELUDE_FAIL_CHECK; - - /* Fill in information about the target of the event */ - ret = idmef_alert_new_target(alert, &target, -1); - PRELUDE_FAIL_CHECK; - - auparse_first_record(au); - ret = get_node_info(au, source, target); - PRELUDE_FAIL_CHECK; - - rtype = goto_record_type(au, AUDIT_CWD); - if (rtype == AUDIT_CWD) { - ret = get_file_info(au, target, 1); - PRELUDE_FAIL_CHECK; - } - impact = IDMEF_IMPACT_TYPE_FILE; - - ret = add_serial_number_data(au, alert); - PRELUDE_FAIL_CHECK; - - /* Describe event */ - ret = set_classification(alert, "Watched File"); - PRELUDE_FAIL_CHECK; - - /* Assess impact */ - ret = do_assessment(alert, au, severity, impact, - assessment_description[AS_WATCHED_FILE]); - PRELUDE_FAIL_CHECK; - - send_idmef(client, idmef); - idmef_message_destroy(idmef); - - return 0; - - err: - syslog(LOG_ERR, "watches_file_alert: IDMEF error: %s.\n", - prelude_strerror(ret)); - idmef_message_destroy(idmef); - return -1; -} - -/* - * This is for watched executable related alerts - */ -static int watched_exec_alert(auparse_state_t *au, idmef_message_t *idmef, - idmef_alert_t *alert, idmef_impact_severity_t severity) -{ - int ret, rtype; - idmef_source_t *source; - idmef_target_t *target; - idmef_user_t *suser; - idmef_user_id_t *user_id; - idmef_impact_type_t impact; - - /* Fill in information about the event's source */ - ret = idmef_alert_new_source(alert, &source, -1); - PRELUDE_FAIL_CHECK; - - ret = idmef_source_new_user(source, &suser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(suser, IDMEF_USER_CATEGORY_APPLICATION); - ret = idmef_user_new_user_id(suser, &user_id, 0); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_ORIGINAL_USER); - ret = get_loginuid_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_tty_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_comm_info(au, source, NULL); - PRELUDE_FAIL_CHECK; - - /* Fill in information about the target of the event */ - ret = idmef_alert_new_target(alert, &target, -1); - PRELUDE_FAIL_CHECK; - - auparse_first_record(au); - ret = get_node_info(au, source, target); - PRELUDE_FAIL_CHECK; - - rtype = goto_record_type(au, AUDIT_CWD); - if (rtype == AUDIT_CWD) { - ret = get_file_info(au, target, 1); - PRELUDE_FAIL_CHECK; - } - - ret = add_execve_data(au, alert); - PRELUDE_FAIL_CHECK; - - ret = add_serial_number_data(au, alert); - PRELUDE_FAIL_CHECK; - - /* Describe event */ - ret = set_classification(alert, "Watched Executable"); - PRELUDE_FAIL_CHECK; - - /* Assess impact */ - if (get_loginuid(au) == 0) - impact = IDMEF_IMPACT_TYPE_ADMIN; - else - impact = IDMEF_IMPACT_TYPE_USER; - ret = do_assessment(alert, au, severity, impact, - assessment_description[AS_WATCHED_EXEC]); - PRELUDE_FAIL_CHECK; - - send_idmef(client, idmef); - idmef_message_destroy(idmef); - - return 0; - - err: - syslog(LOG_ERR, "watched_exec_alert: IDMEF error: %s.\n", - prelude_strerror(ret)); - idmef_message_destroy(idmef); - return -1; -} - -/* - * This is for watching exe's being made related alerts - */ -static int watched_mk_exe_alert(auparse_state_t *au, idmef_message_t *idmef, - idmef_alert_t *alert, idmef_impact_severity_t severity) -{ - int ret, rtype; - idmef_source_t *source; - idmef_target_t *target; - idmef_user_t *suser; - idmef_user_id_t *user_id; - idmef_impact_type_t impact; - - /* Fill in information about the event's source */ - ret = idmef_alert_new_source(alert, &source, -1); - PRELUDE_FAIL_CHECK; - - ret = idmef_source_new_user(source, &suser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(suser, IDMEF_USER_CATEGORY_APPLICATION); - ret = idmef_user_new_user_id(suser, &user_id, 0); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_ORIGINAL_USER); - ret = get_loginuid_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_tty_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_comm_info(au, source, NULL); - PRELUDE_FAIL_CHECK; - - /* Fill in information about the target of the event */ - ret = idmef_alert_new_target(alert, &target, -1); - PRELUDE_FAIL_CHECK; - - auparse_first_record(au); - ret = get_node_info(au, source, target); - PRELUDE_FAIL_CHECK; - - rtype = goto_record_type(au, AUDIT_CWD); - if (rtype == AUDIT_CWD) { - ret = get_file_info(au, target, 1); - PRELUDE_FAIL_CHECK; - } - impact = IDMEF_IMPACT_TYPE_FILE; - - ret = add_serial_number_data(au, alert); - PRELUDE_FAIL_CHECK; - - /* Describe event */ - ret = set_classification(alert, "Executable Created"); - PRELUDE_FAIL_CHECK; - - ret = do_assessment(alert, au, severity, impact, - assessment_description[AS_MK_EXE]); - PRELUDE_FAIL_CHECK; - - send_idmef(client, idmef); - idmef_message_destroy(idmef); - - return 0; - - err: - syslog(LOG_ERR, "watched_mk_exe_alert: IDMEF error: %s.