Changes in fim_fetch_attributes_state to maintain compatibility with …

…old agents
wazuh · Jul 2, 2021 · 3adbd71 · 3adbd71
1 parent aaed447
commit 3adbd71
Show file tree

Hide file tree

Showing 2 changed files with 90 additions and 20 deletions.
diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c
@@ -101,6 +101,15 @@ static int fim_fetch_attributes_state(cJSON *attr, Eventinfo *lf, char new_state
 // Replace the coded fields with the decoded ones in the checksum
 static void fim_adjust_checksum(sk_sum_t *newsum, char **checksum);
 
+/**
+ * @brief Decode a cJSON with Windows permissions and convert to old format string
+ *
+ * @param perm_json cJSON with the permissions
+ *
+ * @returns A string with the old format Windows permissions
+*/
+static char *perm_json_to_old_format(cJSON *perm_json);
+
 // Mutexes
 static pthread_mutex_t control_msg_mutex = PTHREAD_MUTEX_INITIALIZER;
 
@@ -1724,6 +1733,14 @@ int fim_fetch_attributes_state(cJSON *attr, Eventinfo *lf, char new_state) {
             if (dst_data) {
                 os_strdup(attr_it->valuestring, *dst_data);
             }
+        } else if (attr_it->type == cJSON_Object) {
+            if (strcmp(attr_it->string, "perm") == 0) {
+                if (new_state) {
+                    lf->fields[FIM_PERM].value = perm_json_to_old_format(attr_it);
+                } else {
+                    lf->fields[FIM_PERM_BEFORE].value = perm_json_to_old_format(attr_it);
+                }
+            }
         } else {
             mdebug1("Unknown FIM data type.");
         }
@@ -1732,6 +1749,58 @@ int fim_fetch_attributes_state(cJSON *attr, Eventinfo *lf, char new_state) {
     return 0;
 }
 
+char *perm_json_to_old_format(cJSON *perm_json){
+    int perm_array_size;
+    char *account_name;
+    char *aux_buffer;
+    char buffer[MAX_WIN_PERM_SIZE];
+    buffer[0] = '\0';
+    cJSON *json_it;
+    cJSON *allowed_item_array;
+    cJSON *denied_item_array;
+
+    assert(perm_json != NULL);
+
+    cJSON_ArrayForEach(json_it, perm_json) {
+        account_name = cJSON_GetStringValue(cJSON_GetObjectItem(json_it, "name"));
+        assert(account_name != NULL);
+
+        allowed_item_array = cJSON_GetObjectItem(json_it, "allowed");
+        if (allowed_item_array) {
+            strcat(buffer, account_name);
+            strcat(buffer, " (allowed): ");
+
+            perm_array_size = cJSON_GetArraySize(allowed_item_array);
+            for (int i = 0; i < perm_array_size; i++) {
+                aux_buffer = strdup(cJSON_GetStringValue(cJSON_GetArrayItem(allowed_item_array, i)));
+                str_uppercase(aux_buffer);
+                strcat(buffer, aux_buffer);
+                strcat(buffer, i < perm_array_size - 1 ? "|" : ", ");
+
+                free(aux_buffer);
+            }
+        }
+        denied_item_array = cJSON_GetObjectItem(json_it, "denied");
+        if (denied_item_array) {
+            strcat(buffer, account_name);
+            strcat(buffer, " (denied): ");
+
+            perm_array_size = cJSON_GetArraySize(denied_item_array);
+            for (int i = 0; i < perm_array_size; i++) {
+                aux_buffer = strdup(cJSON_GetStringValue(cJSON_GetArrayItem(denied_item_array, i)));
+                str_uppercase(aux_buffer);
+                strcat(buffer, aux_buffer);
+                strcat(buffer, i < perm_array_size - 1 ? "|" : ", ");
+
+                free(aux_buffer);
+            }
+        }
+    }
+    buffer[strlen(buffer)] = '\0';
+
+    return strdup(buffer);
+}
+
 void fim_adjust_checksum(sk_sum_t *newsum, char **checksum) {
     // Adjust attributes
     if (newsum->attributes) {

diff --git a/src/shared/syscheck_op.c b/src/shared/syscheck_op.c
@@ -38,6 +38,7 @@ extern void mock_assert(const int result, const char* const expression,
 #endif
 #endif
 
+#ifdef WIN32
 /**
  * @brief Retrieves the permissions of a specific file (Windows)
  *
@@ -66,7 +67,7 @@ static void add_ace_to_json(cJSON *acl_json, char *sid, char *account_name, cons
  * @param [in] ace_type string "allowed" or "denied" depends on ace type
  */
 static void make_mask_readable (cJSON *ace_json, int mask, char *ace_type);
-
+#endif
 
 char *escape_syscheck_field(char *field) {
     char *esc_it;
@@ -1265,25 +1266,6 @@ void decode_win_attributes(char *str, unsigned int attrs) {
     }
 }
 
-void decode_win_acl_json (cJSON *acl_json) {
-    cJSON *json_object = NULL;
-    cJSON *allowed_item = NULL;
-    cJSON *denied_item = NULL;
-
-    assert(acl_json != NULL);
-
-    cJSON_ArrayForEach(json_object, acl_json) {
-        allowed_item = cJSON_GetObjectItem(json_object, "allowed");
-        if (allowed_item) {
-            make_mask_readable(json_object, allowed_item->valueint, "allowed");
-        }
-        denied_item = cJSON_GetObjectItem(json_object, "denied");
-        if (denied_item) {
-            make_mask_readable(json_object, denied_item->valueint, "denied");
-        }
-    }
-}
-
 void make_mask_readable (cJSON *ace_json, int mask, char *ace_type) {
     int i;
     int perm_bits[] = {
@@ -1343,6 +1325,25 @@ void make_mask_readable (cJSON *ace_json, int mask, char *ace_type) {
     cJSON_ReplaceItemInObject(ace_json, ace_type, perm_array);
 }
 
+void decode_win_acl_json (cJSON *acl_json) {
+    cJSON *json_object = NULL;
+    cJSON *allowed_item = NULL;
+    cJSON *denied_item = NULL;
+
+    assert(acl_json != NULL);
+
+    cJSON_ArrayForEach(json_object, acl_json) {
+        allowed_item = cJSON_GetObjectItem(json_object, "allowed");
+        if (allowed_item) {
+            make_mask_readable(json_object, allowed_item->valueint, "allowed");
+        }
+        denied_item = cJSON_GetObjectItem(json_object, "denied");
+        if (denied_item) {
+            make_mask_readable(json_object, denied_item->valueint, "denied");
+        }
+    }
+}
+
 char *decode_win_permissions(char *raw_perm) {
     int written = 0;
     int size = 0;