Add auxiliary list to the whodata flow in Windows

wazuh · Jun 22, 2018 · 003e55c · 003e55c
1 parent 10b8712
commit 003e55c
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 2 deletions.
diff --git a/src/config/syscheck-config.h b/src/config/syscheck-config.h
@@ -36,6 +36,14 @@
 
 #include "os_regex/os_regex.h"
 
+#ifdef WIN32
+typedef struct whodata_event_node {
+    struct whodata_event_node *next;
+    struct whodata_event_node *previous;
+    char *handle_id;
+} whodata_event_node;
+#endif
+
 typedef struct _rtfim {
     int fd;
     OSHash *dirtb;
@@ -64,11 +72,20 @@ typedef struct whodata_evt {
     unsigned int mask;
     int dir_position;
     char deleted;
+    whodata_event_node *wnode;
 #endif
 } whodata_evt;
 
 #ifdef WIN32
 
+typedef struct whodata_event_list {
+    whodata_event_node *nodes;
+    whodata_event_node *first;
+    whodata_event_node *last;
+    size_t current_size;
+    size_t max_size;
+} whodata_event_list;
+
 typedef struct whodata {
     OSHash *fd;        // Open file descriptors
     int *ignore_rest;       // List of directories whose SACL will not be restored
@@ -124,6 +141,7 @@ typedef struct _config {
     FILE *reg_fp;
     int max_fd_win_rt;
     whodata wdata;
+    whodata_event_list wlist;
 #endif
 
     OSHash *fp;

diff --git a/src/syscheckd/win_whodata.c b/src/syscheckd/win_whodata.c
@@ -18,6 +18,8 @@ static size_t ev_sid_size = 0;
 static unsigned short inherit_flag = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE; //SUB_CONTAINERS_AND_OBJECTS_INHERIT
 unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, void *_void, EVT_HANDLE event);
 char *guid_to_string(GUID *guid);
+whodata_event_node *whodata_list_add(char *id);
+void whodata_list_remove(whodata_event_node *node);
 
 char *guid_to_string(GUID *guid) {
     char *string_guid;
@@ -426,12 +428,13 @@ unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, void *
                 w_evt->process_id = process_id;
                 w_evt->mask = 0;
                 w_evt->deleted = 0;
+                w_evt->wnode = whodata_list_add(strdup(hash_id));
 
                 user_name = NULL;
                 path = NULL;
                 process_name = NULL;
 
-                if (result = OSHash_Add(syscheck.wdata.fd, hash_id, w_evt), result != 2) {
+                if (result = OSHash_Add_ex(syscheck.wdata.fd, hash_id, w_evt), result != 2) {
                     if (!result) {
                         merror("The event could not be added to the whodata hash table.");
                     } else if (result == 1) {
@@ -462,7 +465,7 @@ unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, void *
             break;
             // Close fd
             case 4658:
-                if (w_evt = OSHash_Delete(syscheck.wdata.fd, hash_id), w_evt) {
+                if (w_evt = OSHash_Delete_ex(syscheck.wdata.fd, hash_id), w_evt) {
                     if (w_evt->mask) {
                         unsigned int mask = w_evt->mask;
 
@@ -484,6 +487,7 @@ unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, void *
                             realtime_checksumfile(w_evt->path, w_evt);
                         }
                     }
+                    whodata_list_remove(w_evt->wnode);
                     free(w_evt->user_name);
                     free(w_evt->path);
                     free(w_evt->process_name);
@@ -517,7 +521,53 @@ int whodata_audit_start() {
     if (syscheck.wdata.fd = OSHash_Create(), !syscheck.wdata.fd) {
         return 1;
     }
+    OSHash_setSize_ex(syscheck.wdata.fd, OS_SIZE_1024);
+    memset(&syscheck.wlist, 0, sizeof(whodata_event_list));
+    syscheck.wlist.max_size = OS_SIZE_1024;
     return 0;
 }
 
+whodata_event_node *whodata_list_add(char *id) {
+    whodata_event_node *node = NULL;
+    if (syscheck.wlist.current_size < syscheck.wlist.max_size) {
+        os_calloc(sizeof(whodata_event_node), 1, node);
+        if (syscheck.wlist.last) {
+            node->next = NULL;
+            node->previous = syscheck.wlist.last;
+            syscheck.wlist.last = node->next;
+        } else {
+            node->next = node->previous = NULL;
+            syscheck.wlist.last = syscheck.wlist.first = node;
+        }
+        node->handle_id = id;
+        syscheck.wlist.current_size++;
+    } else {
+        // Increment control
+    }
+    return node;
+}
+
+void whodata_list_remove(whodata_event_node *node) {
+    if (node->next) {
+        if (node->previous) {
+            node->next->previous = node->previous;
+        } else {
+            node->next->previous = NULL;
+            syscheck.wlist.first = node->next;
+        }
+    }
+
+    if (node->previous) {
+        if (node->next) {
+            node->previous->next = node->next;
+        } else {
+            node->previous->next = NULL;
+            syscheck.wlist.last = node->previous;
+        }
+    }
+    free(node->handle_id);
+    free(node);
+    syscheck.wlist.current_size--;
+}
+
 #endif