\n", - prelude_strerror(ret)); - idmef_message_destroy(idmef); - return -1; -} - -static int account_is_watched(auparse_state_t *au) -{ - const char *auid; - - auparse_first_field(au); - auid = auparse_find_field(au, "auid"); - if (auid) { // This is for successful logins - int uid = auparse_get_field_int(au); - if (ilist_find_num(&config.watched_accounts, uid)) - return 1; - } else { // Now try failed logins to see if we know who they are - auparse_first_field(au); - if ((auid = auparse_find_field(au, "acct"))) { - struct passwd *pw = getpwnam(auid); - if (pw && ilist_find_num( - &config.watched_accounts, pw->pw_uid)) - return 1; - } - } - return 0; -} - -static idmef_impact_type_t lookup_itype(const char *kind) -{ - if (strcasecmp(kind, "sys") == 0) - return IDMEF_IMPACT_TYPE_OTHER; - if (strcasecmp(kind, "file") == 0) - return IDMEF_IMPACT_TYPE_FILE; - if (strcasecmp(kind, "exec") == 0) - return IDMEF_IMPACT_TYPE_USER; - if (strcasecmp(kind, "mkexe") == 0) - return IDMEF_IMPACT_TYPE_OTHER; - return IDMEF_IMPACT_TYPE_ERROR; -} - -static idmef_impact_severity_t lookup_iseverity(const char *severity) -{ - if (strncmp(severity, "inf", 3) == 0) - return IDMEF_IMPACT_SEVERITY_INFO; - if (strncmp(severity, "low", 3) == 0) - return IDMEF_IMPACT_SEVERITY_LOW; - if (strncmp(severity, "med", 3) == 0) - return IDMEF_IMPACT_SEVERITY_MEDIUM; - if (strncmp(severity, "hi", 2) == 0) - return IDMEF_IMPACT_SEVERITY_HIGH; - return IDMEF_IMPACT_SEVERITY_ERROR; -} - -static void handle_watched_syscalls(auparse_state_t *au, - idmef_message_t **idmef, idmef_alert_t **alert) -{ - if (config.watched_syscall == E_YES || config.watched_file == E_YES || - config.watched_exec == E_YES || - config.watched_mk_exe == E_YES) { - const char *keyptr; - char *ptr, *kindptr, *ratingptr; - char key[AUDIT_MAX_KEY_LEN+1]; - idmef_impact_type_t type; - idmef_impact_severity_t severity; - - /* If no key or key is not for the ids, return */ - auparse_first_field(au); - keyptr = auparse_find_field(au, "key"); - if (keyptr) - keyptr = auparse_interpret_field(au); - while (keyptr) { - if (strncmp(keyptr, "ids-", 4) == 0) - break; - keyptr = auparse_find_field_next(au); - if (keyptr) - keyptr = auparse_interpret_field(au); - } - if (keyptr == NULL) - return; - - /* This key is for us, parse it up */ - strncpy(key, keyptr, AUDIT_MAX_KEY_LEN); - key[AUDIT_MAX_KEY_LEN] = 0; - - ptr = strchr(key, '-'); // There has to be a - because strncmp - kindptr = ptr + 1; - ptr = strchr(kindptr, '-'); - if (ptr) { - *ptr = 0; - ratingptr = ptr +1; - } else // The rules are misconfigured - return; - - type = lookup_itype(kindptr); - severity = lookup_iseverity(ratingptr); - - if (type == IDMEF_IMPACT_TYPE_OTHER && - strcasecmp(kindptr, "sys") == 0 && - config.watched_syscall == E_YES && - config.watched_syscall_act == A_IDMEF) { - if (new_alert_common(au, idmef, alert) >= 0) - watched_syscall_alert(au, *idmef, *alert, - severity); - } else if (type == IDMEF_IMPACT_TYPE_FILE && - config.watched_file == E_YES && - config.watched_file_act == A_IDMEF) { - if (new_alert_common(au, idmef, alert) >= 0) - watched_file_alert(au, *idmef, *alert, - severity); - } else if (type == IDMEF_IMPACT_TYPE_USER && - config.watched_exec == E_YES && - config.watched_exec_act == A_IDMEF) { - if (new_alert_common(au, idmef, alert) >= 0) - watched_exec_alert(au, *idmef, *alert, - severity); - } else if (type == IDMEF_IMPACT_TYPE_OTHER && - strcasecmp(kindptr, "mkexe") == 0 && - config.watched_mk_exe == E_YES && - config.watched_mk_exe_act == A_IDMEF) { - if (new_alert_common(au, idmef, alert) >= 0) - watched_mk_exe_alert(au, *idmef, *alert, - severity); - } - } -} - -static int tty_alert(auparse_state_t *au, idmef_message_t *idmef, - idmef_alert_t *alert) -{ - int ret; - - idmef_source_t *source; - idmef_user_t *suser; - idmef_user_id_t *user_id; - idmef_impact_type_t impact_type; - idmef_assessment_t *assessment; - idmef_impact_t *impact; - idmef_impact_severity_t severity; - prelude_string_t *str; - idmef_impact_completion_t completion = IDMEF_IMPACT_COMPLETION_ERROR; - - /* Fill in information about the event's source */ - ret = idmef_alert_new_source(alert, &source, -1); - PRELUDE_FAIL_CHECK; - - ret = idmef_source_new_user(source, &suser); - PRELUDE_FAIL_CHECK; - idmef_user_set_category(suser, IDMEF_USER_CATEGORY_APPLICATION); - ret = idmef_user_new_user_id(suser, &user_id, 0); - PRELUDE_FAIL_CHECK; - idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_ORIGINAL_USER); - ret = get_loginuid_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_tty_info(au, user_id); - PRELUDE_FAIL_CHECK; - - ret = get_comm_info(au, source, NULL); - PRELUDE_FAIL_CHECK; - - ret = add_execve_data(au, alert); - PRELUDE_FAIL_CHECK; - - ret = add_serial_number_data(au, alert); - PRELUDE_FAIL_CHECK; - - /* Describe event */ - ret = set_classification(alert, "Keylogger"); - PRELUDE_FAIL_CHECK; - - /* Assess impact */ - if (get_loginuid(au) == 0) - impact_type = IDMEF_IMPACT_TYPE_ADMIN; - else - impact_type = IDMEF_IMPACT_TYPE_USER; - completion = IDMEF_IMPACT_COMPLETION_SUCCEEDED; - severity = IDMEF_IMPACT_SEVERITY_LOW; - - ret = idmef_alert_new_assessment(alert, &assessment); - PRELUDE_FAIL_CHECK; - ret = idmef_assessment_new_impact(assessment, &impact); - PRELUDE_FAIL_CHECK; - idmef_impact_set_severity(impact, severity); - PRELUDE_FAIL_CHECK; - idmef_impact_set_type(impact, impact_type); - PRELUDE_FAIL_CHECK; - ret = idmef_impact_new_description(impact, &str); - PRELUDE_FAIL_CHECK; - ret = prelude_string_set_ref(str, assessment_description[AS_TTY]); - PRELUDE_FAIL_CHECK; - - send_idmef(client, idmef); - idmef_message_destroy(idmef); - - return 0; - - err: - syslog(LOG_ERR, "tty_alert: IDMEF error: %s.\n", - prelude_strerror(ret)); - idmef_message_destroy(idmef); - return -1; -} -static void handle_event(auparse_state_t *au, - auparse_cb_event_t cb_event_type, void *user_data) -{ - int type, num=0; - idmef_message_t *idmef; - idmef_alert_t *alert; - - if (cb_event_type != AUPARSE_CB_EVENT_READY) - return; - - // Loop through the records in the event looking for one to process. - // We use physical record number because we may search around and - // move the cursor accidentally skipping a record. - while (auparse_goto_record_num(au, num) > 0) { - type = auparse_get_type(au); - switch (type) { - case AUDIT_AVC: -// case AUDIT_USER_AVC: ignore USER_AVC for now - if (config.avcs == E_NO) - break; - if (config.avcs_act != A_IDMEF) - break; - if (new_alert_common(au, &idmef, &alert) >= 0) - avc_alert(au, idmef, alert); - break; - case AUDIT_USER_LOGIN: - // Do normal login alert - if (config.logins == E_YES && - config.logins_act == A_IDMEF) { - if (new_alert_common(au, &idmef, &alert) >= 0){ - login_alert(au, idmef, alert, "Login", - IDMEF_IMPACT_SEVERITY_INFO, AS_LOGIN); - }} - // Next do watched account alerts - if (config.watched_acct == E_NO) - break; - if (config.watched_acct_act != A_IDMEF) - break; - else if (account_is_watched(au)) { - if (new_alert_common(au, &idmef, &alert) >= 0){ - login_alert(au, idmef, alert, - "Watched Account Login", - IDMEF_IMPACT_SEVERITY_MEDIUM, - AS_WATCHED_LOGIN); - }} - break; - case AUDIT_ANOM_LOGIN_FAILURES: - if (config.login_failure_max == E_NO) - break; - if (config.login_failure_max_act != A_IDMEF) - break; - if (new_alert_common(au, &idmef, &alert) >= 0){ - login_alert(au, idmef, alert, - "Max Failed Logins", - IDMEF_IMPACT_SEVERITY_LOW, - AS_MAX_LOGIN_FAIL); - } - break; - case AUDIT_ANOM_LOGIN_SESSIONS: - if (config.login_session_max == E_NO) - break; - if (config.login_session_max_act != A_IDMEF) - break; - if (new_alert_common(au, &idmef, &alert) >= 0){ - login_alert(au, idmef, alert, - "Max Concurrent Sessions", - IDMEF_IMPACT_SEVERITY_INFO, - AS_MAX_LOGIN_SESS); - } - break; - case AUDIT_ANOM_LOGIN_LOCATION: - if (config.login_location == E_NO) - break; - if (config.login_location_act != A_IDMEF) - break; - if (new_alert_common(au, &idmef, &alert) >= 0){ - login_alert(au, idmef, alert, - "Login From Forbidden Location", - IDMEF_IMPACT_SEVERITY_MEDIUM, - AS_LOGIN_LOCATION); - } - break; - case AUDIT_ANOM_LOGIN_TIME: - if (config.login_time == E_NO) - break; - if (config.login_time_act != A_IDMEF) - break; - if (new_alert_common(au, &idmef, &alert) >= 0){ - login_alert(au, idmef, alert, - "Login During Forbidden Time", - IDMEF_IMPACT_SEVERITY_LOW, - AS_LOGIN_TIME); - } - break; - case AUDIT_ANOM_ABEND: - if (config.abends == E_NO) - break; - if (config.abends_act != A_IDMEF) - break; - if (new_alert_common(au, &idmef, &alert) >= 0) - app_term_alert(au, idmef, alert); - break; - case AUDIT_ANOM_PROMISCUOUS: - if (config.promiscuous == E_NO) - break; - if (config.promiscuous_act != A_IDMEF) - break; - if (new_alert_common(au, &idmef, &alert) >= 0) - promiscuous_alert(au, idmef, alert); - break; - case AUDIT_MAC_STATUS: - if (config.mac_status == E_NO) - break; - if (config.mac_status_act != A_IDMEF) - break; - if (new_alert_common(au, &idmef, &alert) >= 0) - mac_status_alert(au, idmef, alert); - break; - case AUDIT_GRP_AUTH: - if (config.group_auth == E_NO) - break; - if (config.group_auth_act != A_IDMEF) - break; - else { - const char *result; - - // We only care about failures - auparse_first_field(au); - result = auparse_find_field(au, "res"); - if (result && strcmp(result, "failed")) - break; - if (new_alert_common(au, &idmef, &alert) >= 0){ - auth_failure_alert(au, idmef, alert, - "Group Authentication Failure", - IDMEF_IMPACT_SEVERITY_LOW, - AS_AUTH); - }} - break; - case AUDIT_SYSCALL: - handle_watched_syscalls(au, &idmef, &alert); - // The previous call moves the current record - auparse_goto_record_num(au, num); - break; - case AUDIT_TTY: - if (config.tty == E_NO) - break; - if (config.tty_act != A_IDMEF) - break; - if (new_alert_common(au, &idmef, &alert) >= 0) - tty_alert(au, idmef, alert); - break; - default: - break; - } - num++; - } -} - diff --git a/framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf b/framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf deleted file mode 100644 index ae499a86..00000000 --- a/framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf +++ /dev/null @@ -1,61 +0,0 @@ -# -# This file controls the configuration of the audit based -# intrusion detection system, audisp-prelude. -# - -profile = auditd - -detect_avc = yes -avc_action = idmef - -detect_logins = yes -login_action = idmef -#login_acct_exceptions = - -detect_login_fail_max = yes -login_fail_max_action = idmef -#login_fail_max_acct_exceptions = - -detect_login_session_max = yes -login_session_max_action = idmef -#login_session_max_acct_exceptions = - -detect_login_location = yes -login_location_action = idmef -#login_location_acct_exceptions = - -detect_login_time = yes -login_time_action = idmef -#login_time_acct_exceptions = - -detect_abend = yes -abend_action = idmef - -detect_promiscuous = yes -promiscuous_action = idmef - -detect_mac_status = yes -mac_status_action = idmef - -detect_group_auth = yes -group_auth_action = idmef - -detect_watched_acct = yes -watched_acct_action = idmef -watched_accounts = 1-499 - -detect_watched_syscall = yes -watched_syscall_action = idmef - -detect_watched_file = yes -watched_file_action = idmef - -detect_watched_exec = yes -watched_exec_action = idmef - -detect_watched_mk_exe = yes -watched_mk_exe_action = idmef - -detect_tty = no -tty_action = idmef - diff --git a/framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf.5 b/framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf.5 deleted file mode 100644 index b7228ed3..00000000 --- a/framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf.5 +++ /dev/null @@ -1,153 +0,0 @@ -.TH AUDISP-PRELUDE.CONF: "5" "Mar 2008" "Red Hat" "System Administration Utilities" -.SH NAME -audisp-prelude.conf \- the audisp-prelude configuration file -.SH DESCRIPTION -\fBaudisp-prelude.conf\fP is the file that controls the configuration of the audit based intrusion detection system. There are 2 general kinds of configuration option types, enablers and actions. The enablers simply have -.IR yes "/" no " -as the only valid choices. - -The action options currently allow -.IR ignore ", and "idmef " -as its choices. The -.IR ignore -option means that the IDS still detects events, but only logs the detection in response. The -.IR idmef -option means that the IDS will send an IDMEF alert to the prelude manager upon detection. - -The configuration options that are available are as follows: - -.TP -.I profile -This is a one word character string that is used to identify the profile name in the prelude reporting tools. The default is auditd. -.TP -.I detect_avc -This an enabler that determines if the IDS should be examining SE Linux AVC events. The default is -.IR yes ". -.TP -.I avc_action -This is an action that determines what response should be taken whenever a SE Linux AVC is detected. The default is -.IR idmef ". -.TP -.I detect_login -This is an enabler that determines if the IDS should be examining login events. The default is -.IR yes ". -.TP -.I login_action -This is an action that determines what response should be taken whenever a login event is detected. The default is -.IR idmef ". -.TP -.I detect_login_fail_max -This is an enabler that determines if the IDS should be looking for maximum number of failed logins for an account. The default is -.IR yes ". -.TP -.I login_fail_max_action -This is an action that determines what response should be taken whenever the maximum number of failed logins for an account is detected. The default is -.IR idmef ". -.TP -.I detect_login_session_max -This is an enabler that determines if the IDS should be looking for maximum concurrent sessions limit for an account. The default is -.IR yes ". -.TP -.I login_session_max_action -This is an action that determines what response should be taken whenever the maximum concurrent sessions limit for an account is detected. The default is -.IR idmef ". -.TP -.I detect_login_location -This is an enabler that determines if the IDS should be looking for logins being attempted from a forbidden location. The default is -.IR yes ". -.TP -.I login_location_action -This is an action that determines what response should be taken whenever logins are attempted from a forbidden location. The default is -.IR idmef ". -.TP -.I detect_login_time_alerts -This is an enabler that determines if the IDS should be looking for logins attempted during a forbidden time. The default is -.IR yes ". -.TP -.I login_time_action -This is an action that determines what response should be taken whenever logins are attempted during a forbidden time. The default is -.IR idmef ". -.TP -.I detect_abend -This is an enabler that determines if the IDS should be looking for programs terminating for an abnormal reason. The default is -.IR yes ". -.TP -.I abend_action -This is an action that determines what response should be taken whenever programs terminate for an abnormal reason. The default is -.IR idmef ". -.TP -.I detect_promiscuous -This is an enabler that determines if the IDS should be looking for promiscuous sockets being opened. The default is -.IR yes ". -.TP -.I promiscuous_action -This is an action that determines what response should be taken whenever promiscuous sockets are detected open. The default is -.IR idmef ". -.TP -.I detect_mac_status -This is an enabler that determines if the IDS should be detecting changes made to the SE Linux MAC enforcement. The default is -.IR yes ". -.TP -.I mac_status_action -This is an action that determines what response should be taken whenever changes are made to the SE Linux MAC enforcement. The default is -.IR idmef ". -.TP -.I detect_group_auth -This is an enabler that determines if the IDS should be detecting whenever a user fails in changing their default group. The default is -.IR yes ". -.TP -.I group_auth_act -This is an action that determines what response should be taken whenever a user fails in changing their default group. The default is -.IR idmef ". -.TP -.I detect_watched_acct -This is an enabler that determines if the IDS should be detecting a user attempting to login on an account that is being watched. The accounts to watch is set by the -.IR watched_accounts -option. The default is -.IR yes ". -.TP -.I watched_acct_act -This is an action that determines what response should be taken whenever a user attempts to login on an account that is being watched. The default is -.IR idmef ". -.TP -.I watched_accounts -This option is a whitespace and comma separated list of accounts to watch. The accounts may be numeric or alphanumeric. If you want to include a range of accounts, separate them with a dash but no spaces. For example, to watch logins from bin to lp, use "bin-lp". Only successful logins are recorded. -.TP -.I detect_watched_syscall -This is an enabler that determines if the IDS should be detecting whenever a user runs a command that issues a syscall that is being watched. The default is -.IR yes ". -.TP -.I watched_syscall_act -This is an action that determines what response should be taken whenever a user runs a command that issues a syscall that is being watched. The default is -.IR idmef ". -.TP -.I detect_watched_file -This is an enabler that determines if the IDS should be detecting whenever a user accesses a file that is being watched. The default is -.IR yes ". -.TP -.I watched_file_act -This is an action that determines what response should be taken whenever a user accesses a file that is being watched. The default is -.IR idmef ". -.TP -.I detect_watched_exec -This is an enabler that determines if the IDS should be detecting whenever a user executes a program that is being watched. The default is -.IR yes ". -.TP -.I watched_exec_act -This is an action that determines what response should be taken whenever a user executes a program that is being watched. The default is -.IR idmef ". -.TP -.I detect_watched_mk_exe -This is an enabler that determines if the IDS should be detecting whenever a user creates a file that is executable. The default is -.IR yes ". -.TP -.I watched_mk_exe_act -This is an action that determines what response should be taken whenever a user creates a file that is executable. The default is -.IR idmef ". -.SH "SEE ALSO" -.BR audispd (8), -.BR audisp-prelude (8), -.BR prelude-manager (1). -.SH AUTHOR -Steve Grubb - diff --git a/framework/src/audit/audisp/plugins/prelude/prelude-config.c b/framework/src/audit/audisp/plugins/prelude/prelude-config.c deleted file mode 100644 index 3a360483..00000000 --- a/framework/src/audit/audisp/plugins/prelude/prelude-config.c +++ /dev/null @@ -1,844 +0,0 @@ -/* prelude-config.c -- - * Copyright 2008,2010-2011 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - * - * Authors: - * Steve Grubb <sgrubb@redhat.com> - * - */ - -#include "config.h" -#include <string.h> -#include <stdio.h> -#include <fcntl.h> -#include <sys/stat.h> -#include <errno.h> -#include <unistd.h> -#include <stdlib.h> -#include <syslog.h> -#include <ctype.h> -#include <pwd.h> -#include "prelude-config.h" - -/* Local prototypes */ -struct nv_pair -{ - const char *name; - const char *value; - const char *option; -}; - -struct kw_pair -{ - const char *name; - int (*parser)(struct nv_pair *, int, prelude_conf_t *); - int max_options; -}; - -struct nv_list -{ - const char *name; - int option; -}; - -static char *get_line(FILE *f, char *buf); -static int nv_split(char *buf, struct nv_pair *nv); -static const struct kw_pair *kw_lookup(const char *val); -static int profile_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int avc_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int avc_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int login_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int login_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int login_failure_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int login_failure_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int login_session_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int login_session_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int login_location_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int login_location_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int login_time_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int login_time_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int abends_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int abends_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int promiscuous_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int promiscuous_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int mac_status_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int mac_status_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int group_auth_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int group_auth_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int watched_acct_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int watched_acct_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int watched_accounts_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int watched_syscall_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int watched_syscall_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int watched_file_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int watched_file_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int watched_exec_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int watched_exec_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int watched_mk_exe_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int watched_mk_exe_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int tty_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int tty_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config); -static int sanity_check(prelude_conf_t *config, const char *file); - -static const struct kw_pair keywords[] = -{ - {"profile", profile_parser, 0 }, - {"detect_avc", avc_parser, 0 }, - {"avc_action", avc_act_parser, 0 }, - {"detect_logins", login_parser, 0 }, - {"login_action", login_act_parser, 0 }, - {"detect_login_fail_max", login_failure_parser, 0 }, - {"login_fail_max_action", login_failure_act_parser, 0 }, - {"detect_login_session_max", login_session_parser, 0 }, - {"login_session_max_action", login_session_act_parser, 0 }, - {"detect_login_location", login_location_parser, 0 }, - {"login_location_action", login_location_act_parser, 0 }, - {"detect_login_time", login_time_parser, 0 }, - {"login_time_action", login_time_act_parser, 0 }, - {"detect_abend", abends_parser, 0 }, - {"abend_action", abends_act_parser, 0 }, - {"detect_promiscuous", promiscuous_parser, 0 }, - {"promiscuous_action", promiscuous_act_parser, 0 }, - {"detect_mac_status", mac_status_parser, 0 }, - {"mac_status_action", mac_status_act_parser, 0 }, - {"detect_group_auth", group_auth_parser, 0 }, - {"group_auth_action", group_auth_act_parser, 0 }, - {"detect_watched_acct", watched_acct_parser, 0 }, - {"watched_acct_action", watched_acct_act_parser, 0 }, - {"watched_accounts", watched_accounts_parser, 1 }, - {"detect_watched_syscall", watched_syscall_parser, 0 }, - {"watched_syscall_action", watched_syscall_act_parser, 0 }, - {"detect_watched_file", watched_file_parser, 0 }, - {"watched_file_action", watched_file_act_parser, 0 }, - {"detect_watched_exec", watched_exec_parser, 0 }, - {"watched_exec_action", watched_exec_act_parser, 0 }, - {"detect_watched_mk_exe", watched_mk_exe_parser, 0 }, - {"watched_mk_exe_action", watched_mk_exe_act_parser, 0 }, - {"detect_tty", tty_parser, 0 }, - {"tty_action", tty_act_parser, 0 }, - { NULL, NULL } -}; - -static const struct nv_list enabler_words[] = -{ - {"no", E_NO }, - {"yes", E_YES }, - { NULL, 0 } -}; - -static const struct nv_list action_words[] = -{ - {"ignore", A_IGNORE }, - {"idmef", A_IDMEF }, -// {"kill", A_KILL }, -// {"session", A_SESSION }, -// {"single", A_SINGLE }, -// {"halt", A_HALT }, - { NULL, 0 } -}; - -/* - * Set everything to its default value -*/ -void clear_config(prelude_conf_t *config) -{ - config->profile = strdup("auditd"); - config->avcs = E_YES; - config->avcs_act = A_IDMEF; - config->logins = E_YES; - config->logins_act = A_IDMEF; - config->login_failure_max = E_YES; - config->login_failure_max_act = A_IDMEF; - config->login_session_max = E_YES; - config->login_session_max_act = A_IDMEF; - config->login_location = E_YES; - config->login_location_act = A_IDMEF; - config->login_time = E_YES; - config->login_time_act = A_IDMEF; - config->abends = E_YES; - config->abends_act = A_IDMEF; - config->promiscuous = E_YES; - config->promiscuous_act = A_IDMEF; - config->mac_status = E_YES; - config->mac_status_act = A_IDMEF; - config->group_auth = E_YES; - config->group_auth_act = A_IDMEF; - config->watched_acct = E_YES; - config->watched_acct_act = A_IDMEF; - config->watched_syscall = E_YES; - config->watched_syscall_act = A_IDMEF; - config->watched_file = E_YES; - config->watched_file_act = A_IDMEF; - config->watched_exec = E_YES; - config->watched_exec_act = A_IDMEF; - config->watched_mk_exe = E_YES; - config->watched_mk_exe_act = A_IDMEF; - config->tty = E_NO; - config->tty_act = A_IDMEF; - ilist_create(&config->watched_accounts); -} - -int load_config(prelude_conf_t *config, const char *file) -{ - int fd, rc, mode, lineno = 1; - struct stat st; - FILE *f; - char buf[128]; - - clear_config(config); - - /* open the file */ - mode = O_RDONLY; - rc = open(file, mode); - if (rc < 0) { - free_config(config); - if (errno != ENOENT) { - syslog(LOG_ERR, "Error opening %s (%s)", file, - strerror(errno)); - return 1; - } - syslog(LOG_WARNING, - "Config file %s doesn't exist, skipping", file); - return 0; - } - fd = rc; - - /* check the file's permissions: owned by root, not world writable, - * not symlink. - */ - if (fstat(fd, &st) < 0) { - free_config(config); - syslog(LOG_ERR, "Error fstat'ing config file (%s)", - strerror(errno)); - close(fd); - return 1; - } - if (st.st_uid != 0) { - free_config(config); - syslog(LOG_ERR, "Error - %s isn't owned by root", - file); - close(fd); - return 1; - } - if ((st.st_mode & S_IWOTH) == S_IWOTH) { - free_config(config); - syslog(LOG_ERR, "Error - %s is world writable", - file); - close(fd); - return 1; - } - if (!S_ISREG(st.st_mode)) { - free_config(config); - syslog(LOG_ERR, "Error - %s is not a regular file", - file); - close(fd); - return 1; - } - - /* it's ok, read line by line */ - f = fdopen(fd, "rm"); - if (f == NULL) { - free_config(config); - syslog(LOG_ERR, "Error - fdopen failed (%s)", - strerror(errno)); - close(fd); - return 1; - } - - while (get_line(f, buf)) { - // convert line into name-value pair - const struct kw_pair *kw; - struct nv_pair nv; - rc = nv_split(buf, &nv); - switch (rc) { - case 0: // fine - break; - case 1: // not the right number of tokens. - syslog(LOG_ERR, - "Wrong number of arguments for line %d in %s", - lineno, file); - break; - case 2: // no '=' sign - syslog(LOG_ERR, - "Missing equal sign for line %d in %s", - lineno, file); - break; - default: // something else went wrong... - syslog(LOG_ERR, - "Unknown error for line %d in %s", - lineno, file); - break; - } - if (nv.name == NULL) { - lineno++; - continue; - } - if (nv.value == NULL) { - free_config(config); - fclose(f); - return 1; - } - - /* identify keyword or error */ - kw = kw_lookup(nv.name); - if (kw->name == NULL) { - free_config(config); - syslog(LOG_ERR, - "Unknown keyword \"%s\" in line %d of %s", - nv.name, lineno, file); - fclose(f); - return 1; - } - - /* Check number of options */ - if (kw->max_options == 0 && nv.option != NULL) { - free_config(config); - syslog(LOG_ERR, - "Keyword \"%s\" has invalid option " - "\"%s\" in line %d of %s", - nv.name, nv.option, lineno, file); - fclose(f); - return 1; - } - - /* dispatch to keyword's local parser */ - rc = kw->parser(&nv, lineno, config); - if (rc != 0) { - free_config(config); - fclose(f); - return 1; // local parser puts message out - } - - lineno++; - } - - fclose(f); - if (lineno > 1) - return sanity_check(config, file); - return 0; -} - -static char *get_line(FILE *f, char *buf) -{ - if (fgets_unlocked(buf, 128, f)) { - /* remove newline */ - char *ptr = strchr(buf, 0x0a); - if (ptr) - *ptr = 0; - return buf; - } - return NULL; -} - -static int nv_split(char *buf, struct nv_pair *nv) -{ - /* Get the name part */ - char *ptr, *saved; - - nv->name = NULL; - nv->value = NULL; - nv->option = NULL; - ptr = strtok_r(buf, " ", &saved); - if (ptr == NULL) - return 0; /* If there's nothing, go to next line */ - if (ptr[0] == '#') - return 0; /* If there's a comment, go to next line */ - nv->name = ptr; - - /* Check for a '=' */ - ptr = strtok_r(NULL, " ", &saved); - if (ptr == NULL) - return 1; - if (strcmp(ptr, "=") != 0) - return 2; - - /* get the value */ - ptr = strtok_r(NULL, " ", &saved); - if (ptr == NULL) - return 1; - nv->value = ptr; - - /* Everything is OK */ - return 0; -} - -static const struct kw_pair *kw_lookup(const char *val) -{ - int i = 0; - while (keywords[i].name != NULL) { - if (strcasecmp(keywords[i].name, val) == 0) - break; - i++; - } - return &keywords[i]; -} - -static int profile_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (nv->value) { - free((char*)config->profile); - config->profile = strdup(nv->value); - } - return 0; -} - -static int lookup_enabler(const char *value, enable_t *enabled) -{ - int i; - for (i=0; enabler_words[i].name != NULL; i++) { - if (strcasecmp(value, enabler_words[i].name) == 0) { - *enabled = enabler_words[i].option; - return 0; - } - } - return 1; -} - -static int lookup_action(const char *value, action_t *action) -{ - int i; - for (i=0; action_words[i].name != NULL; i++) { - if (strcasecmp(value, action_words[i].name) == 0) { - *action = action_words[i].option; - return 0; - } - } - return 1; -} - -static int avc_parser(struct nv_pair *nv, int line, prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->avcs) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int avc_act_parser(struct nv_pair *nv, int line, prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->avcs_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int login_parser(struct nv_pair *nv, int line, prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->logins) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int login_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->logins_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int login_failure_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->login_failure_max) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int login_failure_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->login_failure_max_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int login_session_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->login_session_max) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int login_session_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->login_session_max_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int login_location_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->login_location) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int login_location_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->login_location_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int login_time_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->login_time) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int login_time_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->login_time_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int abends_parser(struct nv_pair *nv, int line, prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->abends) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int abends_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->abends_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int promiscuous_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->promiscuous) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int promiscuous_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->promiscuous_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int mac_status_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->mac_status) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int mac_status_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->mac_status_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int group_auth_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->group_auth) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int group_auth_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->group_auth_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int watched_acct_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->watched_acct) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int watched_acct_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->watched_acct_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int string_is_numeric(const char *s) -{ - if (*s == 0) - return 0; - do { - if (!isdigit(*s)) - return 0; - s++; - } while (*s); - return 1; -} - -static int watched_accounts_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - char *str = (char *)nv->value; - do { - char *ptr = strchr(str, '-'); - if (ptr) { - char *user1, *user2; - int start, end, i; - - user1 = str; - *ptr = 0; - user2 = ptr+1; - if (string_is_numeric(user1)) { - start = strtoul(user1, NULL, 10); - } else { - struct passwd *pw; - pw = getpwnam(user1); - if (pw == NULL) { - syslog(LOG_ERR, - "user %s is invalid - line %d, skipping", - user1, line); - continue; - } - start = pw->pw_uid; - } - i = strlen(user2); - if (i>0 && user2[i-1] == ',') - user2[i-1] = 0; - if (string_is_numeric(user2)) { - end = strtoul(user2, NULL, 10); - } else { - struct passwd *pw; - pw = getpwnam(user2); - if (pw == NULL) { - syslog(LOG_ERR, - "user %s is invalid - line %d, skipping", - user2, line); - continue; - } - end = pw->pw_uid; - } - if (start >= end) { - syslog(LOG_ERR, - "%s is larger or equal to %s, please fix, skipping", - user1, user2); - continue; - } - for (i=start; i<=end; i++) { - ilist_add_if_uniq( - &config->watched_accounts, i); - } - } else { - int acct; - if (string_is_numeric(str)) - acct = strtoul(str, NULL, 10); - else { - struct passwd *pw; - pw = getpwnam(str); - if (pw == NULL) { - syslog(LOG_ERR, - "user %s is invalid - line %d, skipping", - str, line); - continue; - } - acct = pw->pw_uid; - } - ilist_add_if_uniq(&config->watched_accounts, acct); - } - str = strtok(NULL, ", "); - } while(str); - - return 0; -} - -static int watched_syscall_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->watched_syscall) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int watched_syscall_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->watched_syscall_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int watched_file_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->watched_file) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int watched_file_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->watched_file_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int watched_exec_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->watched_exec) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int watched_exec_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->watched_exec_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int watched_mk_exe_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->watched_mk_exe) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int watched_mk_exe_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->watched_mk_exe_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int tty_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_enabler(nv->value, &config->tty) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} - -static int tty_act_parser(struct nv_pair *nv, int line, - prelude_conf_t *config) -{ - if (lookup_action(nv->value, &config->tty_act) == 0) - return 0; - syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line); - return 1; -} -/* - * This function is where we do the integrated check of the audispd config - * options. At this point, all fields have been read. Returns 0 if no - * problems and 1 if problems detected. - */ -static int sanity_check(prelude_conf_t *config, const char *file) -{ - /* Error checking */ - return 0; -} - -void free_config(prelude_conf_t *config) -{ - free((void *)config->profile); - ilist_clear(&config->watched_accounts); -} - diff --git a/framework/src/audit/audisp/plugins/prelude/prelude-config.h b/framework/src/audit/audisp/plugins/prelude/prelude-config.h deleted file mode 100644 index f9d1c14a..00000000 --- a/framework/src/audit/audisp/plugins/prelude/prelude-config.h +++ /dev/null @@ -1,76 +0,0 @@ -/* prelude-config.h -- - * Copyright 2008 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - * - * Authors: - * Steve Grubb <sgrubb@redhat.com> - * - */ - -#ifndef PRELUDE_CONFIG_H -#define PRELUDE_CONFIG_H - -#include "audisp-int.h" - -typedef enum { E_NO, E_YES } enable_t; -typedef enum { A_IGNORE, A_IDMEF=1, A_KILL=2, A_SESSION=4, A_SINGLE=8, - A_HALT=16 } action_t; - -typedef struct prelude_conf -{ - const char *profile; - enable_t avcs; - action_t avcs_act; - enable_t logins; - action_t logins_act; - enable_t login_failure_max; - action_t login_failure_max_act; - enable_t login_session_max; - action_t login_session_max_act; - enable_t login_location; - action_t login_location_act; - enable_t login_time; - action_t login_time_act; - enable_t abends; - action_t abends_act; - enable_t promiscuous; - action_t promiscuous_act; - enable_t mac_status; - action_t mac_status_act; - enable_t group_auth; - action_t group_auth_act; - enable_t watched_acct; - action_t watched_acct_act; - ilist watched_accounts; - enable_t watched_syscall; - action_t watched_syscall_act; - enable_t watched_file; - action_t watched_file_act; - enable_t watched_exec; - action_t watched_exec_act; - enable_t watched_mk_exe; - action_t watched_mk_exe_act; - enable_t tty; - action_t tty_act; -} prelude_conf_t; - -void clear_config(prelude_conf_t *config); -int load_config(prelude_conf_t *config, const char *file); -void free_config(prelude_conf_t *config); - -#endif - |